metasploit | 8567ace64bbdd1dbb6a424a0780f8aea46d7ac1e9558dfd5dfcfc3e37aeb3be8

Analysis

max time kernel
148s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe
Size

220KB
MD5

f2fec6cd7fb126601698a2ed4113c522
SHA1

b546d286cc926df043ccabbb16c3469443f06539
SHA256

8567ace64bbdd1dbb6a424a0780f8aea46d7ac1e9558dfd5dfcfc3e37aeb3be8
SHA512

eb1225482e481fffb6cee4e3aa12c9146d7d05125cbc73c39a12f31fc3470fa7190df04800d6b80152d0b6518d240943714812981509c908dd523c78796fa55a
SSDEEP

3072:yawE8SILiT0V+iFtPji/pL9YV2gPsoKKGQlG7SKPUqOyqjN2R3cJukfUgf:jwE8ST/Z+2gUoK66ntOJ52FcJFMgf

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Deletes itself 1 IoCs

pid	Process
2684	intelgfx32.exe

Executes dropped EXE 64 IoCs

pid	Process
2656	intelgfx32.exe
2684	intelgfx32.exe
2504	intelgfx32.exe
2988	intelgfx32.exe
2028	intelgfx32.exe
1420	intelgfx32.exe
2804	intelgfx32.exe
1888	intelgfx32.exe
1000	intelgfx32.exe
1408	intelgfx32.exe
2424	intelgfx32.exe
1912	intelgfx32.exe
2096	intelgfx32.exe
2880	intelgfx32.exe
2712	intelgfx32.exe
1532	intelgfx32.exe
2896	intelgfx32.exe
2252	intelgfx32.exe
984	intelgfx32.exe
868	intelgfx32.exe
1580	intelgfx32.exe
1588	intelgfx32.exe
2668	intelgfx32.exe
3016	intelgfx32.exe
2480	intelgfx32.exe
1960	intelgfx32.exe
864	intelgfx32.exe
2128	intelgfx32.exe
1636	intelgfx32.exe
2272	intelgfx32.exe
2288	intelgfx32.exe
1756	intelgfx32.exe
1428	intelgfx32.exe
2916	intelgfx32.exe
2872	intelgfx32.exe
1800	intelgfx32.exe
3004	intelgfx32.exe
2736	intelgfx32.exe
1632	intelgfx32.exe
356	intelgfx32.exe
3064	intelgfx32.exe
380	intelgfx32.exe
2624	intelgfx32.exe
2156	intelgfx32.exe
2364	intelgfx32.exe
1548	intelgfx32.exe
2176	intelgfx32.exe
1688	intelgfx32.exe
2720	intelgfx32.exe
2204	intelgfx32.exe
2608	intelgfx32.exe
2732	intelgfx32.exe
2956	intelgfx32.exe
1892	intelgfx32.exe
1600	intelgfx32.exe
1676	intelgfx32.exe
2840	intelgfx32.exe
1952	intelgfx32.exe
2820	intelgfx32.exe
2036	intelgfx32.exe
2376	intelgfx32.exe
1592	intelgfx32.exe
1264	intelgfx32.exe
2196	intelgfx32.exe

Loads dropped DLL 64 IoCs

pid	Process
2308	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe
2308	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe
2656	intelgfx32.exe
2656	intelgfx32.exe
2684	intelgfx32.exe
2684	intelgfx32.exe
2504	intelgfx32.exe
2504	intelgfx32.exe
2988	intelgfx32.exe
2988	intelgfx32.exe
2028	intelgfx32.exe
2028	intelgfx32.exe
1420	intelgfx32.exe
1420	intelgfx32.exe
2804	intelgfx32.exe
2804	intelgfx32.exe
1888	intelgfx32.exe
1888	intelgfx32.exe
1000	intelgfx32.exe
1000	intelgfx32.exe
1408	intelgfx32.exe
1408	intelgfx32.exe
2424	intelgfx32.exe
2424	intelgfx32.exe
1912	intelgfx32.exe
1912	intelgfx32.exe
2096	intelgfx32.exe
2096	intelgfx32.exe
2880	intelgfx32.exe
2880	intelgfx32.exe
2712	intelgfx32.exe
2712	intelgfx32.exe
1532	intelgfx32.exe
1532	intelgfx32.exe
2896	intelgfx32.exe
2896	intelgfx32.exe
2252	intelgfx32.exe
2252	intelgfx32.exe
984	intelgfx32.exe
984	intelgfx32.exe
868	intelgfx32.exe
868	intelgfx32.exe
1580	intelgfx32.exe
1580	intelgfx32.exe
1588	intelgfx32.exe
1588	intelgfx32.exe
2668	intelgfx32.exe
2668	intelgfx32.exe
3016	intelgfx32.exe
3016	intelgfx32.exe
2480	intelgfx32.exe
2480	intelgfx32.exe
1960	intelgfx32.exe
1960	intelgfx32.exe
864	intelgfx32.exe
864	intelgfx32.exe
2128	intelgfx32.exe
2128	intelgfx32.exe
1636	intelgfx32.exe
1636	intelgfx32.exe
2272	intelgfx32.exe
2272	intelgfx32.exe
2288	intelgfx32.exe
2288	intelgfx32.exe

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	intelgfx32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File opened for modification	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe
File created	C:\Windows\SysWOW64\intelgfx32.exe	intelgfx32.exe

Suspicious use of SetThreadContext 41 IoCs

description	pid	Process	procid_target
PID 2212 set thread context of 2308	2212	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe	30
PID 2656 set thread context of 2684	2656	intelgfx32.exe	32
PID 2504 set thread context of 2988	2504	intelgfx32.exe	34
PID 2028 set thread context of 1420	2028	intelgfx32.exe	36
PID 2804 set thread context of 1888	2804	intelgfx32.exe	38
PID 1000 set thread context of 1408	1000	intelgfx32.exe	40
PID 2424 set thread context of 1912	2424	intelgfx32.exe	42
PID 2096 set thread context of 2880	2096	intelgfx32.exe	44
PID 2712 set thread context of 1532	2712	intelgfx32.exe	46
PID 2896 set thread context of 2252	2896	intelgfx32.exe	48
PID 984 set thread context of 868	984	intelgfx32.exe	50
PID 1580 set thread context of 1588	1580	intelgfx32.exe	52
PID 2668 set thread context of 3016	2668	intelgfx32.exe	54
PID 2480 set thread context of 1960	2480	intelgfx32.exe	56
PID 864 set thread context of 2128	864	intelgfx32.exe	58
PID 1636 set thread context of 2272	1636	intelgfx32.exe	60
PID 2288 set thread context of 1756	2288	intelgfx32.exe	62
PID 1428 set thread context of 2916	1428	intelgfx32.exe	64
PID 2872 set thread context of 1800	2872	intelgfx32.exe	66
PID 3004 set thread context of 2736	3004	intelgfx32.exe	68
PID 1632 set thread context of 356	1632	intelgfx32.exe	70
PID 3064 set thread context of 380	3064	intelgfx32.exe	72
PID 2624 set thread context of 2156	2624	intelgfx32.exe	74
PID 2364 set thread context of 1548	2364	intelgfx32.exe	76
PID 2176 set thread context of 1688	2176	intelgfx32.exe	78
PID 2720 set thread context of 2204	2720	intelgfx32.exe	80
PID 2608 set thread context of 2732	2608	intelgfx32.exe	82
PID 2956 set thread context of 1892	2956	intelgfx32.exe	84
PID 1600 set thread context of 1676	1600	intelgfx32.exe	86
PID 2840 set thread context of 1952	2840	intelgfx32.exe	88
PID 2820 set thread context of 2036	2820	intelgfx32.exe	90
PID 2376 set thread context of 1592	2376	intelgfx32.exe	92
PID 1264 set thread context of 2196	1264	intelgfx32.exe	94
PID 2584 set thread context of 1672	2584	intelgfx32.exe	96
PID 1196 set thread context of 1464	1196	intelgfx32.exe	98
PID 1872 set thread context of 2984	1872	intelgfx32.exe	100
PID 2856 set thread context of 2632	2856	intelgfx32.exe	102
PID 2696 set thread context of 2100	2696	intelgfx32.exe	104
PID 2176 set thread context of 3000	2176	intelgfx32.exe	106
PID 2720 set thread context of 2652	2720	intelgfx32.exe	108
PID 2460 set thread context of 2456	2460	intelgfx32.exe	110

UPX packed file 62 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2308-2-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2308-3-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2308-7-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2308-6-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2308-8-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2308-9-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2308-22-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2684-33-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2684-34-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2684-35-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2684-40-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2988-53-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2988-52-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2988-54-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2988-60-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1420-71-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1420-72-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1420-79-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1888-91-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1888-90-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1888-92-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1888-98-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1408-116-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1912-135-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2880-153-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1532-172-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2252-190-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/868-203-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1588-215-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/3016-223-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/3016-228-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1960-236-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1960-241-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2128-253-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2272-265-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1756-277-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2916-285-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2916-290-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1800-302-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2736-314-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/356-326-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/380-338-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2156-350-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1548-362-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1688-374-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2204-386-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2732-398-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1892-410-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1676-422-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1952-434-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2036-442-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2036-447-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1592-455-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1592-460-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2196-472-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1672-484-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1464-496-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2984-508-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2632-520-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2100-532-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/3000-544-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2652-556-0x0000000000400000-0x0000000000466000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	intelgfx32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2308	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe
2308	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe
2684	intelgfx32.exe
2684	intelgfx32.exe
2988	intelgfx32.exe
2988	intelgfx32.exe
1420	intelgfx32.exe
1420	intelgfx32.exe
1888	intelgfx32.exe
1888	intelgfx32.exe
1408	intelgfx32.exe
1408	intelgfx32.exe
1912	intelgfx32.exe
1912	intelgfx32.exe
2880	intelgfx32.exe
2880	intelgfx32.exe
1532	intelgfx32.exe
1532	intelgfx32.exe
2252	intelgfx32.exe
2252	intelgfx32.exe
868	intelgfx32.exe
868	intelgfx32.exe
1588	intelgfx32.exe
1588	intelgfx32.exe
3016	intelgfx32.exe
3016	intelgfx32.exe
1960	intelgfx32.exe
1960	intelgfx32.exe
2128	intelgfx32.exe
2128	intelgfx32.exe
2272	intelgfx32.exe
2272	intelgfx32.exe
1756	intelgfx32.exe
1756	intelgfx32.exe
2916	intelgfx32.exe
2916	intelgfx32.exe
1800	intelgfx32.exe
1800	intelgfx32.exe
2736	intelgfx32.exe
2736	intelgfx32.exe
356	intelgfx32.exe
356	intelgfx32.exe
380	intelgfx32.exe
380	intelgfx32.exe
2156	intelgfx32.exe
2156	intelgfx32.exe
1548	intelgfx32.exe
1548	intelgfx32.exe
1688	intelgfx32.exe
1688	intelgfx32.exe
2204	intelgfx32.exe
2204	intelgfx32.exe
2732	intelgfx32.exe
2732	intelgfx32.exe
1892	intelgfx32.exe
1892	intelgfx32.exe
1676	intelgfx32.exe
1676	intelgfx32.exe
1952	intelgfx32.exe
1952	intelgfx32.exe
2036	intelgfx32.exe
2036	intelgfx32.exe
1592	intelgfx32.exe
1592	intelgfx32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2308	2212	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe	30
PID 2212 wrote to memory of 2308	2212	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe	30
PID 2212 wrote to memory of 2308	2212	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe	30
PID 2212 wrote to memory of 2308	2212	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe	30
PID 2212 wrote to memory of 2308	2212	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe	30
PID 2212 wrote to memory of 2308	2212	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe	30
PID 2212 wrote to memory of 2308	2212	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe	30
PID 2308 wrote to memory of 2656	2308	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2656	2308	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2656	2308	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2656	2308	f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe	31
PID 2656 wrote to memory of 2684	2656	intelgfx32.exe	32
PID 2656 wrote to memory of 2684	2656	intelgfx32.exe	32
PID 2656 wrote to memory of 2684	2656	intelgfx32.exe	32
PID 2656 wrote to memory of 2684	2656	intelgfx32.exe	32
PID 2656 wrote to memory of 2684	2656	intelgfx32.exe	32
PID 2656 wrote to memory of 2684	2656	intelgfx32.exe	32
PID 2656 wrote to memory of 2684	2656	intelgfx32.exe	32
PID 2684 wrote to memory of 2504	2684	intelgfx32.exe	33
PID 2684 wrote to memory of 2504	2684	intelgfx32.exe	33
PID 2684 wrote to memory of 2504	2684	intelgfx32.exe	33
PID 2684 wrote to memory of 2504	2684	intelgfx32.exe	33
PID 2504 wrote to memory of 2988	2504	intelgfx32.exe	34
PID 2504 wrote to memory of 2988	2504	intelgfx32.exe	34
PID 2504 wrote to memory of 2988	2504	intelgfx32.exe	34
PID 2504 wrote to memory of 2988	2504	intelgfx32.exe	34
PID 2504 wrote to memory of 2988	2504	intelgfx32.exe	34
PID 2504 wrote to memory of 2988	2504	intelgfx32.exe	34
PID 2504 wrote to memory of 2988	2504	intelgfx32.exe	34
PID 2988 wrote to memory of 2028	2988	intelgfx32.exe	35
PID 2988 wrote to memory of 2028	2988	intelgfx32.exe	35
PID 2988 wrote to memory of 2028	2988	intelgfx32.exe	35
PID 2988 wrote to memory of 2028	2988	intelgfx32.exe	35
PID 2028 wrote to memory of 1420	2028	intelgfx32.exe	36
PID 2028 wrote to memory of 1420	2028	intelgfx32.exe	36
PID 2028 wrote to memory of 1420	2028	intelgfx32.exe	36
PID 2028 wrote to memory of 1420	2028	intelgfx32.exe	36
PID 2028 wrote to memory of 1420	2028	intelgfx32.exe	36
PID 2028 wrote to memory of 1420	2028	intelgfx32.exe	36
PID 2028 wrote to memory of 1420	2028	intelgfx32.exe	36
PID 1420 wrote to memory of 2804	1420	intelgfx32.exe	37
PID 1420 wrote to memory of 2804	1420	intelgfx32.exe	37
PID 1420 wrote to memory of 2804	1420	intelgfx32.exe	37
PID 1420 wrote to memory of 2804	1420	intelgfx32.exe	37
PID 2804 wrote to memory of 1888	2804	intelgfx32.exe	38
PID 2804 wrote to memory of 1888	2804	intelgfx32.exe	38
PID 2804 wrote to memory of 1888	2804	intelgfx32.exe	38
PID 2804 wrote to memory of 1888	2804	intelgfx32.exe	38
PID 2804 wrote to memory of 1888	2804	intelgfx32.exe	38
PID 2804 wrote to memory of 1888	2804	intelgfx32.exe	38
PID 2804 wrote to memory of 1888	2804	intelgfx32.exe	38
PID 1888 wrote to memory of 1000	1888	intelgfx32.exe	39
PID 1888 wrote to memory of 1000	1888	intelgfx32.exe	39
PID 1888 wrote to memory of 1000	1888	intelgfx32.exe	39
PID 1888 wrote to memory of 1000	1888	intelgfx32.exe	39
PID 1000 wrote to memory of 1408	1000	intelgfx32.exe	40
PID 1000 wrote to memory of 1408	1000	intelgfx32.exe	40
PID 1000 wrote to memory of 1408	1000	intelgfx32.exe	40
PID 1000 wrote to memory of 1408	1000	intelgfx32.exe	40
PID 1000 wrote to memory of 1408	1000	intelgfx32.exe	40
PID 1000 wrote to memory of 1408	1000	intelgfx32.exe	40
PID 1000 wrote to memory of 1408	1000	intelgfx32.exe	40
PID 1408 wrote to memory of 2424	1408	intelgfx32.exe	41
PID 1408 wrote to memory of 2424	1408	intelgfx32.exe	41

C:\Users\Admin\AppData\Local\Temp\f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f2fec6cd7fb126601698a2ed4113c522_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\SysWOW64\intelgfx32.exe
    "C:\Windows\system32\intelgfx32.exe" C:\Users\Admin\AppData\Local\Temp\F2FEC6~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\intelgfx32.exe
      "C:\Windows\system32\intelgfx32.exe" C:\Users\Admin\AppData\Local\Temp\F2FEC6~1.EXE
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2504
      - C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1912
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2880
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2712
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1532
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2252
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:984
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:868
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1588
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3016
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1960
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2128
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2272
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2288
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        34⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1756
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1428
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        36⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2916
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        38⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1800
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3004
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        40⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2736
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        42⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:356
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        44⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:380
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        46⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2156
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        48⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1548
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        50⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1688
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        52⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2204
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        54⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2732
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        56⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1892
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        58⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1676
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        60⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1952
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        62⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2036
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        64⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1592
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        66⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        
        PID:2196
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        67⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        68⤵
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        69⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1196
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        70⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        71⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        72⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        73⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        74⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        75⤵
        Suspicious use of SetThreadContext
        
        PID:2696
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        76⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        
        PID:2100
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        77⤵
        Suspicious use of SetThreadContext
        
        PID:2176
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        78⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        79⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        80⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        81⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\intelgfx32.exe
        
        "C:\Windows\system32\intelgfx32.exe" C:\Windows\SysWOW64\INTELG~1.EXE
        82⤵
        Maps connected drives based on registry
        
        PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\intelgfx32.exe

Filesize
220KB

MD5
f2fec6cd7fb126601698a2ed4113c522

SHA1
b546d286cc926df043ccabbb16c3469443f06539

SHA256
8567ace64bbdd1dbb6a424a0780f8aea46d7ac1e9558dfd5dfcfc3e37aeb3be8

SHA512
eb1225482e481fffb6cee4e3aa12c9146d7d05125cbc73c39a12f31fc3470fa7190df04800d6b80152d0b6518d240943714812981509c908dd523c78796fa55a

Download Submit
memory/356-326-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/380-338-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/868-203-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1408-116-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1420-72-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1420-79-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1420-71-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1464-496-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1532-172-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1548-362-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1588-215-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1592-455-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1592-460-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1672-484-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1676-422-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1688-374-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1756-277-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1800-302-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1888-98-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1888-91-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1888-90-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1888-92-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1892-410-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1912-135-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1952-434-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1960-236-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1960-241-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2036-447-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2036-442-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2100-532-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2128-253-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2156-350-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2196-472-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2204-386-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2252-190-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2272-265-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2308-7-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2308-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2308-3-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2308-8-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2308-22-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2308-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2308-9-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2308-6-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2632-520-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2652-556-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2684-33-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2684-40-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2684-34-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2684-35-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2732-398-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2736-314-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2880-153-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2916-285-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2916-290-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2984-508-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2988-54-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2988-60-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2988-52-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2988-53-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3000-544-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3016-228-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3016-223-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download