metasploit | f53ec0d23818613b780d630e985a96cc27f8c15206bca27480fce13f24b134ea

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/01/2025, 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_02bcd02ac649b47c88df945125551f16.exe
Size

224KB
MD5

02bcd02ac649b47c88df945125551f16
SHA1

431a617ff4ff5a5ba599262eec35073fca7f79bd
SHA256

f53ec0d23818613b780d630e985a96cc27f8c15206bca27480fce13f24b134ea
SHA512

046daf4b9732bbf237b541c4fdc88ed0461e20466712cd5ae5359180c78c497c1c7e980cf2f767d92cc98da8db39a0bed9f049ed216f8b6c86344114708faf40
SSDEEP

6144:uqvXfDrFUBEUOK6ielBslV35zErFUBEUOK6+:VrV1B0dErVi

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks computer location settings 2 TTPs 48 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	JaffaCakes118_02bcd02ac649b47c88df945125551f16.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	igfxsvr64.exe

Deletes itself 1 IoCs

pid	Process
1900	igfxsvr64.exe

Executes dropped EXE 64 IoCs

pid	Process
1608	igfxsvr64.exe
1900	igfxsvr64.exe
2624	igfxsvr64.exe
3060	igfxsvr64.exe
4744	igfxsvr64.exe
4888	igfxsvr64.exe
1784	igfxsvr64.exe
3996	igfxsvr64.exe
3172	igfxsvr64.exe
3464	igfxsvr64.exe
1196	igfxsvr64.exe
2596	igfxsvr64.exe
3164	igfxsvr64.exe
3148	igfxsvr64.exe
3944	igfxsvr64.exe
1216	igfxsvr64.exe
5016	igfxsvr64.exe
908	igfxsvr64.exe
3052	igfxsvr64.exe
880	igfxsvr64.exe
1792	igfxsvr64.exe
5060	igfxsvr64.exe
1392	igfxsvr64.exe
4680	igfxsvr64.exe
3192	igfxsvr64.exe
2620	igfxsvr64.exe
3268	igfxsvr64.exe
5032	igfxsvr64.exe
1984	igfxsvr64.exe
2168	igfxsvr64.exe
2068	igfxsvr64.exe
824	igfxsvr64.exe
2748	igfxsvr64.exe
3320	igfxsvr64.exe
2328	igfxsvr64.exe
1020	igfxsvr64.exe
3696	igfxsvr64.exe
3424	igfxsvr64.exe
4328	igfxsvr64.exe
2192	igfxsvr64.exe
4908	igfxsvr64.exe
636	igfxsvr64.exe
1804	igfxsvr64.exe
4592	igfxsvr64.exe
4688	igfxsvr64.exe
1180	igfxsvr64.exe
3648	igfxsvr64.exe
5076	igfxsvr64.exe
4316	igfxsvr64.exe
4964	igfxsvr64.exe
3808	igfxsvr64.exe
3752	igfxsvr64.exe
4764	igfxsvr64.exe
820	igfxsvr64.exe
4084	igfxsvr64.exe
2068	igfxsvr64.exe
208	igfxsvr64.exe
4220	igfxsvr64.exe
4836	igfxsvr64.exe
3064	igfxsvr64.exe
4536	igfxsvr64.exe
1744	igfxsvr64.exe
4276	igfxsvr64.exe
996	igfxsvr64.exe

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsvr64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsvr64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsvr64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsvr64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	JaffaCakes118_02bcd02ac649b47c88df945125551f16.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	JaffaCakes118_02bcd02ac649b47c88df945125551f16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsvr64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsvr64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsvr64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsvr64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsvr64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsvr64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxsvr64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxsvr64.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File created	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsvr64.exe
File created	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File created	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File created	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File created	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File created	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File created	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File created	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsvr64.exe
File created	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsvr64.exe
File created	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File created	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsvr64.exe
File created	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsvr64.exe
File created	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsvr64.exe
File created	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File created	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File created	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File created	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsvr64.exe
File created	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File created	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsvr64.exe
File opened for modification	C:\Windows\SysWOW64\	igfxsvr64.exe
File created	C:\Windows\SysWOW64\igfxsvr64.exe	igfxsvr64.exe

Suspicious use of SetThreadContext 49 IoCs

description	pid	Process	procid_target
PID 3180 set thread context of 4124	3180	JaffaCakes118_02bcd02ac649b47c88df945125551f16.exe	82
PID 1608 set thread context of 1900	1608	igfxsvr64.exe	84
PID 2624 set thread context of 3060	2624	igfxsvr64.exe	86
PID 4744 set thread context of 4888	4744	igfxsvr64.exe	88
PID 1784 set thread context of 3996	1784	igfxsvr64.exe	94
PID 3172 set thread context of 3464	3172	igfxsvr64.exe	97
PID 1196 set thread context of 2596	1196	igfxsvr64.exe	101
PID 3164 set thread context of 3148	3164	igfxsvr64.exe	103
PID 3944 set thread context of 1216	3944	igfxsvr64.exe	105
PID 5016 set thread context of 908	5016	igfxsvr64.exe	107
PID 3052 set thread context of 880	3052	igfxsvr64.exe	110
PID 1792 set thread context of 5060	1792	igfxsvr64.exe	113
PID 1392 set thread context of 4680	1392	igfxsvr64.exe	115
PID 3192 set thread context of 2620	3192	igfxsvr64.exe	117
PID 3268 set thread context of 5032	3268	igfxsvr64.exe	119
PID 1984 set thread context of 2168	1984	igfxsvr64.exe	121
PID 2068 set thread context of 824	2068	igfxsvr64.exe	123
PID 2748 set thread context of 3320	2748	igfxsvr64.exe	125
PID 2328 set thread context of 1020	2328	igfxsvr64.exe	127
PID 3696 set thread context of 3424	3696	igfxsvr64.exe	129
PID 4328 set thread context of 2192	4328	igfxsvr64.exe	131
PID 4908 set thread context of 636	4908	igfxsvr64.exe	133
PID 1804 set thread context of 4592	1804	igfxsvr64.exe	135
PID 4688 set thread context of 1180	4688	igfxsvr64.exe	137
PID 3648 set thread context of 5076	3648	igfxsvr64.exe	139
PID 4316 set thread context of 4964	4316	igfxsvr64.exe	141
PID 3808 set thread context of 3752	3808	igfxsvr64.exe	143
PID 4764 set thread context of 820	4764	igfxsvr64.exe	145
PID 4084 set thread context of 2068	4084	igfxsvr64.exe	147
PID 208 set thread context of 4220	208	igfxsvr64.exe	149
PID 4836 set thread context of 3064	4836	igfxsvr64.exe	151
PID 4536 set thread context of 1744	4536	igfxsvr64.exe	153
PID 4276 set thread context of 996	4276	igfxsvr64.exe	155
PID 2840 set thread context of 4568	2840	igfxsvr64.exe	157
PID 4848 set thread context of 3036	4848	igfxsvr64.exe	159
PID 5024 set thread context of 3744	5024	igfxsvr64.exe	161
PID 3844 set thread context of 2720	3844	igfxsvr64.exe	163
PID 3460 set thread context of 1100	3460	igfxsvr64.exe	165
PID 2136 set thread context of 4008	2136	igfxsvr64.exe	167
PID 4060 set thread context of 2044	4060	igfxsvr64.exe	169
PID 4312 set thread context of 732	4312	igfxsvr64.exe	171
PID 520 set thread context of 4580	520	igfxsvr64.exe	173
PID 3444 set thread context of 4360	3444	igfxsvr64.exe	175
PID 4244 set thread context of 2648	4244	igfxsvr64.exe	177
PID 3428 set thread context of 1156	3428	igfxsvr64.exe	179
PID 3448 set thread context of 4728	3448	igfxsvr64.exe	181
PID 2876 set thread context of 3068	2876	igfxsvr64.exe	183
PID 4516 set thread context of 4760	4516	igfxsvr64.exe	185
PID 4396 set thread context of 2396	4396	igfxsvr64.exe	187

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4124-2-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/4124-4-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/4124-5-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/4124-6-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/4124-67-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/1900-74-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/1900-76-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/1900-75-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/1900-77-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/3060-85-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/3060-88-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/3060-86-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/3060-87-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/3060-93-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/4888-103-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/3996-115-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/3464-123-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/3464-124-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/3464-122-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/3464-125-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/2596-139-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/3148-146-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/3148-150-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/1216-161-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/908-176-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/880-188-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/5060-200-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/4680-207-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/4680-213-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/2620-225-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/5032-237-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/2168-250-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/824-262-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/3320-275-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/1020-287-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/3424-296-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/3424-300-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/2192-312-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/636-319-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/636-325-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/4592-338-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/1180-350-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/5076-360-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/4964-370-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/3752-380-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/820-390-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/2068-400-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/4220-408-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/4220-411-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/3064-421-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/1744-431-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/996-441-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/4568-451-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/3036-461-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/3744-471-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/2720-481-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/1100-491-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/4008-501-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/2044-511-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/732-521-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/4580-531-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/4360-541-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/2648-551-0x0000000000400000-0x000000000045E000-memory.dmp	upx
behavioral2/memory/1156-561-0x0000000000400000-0x000000000045E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_02bcd02ac649b47c88df945125551f16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_02bcd02ac649b47c88df945125551f16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxsvr64.exe

Modifies registry class 48 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_02bcd02ac649b47c88df945125551f16.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxsvr64.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4124	JaffaCakes118_02bcd02ac649b47c88df945125551f16.exe
4124	JaffaCakes118_02bcd02ac649b47c88df945125551f16.exe
1900	igfxsvr64.exe
1900	igfxsvr64.exe
3060	igfxsvr64.exe
3060	igfxsvr64.exe
4888	igfxsvr64.exe
4888	igfxsvr64.exe
3996	igfxsvr64.exe
3996	igfxsvr64.exe
3464	igfxsvr64.exe
3464	igfxsvr64.exe
2596	igfxsvr64.exe
2596	igfxsvr64.exe
3148	igfxsvr64.exe
3148	igfxsvr64.exe
1216	igfxsvr64.exe
1216	igfxsvr64.exe
908	igfxsvr64.exe
908	igfxsvr64.exe
880	igfxsvr64.exe
880	igfxsvr64.exe
5060	igfxsvr64.exe
5060	igfxsvr64.exe
4680	igfxsvr64.exe
4680	igfxsvr64.exe
2620	igfxsvr64.exe
2620	igfxsvr64.exe
5032	igfxsvr64.exe
5032	igfxsvr64.exe
2168	igfxsvr64.exe
2168	igfxsvr64.exe
824	igfxsvr64.exe
824	igfxsvr64.exe
3320	igfxsvr64.exe
3320	igfxsvr64.exe
1020	igfxsvr64.exe
1020	igfxsvr64.exe
3424	igfxsvr64.exe
3424	igfxsvr64.exe
2192	igfxsvr64.exe
2192	igfxsvr64.exe
636	igfxsvr64.exe
636	igfxsvr64.exe
4592	igfxsvr64.exe
4592	igfxsvr64.exe
1180	igfxsvr64.exe
1180	igfxsvr64.exe
5076	igfxsvr64.exe
5076	igfxsvr64.exe
4964	igfxsvr64.exe
4964	igfxsvr64.exe
3752	igfxsvr64.exe
3752	igfxsvr64.exe
820	igfxsvr64.exe
820	igfxsvr64.exe
2068	igfxsvr64.exe
2068	igfxsvr64.exe
4220	igfxsvr64.exe
4220	igfxsvr64.exe
3064	igfxsvr64.exe
3064	igfxsvr64.exe
1744	igfxsvr64.exe
1744	igfxsvr64.exe

Suspicious use of SetWindowsHookEx 49 IoCs

pid	Process
3180	JaffaCakes118_02bcd02ac649b47c88df945125551f16.exe
1608	igfxsvr64.exe
2624	igfxsvr64.exe
4744	igfxsvr64.exe
1784	igfxsvr64.exe
3172	igfxsvr64.exe
1196	igfxsvr64.exe
3164	igfxsvr64.exe
3944	igfxsvr64.exe
5016	igfxsvr64.exe
3052	igfxsvr64.exe
1792	igfxsvr64.exe
1392	igfxsvr64.exe
3192	igfxsvr64.exe
3268	igfxsvr64.exe
1984	igfxsvr64.exe
2068	igfxsvr64.exe
2748	igfxsvr64.exe
2328	igfxsvr64.exe
3696	igfxsvr64.exe
4328	igfxsvr64.exe
4908	igfxsvr64.exe
1804	igfxsvr64.exe
4688	igfxsvr64.exe
3648	igfxsvr64.exe
4316	igfxsvr64.exe
3808	igfxsvr64.exe
4764	igfxsvr64.exe
4084	igfxsvr64.exe
208	igfxsvr64.exe
4836	igfxsvr64.exe
4536	igfxsvr64.exe
4276	igfxsvr64.exe
2840	igfxsvr64.exe
4848	igfxsvr64.exe
5024	igfxsvr64.exe
3844	igfxsvr64.exe
3460	igfxsvr64.exe
2136	igfxsvr64.exe
4060	igfxsvr64.exe
4312	igfxsvr64.exe
520	igfxsvr64.exe
3444	igfxsvr64.exe
4244	igfxsvr64.exe
3428	igfxsvr64.exe
3448	igfxsvr64.exe
2876	igfxsvr64.exe
4516	igfxsvr64.exe
4396	igfxsvr64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 4124	3180	JaffaCakes118_02bcd02ac649b47c88df945125551f16.exe	82
PID 3180 wrote to memory of 4124	3180	JaffaCakes118_02bcd02ac649b47c88df945125551f16.exe	82
PID 3180 wrote to memory of 4124	3180	JaffaCakes118_02bcd02ac649b47c88df945125551f16.exe	82
PID 3180 wrote to memory of 4124	3180	JaffaCakes118_02bcd02ac649b47c88df945125551f16.exe	82
PID 3180 wrote to memory of 4124	3180	JaffaCakes118_02bcd02ac649b47c88df945125551f16.exe	82
PID 3180 wrote to memory of 4124	3180	JaffaCakes118_02bcd02ac649b47c88df945125551f16.exe	82
PID 3180 wrote to memory of 4124	3180	JaffaCakes118_02bcd02ac649b47c88df945125551f16.exe	82
PID 3180 wrote to memory of 4124	3180	JaffaCakes118_02bcd02ac649b47c88df945125551f16.exe	82
PID 4124 wrote to memory of 1608	4124	JaffaCakes118_02bcd02ac649b47c88df945125551f16.exe	83
PID 4124 wrote to memory of 1608	4124	JaffaCakes118_02bcd02ac649b47c88df945125551f16.exe	83
PID 4124 wrote to memory of 1608	4124	JaffaCakes118_02bcd02ac649b47c88df945125551f16.exe	83
PID 1608 wrote to memory of 1900	1608	igfxsvr64.exe	84
PID 1608 wrote to memory of 1900	1608	igfxsvr64.exe	84
PID 1608 wrote to memory of 1900	1608	igfxsvr64.exe	84
PID 1608 wrote to memory of 1900	1608	igfxsvr64.exe	84
PID 1608 wrote to memory of 1900	1608	igfxsvr64.exe	84
PID 1608 wrote to memory of 1900	1608	igfxsvr64.exe	84
PID 1608 wrote to memory of 1900	1608	igfxsvr64.exe	84
PID 1608 wrote to memory of 1900	1608	igfxsvr64.exe	84
PID 1900 wrote to memory of 2624	1900	igfxsvr64.exe	85
PID 1900 wrote to memory of 2624	1900	igfxsvr64.exe	85
PID 1900 wrote to memory of 2624	1900	igfxsvr64.exe	85
PID 2624 wrote to memory of 3060	2624	igfxsvr64.exe	86
PID 2624 wrote to memory of 3060	2624	igfxsvr64.exe	86
PID 2624 wrote to memory of 3060	2624	igfxsvr64.exe	86
PID 2624 wrote to memory of 3060	2624	igfxsvr64.exe	86
PID 2624 wrote to memory of 3060	2624	igfxsvr64.exe	86
PID 2624 wrote to memory of 3060	2624	igfxsvr64.exe	86
PID 2624 wrote to memory of 3060	2624	igfxsvr64.exe	86
PID 2624 wrote to memory of 3060	2624	igfxsvr64.exe	86
PID 3060 wrote to memory of 4744	3060	igfxsvr64.exe	87
PID 3060 wrote to memory of 4744	3060	igfxsvr64.exe	87
PID 3060 wrote to memory of 4744	3060	igfxsvr64.exe	87
PID 4744 wrote to memory of 4888	4744	igfxsvr64.exe	88
PID 4744 wrote to memory of 4888	4744	igfxsvr64.exe	88
PID 4744 wrote to memory of 4888	4744	igfxsvr64.exe	88
PID 4744 wrote to memory of 4888	4744	igfxsvr64.exe	88
PID 4744 wrote to memory of 4888	4744	igfxsvr64.exe	88
PID 4744 wrote to memory of 4888	4744	igfxsvr64.exe	88
PID 4744 wrote to memory of 4888	4744	igfxsvr64.exe	88
PID 4744 wrote to memory of 4888	4744	igfxsvr64.exe	88
PID 4888 wrote to memory of 1784	4888	igfxsvr64.exe	93
PID 4888 wrote to memory of 1784	4888	igfxsvr64.exe	93
PID 4888 wrote to memory of 1784	4888	igfxsvr64.exe	93
PID 1784 wrote to memory of 3996	1784	igfxsvr64.exe	94
PID 1784 wrote to memory of 3996	1784	igfxsvr64.exe	94
PID 1784 wrote to memory of 3996	1784	igfxsvr64.exe	94
PID 1784 wrote to memory of 3996	1784	igfxsvr64.exe	94
PID 1784 wrote to memory of 3996	1784	igfxsvr64.exe	94
PID 1784 wrote to memory of 3996	1784	igfxsvr64.exe	94
PID 1784 wrote to memory of 3996	1784	igfxsvr64.exe	94
PID 1784 wrote to memory of 3996	1784	igfxsvr64.exe	94
PID 3996 wrote to memory of 3172	3996	igfxsvr64.exe	96
PID 3996 wrote to memory of 3172	3996	igfxsvr64.exe	96
PID 3996 wrote to memory of 3172	3996	igfxsvr64.exe	96
PID 3172 wrote to memory of 3464	3172	igfxsvr64.exe	97
PID 3172 wrote to memory of 3464	3172	igfxsvr64.exe	97
PID 3172 wrote to memory of 3464	3172	igfxsvr64.exe	97
PID 3172 wrote to memory of 3464	3172	igfxsvr64.exe	97
PID 3172 wrote to memory of 3464	3172	igfxsvr64.exe	97
PID 3172 wrote to memory of 3464	3172	igfxsvr64.exe	97
PID 3172 wrote to memory of 3464	3172	igfxsvr64.exe	97
PID 3172 wrote to memory of 3464	3172	igfxsvr64.exe	97
PID 3464 wrote to memory of 1196	3464	igfxsvr64.exe	100

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02bcd02ac649b47c88df945125551f16.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02bcd02ac649b47c88df945125551f16.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02bcd02ac649b47c88df945125551f16.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02bcd02ac649b47c88df945125551f16.exe
  2⤵
  - Checks computer location settings
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4124
- - C:\Windows\SysWOW64\igfxsvr64.exe
    "C:\Windows\system32\igfxsvr64.exe" C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Windows\SysWOW64\igfxsvr64.exe
      "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE
      4⤵
      Checks computer location settings
      Deletes itself
      Executes dropped EXE
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1900
    - - C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1196
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2596
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3164
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3148
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3944
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1216
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5016
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:908
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3052
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:880
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1792
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5060
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1392
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4680
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3192
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2620
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3268
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5032
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1984
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2168
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2068
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:824
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2748
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3320
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1020
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3696
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3424
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4328
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2192
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4908
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:636
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1804
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4592
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4688
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1180
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3648
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5076
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4316
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4964
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3808
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3752
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4764
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:820
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4084
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2068
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:208
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4220
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4836
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3064
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4536
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1744
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4276
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        66⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        67⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2840
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        68⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        69⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4848
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        70⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        71⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5024
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        72⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        73⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3844
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        74⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        75⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3460
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        76⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        77⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2136
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        78⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        79⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4060
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        80⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        81⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4312
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        82⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        83⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:520
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        84⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        85⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3444
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        86⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        87⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4244
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        88⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        89⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3428
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        90⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        91⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3448
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        92⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        93⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2876
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        94⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        95⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4516
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        96⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\system32\igfxsvr64.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
        97⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4396
        
        C:\Windows\SysWOW64\igfxsvr64.exe
        
        "C:\Windows\SysWOW64\igfxsvr64.exe " C:\Windows\SysWOW64\IGFXSV~1.EXE
        98⤵
        
        PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\igfxsvr64.exe

Filesize
224KB

MD5
02bcd02ac649b47c88df945125551f16

SHA1
431a617ff4ff5a5ba599262eec35073fca7f79bd

SHA256
f53ec0d23818613b780d630e985a96cc27f8c15206bca27480fce13f24b134ea

SHA512
046daf4b9732bbf237b541c4fdc88ed0461e20466712cd5ae5359180c78c497c1c7e980cf2f767d92cc98da8db39a0bed9f049ed216f8b6c86344114708faf40

Download Submit
memory/636-325-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/636-319-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/732-521-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/820-390-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/824-262-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/880-188-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/908-176-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/996-441-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1020-287-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1100-491-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1156-561-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1180-350-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1216-161-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1744-431-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1900-74-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1900-76-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1900-75-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1900-77-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2044-511-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2068-400-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2168-250-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2192-312-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2596-139-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2620-225-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2648-551-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2720-481-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3036-461-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3060-88-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3060-87-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3060-93-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3060-86-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3060-85-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3064-421-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3068-581-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3148-150-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3148-146-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3320-275-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3424-296-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3424-300-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3464-124-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3464-123-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3464-125-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3464-122-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3744-471-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3752-380-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3996-115-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4008-501-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4124-67-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4124-2-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4124-4-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4124-5-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4124-6-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4220-411-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4220-408-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4360-541-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4568-451-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4580-531-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4592-338-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4680-213-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4680-207-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4728-571-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4760-591-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4888-103-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4964-370-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5032-237-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5060-200-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5076-360-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download