metasploit | 0a011d41ad1664fddeb76d929e0ab5e746a08af71cedddc5c2efcda49e6d5bba

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c74dd01a21871c8a57a96b51bf164f0c_JaffaCakes118.exe
Size

268KB
MD5

c74dd01a21871c8a57a96b51bf164f0c
SHA1

93689e714be0e4930799e661acd40fcd1ccb55b1
SHA256

0a011d41ad1664fddeb76d929e0ab5e746a08af71cedddc5c2efcda49e6d5bba
SHA512

55c09c40a84f9bdd7e72906dc999465f3802dc9e26e8828107bc847267691347df269b5679ce7123c7210ec0b6b2a4890dab00df42c88b9337302c1e8fee0744
SSDEEP

3072:U6STyZ3kFoa3/fQRACWZSbxPjWQEvql7tw2HDox2nKe4yKmEVUgQm+eGxfARfizE:P6Foa3/fQgSV5ECl7GCoyKeLKm1g0mQY

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks computer location settings 2 TTPs 47 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	c74dd01a21871c8a57a96b51bf164f0c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	igfxdfp32.exe

Deletes itself 1 IoCs

pid	Process
4052	igfxdfp32.exe

Executes dropped EXE 64 IoCs

pid	Process
3028	igfxdfp32.exe
4052	igfxdfp32.exe
2188	igfxdfp32.exe
4268	igfxdfp32.exe
3448	igfxdfp32.exe
2336	igfxdfp32.exe
1904	igfxdfp32.exe
4204	igfxdfp32.exe
992	igfxdfp32.exe
1776	igfxdfp32.exe
2292	igfxdfp32.exe
736	igfxdfp32.exe
4908	igfxdfp32.exe
4328	igfxdfp32.exe
3612	igfxdfp32.exe
1180	igfxdfp32.exe
772	igfxdfp32.exe
2036	igfxdfp32.exe
4812	igfxdfp32.exe
4632	igfxdfp32.exe
4952	igfxdfp32.exe
4496	igfxdfp32.exe
3140	igfxdfp32.exe
1728	igfxdfp32.exe
3408	igfxdfp32.exe
2472	igfxdfp32.exe
1656	igfxdfp32.exe
3000	igfxdfp32.exe
3356	igfxdfp32.exe
264	igfxdfp32.exe
1312	igfxdfp32.exe
4532	igfxdfp32.exe
4960	igfxdfp32.exe
3568	igfxdfp32.exe
5036	igfxdfp32.exe
2456	igfxdfp32.exe
3876	igfxdfp32.exe
4764	igfxdfp32.exe
2284	igfxdfp32.exe
1876	igfxdfp32.exe
2392	igfxdfp32.exe
1768	igfxdfp32.exe
1624	igfxdfp32.exe
3144	igfxdfp32.exe
2548	igfxdfp32.exe
4608	igfxdfp32.exe
3572	igfxdfp32.exe
1216	igfxdfp32.exe
2536	igfxdfp32.exe
756	igfxdfp32.exe
3368	igfxdfp32.exe
1336	igfxdfp32.exe
4848	igfxdfp32.exe
2752	igfxdfp32.exe
5008	igfxdfp32.exe
5032	igfxdfp32.exe
1312	igfxdfp32.exe
2444	igfxdfp32.exe
3244	igfxdfp32.exe
4256	igfxdfp32.exe
2000	igfxdfp32.exe
1696	igfxdfp32.exe
4352	igfxdfp32.exe
4316	igfxdfp32.exe

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdfp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdfp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdfp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdfp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	c74dd01a21871c8a57a96b51bf164f0c_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdfp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdfp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdfp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdfp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdfp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdfp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdfp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdfp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdfp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdfp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdfp32.exe
File created	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdfp32.exe
File created	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File created	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File created	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File created	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File created	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File created	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdfp32.exe
File created	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File created	C:\Windows\SysWOW64\igfxdfp32.exe	c74dd01a21871c8a57a96b51bf164f0c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdfp32.exe
File created	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdfp32.exe
File created	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File created	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File created	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File created	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File created	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File created	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdfp32.exe
File created	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File created	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdfp32.exe
File created	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File created	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe
File created	C:\Windows\SysWOW64\igfxdfp32.exe	igfxdfp32.exe

Suspicious use of SetThreadContext 48 IoCs

description	pid	Process	procid_target
PID 3920 set thread context of 408	3920	c74dd01a21871c8a57a96b51bf164f0c_JaffaCakes118.exe	83
PID 3028 set thread context of 4052	3028	igfxdfp32.exe	85
PID 2188 set thread context of 4268	2188	igfxdfp32.exe	88
PID 3448 set thread context of 2336	3448	igfxdfp32.exe	92
PID 1904 set thread context of 4204	1904	igfxdfp32.exe	98
PID 992 set thread context of 1776	992	igfxdfp32.exe	102
PID 2292 set thread context of 736	2292	igfxdfp32.exe	108
PID 4908 set thread context of 4328	4908	igfxdfp32.exe	110
PID 3612 set thread context of 1180	3612	igfxdfp32.exe	112
PID 772 set thread context of 2036	772	igfxdfp32.exe	114
PID 4812 set thread context of 4632	4812	igfxdfp32.exe	118
PID 4952 set thread context of 4496	4952	igfxdfp32.exe	120
PID 3140 set thread context of 1728	3140	igfxdfp32.exe	123
PID 3408 set thread context of 2472	3408	igfxdfp32.exe	125
PID 1656 set thread context of 3000	1656	igfxdfp32.exe	127
PID 3356 set thread context of 264	3356	igfxdfp32.exe	129
PID 1312 set thread context of 4532	1312	igfxdfp32.exe	131
PID 4960 set thread context of 3568	4960	igfxdfp32.exe	133
PID 5036 set thread context of 2456	5036	igfxdfp32.exe	135
PID 3876 set thread context of 4764	3876	igfxdfp32.exe	137
PID 2284 set thread context of 1876	2284	igfxdfp32.exe	139
PID 2392 set thread context of 1768	2392	igfxdfp32.exe	141
PID 1624 set thread context of 3144	1624	igfxdfp32.exe	143
PID 2548 set thread context of 4608	2548	igfxdfp32.exe	145
PID 3572 set thread context of 1216	3572	igfxdfp32.exe	147
PID 2536 set thread context of 756	2536	igfxdfp32.exe	149
PID 3368 set thread context of 1336	3368	igfxdfp32.exe	151
PID 4848 set thread context of 2752	4848	igfxdfp32.exe	153
PID 5008 set thread context of 5032	5008	igfxdfp32.exe	155
PID 1312 set thread context of 2444	1312	igfxdfp32.exe	157
PID 3244 set thread context of 4256	3244	igfxdfp32.exe	159
PID 2000 set thread context of 1696	2000	igfxdfp32.exe	161
PID 4352 set thread context of 4316	4352	igfxdfp32.exe	163
PID 3612 set thread context of 4964	3612	igfxdfp32.exe	165
PID 2032 set thread context of 3892	2032	igfxdfp32.exe	167
PID 2392 set thread context of 1176	2392	igfxdfp32.exe	169
PID 4152 set thread context of 4008	4152	igfxdfp32.exe	171
PID 3656 set thread context of 2332	3656	igfxdfp32.exe	173
PID 1544 set thread context of 2812	1544	igfxdfp32.exe	175
PID 4112 set thread context of 3408	4112	igfxdfp32.exe	177
PID 1916 set thread context of 4768	1916	igfxdfp32.exe	179
PID 2756 set thread context of 2636	2756	igfxdfp32.exe	181
PID 264 set thread context of 4612	264	igfxdfp32.exe	183
PID 4772 set thread context of 5100	4772	igfxdfp32.exe	185
PID 212 set thread context of 1420	212	igfxdfp32.exe	187
PID 4336 set thread context of 4728	4336	igfxdfp32.exe	189
PID 1224 set thread context of 1168	1224	igfxdfp32.exe	191
PID 1408 set thread context of 1388	1408	igfxdfp32.exe	193

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/408-2-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/408-4-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/408-6-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/408-5-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/408-69-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/4052-75-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/4052-77-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/4052-76-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/4052-79-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/4268-87-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/4268-88-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/4268-86-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/4268-90-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/2336-97-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/2336-98-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/2336-99-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/2336-103-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/4204-109-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/4204-111-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/4204-110-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/4204-115-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/1776-125-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/736-136-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/4328-146-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/1180-157-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/1180-158-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/2036-172-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/4632-184-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/4496-193-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/4496-197-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/1728-209-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/2472-221-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/3000-233-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/264-246-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/4532-258-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/3568-270-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/2456-282-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/4764-295-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/1876-307-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/1768-319-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/3144-330-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/4608-340-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/1216-350-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/756-360-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/1336-370-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/2752-380-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/5032-390-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/2444-400-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/4256-410-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/1696-418-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/1696-421-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/4316-431-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/4964-441-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/3892-451-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/1176-462-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/4008-471-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/2332-481-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/2812-491-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/3408-501-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/4768-511-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/2636-521-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/4612-531-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/5100-541-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral2/memory/1420-551-0x0000000000400000-0x000000000045F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c74dd01a21871c8a57a96b51bf164f0c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c74dd01a21871c8a57a96b51bf164f0c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdfp32.exe

Modifies registry class 47 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	c74dd01a21871c8a57a96b51bf164f0c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdfp32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
408	c74dd01a21871c8a57a96b51bf164f0c_JaffaCakes118.exe
408	c74dd01a21871c8a57a96b51bf164f0c_JaffaCakes118.exe
4052	igfxdfp32.exe
4052	igfxdfp32.exe
4268	igfxdfp32.exe
4268	igfxdfp32.exe
2336	igfxdfp32.exe
2336	igfxdfp32.exe
4204	igfxdfp32.exe
4204	igfxdfp32.exe
1776	igfxdfp32.exe
1776	igfxdfp32.exe
736	igfxdfp32.exe
736	igfxdfp32.exe
4328	igfxdfp32.exe
4328	igfxdfp32.exe
1180	igfxdfp32.exe
1180	igfxdfp32.exe
2036	igfxdfp32.exe
2036	igfxdfp32.exe
4632	igfxdfp32.exe
4632	igfxdfp32.exe
4496	igfxdfp32.exe
4496	igfxdfp32.exe
1728	igfxdfp32.exe
1728	igfxdfp32.exe
2472	igfxdfp32.exe
2472	igfxdfp32.exe
3000	igfxdfp32.exe
3000	igfxdfp32.exe
264	igfxdfp32.exe
264	igfxdfp32.exe
4532	igfxdfp32.exe
4532	igfxdfp32.exe
3568	igfxdfp32.exe
3568	igfxdfp32.exe
2456	igfxdfp32.exe
2456	igfxdfp32.exe
4764	igfxdfp32.exe
4764	igfxdfp32.exe
1876	igfxdfp32.exe
1876	igfxdfp32.exe
1768	igfxdfp32.exe
1768	igfxdfp32.exe
3144	igfxdfp32.exe
3144	igfxdfp32.exe
4608	igfxdfp32.exe
4608	igfxdfp32.exe
1216	igfxdfp32.exe
1216	igfxdfp32.exe
756	igfxdfp32.exe
756	igfxdfp32.exe
1336	igfxdfp32.exe
1336	igfxdfp32.exe
2752	igfxdfp32.exe
2752	igfxdfp32.exe
5032	igfxdfp32.exe
5032	igfxdfp32.exe
2444	igfxdfp32.exe
2444	igfxdfp32.exe
4256	igfxdfp32.exe
4256	igfxdfp32.exe
1696	igfxdfp32.exe
1696	igfxdfp32.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
3920	c74dd01a21871c8a57a96b51bf164f0c_JaffaCakes118.exe
3028	igfxdfp32.exe
2188	igfxdfp32.exe
3448	igfxdfp32.exe
1904	igfxdfp32.exe
992	igfxdfp32.exe
2292	igfxdfp32.exe
4908	igfxdfp32.exe
3612	igfxdfp32.exe
772	igfxdfp32.exe
4812	igfxdfp32.exe
4952	igfxdfp32.exe
3140	igfxdfp32.exe
3408	igfxdfp32.exe
1656	igfxdfp32.exe
3356	igfxdfp32.exe
1312	igfxdfp32.exe
4960	igfxdfp32.exe
5036	igfxdfp32.exe
3876	igfxdfp32.exe
2284	igfxdfp32.exe
2392	igfxdfp32.exe
1624	igfxdfp32.exe
2548	igfxdfp32.exe
3572	igfxdfp32.exe
2536	igfxdfp32.exe
3368	igfxdfp32.exe
4848	igfxdfp32.exe
5008	igfxdfp32.exe
1312	igfxdfp32.exe
3244	igfxdfp32.exe
2000	igfxdfp32.exe
4352	igfxdfp32.exe
3612	igfxdfp32.exe
2032	igfxdfp32.exe
2392	igfxdfp32.exe
4152	igfxdfp32.exe
3656	igfxdfp32.exe
1544	igfxdfp32.exe
4112	igfxdfp32.exe
1916	igfxdfp32.exe
2756	igfxdfp32.exe
264	igfxdfp32.exe
4772	igfxdfp32.exe
212	igfxdfp32.exe
4336	igfxdfp32.exe
1224	igfxdfp32.exe
1408	igfxdfp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 408	3920	c74dd01a21871c8a57a96b51bf164f0c_JaffaCakes118.exe	83
PID 3920 wrote to memory of 408	3920	c74dd01a21871c8a57a96b51bf164f0c_JaffaCakes118.exe	83
PID 3920 wrote to memory of 408	3920	c74dd01a21871c8a57a96b51bf164f0c_JaffaCakes118.exe	83
PID 3920 wrote to memory of 408	3920	c74dd01a21871c8a57a96b51bf164f0c_JaffaCakes118.exe	83
PID 3920 wrote to memory of 408	3920	c74dd01a21871c8a57a96b51bf164f0c_JaffaCakes118.exe	83
PID 3920 wrote to memory of 408	3920	c74dd01a21871c8a57a96b51bf164f0c_JaffaCakes118.exe	83
PID 3920 wrote to memory of 408	3920	c74dd01a21871c8a57a96b51bf164f0c_JaffaCakes118.exe	83
PID 3920 wrote to memory of 408	3920	c74dd01a21871c8a57a96b51bf164f0c_JaffaCakes118.exe	83
PID 408 wrote to memory of 3028	408	c74dd01a21871c8a57a96b51bf164f0c_JaffaCakes118.exe	84
PID 408 wrote to memory of 3028	408	c74dd01a21871c8a57a96b51bf164f0c_JaffaCakes118.exe	84
PID 408 wrote to memory of 3028	408	c74dd01a21871c8a57a96b51bf164f0c_JaffaCakes118.exe	84
PID 3028 wrote to memory of 4052	3028	igfxdfp32.exe	85
PID 3028 wrote to memory of 4052	3028	igfxdfp32.exe	85
PID 3028 wrote to memory of 4052	3028	igfxdfp32.exe	85
PID 3028 wrote to memory of 4052	3028	igfxdfp32.exe	85
PID 3028 wrote to memory of 4052	3028	igfxdfp32.exe	85
PID 3028 wrote to memory of 4052	3028	igfxdfp32.exe	85
PID 3028 wrote to memory of 4052	3028	igfxdfp32.exe	85
PID 3028 wrote to memory of 4052	3028	igfxdfp32.exe	85
PID 4052 wrote to memory of 2188	4052	igfxdfp32.exe	87
PID 4052 wrote to memory of 2188	4052	igfxdfp32.exe	87
PID 4052 wrote to memory of 2188	4052	igfxdfp32.exe	87
PID 2188 wrote to memory of 4268	2188	igfxdfp32.exe	88
PID 2188 wrote to memory of 4268	2188	igfxdfp32.exe	88
PID 2188 wrote to memory of 4268	2188	igfxdfp32.exe	88
PID 2188 wrote to memory of 4268	2188	igfxdfp32.exe	88
PID 2188 wrote to memory of 4268	2188	igfxdfp32.exe	88
PID 2188 wrote to memory of 4268	2188	igfxdfp32.exe	88
PID 2188 wrote to memory of 4268	2188	igfxdfp32.exe	88
PID 2188 wrote to memory of 4268	2188	igfxdfp32.exe	88
PID 4268 wrote to memory of 3448	4268	igfxdfp32.exe	91
PID 4268 wrote to memory of 3448	4268	igfxdfp32.exe	91
PID 4268 wrote to memory of 3448	4268	igfxdfp32.exe	91
PID 3448 wrote to memory of 2336	3448	igfxdfp32.exe	92
PID 3448 wrote to memory of 2336	3448	igfxdfp32.exe	92
PID 3448 wrote to memory of 2336	3448	igfxdfp32.exe	92
PID 3448 wrote to memory of 2336	3448	igfxdfp32.exe	92
PID 3448 wrote to memory of 2336	3448	igfxdfp32.exe	92
PID 3448 wrote to memory of 2336	3448	igfxdfp32.exe	92
PID 3448 wrote to memory of 2336	3448	igfxdfp32.exe	92
PID 3448 wrote to memory of 2336	3448	igfxdfp32.exe	92
PID 2336 wrote to memory of 1904	2336	igfxdfp32.exe	97
PID 2336 wrote to memory of 1904	2336	igfxdfp32.exe	97
PID 2336 wrote to memory of 1904	2336	igfxdfp32.exe	97
PID 1904 wrote to memory of 4204	1904	igfxdfp32.exe	98
PID 1904 wrote to memory of 4204	1904	igfxdfp32.exe	98
PID 1904 wrote to memory of 4204	1904	igfxdfp32.exe	98
PID 1904 wrote to memory of 4204	1904	igfxdfp32.exe	98
PID 1904 wrote to memory of 4204	1904	igfxdfp32.exe	98
PID 1904 wrote to memory of 4204	1904	igfxdfp32.exe	98
PID 1904 wrote to memory of 4204	1904	igfxdfp32.exe	98
PID 1904 wrote to memory of 4204	1904	igfxdfp32.exe	98
PID 4204 wrote to memory of 992	4204	igfxdfp32.exe	101
PID 4204 wrote to memory of 992	4204	igfxdfp32.exe	101
PID 4204 wrote to memory of 992	4204	igfxdfp32.exe	101
PID 992 wrote to memory of 1776	992	igfxdfp32.exe	102
PID 992 wrote to memory of 1776	992	igfxdfp32.exe	102
PID 992 wrote to memory of 1776	992	igfxdfp32.exe	102
PID 992 wrote to memory of 1776	992	igfxdfp32.exe	102
PID 992 wrote to memory of 1776	992	igfxdfp32.exe	102
PID 992 wrote to memory of 1776	992	igfxdfp32.exe	102
PID 992 wrote to memory of 1776	992	igfxdfp32.exe	102
PID 992 wrote to memory of 1776	992	igfxdfp32.exe	102
PID 1776 wrote to memory of 2292	1776	igfxdfp32.exe	107

C:\Users\Admin\AppData\Local\Temp\c74dd01a21871c8a57a96b51bf164f0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c74dd01a21871c8a57a96b51bf164f0c_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Users\Admin\AppData\Local\Temp\c74dd01a21871c8a57a96b51bf164f0c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\c74dd01a21871c8a57a96b51bf164f0c_JaffaCakes118.exe
  2⤵
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Windows\SysWOW64\igfxdfp32.exe
    "C:\Windows\system32\igfxdfp32.exe" C:\Users\Admin\AppData\Local\Temp\C74DD0~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Windows\SysWOW64\igfxdfp32.exe
      "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Users\Admin\AppData\Local\Temp\C74DD0~1.EXE
      4⤵
      Checks computer location settings
      Deletes itself
      Executes dropped EXE
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4052
    - - C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2188
      - C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:992
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2292
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:736
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4908
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4328
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3612
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1180
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:772
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2036
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4812
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4632
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4952
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4496
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3140
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1728
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3408
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2472
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3000
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3356
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:264
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1312
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4532
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4960
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3568
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5036
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2456
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3876
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4764
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2284
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1876
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2392
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1768
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3144
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2548
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4608
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3572
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1216
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2536
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:756
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3368
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1336
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4848
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2752
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5008
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5032
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1312
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2444
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3244
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4256
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1696
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4352
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        66⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        67⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3612
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        68⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        69⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2032
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        70⤵
        Checks computer location settings
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        71⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2392
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        72⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:1176
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        73⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4152
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        74⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        75⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3656
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        76⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        77⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        78⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        79⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4112
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        80⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        81⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        82⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        83⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2756
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        84⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        85⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:264
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        86⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        87⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4772
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        88⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        89⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:212
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        90⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        91⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4336
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        92⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        93⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1224
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        94⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\system32\igfxdfp32.exe" C:\Windows\SysWOW64\IGFXDF~1.EXE
        95⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1408
        
        C:\Windows\SysWOW64\igfxdfp32.exe
        
        "C:\Windows\SysWOW64\igfxdfp32.exe " C:\Windows\SysWOW64\IGFXDF~1.EXE
        96⤵
        
        PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\igfxdfp32.exe

Filesize
268KB

MD5
c74dd01a21871c8a57a96b51bf164f0c

SHA1
93689e714be0e4930799e661acd40fcd1ccb55b1

SHA256
0a011d41ad1664fddeb76d929e0ab5e746a08af71cedddc5c2efcda49e6d5bba

SHA512
55c09c40a84f9bdd7e72906dc999465f3802dc9e26e8828107bc847267691347df269b5679ce7123c7210ec0b6b2a4890dab00df42c88b9337302c1e8fee0744

Download Submit
memory/264-246-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/408-4-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/408-6-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/408-5-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/408-69-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/408-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/736-136-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/756-360-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1168-571-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1176-462-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1180-158-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1180-157-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1216-350-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1336-370-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1420-551-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1696-421-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1696-418-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1728-209-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1768-319-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1776-125-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1876-307-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2036-172-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2332-481-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2336-99-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2336-98-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2336-103-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2336-97-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2444-400-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2456-282-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2472-221-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2636-521-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2752-380-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2812-491-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3000-233-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3144-330-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3408-501-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3568-270-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3892-451-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4008-471-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4052-77-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4052-79-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4052-75-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4052-76-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4204-110-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4204-109-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4204-111-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4204-115-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4256-410-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4268-87-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4268-88-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4268-86-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4268-90-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4316-431-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4328-146-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4496-197-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4496-193-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4532-258-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4608-340-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4612-531-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4632-184-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4728-561-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4764-295-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4768-511-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4964-441-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5032-390-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5100-541-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download