Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
submitted: 20-06-2024 04:26
Static task: static1
Behavioral task: behavioral1
  Sample: 02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe
Size: 329KB
MD5: 02cb022f503bbef3b833f920dd8fb6c2
SHA1: 170a1e8bd5505cdd9f4a4f47459af755ddf5de87
SHA256: 3469692e0429097f567c960b9805a205c2b232fedb42fd47c2b0cc3a4f0eb00f
SHA512: 88819fa7ce289de87255d50706fdcbb45d29c296f8590b2ebd244990c7f768de730f8d3af4c1db5d8eca16f8fc0e05a37c62086625f13a3109828eba5faca0f5
SSDEEP: 6144:YRxVstLI005DXHkS5ziFiSw23emcscfL1K/9jumJOh+ulgxHamaZUyRQMJGQgtgw:YRotLIDXEezipjo5K/NZkhpls6CyJG3d
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Deletes itself 1 IoCs
Processes:
pid   process
2716  igfxsvr86.exe
-
Executes dropped EXE 49 IoCs
Processes:
pid   process
2716  igfxsvr86.exe
2528  igfxsvr86.exe
1924  igfxsvr86.exe
2192  igfxsvr86.exe
2900  igfxsvr86.exe
2080  igfxsvr86.exe
1644  igfxsvr86.exe
2148  igfxsvr86.exe
1212  igfxsvr86.exe
2612  igfxsvr86.exe
2680  igfxsvr86.exe
1836  igfxsvr86.exe
1760  igfxsvr86.exe
2492  igfxsvr86.exe
1056  igfxsvr86.exe
1716  igfxsvr86.exe
2932  igfxsvr86.exe
2712  igfxsvr86.exe
2648  igfxsvr86.exe
2836  igfxsvr86.exe
2872  igfxsvr86.exe
1400  igfxsvr86.exe
2264  igfxsvr86.exe
2240  igfxsvr86.exe
3040  igfxsvr86.exe
1932  igfxsvr86.exe
2904  igfxsvr86.exe
1212  igfxsvr86.exe
2800  igfxsvr86.exe
2840  igfxsvr86.exe
1992  igfxsvr86.exe
2056  igfxsvr86.exe
3036  igfxsvr86.exe
2136  igfxsvr86.exe
988   igfxsvr86.exe
1380  igfxsvr86.exe
2520  igfxsvr86.exe
2544  igfxsvr86.exe
1028  igfxsvr86.exe
812   igfxsvr86.exe
2276  igfxsvr86.exe
1788  igfxsvr86.exe
2596  igfxsvr86.exe
1856  igfxsvr86.exe
1928  igfxsvr86.exe
1308  igfxsvr86.exe
2644  igfxsvr86.exe
372   igfxsvr86.exe
1884  igfxsvr86.exe
-
Loads dropped DLL 64 IoCs
Processes:
pid   process
2880  02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe
2880  02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe
2716  igfxsvr86.exe
2716  igfxsvr86.exe
2528  igfxsvr86.exe
2528  igfxsvr86.exe
1924  igfxsvr86.exe
1924  igfxsvr86.exe
2192  igfxsvr86.exe
2192  igfxsvr86.exe
2900  igfxsvr86.exe
2900  igfxsvr86.exe
2080  igfxsvr86.exe
2080  igfxsvr86.exe
1644  igfxsvr86.exe
1644  igfxsvr86.exe
2148  igfxsvr86.exe
2148  igfxsvr86.exe
1212  igfxsvr86.exe
1212  igfxsvr86.exe
2612  igfxsvr86.exe
2612  igfxsvr86.exe
2680  igfxsvr86.exe
2680  igfxsvr86.exe
1836  igfxsvr86.exe
1836  igfxsvr86.exe
1760  igfxsvr86.exe
1760  igfxsvr86.exe
2492  igfxsvr86.exe
2492  igfxsvr86.exe
1056  igfxsvr86.exe
1056  igfxsvr86.exe
1716  igfxsvr86.exe
1716  igfxsvr86.exe
2932  igfxsvr86.exe
2932  igfxsvr86.exe
2712  igfxsvr86.exe
2712  igfxsvr86.exe
2648  igfxsvr86.exe
2648  igfxsvr86.exe
2836  igfxsvr86.exe
2836  igfxsvr86.exe
2872  igfxsvr86.exe
2872  igfxsvr86.exe
1400  igfxsvr86.exe
1400  igfxsvr86.exe
2264  igfxsvr86.exe
2264  igfxsvr86.exe
2240  igfxsvr86.exe
2240  igfxsvr86.exe
3040  igfxsvr86.exe
3040  igfxsvr86.exe
1932  igfxsvr86.exe
1932  igfxsvr86.exe
2904  igfxsvr86.exe
2904  igfxsvr86.exe
1212  igfxsvr86.exe
1212  igfxsvr86.exe
2800  igfxsvr86.exe
2800  igfxsvr86.exe
2840  igfxsvr86.exe
2840  igfxsvr86.exe
1992  igfxsvr86.exe
1992  igfxsvr86.exe
-
Maps connected drives based on registry 3 TTPs 64 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                           process
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxsvr86.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxsvr86.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxsvr86.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxsvr86.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxsvr86.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxsvr86.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxsvr86.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxsvr86.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxsvr86.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxsvr86.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxsvr86.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxsvr86.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxsvr86.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     igfxsvr86.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   igfxsvr86.exe
-
Drops file in System32 directory 64 IoCs
Processes:
description                  ioc                                 process
File opened for modification  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File created                  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\               igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\               igfxsvr86.exe
File created                  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File created                  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\               igfxsvr86.exe
File created                  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\               igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\               igfxsvr86.exe
File created                  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\               igfxsvr86.exe
File created                  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\               igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\               igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\               igfxsvr86.exe
File created                  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File created                  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\               igfxsvr86.exe
File created                  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\               igfxsvr86.exe
File created                  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File created                  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File created                  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\               igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\               igfxsvr86.exe
File created                  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File created                  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File created                  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\               02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe
File created                  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File created                  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\               igfxsvr86.exe
File created                  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File created                  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\               igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\               igfxsvr86.exe
File created                  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\               igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File created                  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File created                  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\               igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\               igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\               igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File opened for modification  C:\Windows\SysWOW64\               igfxsvr86.exe
File created                  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
File created                  C:\Windows\SysWOW64\igfxsvr86.exe  igfxsvr86.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 50 IoCs
Processes:
pid   process
2880  02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe
2716  igfxsvr86.exe
2528  igfxsvr86.exe
1924  igfxsvr86.exe
2192  igfxsvr86.exe
2900  igfxsvr86.exe
2080  igfxsvr86.exe
1644  igfxsvr86.exe
2148  igfxsvr86.exe
1212  igfxsvr86.exe
2612  igfxsvr86.exe
2680  igfxsvr86.exe
1836  igfxsvr86.exe
1760  igfxsvr86.exe
2492  igfxsvr86.exe
1056  igfxsvr86.exe
1716  igfxsvr86.exe
2932  igfxsvr86.exe
2712  igfxsvr86.exe
2648  igfxsvr86.exe
2836  igfxsvr86.exe
2872  igfxsvr86.exe
1400  igfxsvr86.exe
2264  igfxsvr86.exe
2240  igfxsvr86.exe
3040  igfxsvr86.exe
1932  igfxsvr86.exe
2904  igfxsvr86.exe
1212  igfxsvr86.exe
2800  igfxsvr86.exe
2840  igfxsvr86.exe
1992  igfxsvr86.exe
2056  igfxsvr86.exe
3036  igfxsvr86.exe
2136  igfxsvr86.exe
988   igfxsvr86.exe
1380  igfxsvr86.exe
2520  igfxsvr86.exe
2544  igfxsvr86.exe
1028  igfxsvr86.exe
812   igfxsvr86.exe
2276  igfxsvr86.exe
1788  igfxsvr86.exe
2596  igfxsvr86.exe
1856  igfxsvr86.exe
1928  igfxsvr86.exe
1308  igfxsvr86.exe
2644  igfxsvr86.exe
372   igfxsvr86.exe
1884  igfxsvr86.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
2880  02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe
2880  02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe
2880  02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe
2880  02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe
2880  02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe
2880  02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe
2880  02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe
2880  02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe
2880  02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe
2880  02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe
2880  02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe
2880  02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe
2880  02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe
2880  02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe
2880  02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe
2716  igfxsvr86.exe
2716  igfxsvr86.exe
2716  igfxsvr86.exe
2716  igfxsvr86.exe
2716  igfxsvr86.exe
2716  igfxsvr86.exe
2716  igfxsvr86.exe
2716  igfxsvr86.exe
2716  igfxsvr86.exe
2716  igfxsvr86.exe
2716  igfxsvr86.exe
2716  igfxsvr86.exe
2716  igfxsvr86.exe
2716  igfxsvr86.exe
2716  igfxsvr86.exe
2528  igfxsvr86.exe
2528  igfxsvr86.exe
2528  igfxsvr86.exe
2528  igfxsvr86.exe
2528  igfxsvr86.exe
2528  igfxsvr86.exe
2528  igfxsvr86.exe
2528  igfxsvr86.exe
2528  igfxsvr86.exe
2528  igfxsvr86.exe
2528  igfxsvr86.exe
2528  igfxsvr86.exe
2528  igfxsvr86.exe
2528  igfxsvr86.exe
2528  igfxsvr86.exe
1924  igfxsvr86.exe
1924  igfxsvr86.exe
1924  igfxsvr86.exe
1924  igfxsvr86.exe
1924  igfxsvr86.exe
1924  igfxsvr86.exe
1924  igfxsvr86.exe
1924  igfxsvr86.exe
1924  igfxsvr86.exe
1924  igfxsvr86.exe
1924  igfxsvr86.exe
1924  igfxsvr86.exe
1924  igfxsvr86.exe
1924  igfxsvr86.exe
1924  igfxsvr86.exe
2192  igfxsvr86.exe
2192  igfxsvr86.exe
2192  igfxsvr86.exe
2192  igfxsvr86.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                       pid   process                                             target process
PID 2880 wrote to memory of 2716  2880  02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe  igfxsvr86.exe
PID 2880 wrote to memory of 2716  2880  02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe  igfxsvr86.exe
PID 2880 wrote to memory of 2716  2880  02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe  igfxsvr86.exe
PID 2880 wrote to memory of 2716  2880  02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe  igfxsvr86.exe
PID 2716 wrote to memory of 2528  2716  igfxsvr86.exe                                       igfxsvr86.exe
PID 2716 wrote to memory of 2528  2716  igfxsvr86.exe                                       igfxsvr86.exe
PID 2716 wrote to memory of 2528  2716  igfxsvr86.exe                                       igfxsvr86.exe
PID 2716 wrote to memory of 2528  2716  igfxsvr86.exe                                       igfxsvr86.exe
PID 2528 wrote to memory of 1924  2528  igfxsvr86.exe                                       igfxsvr86.exe
PID 2528 wrote to memory of 1924  2528  igfxsvr86.exe                                       igfxsvr86.exe
PID 2528 wrote to memory of 1924  2528  igfxsvr86.exe                                       igfxsvr86.exe
PID 2528 wrote to memory of 1924  2528  igfxsvr86.exe                                       igfxsvr86.exe
PID 1924 wrote to memory of 2192  1924  igfxsvr86.exe                                       igfxsvr86.exe
PID 1924 wrote to memory of 2192  1924  igfxsvr86.exe                                       igfxsvr86.exe
PID 1924 wrote to memory of 2192  1924  igfxsvr86.exe                                       igfxsvr86.exe
PID 1924 wrote to memory of 2192  1924  igfxsvr86.exe                                       igfxsvr86.exe
PID 2192 wrote to memory of 2900  2192  igfxsvr86.exe                                       igfxsvr86.exe
PID 2192 wrote to memory of 2900  2192  igfxsvr86.exe                                       igfxsvr86.exe
PID 2192 wrote to memory of 2900  2192  igfxsvr86.exe                                       igfxsvr86.exe
PID 2192 wrote to memory of 2900  2192  igfxsvr86.exe                                       igfxsvr86.exe
PID 2900 wrote to memory of 2080  2900  igfxsvr86.exe                                       igfxsvr86.exe
PID 2900 wrote to memory of 2080  2900  igfxsvr86.exe                                       igfxsvr86.exe
PID 2900 wrote to memory of 2080  2900  igfxsvr86.exe                                       igfxsvr86.exe
PID 2900 wrote to memory of 2080  2900  igfxsvr86.exe                                       igfxsvr86.exe
PID 2080 wrote to memory of 1644  2080  igfxsvr86.exe                                       igfxsvr86.exe
PID 2080 wrote to memory of 1644  2080  igfxsvr86.exe                                       igfxsvr86.exe
PID 2080 wrote to memory of 1644  2080  igfxsvr86.exe                                       igfxsvr86.exe
PID 2080 wrote to memory of 1644  2080  igfxsvr86.exe                                       igfxsvr86.exe
PID 1644 wrote to memory of 2148  1644  igfxsvr86.exe                                       igfxsvr86.exe
PID 1644 wrote to memory of 2148  1644  igfxsvr86.exe                                       igfxsvr86.exe
PID 1644 wrote to memory of 2148  1644  igfxsvr86.exe                                       igfxsvr86.exe
PID 1644 wrote to memory of 2148  1644  igfxsvr86.exe                                       igfxsvr86.exe
PID 2148 wrote to memory of 1212  2148  igfxsvr86.exe                                       igfxsvr86.exe
PID 2148 wrote to memory of 1212  2148  igfxsvr86.exe                                       igfxsvr86.exe
PID 2148 wrote to memory of 1212  2148  igfxsvr86.exe                                       igfxsvr86.exe
PID 2148 wrote to memory of 1212  2148  igfxsvr86.exe                                       igfxsvr86.exe
PID 1212 wrote to memory of 2612  1212  igfxsvr86.exe                                       igfxsvr86.exe
PID 1212 wrote to memory of 2612  1212  igfxsvr86.exe                                       igfxsvr86.exe
PID 1212 wrote to memory of 2612  1212  igfxsvr86.exe                                       igfxsvr86.exe
PID 1212 wrote to memory of 2612  1212  igfxsvr86.exe                                       igfxsvr86.exe
PID 2612 wrote to memory of 2680  2612  igfxsvr86.exe                                       igfxsvr86.exe
PID 2612 wrote to memory of 2680  2612  igfxsvr86.exe                                       igfxsvr86.exe
PID 2612 wrote to memory of 2680  2612  igfxsvr86.exe                                       igfxsvr86.exe
PID 2612 wrote to memory of 2680  2612  igfxsvr86.exe                                       igfxsvr86.exe
PID 2680 wrote to memory of 1836  2680  igfxsvr86.exe                                       igfxsvr86.exe
PID 2680 wrote to memory of 1836  2680  igfxsvr86.exe                                       igfxsvr86.exe
PID 2680 wrote to memory of 1836  2680  igfxsvr86.exe                                       igfxsvr86.exe
PID 2680 wrote to memory of 1836  2680  igfxsvr86.exe                                       igfxsvr86.exe
PID 1836 wrote to memory of 1760  1836  igfxsvr86.exe                                       igfxsvr86.exe
PID 1836 wrote to memory of 1760  1836  igfxsvr86.exe                                       igfxsvr86.exe
PID 1836 wrote to memory of 1760  1836  igfxsvr86.exe                                       igfxsvr86.exe
PID 1836 wrote to memory of 1760  1836  igfxsvr86.exe                                       igfxsvr86.exe
PID 1760 wrote to memory of 2492  1760  igfxsvr86.exe                                       igfxsvr86.exe
PID 1760 wrote to memory of 2492  1760  igfxsvr86.exe                                       igfxsvr86.exe
PID 1760 wrote to memory of 2492  1760  igfxsvr86.exe                                       igfxsvr86.exe
PID 1760 wrote to memory of 2492  1760  igfxsvr86.exe                                       igfxsvr86.exe
PID 2492 wrote to memory of 1056  2492  igfxsvr86.exe                                       igfxsvr86.exe
PID 2492 wrote to memory of 1056  2492  igfxsvr86.exe                                       igfxsvr86.exe
PID 2492 wrote to memory of 1056  2492  igfxsvr86.exe                                       igfxsvr86.exe
PID 2492 wrote to memory of 1056  2492  igfxsvr86.exe                                       igfxsvr86.exe
PID 1056 wrote to memory of 1716  1056  igfxsvr86.exe                                       igfxsvr86.exe
PID 1056 wrote to memory of 1716  1056  igfxsvr86.exe                                       igfxsvr86.exe
PID 1056 wrote to memory of 1716  1056  igfxsvr86.exe                                       igfxsvr86.exe
PID 1056 wrote to memory of 1716  1056  igfxsvr86.exe                                       igfxsvr86.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe"
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe (depth 2)
  Command line: "C:\Windows\system32\igfxsvr86.exe" C:\Users\Admin\AppData\Local\Temp\02CB02~1.EXE
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe (depth 3)
  Command line: "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe (depth 4)
  Command line: "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe (depth 5)
  Command line: "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe (depth 6)
  Command line: "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe (depth 7)
  Command line: "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe (depth 8)
  Command line: "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe (depth 9)
  Command line: "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe (depth 10)
  Command line: "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe (depth 11)
  Command line: "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe (depth 12)
  Command line: "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe (depth 13)
  Command line: "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe (depth 14)
  Command line: "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe (depth 15)
  Command line: "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe (depth 16)
  Command line: "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe (depth 17)
  Command line: "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe (depth 18)
  Command line: "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe (depth 19)
  Command line: "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe (depth 20)
  Command line: "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe (depth 21)
  Command line: "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe (depth 22)
  Command line: "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe (depth 23)
  Command line: "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe (depth 24)
  Command line: "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe | "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE | 25⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe | "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE | 26⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe | "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE | 27⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe | "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE | 28⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe | "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE | 29⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe | "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE | 30⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe | "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE | 31⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe | "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE | 32⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe | "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE | 33⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe | "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE | 34⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe | "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE | 35⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe | "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE | 36⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe | "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE | 37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe | "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE | 38⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe | "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE | 39⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe | "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE | 40⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe | "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE | 41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe | "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE | 42⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe | "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE | 43⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe | "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE | 44⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe | "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE | 45⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe | "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE | 46⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe | "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE | 47⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe | "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE | 48⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe | "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE | 49⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe | "C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE | 50⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
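The entries above are one long chain: each igfxsvr86.exe launches a further copy of itself one level deeper, passing its own 8.3 short name as the argument, and the NtSetInformationThreadHideFromDebugger signature fires on every hop. The executable path is under SysWOW64 while the command line names system32, which is what WOW64 file-system redirection looks like for a 32-bit process. The following added example (my code, not tria.ge's) parses entries in the page's flattened form into records and derives the findings a triage analyst wants from them: self-spawn chain depth, the anti-debug signature, and the redirection mismatch. The three embedded entries are a constructed subset of the report's chain, and the record fields and detection rules are this example's own assumptions.

```python
"""Parse flattened sandbox process-tree entries and flag a recursive
self-spawn chain with anti-debugging behaviour.

Added example for this page; not tria.ge code. REPORT_LINES is a constructed
subset of the report's entries, and the rules in triage() are assumptions.
"""
import re
from dataclasses import dataclass, field

# Flattened form on the page: <image path>"<command line>" <args><tree level>⤵
# then one "- <signature>" bullet per behaviour and a lone "-" as terminator.
REPORT_LINES = r'''
C:\Windows\SysWOW64\igfxsvr86.exe"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE17⤵
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE18⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\igfxsvr86.exe"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE19⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
'''

ENTRY_RE = re.compile(r'^(?P<image>[^"]+?)"(?P<exe>[^"]+)"(?P<args>.*?)(?P<level>\d+)⤵$')
ANTI_DEBUG = "NtSetInformationThreadHideFromDebugger"


@dataclass
class Proc:
    image: str          # path of the executable that actually ran
    exe: str            # image path as written on the command line
    args: str
    level: int          # nesting depth in the sandbox's process tree (assumed meaning)
    signatures: list[str] = field(default_factory=list)

    def basename(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_tree(text: str) -> list[Proc]:
    """Turn the flattened text into Proc records; bullets attach to the last entry."""
    procs: list[Proc] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            procs.append(Proc(m["image"], m["exe"], m["args"].strip(), int(m["level"])))
        elif line.startswith("- ") and procs:
            procs[-1].signatures.append(line[2:])
    return procs


def longest_self_spawn_chain(procs: list[Proc]) -> int:
    """Longest run of consecutive entries in which a binary launches a copy of
    itself exactly one level deeper (the report shows this reaching level 50)."""
    if not procs:
        return 0
    best = run = 1
    for prev, cur in zip(procs, procs[1:]):
        if cur.basename() == prev.basename() and cur.level == prev.level + 1:
            run += 1
            best = max(best, run)
        else:
            run = 1
    return best


def triage(procs: list[Proc]) -> dict:
    """Summarise the findings an analyst reads off the chain."""
    # A 32-bit process opening C:\Windows\system32 is redirected to SysWOW64 by
    # WOW64 file-system redirection; the path mismatch is how that shows up here.
    redirected = any(
        "\\system32\\" in p.exe.lower() and "\\syswow64\\" in p.image.lower() for p in procs
    )
    return {
        "chain_depth": longest_self_spawn_chain(procs),
        "anti_debug": any(ANTI_DEBUG in s for p in procs for s in p.signatures),
        "wow64_redirected": redirected,
        "max_level": max((p.level for p in procs), default=0),
    }


if __name__ == "__main__":
    print(triage(parse_tree(REPORT_LINES)))
```

Run against the full tree, `chain_depth` equals the number of hops in the report and `max_level` is 50; on the constructed subset both are small, but the anti-debug and redirection findings are the same.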
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
\??\PIPE\srvsvc
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Windows\SysWOW64\igfxsvr86.exe
Filesize 329KB
MD5 02cb022f503bbef3b833f920dd8fb6c2
SHA1 170a1e8bd5505cdd9f4a4f47459af755ddf5de87
SHA256 3469692e0429097f567c960b9805a205c2b232fedb42fd47c2b0cc3a4f0eb00f
SHA512 88819fa7ce289de87255d50706fdcbb45d29c296f8590b2ebd244990c7f768de730f8d3af4c1db5d8eca16f8fc0e05a37c62086625f13a3109828eba5faca0f5
-
memory/812-230-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/812-232-0x0000000003550000-0x0000000003602000-memory.dmp  Filesize 712KB
memory/812-234-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/988-211-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/988-214-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/988-212-0x0000000003530000-0x00000000035E2000-memory.dmp  Filesize 712KB
memory/1028-228-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/1028-226-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/1056-120-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/1056-124-0x00000000031C0000-0x0000000003272000-memory.dmp  Filesize 712KB
memory/1056-127-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/1212-83-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/1212-78-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/1212-183-0x0000000003490000-0x0000000003542000-memory.dmp  Filesize 712KB
memory/1212-186-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/1212-184-0x0000000003490000-0x0000000003542000-memory.dmp  Filesize 712KB
memory/1380-218-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/1400-153-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/1400-158-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/1644-69-0x0000000003450000-0x0000000003502000-memory.dmp  Filesize 712KB
memory/1644-64-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/1644-72-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/1716-132-0x0000000004BD0000-0x0000000004C82000-memory.dmp  Filesize 712KB
memory/1716-136-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/1760-108-0x00000000034B0000-0x0000000003562000-memory.dmp  Filesize 712KB
memory/1760-112-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/1760-104-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/1788-243-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/1788-240-0x00000000031D0000-0x0000000003282000-memory.dmp  Filesize 712KB
memory/1788-238-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/1836-105-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/1856-250-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/1924-39-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/1924-35-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/1928-251-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/1928-253-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/1932-176-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/1992-198-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/1992-196-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2056-202-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2080-63-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2080-56-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2136-209-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2136-206-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2148-76-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2192-42-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2192-47-0x00000000032E0000-0x0000000003392000-memory.dmp  Filesize 712KB
memory/2192-49-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2240-166-0x0000000003410000-0x00000000034C2000-memory.dmp  Filesize 712KB
memory/2240-167-0x0000000003410000-0x00000000034C2000-memory.dmp  Filesize 712KB
memory/2240-161-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2240-164-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2264-157-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2264-163-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2264-160-0x00000000033C0000-0x0000000003472000-memory.dmp  Filesize 712KB
memory/2276-235-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2276-239-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2492-118-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2492-113-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2520-219-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2520-221-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2528-28-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2528-34-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2544-224-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2596-246-0x00000000037E0000-0x0000000003892000-memory.dmp  Filesize 712KB
memory/2596-247-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2612-91-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2648-144-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2648-146-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2680-94-0x0000000004B30000-0x0000000004BE2000-memory.dmp  Filesize 712KB
memory/2680-90-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2680-96-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2712-143-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2716-16-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2716-25-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2716-20-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2716-19-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2800-185-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2800-190-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2800-187-0x0000000003210000-0x00000000032C2000-memory.dmp  Filesize 712KB
memory/2800-188-0x0000000003210000-0x00000000032C2000-memory.dmp  Filesize 712KB
memory/2836-149-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2840-195-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2840-192-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2872-150-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2872-152-0x00000000033A0000-0x0000000003452000-memory.dmp  Filesize 712KB
memory/2872-155-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2880-18-0x0000000000480000-0x00000000004A2000-memory.dmp  Filesize 136KB
memory/2880-17-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2880-0-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2880-1-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2880-2-0x0000000000480000-0x00000000004A2000-memory.dmp  Filesize 136KB
memory/2880-3-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2880-4-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2900-48-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2900-54-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2904-181-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2904-175-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2904-179-0x0000000004D40000-0x0000000004DF2000-memory.dmp  Filesize 712KB
memory/2904-177-0x0000000004D40000-0x0000000004DF2000-memory.dmp  Filesize 712KB
memory/2932-135-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/2932-139-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/3036-203-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/3036-207-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/3040-168-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/3040-170-0x0000000003260000-0x0000000003312000-memory.dmp  Filesize 712KB
memory/3040-172-0x0000000000400000-0x00000000004B2000-memory.dmp  Filesize 712KB
memory/3040-169-0x0000000003260000-0x0000000003312000-memory.dmp  Filesize 712KB
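Two checks a practitioner runs over a Downloads list like the one above, as an added example (my code, not tria.ge's). First, the digests listed for \??\PIPE\srvsvc are the well-known MD5, SHA-1, SHA-256 and SHA-512 values of zero-length input, so the sandbox recorded the pipe name but captured no data for it; the code recomputes those digests rather than trusting memory. Second, every process dumps a 712KB region at 0x400000 and several of them also dump a second region of exactly the same size at a high address (0x3550000 for PID 812, 0x3490000 for PID 1212, and so on), which is the pattern of a binary copying its own image into allocated memory. Treating 0x400000 as the image base (the default for 32-bit executables) and an equal-sized region elsewhere as a probable in-memory copy are this example's own assumptions; the hashes and dump names are transcribed from the report as a constructed subset.

```python
"""Sanity checks over a sandbox report's artifact list: recognise empty-content
hashes and find per-process memory regions the same size as the loaded image.

Added example for this page; not tria.ge code. Data below is a constructed
subset transcribed from the report; IMAGE_BASE and the "image-sized copy"
heuristic are assumptions.
"""
import hashlib
import re
from collections import defaultdict

# Transcribed from the report's Downloads list (subset); algorithm names are
# hashlib names so the digests can be recomputed.
ARTIFACTS = {
    r"\??\PIPE\srvsvc": {
        "md5": "d41d8cd98f00b204e9800998ecf8427e",
        "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce"
                  "47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
    },
    r"\Windows\SysWOW64\igfxsvr86.exe": {
        "md5": "02cb022f503bbef3b833f920dd8fb6c2",
        "sha1": "170a1e8bd5505cdd9f4a4f47459af755ddf5de87",
        "sha256": "3469692e0429097f567c960b9805a205c2b232fedb42fd47c2b0cc3a4f0eb00f",
    },
}

MEMORY_DUMPS = [
    "memory/2880-0-0x0000000000400000-0x00000000004B2000-memory.dmp",
    "memory/2880-2-0x0000000000480000-0x00000000004A2000-memory.dmp",
    "memory/812-230-0x0000000000400000-0x00000000004B2000-memory.dmp",
    "memory/812-232-0x0000000003550000-0x0000000003602000-memory.dmp",
    "memory/812-234-0x0000000000400000-0x00000000004B2000-memory.dmp",
    "memory/1212-183-0x0000000003490000-0x0000000003542000-memory.dmp",
    "memory/1212-184-0x0000000003490000-0x0000000003542000-memory.dmp",
    "memory/1212-186-0x0000000000400000-0x00000000004B2000-memory.dmp",
]

IMAGE_BASE = 0x400000  # default 32-bit PE image base; an assumption for this sample
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def is_empty_content(hashes: dict[str, str]) -> bool:
    """True when every listed digest equals the digest of zero bytes, i.e. the
    sandbox recorded the artifact's name but captured no data for it."""
    return all(
        hashlib.new(algo, b"").hexdigest() == digest.lower() for algo, digest in hashes.items()
    )


def parse_dump(name: str) -> tuple[int, int, int, int]:
    """Return (pid, sequence, start, end) from a dump file name."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def region_size_kb(name: str) -> int:
    """Size of the dumped region, to cross-check the report's Filesize column."""
    _, _, start, end = parse_dump(name)
    return (end - start) // 1024


def image_sized_copies(dumps: list[str]) -> dict[int, list[int]]:
    """Per PID, start addresses of regions outside IMAGE_BASE whose size equals
    the image region exactly (duplicate dumps of one region are collapsed)."""
    by_pid: dict[int, set[tuple[int, int]]] = defaultdict(set)
    for name in dumps:
        pid, _, start, end = parse_dump(name)
        by_pid[pid].add((start, end - start))
    hits: dict[int, list[int]] = {}
    for pid, regions in by_pid.items():
        image_sizes = {size for start, size in regions if start == IMAGE_BASE}
        copies = sorted(
            start for start, size in regions if start != IMAGE_BASE and size in image_sizes
        )
        if copies:
            hits[pid] = copies
    return hits


if __name__ == "__main__":
    for path, hashes in ARTIFACTS.items():
        print(path, "empty content" if is_empty_content(hashes) else "has content")
    for pid, starts in image_sized_copies(MEMORY_DUMPS).items():
        print(f"PID {pid}: image-sized region(s) at {[hex(s) for s in starts]}")
```

PID 2880 (the original sample's process) is not flagged because its second region is 136KB, smaller than the image; the dropped copies are flagged because their second region is exactly 0xB2000 bytes, the same as the mapped image.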