metasploit | c0cc8f045de288c4c5e92c0276fdd0ae98eb91bbe6185c8ab2f3f94cf1d731e8

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de44c57d1250801ba11dd8e99f9e4f03_JaffaCakes118.exe
Size

284KB
MD5

de44c57d1250801ba11dd8e99f9e4f03
SHA1

e33a1a4f3e7c6975ff349ef81fcbf642d2586616
SHA256

c0cc8f045de288c4c5e92c0276fdd0ae98eb91bbe6185c8ab2f3f94cf1d731e8
SHA512

f69fce485e025aa707c2e6681df3931917ee5aba376f73db9d9aec7e147770cb8ae12adeeaf0b65592956e711566fbdda80ed3da8290fab144a2f6a531d5e665
SSDEEP

3072:Z1VMYoCc7mydRtMjVfw5uXtB2yfScsvxFTNSoZ7EuoCc7mydRtMjVfw5uXtB2yfY:yNRtMjVf+affzc4ZNRtMjVf+affzc4Q

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks computer location settings 2 TTPs 49 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	de44c57d1250801ba11dd8e99f9e4f03_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	igfxtray32.exe

Deletes itself 1 IoCs

pid	Process
536	igfxtray32.exe

Executes dropped EXE 64 IoCs

pid	Process
1740	igfxtray32.exe
536	igfxtray32.exe
3280	igfxtray32.exe
1540	igfxtray32.exe
1460	igfxtray32.exe
3040	igfxtray32.exe
4140	igfxtray32.exe
4892	igfxtray32.exe
3088	igfxtray32.exe
3268	igfxtray32.exe
1344	igfxtray32.exe
3148	igfxtray32.exe
4128	igfxtray32.exe
3352	igfxtray32.exe
1940	igfxtray32.exe
4604	igfxtray32.exe
3664	igfxtray32.exe
4948	igfxtray32.exe
2104	igfxtray32.exe
2788	igfxtray32.exe
4968	igfxtray32.exe
3140	igfxtray32.exe
2648	igfxtray32.exe
4724	igfxtray32.exe
2632	igfxtray32.exe
640	igfxtray32.exe
5104	igfxtray32.exe
4708	igfxtray32.exe
3768	igfxtray32.exe
1580	igfxtray32.exe
1896	igfxtray32.exe
1900	igfxtray32.exe
3088	igfxtray32.exe
4412	igfxtray32.exe
4984	igfxtray32.exe
3804	igfxtray32.exe
3320	igfxtray32.exe
2276	igfxtray32.exe
2588	igfxtray32.exe
3188	igfxtray32.exe
2128	igfxtray32.exe
4712	igfxtray32.exe
3992	igfxtray32.exe
2288	igfxtray32.exe
5108	igfxtray32.exe
3860	igfxtray32.exe
3940	igfxtray32.exe
4968	igfxtray32.exe
4408	igfxtray32.exe
1788	igfxtray32.exe
1072	igfxtray32.exe
3960	igfxtray32.exe
212	igfxtray32.exe
3284	igfxtray32.exe
4492	igfxtray32.exe
2520	igfxtray32.exe
1840	igfxtray32.exe
3220	igfxtray32.exe
1196	igfxtray32.exe
4012	igfxtray32.exe
688	igfxtray32.exe
3224	igfxtray32.exe
4588	igfxtray32.exe
3252	igfxtray32.exe

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxtray32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxtray32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxtray32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxtray32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxtray32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	de44c57d1250801ba11dd8e99f9e4f03_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxtray32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxtray32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxtray32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxtray32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxtray32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxtray32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxtray32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxtray32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxtray32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxtray32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\	igfxtray32.exe
File created	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxtray32.exe
File created	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File created	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File created	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxtray32.exe
File created	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File created	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxtray32.exe
File created	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxtray32.exe
File created	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File created	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File created	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File created	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File created	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxtray32.exe
File created	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxtray32.exe
File created	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File created	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxtray32.exe
File created	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxtray32.exe
File created	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxtray32.exe
File created	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\	de44c57d1250801ba11dd8e99f9e4f03_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File created	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxtray32.exe
File created	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File created	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxtray32.exe
File created	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxtray32.exe
File created	C:\Windows\SysWOW64\igfxtray32.exe	igfxtray32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxtray32.exe

Suspicious use of SetThreadContext 50 IoCs

description	pid	Process	procid_target
PID 2220 set thread context of 2200	2220	de44c57d1250801ba11dd8e99f9e4f03_JaffaCakes118.exe	82
PID 1740 set thread context of 536	1740	igfxtray32.exe	84
PID 3280 set thread context of 1540	3280	igfxtray32.exe	86
PID 1460 set thread context of 3040	1460	igfxtray32.exe	88
PID 4140 set thread context of 4892	4140	igfxtray32.exe	94
PID 3088 set thread context of 3268	3088	igfxtray32.exe	97
PID 1344 set thread context of 3148	1344	igfxtray32.exe	101
PID 4128 set thread context of 3352	4128	igfxtray32.exe	103
PID 1940 set thread context of 4604	1940	igfxtray32.exe	105
PID 3664 set thread context of 4948	3664	igfxtray32.exe	107
PID 2104 set thread context of 2788	2104	igfxtray32.exe	109
PID 4968 set thread context of 3140	4968	igfxtray32.exe	113
PID 2648 set thread context of 4724	2648	igfxtray32.exe	115
PID 2632 set thread context of 640	2632	igfxtray32.exe	117
PID 5104 set thread context of 4708	5104	igfxtray32.exe	119
PID 3768 set thread context of 1580	3768	igfxtray32.exe	121
PID 1896 set thread context of 1900	1896	igfxtray32.exe	123
PID 3088 set thread context of 4412	3088	igfxtray32.exe	125
PID 4984 set thread context of 3804	4984	igfxtray32.exe	127
PID 3320 set thread context of 2276	3320	igfxtray32.exe	129
PID 2588 set thread context of 3188	2588	igfxtray32.exe	131
PID 2128 set thread context of 4712	2128	igfxtray32.exe	133
PID 3992 set thread context of 2288	3992	igfxtray32.exe	135
PID 5108 set thread context of 3860	5108	igfxtray32.exe	137
PID 3940 set thread context of 4968	3940	igfxtray32.exe	139
PID 4408 set thread context of 1788	4408	igfxtray32.exe	141
PID 1072 set thread context of 3960	1072	igfxtray32.exe	143
PID 212 set thread context of 3284	212	igfxtray32.exe	145
PID 4492 set thread context of 2520	4492	igfxtray32.exe	147
PID 1840 set thread context of 3220	1840	igfxtray32.exe	149
PID 1196 set thread context of 4012	1196	igfxtray32.exe	151
PID 688 set thread context of 3224	688	igfxtray32.exe	153
PID 4588 set thread context of 3252	4588	igfxtray32.exe	155
PID 2248 set thread context of 1828	2248	igfxtray32.exe	157
PID 1600 set thread context of 4032	1600	igfxtray32.exe	159
PID 4828 set thread context of 412	4828	igfxtray32.exe	161
PID 704 set thread context of 5040	704	igfxtray32.exe	163
PID 2852 set thread context of 3952	2852	igfxtray32.exe	165
PID 2336 set thread context of 3988	2336	igfxtray32.exe	167
PID 3212 set thread context of 2700	3212	igfxtray32.exe	169
PID 4348 set thread context of 4628	4348	igfxtray32.exe	171
PID 64 set thread context of 3564	64	igfxtray32.exe	173
PID 1884 set thread context of 1268	1884	igfxtray32.exe	175
PID 4932 set thread context of 4140	4932	igfxtray32.exe	177
PID 4040 set thread context of 3432	4040	igfxtray32.exe	179
PID 4756 set thread context of 5004	4756	igfxtray32.exe	181
PID 4508 set thread context of 1328	4508	igfxtray32.exe	183
PID 2384 set thread context of 332	2384	igfxtray32.exe	185
PID 4620 set thread context of 3428	4620	igfxtray32.exe	187
PID 4124 set thread context of 3452	4124	igfxtray32.exe	189

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2200-2-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2200-4-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2200-6-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2200-5-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2200-69-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/536-76-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/536-78-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/536-77-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/536-75-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/536-82-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1540-89-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1540-91-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1540-90-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1540-93-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3040-100-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3040-102-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3040-101-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3040-104-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4892-111-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4892-112-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4892-113-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4892-116-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3268-126-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3148-139-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3352-149-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4604-157-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4604-158-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4604-159-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4604-161-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4948-174-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2788-181-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2788-187-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3140-199-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4724-211-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/640-224-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4708-236-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1580-249-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1900-261-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4412-268-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4412-274-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3804-286-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2276-299-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3188-310-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4712-323-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2288-330-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2288-336-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3860-348-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4968-355-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4968-358-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1788-368-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3960-378-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3284-388-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2520-394-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2520-399-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3220-409-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4012-419-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3224-429-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3252-439-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1828-449-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4032-459-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/412-469-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/5040-479-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3952-489-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3988-499-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxtray32.exe

Modifies registry class 49 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	de44c57d1250801ba11dd8e99f9e4f03_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxtray32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2200	de44c57d1250801ba11dd8e99f9e4f03_JaffaCakes118.exe
2200	de44c57d1250801ba11dd8e99f9e4f03_JaffaCakes118.exe
536	igfxtray32.exe
536	igfxtray32.exe
1540	igfxtray32.exe
1540	igfxtray32.exe
3040	igfxtray32.exe
3040	igfxtray32.exe
4892	igfxtray32.exe
4892	igfxtray32.exe
3268	igfxtray32.exe
3268	igfxtray32.exe
3148	igfxtray32.exe
3148	igfxtray32.exe
3352	igfxtray32.exe
3352	igfxtray32.exe
4604	igfxtray32.exe
4604	igfxtray32.exe
4948	igfxtray32.exe
4948	igfxtray32.exe
2788	igfxtray32.exe
2788	igfxtray32.exe
3140	igfxtray32.exe
3140	igfxtray32.exe
4724	igfxtray32.exe
4724	igfxtray32.exe
640	igfxtray32.exe
640	igfxtray32.exe
4708	igfxtray32.exe
4708	igfxtray32.exe
1580	igfxtray32.exe
1580	igfxtray32.exe
1900	igfxtray32.exe
1900	igfxtray32.exe
4412	igfxtray32.exe
4412	igfxtray32.exe
3804	igfxtray32.exe
3804	igfxtray32.exe
2276	igfxtray32.exe
2276	igfxtray32.exe
3188	igfxtray32.exe
3188	igfxtray32.exe
4712	igfxtray32.exe
4712	igfxtray32.exe
2288	igfxtray32.exe
2288	igfxtray32.exe
3860	igfxtray32.exe
3860	igfxtray32.exe
4968	igfxtray32.exe
4968	igfxtray32.exe
1788	igfxtray32.exe
1788	igfxtray32.exe
3960	igfxtray32.exe
3960	igfxtray32.exe
3284	igfxtray32.exe
3284	igfxtray32.exe
2520	igfxtray32.exe
2520	igfxtray32.exe
3220	igfxtray32.exe
3220	igfxtray32.exe
4012	igfxtray32.exe
4012	igfxtray32.exe
3224	igfxtray32.exe
3224	igfxtray32.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
2220	de44c57d1250801ba11dd8e99f9e4f03_JaffaCakes118.exe
1740	igfxtray32.exe
3280	igfxtray32.exe
1460	igfxtray32.exe
4140	igfxtray32.exe
3088	igfxtray32.exe
1344	igfxtray32.exe
4128	igfxtray32.exe
1940	igfxtray32.exe
3664	igfxtray32.exe
2104	igfxtray32.exe
4968	igfxtray32.exe
2648	igfxtray32.exe
2632	igfxtray32.exe
5104	igfxtray32.exe
3768	igfxtray32.exe
1896	igfxtray32.exe
3088	igfxtray32.exe
4984	igfxtray32.exe
3320	igfxtray32.exe
2588	igfxtray32.exe
2128	igfxtray32.exe
3992	igfxtray32.exe
5108	igfxtray32.exe
3940	igfxtray32.exe
4408	igfxtray32.exe
1072	igfxtray32.exe
212	igfxtray32.exe
4492	igfxtray32.exe
1840	igfxtray32.exe
1196	igfxtray32.exe
688	igfxtray32.exe
4588	igfxtray32.exe
2248	igfxtray32.exe
1600	igfxtray32.exe
4828	igfxtray32.exe
704	igfxtray32.exe
2852	igfxtray32.exe
2336	igfxtray32.exe
3212	igfxtray32.exe
4348	igfxtray32.exe
64	igfxtray32.exe
1884	igfxtray32.exe
4932	igfxtray32.exe
4040	igfxtray32.exe
4756	igfxtray32.exe
4508	igfxtray32.exe
2384	igfxtray32.exe
4620	igfxtray32.exe
4124	igfxtray32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2200	2220	de44c57d1250801ba11dd8e99f9e4f03_JaffaCakes118.exe	82
PID 2220 wrote to memory of 2200	2220	de44c57d1250801ba11dd8e99f9e4f03_JaffaCakes118.exe	82
PID 2220 wrote to memory of 2200	2220	de44c57d1250801ba11dd8e99f9e4f03_JaffaCakes118.exe	82
PID 2220 wrote to memory of 2200	2220	de44c57d1250801ba11dd8e99f9e4f03_JaffaCakes118.exe	82
PID 2220 wrote to memory of 2200	2220	de44c57d1250801ba11dd8e99f9e4f03_JaffaCakes118.exe	82
PID 2220 wrote to memory of 2200	2220	de44c57d1250801ba11dd8e99f9e4f03_JaffaCakes118.exe	82
PID 2220 wrote to memory of 2200	2220	de44c57d1250801ba11dd8e99f9e4f03_JaffaCakes118.exe	82
PID 2220 wrote to memory of 2200	2220	de44c57d1250801ba11dd8e99f9e4f03_JaffaCakes118.exe	82
PID 2200 wrote to memory of 1740	2200	de44c57d1250801ba11dd8e99f9e4f03_JaffaCakes118.exe	83
PID 2200 wrote to memory of 1740	2200	de44c57d1250801ba11dd8e99f9e4f03_JaffaCakes118.exe	83
PID 2200 wrote to memory of 1740	2200	de44c57d1250801ba11dd8e99f9e4f03_JaffaCakes118.exe	83
PID 1740 wrote to memory of 536	1740	igfxtray32.exe	84
PID 1740 wrote to memory of 536	1740	igfxtray32.exe	84
PID 1740 wrote to memory of 536	1740	igfxtray32.exe	84
PID 1740 wrote to memory of 536	1740	igfxtray32.exe	84
PID 1740 wrote to memory of 536	1740	igfxtray32.exe	84
PID 1740 wrote to memory of 536	1740	igfxtray32.exe	84
PID 1740 wrote to memory of 536	1740	igfxtray32.exe	84
PID 1740 wrote to memory of 536	1740	igfxtray32.exe	84
PID 536 wrote to memory of 3280	536	igfxtray32.exe	85
PID 536 wrote to memory of 3280	536	igfxtray32.exe	85
PID 536 wrote to memory of 3280	536	igfxtray32.exe	85
PID 3280 wrote to memory of 1540	3280	igfxtray32.exe	86
PID 3280 wrote to memory of 1540	3280	igfxtray32.exe	86
PID 3280 wrote to memory of 1540	3280	igfxtray32.exe	86
PID 3280 wrote to memory of 1540	3280	igfxtray32.exe	86
PID 3280 wrote to memory of 1540	3280	igfxtray32.exe	86
PID 3280 wrote to memory of 1540	3280	igfxtray32.exe	86
PID 3280 wrote to memory of 1540	3280	igfxtray32.exe	86
PID 3280 wrote to memory of 1540	3280	igfxtray32.exe	86
PID 1540 wrote to memory of 1460	1540	igfxtray32.exe	87
PID 1540 wrote to memory of 1460	1540	igfxtray32.exe	87
PID 1540 wrote to memory of 1460	1540	igfxtray32.exe	87
PID 1460 wrote to memory of 3040	1460	igfxtray32.exe	88
PID 1460 wrote to memory of 3040	1460	igfxtray32.exe	88
PID 1460 wrote to memory of 3040	1460	igfxtray32.exe	88
PID 1460 wrote to memory of 3040	1460	igfxtray32.exe	88
PID 1460 wrote to memory of 3040	1460	igfxtray32.exe	88
PID 1460 wrote to memory of 3040	1460	igfxtray32.exe	88
PID 1460 wrote to memory of 3040	1460	igfxtray32.exe	88
PID 1460 wrote to memory of 3040	1460	igfxtray32.exe	88
PID 3040 wrote to memory of 4140	3040	igfxtray32.exe	93
PID 3040 wrote to memory of 4140	3040	igfxtray32.exe	93
PID 3040 wrote to memory of 4140	3040	igfxtray32.exe	93
PID 4140 wrote to memory of 4892	4140	igfxtray32.exe	94
PID 4140 wrote to memory of 4892	4140	igfxtray32.exe	94
PID 4140 wrote to memory of 4892	4140	igfxtray32.exe	94
PID 4140 wrote to memory of 4892	4140	igfxtray32.exe	94
PID 4140 wrote to memory of 4892	4140	igfxtray32.exe	94
PID 4140 wrote to memory of 4892	4140	igfxtray32.exe	94
PID 4140 wrote to memory of 4892	4140	igfxtray32.exe	94
PID 4140 wrote to memory of 4892	4140	igfxtray32.exe	94
PID 4892 wrote to memory of 3088	4892	igfxtray32.exe	96
PID 4892 wrote to memory of 3088	4892	igfxtray32.exe	96
PID 4892 wrote to memory of 3088	4892	igfxtray32.exe	96
PID 3088 wrote to memory of 3268	3088	igfxtray32.exe	97
PID 3088 wrote to memory of 3268	3088	igfxtray32.exe	97
PID 3088 wrote to memory of 3268	3088	igfxtray32.exe	97
PID 3088 wrote to memory of 3268	3088	igfxtray32.exe	97
PID 3088 wrote to memory of 3268	3088	igfxtray32.exe	97
PID 3088 wrote to memory of 3268	3088	igfxtray32.exe	97
PID 3088 wrote to memory of 3268	3088	igfxtray32.exe	97
PID 3088 wrote to memory of 3268	3088	igfxtray32.exe	97
PID 3268 wrote to memory of 1344	3268	igfxtray32.exe	100

C:\Users\Admin\AppData\Local\Temp\de44c57d1250801ba11dd8e99f9e4f03_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\de44c57d1250801ba11dd8e99f9e4f03_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\de44c57d1250801ba11dd8e99f9e4f03_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\de44c57d1250801ba11dd8e99f9e4f03_JaffaCakes118.exe
  2⤵
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\SysWOW64\igfxtray32.exe
    "C:\Windows\system32\igfxtray32.exe" C:\Users\Admin\AppData\Local\Temp\DE44C5~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Windows\SysWOW64\igfxtray32.exe
      "C:\Windows\SysWOW64\igfxtray32.exe " C:\Users\Admin\AppData\Local\Temp\DE44C5~1.EXE
      4⤵
      Checks computer location settings
      Deletes itself
      Executes dropped EXE
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:536
    - - C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3280
      - C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1344
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3148
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4128
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3352
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1940
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4604
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3664
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4948
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2104
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2788
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4968
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3140
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2648
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4724
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2632
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:640
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5104
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4708
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3768
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1580
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1896
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1900
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3088
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4412
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4984
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3804
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3320
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2276
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2588
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3188
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2128
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4712
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3992
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2288
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5108
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3860
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3940
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4968
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4408
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1788
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1072
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3960
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:212
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3284
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4492
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2520
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1840
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3220
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1196
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4012
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:688
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3224
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4588
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        66⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        67⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2248
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        68⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        69⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        70⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        71⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4828
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        72⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        73⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:704
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        74⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        75⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2852
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        76⤵
        Checks computer location settings
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        77⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2336
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        78⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        79⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3212
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        80⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        81⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4348
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        82⤵
        Checks computer location settings
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        83⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:64
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        84⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        85⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1884
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        86⤵
        Checks computer location settings
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        87⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4932
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        88⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        89⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4040
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        90⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        91⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4756
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        92⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        93⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4508
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        94⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        95⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2384
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        96⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:332
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        97⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4620
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        98⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\system32\igfxtray32.exe" C:\Windows\SysWOW64\IGFXTR~1.EXE
        99⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4124
        
        C:\Windows\SysWOW64\igfxtray32.exe
        
        "C:\Windows\SysWOW64\igfxtray32.exe " C:\Windows\SysWOW64\IGFXTR~1.EXE
        100⤵
        
        PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\igfxtray32.exe

Filesize
284KB

MD5
de44c57d1250801ba11dd8e99f9e4f03

SHA1
e33a1a4f3e7c6975ff349ef81fcbf642d2586616

SHA256
c0cc8f045de288c4c5e92c0276fdd0ae98eb91bbe6185c8ab2f3f94cf1d731e8

SHA512
f69fce485e025aa707c2e6681df3931917ee5aba376f73db9d9aec7e147770cb8ae12adeeaf0b65592956e711566fbdda80ed3da8290fab144a2f6a531d5e665

Download Submit
memory/332-589-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/412-469-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/536-76-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/536-78-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/536-77-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/536-75-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/536-82-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/640-224-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1268-539-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1328-579-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1540-89-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1540-90-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1540-93-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1540-91-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1580-249-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1788-368-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1828-449-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1900-261-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2200-69-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2200-5-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2200-6-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2200-4-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2200-2-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2276-299-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2288-336-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2288-330-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2520-399-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2520-394-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2700-510-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2788-181-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2788-187-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3040-104-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3040-102-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3040-101-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3040-100-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3140-199-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3148-139-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3188-310-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3220-409-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3224-429-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3252-439-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3268-126-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3284-388-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3352-149-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3428-599-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3432-559-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3564-529-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3804-286-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3860-348-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3952-489-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3960-378-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3988-499-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4012-419-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4032-459-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4140-549-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4412-274-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4412-268-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4604-159-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4604-157-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4604-158-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4604-161-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4628-519-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4708-236-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4712-323-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4724-211-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4892-116-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4892-113-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4892-112-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4892-111-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4948-174-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4968-358-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4968-355-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5004-569-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5040-479-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download