metasploit | 8567ace64bbdd1dbb6a424a0780f8aea46d7ac1e9558dfd5dfcfc3e37aeb3be8

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe
Size

220KB
MD5

f2fec6cd7fb126601698a2ed4113c522
SHA1

b546d286cc926df043ccabbb16c3469443f06539
SHA256

8567ace64bbdd1dbb6a424a0780f8aea46d7ac1e9558dfd5dfcfc3e37aeb3be8
SHA512

eb1225482e481fffb6cee4e3aa12c9146d7d05125cbc73c39a12f31fc3470fa7190df04800d6b80152d0b6518d240943714812981509c908dd523c78796fa55a
SSDEEP

3072:yawE8SILiT0V+iFtPji/pL9YV2gPsoKKGQlG7SKPUqOyqjN2R3cJukfUgf:jwE8ST/Z+2gUoK66ntOJ52FcJFMgf

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks computer location settings 2 TTPs 36 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	intelgfx32.exe

Deletes itself 1 IoCs

pid	Process
1388	intelgfx32.exe

Executes dropped EXE 64 IoCs

pid	Process
384	intelgfx32.exe
1388	intelgfx32.exe
2576	intelgfx32.exe
404	intelgfx32.exe
3488	intelgfx32.exe
4544	intelgfx32.exe
3344	intelgfx32.exe
2128	intelgfx32.exe
5040	intelgfx32.exe
1396	intelgfx32.exe
2924	intelgfx32.exe
3748	intelgfx32.exe
4840	intelgfx32.exe
892	intelgfx32.exe
548	intelgfx32.exe
2316	intelgfx32.exe
2092	intelgfx32.exe
1912	intelgfx32.exe
4720	intelgfx32.exe
2040	intelgfx32.exe
3592	intelgfx32.exe
5044	intelgfx32.exe
4692	intelgfx32.exe
4932	intelgfx32.exe
4916	intelgfx32.exe
2472	intelgfx32.exe
1052	intelgfx32.exe
3488	intelgfx32.exe
2560	intelgfx32.exe
1932	intelgfx32.exe
3612	intelgfx32.exe
4308	intelgfx32.exe
752	intelgfx32.exe
5040	intelgfx32.exe
2408	intelgfx32.exe
3556	intelgfx32.exe
1720	intelgfx32.exe
3952	intelgfx32.exe
4952	intelgfx32.exe
4508	intelgfx32.exe
1652	intelgfx32.exe
2096	intelgfx32.exe
812	intelgfx32.exe
716	intelgfx32.exe
2092	intelgfx32.exe
4876	intelgfx32.exe
4456	intelgfx32.exe
2748	intelgfx32.exe
2040	intelgfx32.exe
3592	intelgfx32.exe
3608	intelgfx32.exe
384	intelgfx32.exe
2220	intelgfx32.exe
4748	intelgfx32.exe
4928	intelgfx32.exe
1684	intelgfx32.exe
4800	intelgfx32.exe
2664	intelgfx32.exe
4872	intelgfx32.exe
456	intelgfx32.exe
5004	intelgfx32.exe
4740	intelgfx32.exe
4896	intelgfx32.exe
2164	intelgfx32.exe

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	intelgfx32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\intelgfx32.exe	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe

Suspicious use of SetThreadContext 37 IoCs

description	pid	Process	procid_target
PID 3932 set thread context of 3908	3932	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe	83
PID 384 set thread context of 1388	384	intelgfx32.exe	85
PID 2576 set thread context of 404	2576	intelgfx32.exe	87
PID 3488 set thread context of 4544	3488	intelgfx32.exe	91
PID 3344 set thread context of 2128	3344	intelgfx32.exe	99
PID 5040 set thread context of 1396	5040	intelgfx32.exe	105
PID 2924 set thread context of 3748	2924	intelgfx32.exe	107
PID 4840 set thread context of 892	4840	intelgfx32.exe	109
PID 548 set thread context of 2316	548	intelgfx32.exe	113
PID 2092 set thread context of 1912	2092	intelgfx32.exe	116
PID 4720 set thread context of 2040	4720	intelgfx32.exe	118
PID 3592 set thread context of 5044	3592	intelgfx32.exe	120
PID 4692 set thread context of 4932	4692	intelgfx32.exe	122
PID 4916 set thread context of 2472	4916	intelgfx32.exe	124
PID 1052 set thread context of 3488	1052	intelgfx32.exe	126
PID 2560 set thread context of 1932	2560	intelgfx32.exe	128
PID 3612 set thread context of 4308	3612	intelgfx32.exe	131
PID 752 set thread context of 5040	752	intelgfx32.exe	133
PID 2408 set thread context of 3556	2408	intelgfx32.exe	135
PID 1720 set thread context of 3952	1720	intelgfx32.exe	137
PID 4952 set thread context of 4508	4952	intelgfx32.exe	139
PID 1652 set thread context of 2096	1652	intelgfx32.exe	141
PID 812 set thread context of 716	812	intelgfx32.exe	143
PID 2092 set thread context of 4876	2092	intelgfx32.exe	145
PID 4456 set thread context of 2748	4456	intelgfx32.exe	147
PID 2040 set thread context of 3592	2040	intelgfx32.exe	149
PID 3608 set thread context of 384	3608	intelgfx32.exe	151
PID 2220 set thread context of 4748	2220	intelgfx32.exe	153
PID 4928 set thread context of 1684	4928	intelgfx32.exe	155
PID 4800 set thread context of 2664	4800	intelgfx32.exe	157
PID 4872 set thread context of 456	4872	intelgfx32.exe	159
PID 5004 set thread context of 4740	5004	intelgfx32.exe	161
PID 4896 set thread context of 2164	4896	intelgfx32.exe	163
PID 3856 set thread context of 1708	3856	intelgfx32.exe	165
PID 4776 set thread context of 1236	4776	intelgfx32.exe	167
PID 4528 set thread context of 1692	4528	intelgfx32.exe	169
PID 1140 set thread context of 2104	1140	intelgfx32.exe	171

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3908-0-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3908-2-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3908-3-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3908-4-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3908-40-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1388-45-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1388-48-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/404-54-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/404-56-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/404-57-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4544-66-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/2128-73-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1396-80-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3748-87-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/892-97-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/2316-103-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1912-109-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/2040-119-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/5044-125-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4932-134-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/2472-142-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3488-150-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1932-158-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4308-166-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/5040-174-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3556-182-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3952-190-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4508-198-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/2096-206-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/716-213-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4876-219-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/2748-225-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3592-231-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/384-237-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4748-243-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1684-249-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/2664-255-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/456-261-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4740-267-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/2164-273-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1708-279-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1236-285-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1692-291-0x0000000000400000-0x0000000000466000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	intelgfx32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3908	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe
3908	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe
3908	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe
3908	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe
1388	intelgfx32.exe
1388	intelgfx32.exe
1388	intelgfx32.exe
1388	intelgfx32.exe
404	intelgfx32.exe
404	intelgfx32.exe
404	intelgfx32.exe
404	intelgfx32.exe
4544	intelgfx32.exe
4544	intelgfx32.exe
4544	intelgfx32.exe
4544	intelgfx32.exe
2128	intelgfx32.exe
2128	intelgfx32.exe
2128	intelgfx32.exe
2128	intelgfx32.exe
1396	intelgfx32.exe
1396	intelgfx32.exe
1396	intelgfx32.exe
1396	intelgfx32.exe
3748	intelgfx32.exe
3748	intelgfx32.exe
3748	intelgfx32.exe
3748	intelgfx32.exe
892	intelgfx32.exe
892	intelgfx32.exe
892	intelgfx32.exe
892	intelgfx32.exe
2316	intelgfx32.exe
2316	intelgfx32.exe
2316	intelgfx32.exe
2316	intelgfx32.exe
1912	intelgfx32.exe
1912	intelgfx32.exe
1912	intelgfx32.exe
1912	intelgfx32.exe
2040	intelgfx32.exe
2040	intelgfx32.exe
2040	intelgfx32.exe
2040	intelgfx32.exe
5044	intelgfx32.exe
5044	intelgfx32.exe
5044	intelgfx32.exe
5044	intelgfx32.exe
4932	intelgfx32.exe
4932	intelgfx32.exe
4932	intelgfx32.exe
4932	intelgfx32.exe
2472	intelgfx32.exe
2472	intelgfx32.exe
2472	intelgfx32.exe
2472	intelgfx32.exe
3488	intelgfx32.exe
3488	intelgfx32.exe
3488	intelgfx32.exe
3488	intelgfx32.exe
1932	intelgfx32.exe
1932	intelgfx32.exe
1932	intelgfx32.exe
1932	intelgfx32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 3908	3932	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe	83
PID 3932 wrote to memory of 3908	3932	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe	83
PID 3932 wrote to memory of 3908	3932	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe	83
PID 3932 wrote to memory of 3908	3932	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe	83
PID 3932 wrote to memory of 3908	3932	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe	83
PID 3932 wrote to memory of 3908	3932	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe	83
PID 3932 wrote to memory of 3908	3932	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe	83
PID 3908 wrote to memory of 384	3908	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe	84
PID 3908 wrote to memory of 384	3908	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe	84
PID 3908 wrote to memory of 384	3908	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe	84
PID 384 wrote to memory of 1388	384	intelgfx32.exe	85
PID 384 wrote to memory of 1388	384	intelgfx32.exe	85
PID 384 wrote to memory of 1388	384	intelgfx32.exe	85
PID 384 wrote to memory of 1388	384	intelgfx32.exe	85
PID 384 wrote to memory of 1388	384	intelgfx32.exe	85
PID 384 wrote to memory of 1388	384	intelgfx32.exe	85
PID 384 wrote to memory of 1388	384	intelgfx32.exe	85
PID 1388 wrote to memory of 2576	1388	intelgfx32.exe	86
PID 1388 wrote to memory of 2576	1388	intelgfx32.exe	86
PID 1388 wrote to memory of 2576	1388	intelgfx32.exe	86
PID 2576 wrote to memory of 404	2576	intelgfx32.exe	87
PID 2576 wrote to memory of 404	2576	intelgfx32.exe	87
PID 2576 wrote to memory of 404	2576	intelgfx32.exe	87
PID 2576 wrote to memory of 404	2576	intelgfx32.exe	87
PID 2576 wrote to memory of 404	2576	intelgfx32.exe	87
PID 2576 wrote to memory of 404	2576	intelgfx32.exe	87
PID 2576 wrote to memory of 404	2576	intelgfx32.exe	87
PID 404 wrote to memory of 3488	404	intelgfx32.exe	90
PID 404 wrote to memory of 3488	404	intelgfx32.exe	90
PID 404 wrote to memory of 3488	404	intelgfx32.exe	90
PID 3488 wrote to memory of 4544	3488	intelgfx32.exe	91
PID 3488 wrote to memory of 4544	3488	intelgfx32.exe	91
PID 3488 wrote to memory of 4544	3488	intelgfx32.exe	91
PID 3488 wrote to memory of 4544	3488	intelgfx32.exe	91
PID 3488 wrote to memory of 4544	3488	intelgfx32.exe	91
PID 3488 wrote to memory of 4544	3488	intelgfx32.exe	91
PID 3488 wrote to memory of 4544	3488	intelgfx32.exe	91
PID 4544 wrote to memory of 3344	4544	intelgfx32.exe	98
PID 4544 wrote to memory of 3344	4544	intelgfx32.exe	98
PID 4544 wrote to memory of 3344	4544	intelgfx32.exe	98
PID 3344 wrote to memory of 2128	3344	intelgfx32.exe	99
PID 3344 wrote to memory of 2128	3344	intelgfx32.exe	99
PID 3344 wrote to memory of 2128	3344	intelgfx32.exe	99
PID 3344 wrote to memory of 2128	3344	intelgfx32.exe	99
PID 3344 wrote to memory of 2128	3344	intelgfx32.exe	99
PID 3344 wrote to memory of 2128	3344	intelgfx32.exe	99
PID 3344 wrote to memory of 2128	3344	intelgfx32.exe	99
PID 2128 wrote to memory of 5040	2128	intelgfx32.exe	104
PID 2128 wrote to memory of 5040	2128	intelgfx32.exe	104
PID 2128 wrote to memory of 5040	2128	intelgfx32.exe	104
PID 5040 wrote to memory of 1396	5040	intelgfx32.exe	105
PID 5040 wrote to memory of 1396	5040	intelgfx32.exe	105
PID 5040 wrote to memory of 1396	5040	intelgfx32.exe	105
PID 5040 wrote to memory of 1396	5040	intelgfx32.exe	105
PID 5040 wrote to memory of 1396	5040	intelgfx32.exe	105
PID 5040 wrote to memory of 1396	5040	intelgfx32.exe	105
PID 5040 wrote to memory of 1396	5040	intelgfx32.exe	105
PID 1396 wrote to memory of 2924	1396	intelgfx32.exe	106
PID 1396 wrote to memory of 2924	1396	intelgfx32.exe	106
PID 1396 wrote to memory of 2924	1396	intelgfx32.exe	106
PID 2924 wrote to memory of 3748	2924	intelgfx32.exe	107
PID 2924 wrote to memory of 3748	2924	intelgfx32.exe	107
PID 2924 wrote to memory of 3748	2924	intelgfx32.exe	107
PID 2924 wrote to memory of 3748	2924	intelgfx32.exe	107

C:\Users\Admin\AppData\Local\Temp\f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Users\Admin\AppData\Local\Temp\f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Windows\SysWOW64\intelgfx32.exe
    "C:\Windows\system32\intelgfx32.exe" C:\Users\Admin\AppData\Local\Temp\F2FEC6~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:384
  - - C:\Windows\SysWOW64\intelgfx32.exe
      "C:\Windows\system32\intelgfx32.exe" C:\Users\Admin\AppData\Local\Temp\F2FEC6~1.EXE
      4⤵
      Checks computer location settings
      Deletes itself
      Executes dropped EXE
      Maps connected drives based on registry
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1388
    - - C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2576
      - C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3748
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:892
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2316
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1912
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4720
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2040
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5044
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4932
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2472
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3488
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1932
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3612
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:752
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2408
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3608
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4928
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4896
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        66⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        67⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3856
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        68⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        69⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        70⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        71⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        72⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        73⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        74⤵
        Maps connected drives based on registry
        
        PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\intelgfx32.exe

Filesize
220KB

MD5
f2fec6cd7fb126601698a2ed4113c522

SHA1
b546d286cc926df043ccabbb16c3469443f06539

SHA256
8567ace64bbdd1dbb6a424a0780f8aea46d7ac1e9558dfd5dfcfc3e37aeb3be8

SHA512
eb1225482e481fffb6cee4e3aa12c9146d7d05125cbc73c39a12f31fc3470fa7190df04800d6b80152d0b6518d240943714812981509c908dd523c78796fa55a

Download Submit
memory/384-237-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/404-56-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/404-54-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/404-57-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/456-261-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/716-213-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/892-97-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1236-285-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1388-45-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1388-48-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1396-80-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1684-249-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1692-291-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1708-279-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1912-109-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1932-158-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2040-119-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2096-206-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2128-73-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2164-273-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2316-103-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2472-142-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2664-255-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2748-225-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3488-150-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3556-182-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3592-231-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3748-87-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3908-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3908-3-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3908-4-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3908-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3908-40-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3952-190-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4308-166-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4508-198-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4544-66-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4740-267-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4748-243-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4876-219-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4932-134-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/5040-174-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/5044-125-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download