Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 16/01/2024, 05:12
Static task: static1
Behavioral task: behavioral1
- Sample: 5f0c5a0aeb09dba85a0b7cc898b12af5.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 5f0c5a0aeb09dba85a0b7cc898b12af5.exe
- Resource: win10v2004-20231215-en
General
- Target: 5f0c5a0aeb09dba85a0b7cc898b12af5.exe
- Size: 576KB
- MD5: 5f0c5a0aeb09dba85a0b7cc898b12af5
- SHA1: 64da1f2d6be354241921b1f171fa7f09f06fdd2f
- SHA256: 78c12762ca9d4eab23c2712cc2a09d54c1cd5b44ae9498225f9e52ca7768be44
- SHA512: 8c4b9509691dfd928069da3004368098e061994f61a0087397481abe26b562ebe73806f09460f7483b07fa25b3d9a1efe15e3fd59ba7c07dfa94cc1c0dd28c25
- SSDEEP: 6144:FsSKU3H/2P3rvLhrtXOdlsCMHxci/DTSAKIATI1NRhsBoIy:6ZUXoD1rtSlszF1hAc1NRqB
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Deletes itself (1 IoC)
PID 2788 igfxdwx32.exe
Executes dropped EXE 42 IoCs
Loads dropped DLL 64 IoCs
Maps connected drives based on registry 3 TTPs 64 IoCs
Disk information is often read in order to detect sandboxing environments.
Drops file in System32 directory 64 IoCs
Suspicious use of NtSetInformationThreadHideFromDebugger 43 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

C:\Users\Admin\AppData\Local\Temp\5f0c5a0aeb09dba85a0b7cc898b12af5.exe (level 1, PID 1836)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5f0c5a0aeb09dba85a0b7cc898b12af5.exe"
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\igfxdwx32.exe (level 2, PID 2788)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Users\Admin\AppData\Local\Temp\5F0C5A~1.EXE
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\igfxdwx32.exe (level 3, PID 2804)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\igfxdwx32.exe (level 4, PID 2740)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\igfxdwx32.exe (level 5, PID 3028)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\igfxdwx32.exe (level 6, PID 596)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\igfxdwx32.exe (level 7, PID 1524)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\igfxdwx32.exe (level 8, PID 2892)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\igfxdwx32.exe (level 9, PID 2516)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\igfxdwx32.exe (level 10, PID 1904)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\igfxdwx32.exe (level 11, PID 2852)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\igfxdwx32.exe (level 12, PID 2400)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\igfxdwx32.exe (level 13, PID 2452)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\igfxdwx32.exe (level 14, PID 2184)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\igfxdwx32.exe (level 15, PID 280)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\igfxdwx32.exe (level 16, PID 3060)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\igfxdwx32.exe (level 17, PID 2944)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Windows\SysWOW64\igfxdwx32.exe (level 18, PID 3064)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Windows\SysWOW64\igfxdwx32.exe (level 19, PID 1592)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Windows\SysWOW64\igfxdwx32.exe (level 20, PID 2660)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Windows\SysWOW64\igfxdwx32.exe (level 21, PID 1076)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Windows\SysWOW64\igfxdwx32.exe (level 22, PID 2592)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Windows\SysWOW64\igfxdwx32.exe (level 23, PID 2816)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Windows\SysWOW64\igfxdwx32.exe (level 24, PID 2736)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Windows\SysWOW64\igfxdwx32.exe (level 25, PID 2548)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Windows\SysWOW64\igfxdwx32.exe (level 26, PID 692)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Windows\SysWOW64\igfxdwx32.exe (level 27, PID 572)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Windows\SysWOW64\igfxdwx32.exe (level 28, PID 2252)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Windows\SysWOW64\igfxdwx32.exe (level 29, PID 1180)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Windows\SysWOW64\igfxdwx32.exe (level 30, PID 2248)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Windows\SysWOW64\igfxdwx32.exe (level 31, PID 1620)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Windows\SysWOW64\igfxdwx32.exe (level 32, PID 1116)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Windows\SysWOW64\igfxdwx32.exe (level 33, PID 1760)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Windows\SysWOW64\igfxdwx32.exe (level 34, PID 2164)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Windows\SysWOW64\igfxdwx32.exe (level 35, PID 1480)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Windows\SysWOW64\igfxdwx32.exe (level 36, PID 1636)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Windows\SysWOW64\igfxdwx32.exe (level 37, PID 1664)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Windows\SysWOW64\igfxdwx32.exe (level 38, PID 1220)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Windows\SysWOW64\igfxdwx32.exe (level 39, PID 1796)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Windows\SysWOW64\igfxdwx32.exe (level 40, PID 1320)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Windows\SysWOW64\igfxdwx32.exe (level 41, PID 3056)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Windows\SysWOW64\igfxdwx32.exe (level 42, PID 2528)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Windows\SysWOW64\igfxdwx32.exe (level 43, PID 2480)
  Command line: "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 576KB
- MD5: 5f0c5a0aeb09dba85a0b7cc898b12af5
- SHA1: 64da1f2d6be354241921b1f171fa7f09f06fdd2f
- SHA256: 78c12762ca9d4eab23c2712cc2a09d54c1cd5b44ae9498225f9e52ca7768be44
- SHA512: 8c4b9509691dfd928069da3004368098e061994f61a0087397481abe26b562ebe73806f09460f7483b07fa25b3d9a1efe15e3fd59ba7c07dfa94cc1c0dd28c25