Analysis
-
max time kernel
150s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20250410-en -
resource tags
arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system -
submitted
15/04/2025, 06:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
JaffaCakes118_b96adc6ab75fe4caff4e8c2cc0bb1f80.exe
Resource
win10v2004-20250410-en
windows10-2004-x64
14 signatures
150 seconds
General
-
Target
JaffaCakes118_b96adc6ab75fe4caff4e8c2cc0bb1f80.exe
-
Size
192KB
-
MD5
b96adc6ab75fe4caff4e8c2cc0bb1f80
-
SHA1
b0ca42d369f0dbf0f5de1790c9ee7426a020eef0
-
SHA256
f6b09658c8949c969d17881eea8e7e5288a93c5f2074731579712e4a6658b72a
-
SHA512
cf01cc88aa61c20aaaeb719928138a0d37faa9384b0cf2b600e9846f7f7e6e0f1728bfc64482e5383f06ac143a02fceda36188436b121e8930d6ce73bc82b91f
-
SSDEEP
3072:P8CASbrfeSrZslbiZZ+PiMs5V1McooCY76jmBf5f/ttuuSG8kTvjCP307u4wi3Yn:P7ASnfz/Z+PiMs3WXoCYWjchf/frSG8R
Score
10/10
Malware Config
Extracted
Family
metasploit
Version
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Checks computer location settings 2 TTPs 26 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation intelgfx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation intelgfx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation intelgfx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation intelgfx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation intelgfx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation intelgfx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation JaffaCakes118_b96adc6ab75fe4caff4e8c2cc0bb1f80.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation intelgfx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation intelgfx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation intelgfx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation intelgfx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation intelgfx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation intelgfx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation intelgfx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation intelgfx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation intelgfx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation intelgfx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation intelgfx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation intelgfx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation intelgfx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation intelgfx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation intelgfx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation intelgfx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation intelgfx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation intelgfx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation intelgfx32.exe -
Deletes itself 1 IoCs
pid Process 2468 intelgfx32.exe -
Executes dropped EXE 52 IoCs
pid Process 5016 intelgfx32.exe 2468 intelgfx32.exe 3168 intelgfx32.exe 4216 intelgfx32.exe 3268 intelgfx32.exe 2288 intelgfx32.exe 3512 intelgfx32.exe 5640 intelgfx32.exe 2748 intelgfx32.exe 3900 intelgfx32.exe 1772 intelgfx32.exe 1344 intelgfx32.exe 4592 intelgfx32.exe 4572 intelgfx32.exe 3468 intelgfx32.exe 2900 intelgfx32.exe 3660 intelgfx32.exe 548 intelgfx32.exe 4796 intelgfx32.exe 3624 intelgfx32.exe 1856 intelgfx32.exe 3120 intelgfx32.exe 64 intelgfx32.exe 1152 intelgfx32.exe 5828 intelgfx32.exe 4308 intelgfx32.exe 224 intelgfx32.exe 4384 intelgfx32.exe 1768 intelgfx32.exe 1824 intelgfx32.exe 2012 intelgfx32.exe 5284 intelgfx32.exe 5404 intelgfx32.exe 1572 intelgfx32.exe 464 intelgfx32.exe 4984 intelgfx32.exe 6132 intelgfx32.exe 1104 intelgfx32.exe 5744 intelgfx32.exe 5212 intelgfx32.exe 4556 intelgfx32.exe 4764 intelgfx32.exe 4540 intelgfx32.exe 4580 intelgfx32.exe 4932 intelgfx32.exe 4772 intelgfx32.exe 4820 intelgfx32.exe 4876 intelgfx32.exe 2232 intelgfx32.exe 5396 intelgfx32.exe 3768 intelgfx32.exe 4004 intelgfx32.exe -
Maps connected drives based on registry 3 TTPs 54 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum intelgfx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 intelgfx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 intelgfx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 intelgfx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum intelgfx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 intelgfx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum intelgfx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum intelgfx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 intelgfx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum intelgfx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum intelgfx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 intelgfx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 intelgfx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 intelgfx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum intelgfx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum intelgfx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 intelgfx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum intelgfx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 intelgfx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 intelgfx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum intelgfx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum intelgfx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 intelgfx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum intelgfx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum intelgfx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 intelgfx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum JaffaCakes118_b96adc6ab75fe4caff4e8c2cc0bb1f80.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 JaffaCakes118_b96adc6ab75fe4caff4e8c2cc0bb1f80.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File created C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File created C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File opened for modification C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File opened for modification C:\Windows\SysWOW64\ intelgfx32.exe File opened for modification C:\Windows\SysWOW64\ intelgfx32.exe File opened for modification C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File opened for modification C:\Windows\SysWOW64\ intelgfx32.exe File created C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File opened for modification C:\Windows\SysWOW64\ intelgfx32.exe File created C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File opened for modification C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File opened for modification C:\Windows\SysWOW64\ intelgfx32.exe File created C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File opened for modification C:\Windows\SysWOW64\ intelgfx32.exe File created C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File opened for modification C:\Windows\SysWOW64\ intelgfx32.exe File opened for modification C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File created C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File opened for modification C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File created C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File opened for modification C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File opened for modification C:\Windows\SysWOW64\ intelgfx32.exe File opened for modification C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File opened for modification C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File opened for modification C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File opened for modification C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File opened for modification C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File created C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File opened for modification C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File opened for modification C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File opened for modification C:\Windows\SysWOW64\ intelgfx32.exe File created C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File opened for modification C:\Windows\SysWOW64\ intelgfx32.exe File opened for modification C:\Windows\SysWOW64\ intelgfx32.exe File created C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File opened for modification C:\Windows\SysWOW64\ intelgfx32.exe File opened for modification C:\Windows\SysWOW64\intelgfx32.exe JaffaCakes118_b96adc6ab75fe4caff4e8c2cc0bb1f80.exe File created C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File created C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File opened for modification C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File created C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File opened for modification C:\Windows\SysWOW64\ intelgfx32.exe File opened for modification C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File created C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File created C:\Windows\SysWOW64\intelgfx32.exe JaffaCakes118_b96adc6ab75fe4caff4e8c2cc0bb1f80.exe File opened for modification C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File opened for modification C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File created C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File created C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File opened for modification C:\Windows\SysWOW64\ JaffaCakes118_b96adc6ab75fe4caff4e8c2cc0bb1f80.exe File opened for modification C:\Windows\SysWOW64\ intelgfx32.exe File opened for modification C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File opened for modification C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File opened for modification C:\Windows\SysWOW64\ intelgfx32.exe File opened for modification C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File opened for modification C:\Windows\SysWOW64\ intelgfx32.exe File created C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File opened for modification C:\Windows\SysWOW64\ intelgfx32.exe File created C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File opened for modification C:\Windows\SysWOW64\ intelgfx32.exe File opened for modification C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File opened for modification C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe File created C:\Windows\SysWOW64\intelgfx32.exe intelgfx32.exe -
Suspicious use of SetThreadContext 27 IoCs
description pid Process procid_target PID 4764 set thread context of 4656 4764 JaffaCakes118_b96adc6ab75fe4caff4e8c2cc0bb1f80.exe 89 PID 5016 set thread context of 2468 5016 intelgfx32.exe 93 PID 3168 set thread context of 4216 3168 intelgfx32.exe 95 PID 3268 set thread context of 2288 3268 intelgfx32.exe 97 PID 3512 set thread context of 5640 3512 intelgfx32.exe 99 PID 2748 set thread context of 3900 2748 intelgfx32.exe 101 PID 1772 set thread context of 1344 1772 intelgfx32.exe 106 PID 4592 set thread context of 4572 4592 intelgfx32.exe 108 PID 3468 set thread context of 2900 3468 intelgfx32.exe 111 PID 3660 set thread context of 548 3660 intelgfx32.exe 113 PID 4796 set thread context of 3624 4796 intelgfx32.exe 115 PID 1856 set thread context of 3120 1856 intelgfx32.exe 117 PID 64 set thread context of 1152 64 intelgfx32.exe 119 PID 5828 set thread context of 4308 5828 intelgfx32.exe 121 PID 224 set thread context of 4384 224 intelgfx32.exe 123 PID 1768 set thread context of 1824 1768 intelgfx32.exe 125 PID 2012 set thread context of 5284 2012 intelgfx32.exe 127 PID 5404 set thread context of 1572 5404 intelgfx32.exe 129 PID 464 set thread context of 4984 464 intelgfx32.exe 131 PID 6132 set thread context of 1104 6132 intelgfx32.exe 133 PID 5744 set thread context of 5212 5744 intelgfx32.exe 135 PID 4556 set thread context of 4764 4556 intelgfx32.exe 137 PID 4540 set thread context of 4580 4540 intelgfx32.exe 139 PID 4932 set thread context of 4772 4932 intelgfx32.exe 141 PID 4820 set thread context of 4876 4820 intelgfx32.exe 143 PID 2232 set thread context of 5396 2232 intelgfx32.exe 145 PID 3768 set thread context of 4004 3768 intelgfx32.exe 147 -
resource yara_rule behavioral1/memory/4656-2-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/4656-3-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/4656-4-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/4656-5-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/4656-39-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/2468-44-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/2468-46-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/2468-45-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/2468-47-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/4216-54-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/4216-56-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/2288-67-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/5640-73-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/3900-79-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/1344-87-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/4572-94-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/2900-102-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/548-109-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/3624-115-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/3120-125-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/1152-133-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/4308-141-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/4384-146-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/4384-150-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/1824-158-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/5284-166-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/1572-174-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/4984-182-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/1104-190-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/5212-198-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/4764-206-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/4580-214-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/4772-220-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/4876-226-0x0000000000400000-0x0000000000466000-memory.dmp upx behavioral1/memory/5396-232-0x0000000000400000-0x0000000000466000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 54 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_b96adc6ab75fe4caff4e8c2cc0bb1f80.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_b96adc6ab75fe4caff4e8c2cc0bb1f80.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language intelgfx32.exe -
Modifies registry class 26 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ intelgfx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ intelgfx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ intelgfx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ intelgfx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ intelgfx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ intelgfx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ intelgfx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ intelgfx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ intelgfx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ intelgfx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ intelgfx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ intelgfx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ JaffaCakes118_b96adc6ab75fe4caff4e8c2cc0bb1f80.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ intelgfx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ intelgfx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ intelgfx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ intelgfx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ intelgfx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ intelgfx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ intelgfx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ intelgfx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ intelgfx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ intelgfx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ intelgfx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ intelgfx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ intelgfx32.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4656 JaffaCakes118_b96adc6ab75fe4caff4e8c2cc0bb1f80.exe 4656 JaffaCakes118_b96adc6ab75fe4caff4e8c2cc0bb1f80.exe 4656 JaffaCakes118_b96adc6ab75fe4caff4e8c2cc0bb1f80.exe 4656 JaffaCakes118_b96adc6ab75fe4caff4e8c2cc0bb1f80.exe 2468 intelgfx32.exe 2468 intelgfx32.exe 2468 intelgfx32.exe 2468 intelgfx32.exe 4216 intelgfx32.exe 4216 intelgfx32.exe 4216 intelgfx32.exe 4216 intelgfx32.exe 2288 intelgfx32.exe 2288 intelgfx32.exe 2288 intelgfx32.exe 2288 intelgfx32.exe 5640 intelgfx32.exe 5640 intelgfx32.exe 5640 intelgfx32.exe 5640 intelgfx32.exe 3900 intelgfx32.exe 3900 intelgfx32.exe 3900 intelgfx32.exe 3900 intelgfx32.exe 1344 intelgfx32.exe 1344 intelgfx32.exe 1344 intelgfx32.exe 1344 intelgfx32.exe 4572 intelgfx32.exe 4572 intelgfx32.exe 4572 intelgfx32.exe 4572 intelgfx32.exe 2900 intelgfx32.exe 2900 intelgfx32.exe 2900 intelgfx32.exe 2900 intelgfx32.exe 548 intelgfx32.exe 548 intelgfx32.exe 548 intelgfx32.exe 548 intelgfx32.exe 3624 intelgfx32.exe 3624 intelgfx32.exe 3624 intelgfx32.exe 3624 intelgfx32.exe 3120 intelgfx32.exe 3120 intelgfx32.exe 3120 intelgfx32.exe 3120 intelgfx32.exe 1152 intelgfx32.exe 1152 intelgfx32.exe 1152 intelgfx32.exe 1152 intelgfx32.exe 4308 intelgfx32.exe 4308 intelgfx32.exe 4308 intelgfx32.exe 4308 intelgfx32.exe 4384 intelgfx32.exe 4384 intelgfx32.exe 4384 intelgfx32.exe 4384 intelgfx32.exe 1824 intelgfx32.exe 1824 intelgfx32.exe 1824 intelgfx32.exe 1824 intelgfx32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4764 wrote to memory of 4656 4764 JaffaCakes118_b96adc6ab75fe4caff4e8c2cc0bb1f80.exe 89 PID 4764 wrote to memory of 4656 4764 JaffaCakes118_b96adc6ab75fe4caff4e8c2cc0bb1f80.exe 89 PID 4764 wrote to memory of 4656 4764 JaffaCakes118_b96adc6ab75fe4caff4e8c2cc0bb1f80.exe 89 PID 4764 wrote to memory of 4656 4764 JaffaCakes118_b96adc6ab75fe4caff4e8c2cc0bb1f80.exe 89 PID 4764 wrote to memory of 4656 4764 JaffaCakes118_b96adc6ab75fe4caff4e8c2cc0bb1f80.exe 89 PID 4764 wrote to memory of 4656 4764 JaffaCakes118_b96adc6ab75fe4caff4e8c2cc0bb1f80.exe 89 PID 4764 wrote to memory of 4656 4764 JaffaCakes118_b96adc6ab75fe4caff4e8c2cc0bb1f80.exe 89 PID 4656 wrote to memory of 5016 4656 JaffaCakes118_b96adc6ab75fe4caff4e8c2cc0bb1f80.exe 92 PID 4656 wrote to memory of 5016 4656 JaffaCakes118_b96adc6ab75fe4caff4e8c2cc0bb1f80.exe 92 PID 4656 wrote to memory of 5016 4656 JaffaCakes118_b96adc6ab75fe4caff4e8c2cc0bb1f80.exe 92 PID 5016 wrote to memory of 2468 5016 intelgfx32.exe 93 PID 5016 wrote to memory of 2468 5016 intelgfx32.exe 93 PID 5016 wrote to memory of 2468 5016 intelgfx32.exe 93 PID 5016 wrote to memory of 2468 5016 intelgfx32.exe 93 PID 5016 wrote to memory of 2468 5016 intelgfx32.exe 93 PID 5016 wrote to memory of 2468 5016 intelgfx32.exe 93 PID 5016 wrote to memory of 2468 5016 intelgfx32.exe 93 PID 2468 wrote to memory of 3168 2468 intelgfx32.exe 94 PID 2468 wrote to memory of 3168 2468 intelgfx32.exe 94 PID 2468 wrote to memory of 3168 2468 intelgfx32.exe 94 PID 3168 wrote to memory of 4216 3168 intelgfx32.exe 95 PID 3168 wrote to memory of 4216 3168 intelgfx32.exe 95 PID 3168 wrote to memory of 4216 3168 intelgfx32.exe 95 PID 3168 wrote to memory of 4216 3168 intelgfx32.exe 95 PID 3168 wrote to memory of 4216 3168 intelgfx32.exe 95 PID 3168 wrote to memory of 4216 3168 intelgfx32.exe 95 PID 3168 wrote to memory of 4216 3168 intelgfx32.exe 95 PID 4216 wrote to memory of 3268 4216 intelgfx32.exe 96 PID 4216 wrote to memory of 3268 4216 intelgfx32.exe 96 PID 4216 wrote to memory of 3268 4216 intelgfx32.exe 96 PID 3268 wrote to memory of 2288 3268 intelgfx32.exe 97 PID 3268 wrote to memory of 2288 3268 intelgfx32.exe 97 PID 3268 wrote to memory of 2288 3268 intelgfx32.exe 97 PID 3268 wrote to memory of 2288 3268 intelgfx32.exe 97 PID 3268 wrote to memory of 2288 3268 intelgfx32.exe 97 PID 3268 wrote to memory of 2288 3268 intelgfx32.exe 97 PID 3268 wrote to memory of 2288 3268 intelgfx32.exe 97 PID 2288 wrote to memory of 3512 2288 intelgfx32.exe 98 PID 2288 wrote to memory of 3512 2288 intelgfx32.exe 98 PID 2288 wrote to memory of 3512 2288 intelgfx32.exe 98 PID 3512 wrote to memory of 5640 3512 intelgfx32.exe 99 PID 3512 wrote to memory of 5640 3512 intelgfx32.exe 99 PID 3512 wrote to memory of 5640 3512 intelgfx32.exe 99 PID 3512 wrote to memory of 5640 3512 intelgfx32.exe 99 PID 3512 wrote to memory of 5640 3512 intelgfx32.exe 99 PID 3512 wrote to memory of 5640 3512 intelgfx32.exe 99 PID 3512 wrote to memory of 5640 3512 intelgfx32.exe 99 PID 5640 wrote to memory of 2748 5640 intelgfx32.exe 100 PID 5640 wrote to memory of 2748 5640 intelgfx32.exe 100 PID 5640 wrote to memory of 2748 5640 intelgfx32.exe 100 PID 2748 wrote to memory of 3900 2748 intelgfx32.exe 101 PID 2748 wrote to memory of 3900 2748 intelgfx32.exe 101 PID 2748 wrote to memory of 3900 2748 intelgfx32.exe 101 PID 2748 wrote to memory of 3900 2748 intelgfx32.exe 101 PID 2748 wrote to memory of 3900 2748 intelgfx32.exe 101 PID 2748 wrote to memory of 3900 2748 intelgfx32.exe 101 PID 2748 wrote to memory of 3900 2748 intelgfx32.exe 101 PID 3900 wrote to memory of 1772 3900 intelgfx32.exe 105 PID 3900 wrote to memory of 1772 3900 intelgfx32.exe 105 PID 3900 wrote to memory of 1772 3900 intelgfx32.exe 105 PID 1772 wrote to memory of 1344 1772 intelgfx32.exe 106 PID 1772 wrote to memory of 1344 1772 intelgfx32.exe 106 PID 1772 wrote to memory of 1344 1772 intelgfx32.exe 106 PID 1772 wrote to memory of 1344 1772 intelgfx32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b96adc6ab75fe4caff4e8c2cc0bb1f80.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b96adc6ab75fe4caff4e8c2cc0bb1f80.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b96adc6ab75fe4caff4e8c2cc0bb1f80.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b96adc6ab75fe4caff4e8c2cc0bb1f80.exe"2⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE4⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3168 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE6⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3268 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE8⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE10⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5640 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE12⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3900 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE14⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1344 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4592 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE16⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4572 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3468 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE18⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2900 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3660 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE20⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:548 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4796 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE22⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3624 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1856 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE24⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3120 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:64 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE26⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1152 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5828 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE28⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4308 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:224 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE30⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4384 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1768 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE32⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1824 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2012 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE34⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5284 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5404 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE36⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:464 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE38⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4984 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:6132 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE40⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1104 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5744 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE42⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5212 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4556 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE44⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4764 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4540 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE46⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4580 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4932 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE48⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4772 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4820 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE50⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4876 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE52⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5396 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3768 -
C:\Windows\SysWOW64\intelgfx32.exe"C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE54⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4004
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
192KB
MD5b96adc6ab75fe4caff4e8c2cc0bb1f80
SHA1b0ca42d369f0dbf0f5de1790c9ee7426a020eef0
SHA256f6b09658c8949c969d17881eea8e7e5288a93c5f2074731579712e4a6658b72a
SHA512cf01cc88aa61c20aaaeb719928138a0d37faa9384b0cf2b600e9846f7f7e6e0f1728bfc64482e5383f06ac143a02fceda36188436b121e8930d6ce73bc82b91f