metasploit | 34180f040323dadcd3796156da28c26367132346377cf288e9622abb42db6b75

Analysis

max time kernel
148s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2025, 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ba719dd297e477de82fbc9556e883f62.exe
Size

224KB
MD5

ba719dd297e477de82fbc9556e883f62
SHA1

380ecc17cab59d866431e0fa4cbab294e205f1b9
SHA256

34180f040323dadcd3796156da28c26367132346377cf288e9622abb42db6b75
SHA512

f4e88de105c0019d351a0d7e3ef8eeba836ea9b4251bb836d3cb44f0b09c97ebe612ec047c4a4df6bb72b920fefcf9cfd9161a91974c154b02695a55381b2b3b
SSDEEP

6144:rZ2qQKPL1qQPhp3Exz8vehZZDvgSeQ7tGJF:rZ2qHB15p3EHleh

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks computer location settings 2 TTPs 33 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	JaffaCakes118_ba719dd297e477de82fbc9556e883f62.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	igfxpr32.exe

Deletes itself 1 IoCs

pid	Process
1792	igfxpr32.exe

Executes dropped EXE 64 IoCs

pid	Process
4624	igfxpr32.exe
1792	igfxpr32.exe
4748	igfxpr32.exe
4836	igfxpr32.exe
2236	igfxpr32.exe
4880	igfxpr32.exe
4920	igfxpr32.exe
1612	igfxpr32.exe
4436	igfxpr32.exe
3000	igfxpr32.exe
4724	igfxpr32.exe
3472	igfxpr32.exe
3568	igfxpr32.exe
704	igfxpr32.exe
5188	igfxpr32.exe
5644	igfxpr32.exe
4080	igfxpr32.exe
2696	igfxpr32.exe
5608	igfxpr32.exe
1608	igfxpr32.exe
552	igfxpr32.exe
4404	igfxpr32.exe
2936	igfxpr32.exe
4496	igfxpr32.exe
2852	igfxpr32.exe
6112	igfxpr32.exe
4016	igfxpr32.exe
3156	igfxpr32.exe
5880	igfxpr32.exe
812	igfxpr32.exe
836	igfxpr32.exe
1108	igfxpr32.exe
5000	igfxpr32.exe
4440	igfxpr32.exe
2632	igfxpr32.exe
4336	igfxpr32.exe
5888	igfxpr32.exe
3308	igfxpr32.exe
3428	igfxpr32.exe
5320	igfxpr32.exe
4368	igfxpr32.exe
4788	igfxpr32.exe
4736	igfxpr32.exe
4476	igfxpr32.exe
3880	igfxpr32.exe
5068	igfxpr32.exe
3932	igfxpr32.exe
5848	igfxpr32.exe
4840	igfxpr32.exe
2180	igfxpr32.exe
4844	igfxpr32.exe
4872	igfxpr32.exe
448	igfxpr32.exe
2104	igfxpr32.exe
4292	igfxpr32.exe
2744	igfxpr32.exe
4332	igfxpr32.exe
1052	igfxpr32.exe
2012	igfxpr32.exe
1532	igfxpr32.exe
2068	igfxpr32.exe
4484	igfxpr32.exe
544	igfxpr32.exe
1128	igfxpr32.exe

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	JaffaCakes118_ba719dd297e477de82fbc9556e883f62.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	JaffaCakes118_ba719dd297e477de82fbc9556e883f62.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxpr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpr32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxpr32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File created	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File created	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File created	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File created	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpr32.exe
File created	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File created	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File created	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpr32.exe
File created	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File created	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File created	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File created	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File created	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpr32.exe
File created	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File created	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpr32.exe	JaffaCakes118_ba719dd297e477de82fbc9556e883f62.exe
File opened for modification	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File created	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File created	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File created	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpr32.exe
File created	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File created	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpr32.exe
File created	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File created	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File created	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File created	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe
File opened for modification	C:\Windows\SysWOW64\igfxpr32.exe	igfxpr32.exe

Suspicious use of SetThreadContext 33 IoCs

description	pid	Process	procid_target
PID 4432 set thread context of 6072	4432	JaffaCakes118_ba719dd297e477de82fbc9556e883f62.exe	89
PID 4624 set thread context of 1792	4624	igfxpr32.exe	92
PID 4748 set thread context of 4836	4748	igfxpr32.exe	94
PID 2236 set thread context of 4880	2236	igfxpr32.exe	96
PID 4920 set thread context of 1612	4920	igfxpr32.exe	98
PID 4436 set thread context of 3000	4436	igfxpr32.exe	100
PID 4724 set thread context of 3472	4724	igfxpr32.exe	105
PID 3568 set thread context of 704	3568	igfxpr32.exe	108
PID 5188 set thread context of 5644	5188	igfxpr32.exe	110
PID 4080 set thread context of 2696	4080	igfxpr32.exe	112
PID 5608 set thread context of 1608	5608	igfxpr32.exe	114
PID 552 set thread context of 4404	552	igfxpr32.exe	116
PID 2936 set thread context of 4496	2936	igfxpr32.exe	118
PID 2852 set thread context of 6112	2852	igfxpr32.exe	120
PID 4016 set thread context of 3156	4016	igfxpr32.exe	122
PID 5880 set thread context of 812	5880	igfxpr32.exe	124
PID 836 set thread context of 1108	836	igfxpr32.exe	126
PID 5000 set thread context of 4440	5000	igfxpr32.exe	128
PID 2632 set thread context of 4336	2632	igfxpr32.exe	130
PID 5888 set thread context of 3308	5888	igfxpr32.exe	132
PID 3428 set thread context of 5320	3428	igfxpr32.exe	134
PID 4368 set thread context of 4788	4368	igfxpr32.exe	137
PID 4736 set thread context of 4476	4736	igfxpr32.exe	139
PID 3880 set thread context of 5068	3880	igfxpr32.exe	141
PID 3932 set thread context of 5848	3932	igfxpr32.exe	143
PID 4840 set thread context of 2180	4840	igfxpr32.exe	145
PID 4844 set thread context of 4872	4844	igfxpr32.exe	147
PID 448 set thread context of 2104	448	igfxpr32.exe	149
PID 4292 set thread context of 2744	4292	igfxpr32.exe	151
PID 4332 set thread context of 1052	4332	igfxpr32.exe	153
PID 2012 set thread context of 1532	2012	igfxpr32.exe	155
PID 2068 set thread context of 4484	2068	igfxpr32.exe	157
PID 544 set thread context of 1128	544	igfxpr32.exe	159

UPX packed file 42 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/6072-0-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/6072-2-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/6072-3-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/6072-4-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/6072-40-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1792-46-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1792-48-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/4836-55-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/4880-62-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1612-68-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/3000-76-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/3472-83-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/704-88-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/704-91-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/5644-98-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2696-105-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1608-111-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/4404-119-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/4496-128-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/6112-132-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/6112-137-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/3156-145-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/812-153-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1108-162-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/4440-170-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/4336-178-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/3308-186-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/5320-194-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/4788-198-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/4788-203-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/4476-210-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/5068-213-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/5068-217-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/5848-223-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2180-229-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/4872-235-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2104-241-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/2744-247-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1052-253-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1532-259-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/4484-265-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/memory/1128-271-0x0000000000400000-0x0000000000466000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ba719dd297e477de82fbc9556e883f62.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ba719dd297e477de82fbc9556e883f62.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxpr32.exe

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_ba719dd297e477de82fbc9556e883f62.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxpr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
6072	JaffaCakes118_ba719dd297e477de82fbc9556e883f62.exe
6072	JaffaCakes118_ba719dd297e477de82fbc9556e883f62.exe
6072	JaffaCakes118_ba719dd297e477de82fbc9556e883f62.exe
6072	JaffaCakes118_ba719dd297e477de82fbc9556e883f62.exe
1792	igfxpr32.exe
1792	igfxpr32.exe
1792	igfxpr32.exe
1792	igfxpr32.exe
4836	igfxpr32.exe
4836	igfxpr32.exe
4836	igfxpr32.exe
4836	igfxpr32.exe
4880	igfxpr32.exe
4880	igfxpr32.exe
4880	igfxpr32.exe
4880	igfxpr32.exe
1612	igfxpr32.exe
1612	igfxpr32.exe
1612	igfxpr32.exe
1612	igfxpr32.exe
3000	igfxpr32.exe
3000	igfxpr32.exe
3000	igfxpr32.exe
3000	igfxpr32.exe
3472	igfxpr32.exe
3472	igfxpr32.exe
3472	igfxpr32.exe
3472	igfxpr32.exe
704	igfxpr32.exe
704	igfxpr32.exe
704	igfxpr32.exe
704	igfxpr32.exe
5644	igfxpr32.exe
5644	igfxpr32.exe
5644	igfxpr32.exe
5644	igfxpr32.exe
2696	igfxpr32.exe
2696	igfxpr32.exe
2696	igfxpr32.exe
2696	igfxpr32.exe
1608	igfxpr32.exe
1608	igfxpr32.exe
1608	igfxpr32.exe
1608	igfxpr32.exe
4404	igfxpr32.exe
4404	igfxpr32.exe
4404	igfxpr32.exe
4404	igfxpr32.exe
4496	igfxpr32.exe
4496	igfxpr32.exe
4496	igfxpr32.exe
4496	igfxpr32.exe
6112	igfxpr32.exe
6112	igfxpr32.exe
6112	igfxpr32.exe
6112	igfxpr32.exe
3156	igfxpr32.exe
3156	igfxpr32.exe
3156	igfxpr32.exe
3156	igfxpr32.exe
812	igfxpr32.exe
812	igfxpr32.exe
812	igfxpr32.exe
812	igfxpr32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 6072	4432	JaffaCakes118_ba719dd297e477de82fbc9556e883f62.exe	89
PID 4432 wrote to memory of 6072	4432	JaffaCakes118_ba719dd297e477de82fbc9556e883f62.exe	89
PID 4432 wrote to memory of 6072	4432	JaffaCakes118_ba719dd297e477de82fbc9556e883f62.exe	89
PID 4432 wrote to memory of 6072	4432	JaffaCakes118_ba719dd297e477de82fbc9556e883f62.exe	89
PID 4432 wrote to memory of 6072	4432	JaffaCakes118_ba719dd297e477de82fbc9556e883f62.exe	89
PID 4432 wrote to memory of 6072	4432	JaffaCakes118_ba719dd297e477de82fbc9556e883f62.exe	89
PID 4432 wrote to memory of 6072	4432	JaffaCakes118_ba719dd297e477de82fbc9556e883f62.exe	89
PID 6072 wrote to memory of 4624	6072	JaffaCakes118_ba719dd297e477de82fbc9556e883f62.exe	91
PID 6072 wrote to memory of 4624	6072	JaffaCakes118_ba719dd297e477de82fbc9556e883f62.exe	91
PID 6072 wrote to memory of 4624	6072	JaffaCakes118_ba719dd297e477de82fbc9556e883f62.exe	91
PID 4624 wrote to memory of 1792	4624	igfxpr32.exe	92
PID 4624 wrote to memory of 1792	4624	igfxpr32.exe	92
PID 4624 wrote to memory of 1792	4624	igfxpr32.exe	92
PID 4624 wrote to memory of 1792	4624	igfxpr32.exe	92
PID 4624 wrote to memory of 1792	4624	igfxpr32.exe	92
PID 4624 wrote to memory of 1792	4624	igfxpr32.exe	92
PID 4624 wrote to memory of 1792	4624	igfxpr32.exe	92
PID 1792 wrote to memory of 4748	1792	igfxpr32.exe	93
PID 1792 wrote to memory of 4748	1792	igfxpr32.exe	93
PID 1792 wrote to memory of 4748	1792	igfxpr32.exe	93
PID 4748 wrote to memory of 4836	4748	igfxpr32.exe	94
PID 4748 wrote to memory of 4836	4748	igfxpr32.exe	94
PID 4748 wrote to memory of 4836	4748	igfxpr32.exe	94
PID 4748 wrote to memory of 4836	4748	igfxpr32.exe	94
PID 4748 wrote to memory of 4836	4748	igfxpr32.exe	94
PID 4748 wrote to memory of 4836	4748	igfxpr32.exe	94
PID 4748 wrote to memory of 4836	4748	igfxpr32.exe	94
PID 4836 wrote to memory of 2236	4836	igfxpr32.exe	95
PID 4836 wrote to memory of 2236	4836	igfxpr32.exe	95
PID 4836 wrote to memory of 2236	4836	igfxpr32.exe	95
PID 2236 wrote to memory of 4880	2236	igfxpr32.exe	96
PID 2236 wrote to memory of 4880	2236	igfxpr32.exe	96
PID 2236 wrote to memory of 4880	2236	igfxpr32.exe	96
PID 2236 wrote to memory of 4880	2236	igfxpr32.exe	96
PID 2236 wrote to memory of 4880	2236	igfxpr32.exe	96
PID 2236 wrote to memory of 4880	2236	igfxpr32.exe	96
PID 2236 wrote to memory of 4880	2236	igfxpr32.exe	96
PID 4880 wrote to memory of 4920	4880	igfxpr32.exe	97
PID 4880 wrote to memory of 4920	4880	igfxpr32.exe	97
PID 4880 wrote to memory of 4920	4880	igfxpr32.exe	97
PID 4920 wrote to memory of 1612	4920	igfxpr32.exe	98
PID 4920 wrote to memory of 1612	4920	igfxpr32.exe	98
PID 4920 wrote to memory of 1612	4920	igfxpr32.exe	98
PID 4920 wrote to memory of 1612	4920	igfxpr32.exe	98
PID 4920 wrote to memory of 1612	4920	igfxpr32.exe	98
PID 4920 wrote to memory of 1612	4920	igfxpr32.exe	98
PID 4920 wrote to memory of 1612	4920	igfxpr32.exe	98
PID 1612 wrote to memory of 4436	1612	igfxpr32.exe	99
PID 1612 wrote to memory of 4436	1612	igfxpr32.exe	99
PID 1612 wrote to memory of 4436	1612	igfxpr32.exe	99
PID 4436 wrote to memory of 3000	4436	igfxpr32.exe	100
PID 4436 wrote to memory of 3000	4436	igfxpr32.exe	100
PID 4436 wrote to memory of 3000	4436	igfxpr32.exe	100
PID 4436 wrote to memory of 3000	4436	igfxpr32.exe	100
PID 4436 wrote to memory of 3000	4436	igfxpr32.exe	100
PID 4436 wrote to memory of 3000	4436	igfxpr32.exe	100
PID 4436 wrote to memory of 3000	4436	igfxpr32.exe	100
PID 3000 wrote to memory of 4724	3000	igfxpr32.exe	101
PID 3000 wrote to memory of 4724	3000	igfxpr32.exe	101
PID 3000 wrote to memory of 4724	3000	igfxpr32.exe	101
PID 4724 wrote to memory of 3472	4724	igfxpr32.exe	105
PID 4724 wrote to memory of 3472	4724	igfxpr32.exe	105
PID 4724 wrote to memory of 3472	4724	igfxpr32.exe	105
PID 4724 wrote to memory of 3472	4724	igfxpr32.exe	105

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ba719dd297e477de82fbc9556e883f62.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ba719dd297e477de82fbc9556e883f62.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ba719dd297e477de82fbc9556e883f62.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ba719dd297e477de82fbc9556e883f62.exe"
  2⤵
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:6072
- - C:\Windows\SysWOW64\igfxpr32.exe
    "C:\Windows\system32\igfxpr32.exe" C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - C:\Windows\SysWOW64\igfxpr32.exe
      "C:\Windows\system32\igfxpr32.exe" C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE
      4⤵
      Checks computer location settings
      Deletes itself
      Executes dropped EXE
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1792
    - - C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4748
      - C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3472
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:704
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5188
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5644
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2696
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5608
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1608
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4404
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4496
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:6112
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4016
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3156
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5880
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:812
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:836
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5888
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3428
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3880
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:544
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        66⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\igfxpr32.exe
        
        "C:\Windows\system32\igfxpr32.exe" C:\Windows\SysWOW64\igfxpr32.exe
        67⤵
        
        PID:1300

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\igfxpr32.exe

Filesize
224KB

MD5
ba719dd297e477de82fbc9556e883f62

SHA1
380ecc17cab59d866431e0fa4cbab294e205f1b9

SHA256
34180f040323dadcd3796156da28c26367132346377cf288e9622abb42db6b75

SHA512
f4e88de105c0019d351a0d7e3ef8eeba836ea9b4251bb836d3cb44f0b09c97ebe612ec047c4a4df6bb72b920fefcf9cfd9161a91974c154b02695a55381b2b3b

Download Submit
memory/704-91-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/704-88-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/812-153-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1052-253-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1108-162-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1128-271-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1532-259-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1608-111-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1612-68-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1792-48-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1792-46-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2104-241-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2180-229-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2696-105-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2744-247-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3000-76-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3156-145-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3308-186-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3472-83-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4336-178-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4404-119-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4440-170-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4476-210-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4484-265-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4496-128-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4788-203-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4788-198-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4836-55-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4872-235-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4880-62-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/5068-213-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/5068-217-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/5320-194-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/5644-98-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/5848-223-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/6072-4-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/6072-40-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/6072-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/6072-3-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/6072-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/6112-137-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/6112-132-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download