metasploit | 68623f085d7f715b372067e01a38196402857560ebc617da8bf0c0be045ee2ab

Analysis

max time kernel
139s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
Size

232KB
MD5

985999993fffddc99fd1a4ea76759ff1
SHA1

39d023c4898cb8acd2725f91ff0969ff763aeafc
SHA256

68623f085d7f715b372067e01a38196402857560ebc617da8bf0c0be045ee2ab
SHA512

be21cdf001fad5d3000e7c76084cfd9385edf8ac3feb48d16b105db88b076365d51c5b6005d47b1e73f5be9ecd0157d6e054f1915985edbba7feecc1892b0d3b
SSDEEP

6144:dSSBgo/oaUevQfIiew0T6S3PzFHvusUjQ:dSEgWoaUeqcT6azxusU

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks computer location settings 2 TTPs 38 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	igfxpcv32.exe

Deletes itself 1 IoCs

pid	Process
4864	igfxpcv32.exe

Executes dropped EXE 38 IoCs

pid	Process
4864	igfxpcv32.exe
5484	igfxpcv32.exe
1592	igfxpcv32.exe
5856	igfxpcv32.exe
2856	igfxpcv32.exe
1136	igfxpcv32.exe
4316	igfxpcv32.exe
2224	igfxpcv32.exe
5200	igfxpcv32.exe
3000	igfxpcv32.exe
2880	igfxpcv32.exe
2676	igfxpcv32.exe
220	igfxpcv32.exe
5412	igfxpcv32.exe
5004	igfxpcv32.exe
400	igfxpcv32.exe
3612	igfxpcv32.exe
3932	igfxpcv32.exe
4588	igfxpcv32.exe
5932	igfxpcv32.exe
1640	igfxpcv32.exe
4940	igfxpcv32.exe
4860	igfxpcv32.exe
5268	igfxpcv32.exe
5020	igfxpcv32.exe
1448	igfxpcv32.exe
2220	igfxpcv32.exe
2684	igfxpcv32.exe
5416	igfxpcv32.exe
4260	igfxpcv32.exe
2864	igfxpcv32.exe
5548	igfxpcv32.exe
5736	igfxpcv32.exe
1136	igfxpcv32.exe
6032	igfxpcv32.exe
1904	igfxpcv32.exe
4064	igfxpcv32.exe
4648	igfxpcv32.exe

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpcv32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpcv32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpcv32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpcv32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpcv32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpcv32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpcv32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpcv32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpcv32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpcv32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpcv32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpcv32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpcv32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\	igfxpcv32.exe
File created	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File created	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File created	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpcv32.exe
File created	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpcv32.exe
File created	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File created	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File created	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File created	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File created	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File created	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File created	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpcv32.exe	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
File created	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File created	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File created	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File created	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File created	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File created	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File created	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File created	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File created	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File created	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe
File created	C:\Windows\SysWOW64\igfxpcv32.exe	igfxpcv32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5276	4648	WerFault.exe	144

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpcv32.exe

Modifies registry class 38 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpcv32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
4864	igfxpcv32.exe
4864	igfxpcv32.exe
4864	igfxpcv32.exe
4864	igfxpcv32.exe
4864	igfxpcv32.exe
4864	igfxpcv32.exe
4864	igfxpcv32.exe
4864	igfxpcv32.exe
4864	igfxpcv32.exe
4864	igfxpcv32.exe
4864	igfxpcv32.exe
4864	igfxpcv32.exe
4864	igfxpcv32.exe
4864	igfxpcv32.exe
4864	igfxpcv32.exe
4864	igfxpcv32.exe
4864	igfxpcv32.exe
4864	igfxpcv32.exe
4864	igfxpcv32.exe
4864	igfxpcv32.exe
4864	igfxpcv32.exe
4864	igfxpcv32.exe
4864	igfxpcv32.exe
4864	igfxpcv32.exe
4864	igfxpcv32.exe
4864	igfxpcv32.exe
4864	igfxpcv32.exe
4864	igfxpcv32.exe
4864	igfxpcv32.exe
4864	igfxpcv32.exe
4864	igfxpcv32.exe
4864	igfxpcv32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 4864	1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe	90
PID 1416 wrote to memory of 4864	1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe	90
PID 1416 wrote to memory of 4864	1416	JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe	90
PID 4864 wrote to memory of 5484	4864	igfxpcv32.exe	95
PID 4864 wrote to memory of 5484	4864	igfxpcv32.exe	95
PID 4864 wrote to memory of 5484	4864	igfxpcv32.exe	95
PID 5484 wrote to memory of 1592	5484	igfxpcv32.exe	97
PID 5484 wrote to memory of 1592	5484	igfxpcv32.exe	97
PID 5484 wrote to memory of 1592	5484	igfxpcv32.exe	97
PID 1592 wrote to memory of 5856	1592	igfxpcv32.exe	100
PID 1592 wrote to memory of 5856	1592	igfxpcv32.exe	100
PID 1592 wrote to memory of 5856	1592	igfxpcv32.exe	100
PID 5856 wrote to memory of 2856	5856	igfxpcv32.exe	101
PID 5856 wrote to memory of 2856	5856	igfxpcv32.exe	101
PID 5856 wrote to memory of 2856	5856	igfxpcv32.exe	101
PID 2856 wrote to memory of 1136	2856	igfxpcv32.exe	102
PID 2856 wrote to memory of 1136	2856	igfxpcv32.exe	102
PID 2856 wrote to memory of 1136	2856	igfxpcv32.exe	102
PID 1136 wrote to memory of 4316	1136	igfxpcv32.exe	103
PID 1136 wrote to memory of 4316	1136	igfxpcv32.exe	103
PID 1136 wrote to memory of 4316	1136	igfxpcv32.exe	103
PID 4316 wrote to memory of 2224	4316	igfxpcv32.exe	104
PID 4316 wrote to memory of 2224	4316	igfxpcv32.exe	104
PID 4316 wrote to memory of 2224	4316	igfxpcv32.exe	104
PID 2224 wrote to memory of 5200	2224	igfxpcv32.exe	107
PID 2224 wrote to memory of 5200	2224	igfxpcv32.exe	107
PID 2224 wrote to memory of 5200	2224	igfxpcv32.exe	107
PID 5200 wrote to memory of 3000	5200	igfxpcv32.exe	111
PID 5200 wrote to memory of 3000	5200	igfxpcv32.exe	111
PID 5200 wrote to memory of 3000	5200	igfxpcv32.exe	111
PID 3000 wrote to memory of 2880	3000	igfxpcv32.exe	116
PID 3000 wrote to memory of 2880	3000	igfxpcv32.exe	116
PID 3000 wrote to memory of 2880	3000	igfxpcv32.exe	116
PID 2880 wrote to memory of 2676	2880	igfxpcv32.exe	117
PID 2880 wrote to memory of 2676	2880	igfxpcv32.exe	117
PID 2880 wrote to memory of 2676	2880	igfxpcv32.exe	117
PID 2676 wrote to memory of 220	2676	igfxpcv32.exe	118
PID 2676 wrote to memory of 220	2676	igfxpcv32.exe	118
PID 2676 wrote to memory of 220	2676	igfxpcv32.exe	118
PID 220 wrote to memory of 5412	220	igfxpcv32.exe	119
PID 220 wrote to memory of 5412	220	igfxpcv32.exe	119
PID 220 wrote to memory of 5412	220	igfxpcv32.exe	119
PID 5412 wrote to memory of 5004	5412	igfxpcv32.exe	120
PID 5412 wrote to memory of 5004	5412	igfxpcv32.exe	120
PID 5412 wrote to memory of 5004	5412	igfxpcv32.exe	120
PID 5004 wrote to memory of 400	5004	igfxpcv32.exe	121
PID 5004 wrote to memory of 400	5004	igfxpcv32.exe	121
PID 5004 wrote to memory of 400	5004	igfxpcv32.exe	121
PID 400 wrote to memory of 3612	400	igfxpcv32.exe	122
PID 400 wrote to memory of 3612	400	igfxpcv32.exe	122
PID 400 wrote to memory of 3612	400	igfxpcv32.exe	122
PID 3612 wrote to memory of 3932	3612	igfxpcv32.exe	123
PID 3612 wrote to memory of 3932	3612	igfxpcv32.exe	123
PID 3612 wrote to memory of 3932	3612	igfxpcv32.exe	123
PID 3932 wrote to memory of 4588	3932	igfxpcv32.exe	124
PID 3932 wrote to memory of 4588	3932	igfxpcv32.exe	124
PID 3932 wrote to memory of 4588	3932	igfxpcv32.exe	124
PID 4588 wrote to memory of 5932	4588	igfxpcv32.exe	126
PID 4588 wrote to memory of 5932	4588	igfxpcv32.exe	126
PID 4588 wrote to memory of 5932	4588	igfxpcv32.exe	126
PID 5932 wrote to memory of 1640	5932	igfxpcv32.exe	127
PID 5932 wrote to memory of 1640	5932	igfxpcv32.exe	127
PID 5932 wrote to memory of 1640	5932	igfxpcv32.exe	127
PID 1640 wrote to memory of 4940	1640	igfxpcv32.exe	128

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_985999993fffddc99fd1a4ea76759ff1.exe"
1⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\SysWOW64\igfxpcv32.exe
  "C:\Windows\system32\igfxpcv32.exe" C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Windows\SysWOW64\igfxpcv32.exe
    "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5484
  - - C:\Windows\SysWOW64\igfxpcv32.exe
      "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1592
    - - C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5856
      - C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5200
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5412
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5932
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        27⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\igfxpcv32.exe
        
        "C:\Windows\system32\igfxpcv32.exe" C:\Windows\SysWOW64\IGFXPC~1.EXE
        39⤵
        Executes dropped EXE
        Maps connected drives based on registry
        
        PID:4648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 572
        40⤵
        Program crash
        
        PID:5276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4648 -ip 4648
1⤵
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\igfxpcv32.exe

Filesize
232KB

MD5
985999993fffddc99fd1a4ea76759ff1

SHA1
39d023c4898cb8acd2725f91ff0969ff763aeafc

SHA256
68623f085d7f715b372067e01a38196402857560ebc617da8bf0c0be045ee2ab

SHA512
be21cdf001fad5d3000e7c76084cfd9385edf8ac3feb48d16b105db88b076365d51c5b6005d47b1e73f5be9ecd0157d6e054f1915985edbba7feecc1892b0d3b

Download Submit
memory/220-100-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/400-113-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1136-185-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1136-69-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1416-3-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1416-41-0x0000000000471000-0x0000000000483000-memory.dmp

Filesize
72KB

Download
memory/1416-40-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1416-0-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1416-2-0x0000000000471000-0x0000000000483000-memory.dmp

Filesize
72KB

Download
memory/1416-1-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1448-154-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1592-56-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1640-133-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1904-191-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2220-159-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2224-72-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2224-79-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2676-96-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2684-157-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2684-162-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2856-64-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2864-174-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2880-90-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/3000-87-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/3612-117-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/3932-121-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/4064-194-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/4260-171-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/4260-165-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/4316-74-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/4316-67-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/4588-125-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/4648-196-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/4860-142-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/4864-47-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/4864-38-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/4864-42-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/4940-137-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/5004-103-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/5004-109-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/5020-150-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/5200-83-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/5200-77-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/5268-140-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/5268-146-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/5412-105-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/5416-167-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/5484-52-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/5484-45-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/5484-48-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/5548-179-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/5736-182-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/5856-60-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/5932-129-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/6032-188-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download