Analysis
-
max time kernel
152s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
16/01/2024, 05:12
Static task
static1
Behavioral task
behavioral1
Sample
5f0c5a0aeb09dba85a0b7cc898b12af5.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
5f0c5a0aeb09dba85a0b7cc898b12af5.exe
Resource
win10v2004-20231215-en
General
-
Target
5f0c5a0aeb09dba85a0b7cc898b12af5.exe
-
Size
576KB
-
MD5
5f0c5a0aeb09dba85a0b7cc898b12af5
-
SHA1
64da1f2d6be354241921b1f171fa7f09f06fdd2f
-
SHA256
78c12762ca9d4eab23c2712cc2a09d54c1cd5b44ae9498225f9e52ca7768be44
-
SHA512
8c4b9509691dfd928069da3004368098e061994f61a0087397481abe26b562ebe73806f09460f7483b07fa25b3d9a1efe15e3fd59ba7c07dfa94cc1c0dd28c25
-
SSDEEP
6144:FsSKU3H/2P3rvLhrtXOdlsCMHxci/DTSAKIATI1NRhsBoIy:6ZUXoD1rtSlszF1hAc1NRqB
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Checks computer location settings 2 TTPs 36 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation 5f0c5a0aeb09dba85a0b7cc898b12af5.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation igfxdwx32.exe -
Deletes itself 1 IoCs
pid Process 3676 igfxdwx32.exe -
Executes dropped EXE 36 IoCs
pid Process 3676 igfxdwx32.exe 4988 igfxdwx32.exe 2456 igfxdwx32.exe 1636 igfxdwx32.exe 3812 igfxdwx32.exe 376 igfxdwx32.exe 4748 igfxdwx32.exe 4548 igfxdwx32.exe 3288 igfxdwx32.exe 1544 igfxdwx32.exe 3672 igfxdwx32.exe 772 igfxdwx32.exe 1912 igfxdwx32.exe 3712 igfxdwx32.exe 2260 igfxdwx32.exe 456 igfxdwx32.exe 4568 igfxdwx32.exe 3160 igfxdwx32.exe 2148 igfxdwx32.exe 5056 igfxdwx32.exe 2924 igfxdwx32.exe 2760 igfxdwx32.exe 3932 igfxdwx32.exe 1968 igfxdwx32.exe 2180 igfxdwx32.exe 2352 igfxdwx32.exe 3960 igfxdwx32.exe 1220 igfxdwx32.exe 220 igfxdwx32.exe 2288 igfxdwx32.exe 4540 igfxdwx32.exe 1312 igfxdwx32.exe 4924 igfxdwx32.exe 4916 igfxdwx32.exe 264 igfxdwx32.exe 4660 igfxdwx32.exe -
Maps connected drives based on registry 3 TTPs 64 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 5f0c5a0aeb09dba85a0b7cc898b12af5.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxdwx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxdwx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxdwx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxdwx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxdwx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxdwx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxdwx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxdwx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxdwx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxdwx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxdwx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxdwx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxdwx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxdwx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxdwx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxdwx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxdwx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxdwx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxdwx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxdwx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxdwx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxdwx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxdwx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxdwx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxdwx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxdwx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxdwx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxdwx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 igfxdwx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxdwx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxdwx32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum igfxdwx32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\ igfxdwx32.exe File created C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\ igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\ igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\ igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\ igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\ igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\ igfxdwx32.exe File created C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File created C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\ igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File created C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File created C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File created C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File created C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File created C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File created C:\Windows\SysWOW64\igfxdwx32.exe 5f0c5a0aeb09dba85a0b7cc898b12af5.exe File opened for modification C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File created C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\ igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File created C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File created C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File created C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File created C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\ 5f0c5a0aeb09dba85a0b7cc898b12af5.exe File opened for modification C:\Windows\SysWOW64\ igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\ igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\ igfxdwx32.exe File created C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File created C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\ igfxdwx32.exe File created C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\ igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\ igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\ igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\ igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File created C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\ igfxdwx32.exe File created C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File created C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe File opened for modification C:\Windows\SysWOW64\ igfxdwx32.exe File created C:\Windows\SysWOW64\igfxdwx32.exe igfxdwx32.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 37 IoCs
pid Process 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 3676 igfxdwx32.exe 4988 igfxdwx32.exe 2456 igfxdwx32.exe 1636 igfxdwx32.exe 3812 igfxdwx32.exe 376 igfxdwx32.exe 4748 igfxdwx32.exe 4548 igfxdwx32.exe 3288 igfxdwx32.exe 1544 igfxdwx32.exe 3672 igfxdwx32.exe 772 igfxdwx32.exe 1912 igfxdwx32.exe 3712 igfxdwx32.exe 2260 igfxdwx32.exe 456 igfxdwx32.exe 4568 igfxdwx32.exe 3160 igfxdwx32.exe 2148 igfxdwx32.exe 5056 igfxdwx32.exe 2924 igfxdwx32.exe 2760 igfxdwx32.exe 3932 igfxdwx32.exe 1968 igfxdwx32.exe 2180 igfxdwx32.exe 2352 igfxdwx32.exe 3960 igfxdwx32.exe 1220 igfxdwx32.exe 220 igfxdwx32.exe 2288 igfxdwx32.exe 4540 igfxdwx32.exe 1312 igfxdwx32.exe 4924 igfxdwx32.exe 4916 igfxdwx32.exe 264 igfxdwx32.exe 4660 igfxdwx32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 36 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 5f0c5a0aeb09dba85a0b7cc898b12af5.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ igfxdwx32.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 3676 igfxdwx32.exe 3676 igfxdwx32.exe 3676 igfxdwx32.exe 3676 igfxdwx32.exe 3676 igfxdwx32.exe 3676 igfxdwx32.exe 3676 igfxdwx32.exe 3676 igfxdwx32.exe 3676 igfxdwx32.exe 3676 igfxdwx32.exe 3676 igfxdwx32.exe 3676 igfxdwx32.exe 3676 igfxdwx32.exe 3676 igfxdwx32.exe 3676 igfxdwx32.exe 3676 igfxdwx32.exe 3676 igfxdwx32.exe 3676 igfxdwx32.exe 3676 igfxdwx32.exe 3676 igfxdwx32.exe 3676 igfxdwx32.exe 3676 igfxdwx32.exe 3676 igfxdwx32.exe 3676 igfxdwx32.exe 3676 igfxdwx32.exe 3676 igfxdwx32.exe 3676 igfxdwx32.exe 3676 igfxdwx32.exe 3676 igfxdwx32.exe 3676 igfxdwx32.exe 4988 igfxdwx32.exe 4988 igfxdwx32.exe 4988 igfxdwx32.exe 4988 igfxdwx32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3424 wrote to memory of 3676 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 90 PID 3424 wrote to memory of 3676 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 90 PID 3424 wrote to memory of 3676 3424 5f0c5a0aeb09dba85a0b7cc898b12af5.exe 90 PID 3676 wrote to memory of 4988 3676 igfxdwx32.exe 95 PID 3676 wrote to memory of 4988 3676 igfxdwx32.exe 95 PID 3676 wrote to memory of 4988 3676 igfxdwx32.exe 95 PID 4988 wrote to memory of 2456 4988 igfxdwx32.exe 97 PID 4988 wrote to memory of 2456 4988 igfxdwx32.exe 97 PID 4988 wrote to memory of 2456 4988 igfxdwx32.exe 97 PID 2456 wrote to memory of 1636 2456 igfxdwx32.exe 100 PID 2456 wrote to memory of 1636 2456 igfxdwx32.exe 100 PID 2456 wrote to memory of 1636 2456 igfxdwx32.exe 100 PID 1636 wrote to memory of 3812 1636 igfxdwx32.exe 101 PID 1636 wrote to memory of 3812 1636 igfxdwx32.exe 101 PID 1636 wrote to memory of 3812 1636 igfxdwx32.exe 101 PID 3812 wrote to memory of 376 3812 igfxdwx32.exe 102 PID 3812 wrote to memory of 376 3812 igfxdwx32.exe 102 PID 3812 wrote to memory of 376 3812 igfxdwx32.exe 102 PID 376 wrote to memory of 4748 376 igfxdwx32.exe 104 PID 376 wrote to memory of 4748 376 igfxdwx32.exe 104 PID 376 wrote to memory of 4748 376 igfxdwx32.exe 104 PID 4748 wrote to memory of 4548 4748 igfxdwx32.exe 105 PID 4748 wrote to memory of 4548 4748 igfxdwx32.exe 105 PID 4748 wrote to memory of 4548 4748 igfxdwx32.exe 105 PID 4548 wrote to memory of 3288 4548 igfxdwx32.exe 106 PID 4548 wrote to memory of 3288 4548 igfxdwx32.exe 106 PID 4548 wrote to memory of 3288 4548 igfxdwx32.exe 106 PID 3288 wrote to memory of 1544 3288 igfxdwx32.exe 107 PID 3288 wrote to memory of 1544 3288 igfxdwx32.exe 107 PID 3288 wrote to memory of 1544 3288 igfxdwx32.exe 107 PID 1544 wrote to memory of 3672 1544 igfxdwx32.exe 108 PID 1544 wrote to memory of 3672 1544 igfxdwx32.exe 108 PID 1544 wrote to memory of 3672 1544 igfxdwx32.exe 108 PID 3672 wrote to memory of 772 3672 igfxdwx32.exe 109 PID 3672 wrote to memory of 772 3672 igfxdwx32.exe 109 PID 3672 wrote to memory of 772 3672 igfxdwx32.exe 109 PID 772 wrote to memory of 1912 772 igfxdwx32.exe 110 PID 772 wrote to memory of 1912 772 igfxdwx32.exe 110 PID 772 wrote to memory of 1912 772 igfxdwx32.exe 110 PID 1912 wrote to memory of 3712 1912 igfxdwx32.exe 111 PID 1912 wrote to memory of 3712 1912 igfxdwx32.exe 111 PID 1912 wrote to memory of 3712 1912 igfxdwx32.exe 111 PID 3712 wrote to memory of 2260 3712 igfxdwx32.exe 112 PID 3712 wrote to memory of 2260 3712 igfxdwx32.exe 112 PID 3712 wrote to memory of 2260 3712 igfxdwx32.exe 112 PID 2260 wrote to memory of 456 2260 igfxdwx32.exe 113 PID 2260 wrote to memory of 456 2260 igfxdwx32.exe 113 PID 2260 wrote to memory of 456 2260 igfxdwx32.exe 113 PID 456 wrote to memory of 4568 456 igfxdwx32.exe 114 PID 456 wrote to memory of 4568 456 igfxdwx32.exe 114 PID 456 wrote to memory of 4568 456 igfxdwx32.exe 114 PID 4568 wrote to memory of 3160 4568 igfxdwx32.exe 115 PID 4568 wrote to memory of 3160 4568 igfxdwx32.exe 115 PID 4568 wrote to memory of 3160 4568 igfxdwx32.exe 115 PID 3160 wrote to memory of 2148 3160 igfxdwx32.exe 116 PID 3160 wrote to memory of 2148 3160 igfxdwx32.exe 116 PID 3160 wrote to memory of 2148 3160 igfxdwx32.exe 116 PID 2148 wrote to memory of 5056 2148 igfxdwx32.exe 117 PID 2148 wrote to memory of 5056 2148 igfxdwx32.exe 117 PID 2148 wrote to memory of 5056 2148 igfxdwx32.exe 117 PID 5056 wrote to memory of 2924 5056 igfxdwx32.exe 118 PID 5056 wrote to memory of 2924 5056 igfxdwx32.exe 118 PID 5056 wrote to memory of 2924 5056 igfxdwx32.exe 118 PID 2924 wrote to memory of 2760 2924 igfxdwx32.exe 119
Processes
-
C:\Users\Admin\AppData\Local\Temp\5f0c5a0aeb09dba85a0b7cc898b12af5.exe"C:\Users\Admin\AppData\Local\Temp\5f0c5a0aeb09dba85a0b7cc898b12af5.exe"1⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3424 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Users\Admin\AppData\Local\Temp\5F0C5A~1.EXE2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE3⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE4⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE5⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE6⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3812 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE7⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE8⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE9⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE10⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3288 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE11⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE12⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE13⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE14⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE15⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3712 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE16⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE17⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE18⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE19⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE20⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE21⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE22⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE23⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE24⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:3932 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE25⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:1968 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE26⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:2180 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE27⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE28⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:3960 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE29⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:1220 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE30⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:220 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE31⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE32⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:4540 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE33⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:1312 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE34⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:4924 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE35⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:4916 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE36⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
PID:264 -
C:\Windows\SysWOW64\igfxdwx32.exe"C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE37⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4660
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
128KB
MD5394f43efe4bcea53596601a3de577d0e
SHA1739e71644090be7e9f4c9e947d4450bdadb5cdc0
SHA25670c6bcefd5cf6dccf6c23abf93cd1281906b6aa874a181c29148b3fa55ca3c78
SHA51239ffda86b7f5a61f96d17a788efc48ec63bb787eba5ffba8586d4ba198a8b2fd1cdce79cabd071127e730d32af97cff03c79bfbed49c3fffb4bd957aac04d592
-
Filesize
576KB
MD55f0c5a0aeb09dba85a0b7cc898b12af5
SHA164da1f2d6be354241921b1f171fa7f09f06fdd2f
SHA25678c12762ca9d4eab23c2712cc2a09d54c1cd5b44ae9498225f9e52ca7768be44
SHA5128c4b9509691dfd928069da3004368098e061994f61a0087397481abe26b562ebe73806f09460f7483b07fa25b3d9a1efe15e3fd59ba7c07dfa94cc1c0dd28c25