Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 21/01/2024, 23:58
Static task: static1
Behavioral task behavioral1: sample igfxctv32.exe, resource win7-20231215-en
Behavioral task behavioral2: sample igfxctv32.exe, resource win10v2004-20231222-en
Behavioral task behavioral3: sample wmpctv32.exe, resource win7-20231129-en
Behavioral task behavioral4: sample wmpctv32.exe, resource win10v2004-20231222-en
General
Target: igfxctv32.exe
Size: 139KB
MD5: b5202ea069462c2e8b64ff72100faa28
SHA1: 7ffd5668f76d34515eb979bc38dde3b4daf84f74
SHA256: d445f21a4bd3aa1d61ad5e26df3535e611d44b1d9c70149987ee6979f8e9d3e4
SHA512: 02a1edf3721d8c471f254dcb7dbf0a5b7ed7448e8f37e218fe5f8429b81dff501eb9edf97b628f4eaa4c204ed809349bd3434d6fde8c7988084689a1366670a1
SSDEEP: 3072:1whYNSrlVZOlVbKLbHLAxY1RThXrz6hI+hc99r4T183HtlNNuA:Sm6oVbu74Y1RThXr914wH9QA
Malware Config
Extracted: metasploit (encoder/call4_dword_xor)
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Deletes itself 1 IoCs
pid 2696, process igfxctv32.exe
Executes dropped EXE 26 IoCs
Loads dropped DLL 52 IoCs
yara_rule upx: matched in behavioral1 memory dumps of igfxctv32.exe (region 0x0000000000400000-0x000000000045A000)
Maps connected drives based on registry 3 TTPs 28 IoCs
Disk information is often read in order to detect sandboxing environments.
Drops file in System32 directory 39 IoCs
Suspicious use of SetThreadContext 14 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 27 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe
"C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe" (depth 1)
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 2284

C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe
"C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe" (depth 2)
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3068

C:\Windows\SysWOW64\igfxctv32.exe
"C:\Windows\system32\igfxctv32.exe" C:\Users\Admin\AppData\Local\Temp\IGFXCT~1.EXE (depth 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 2720

C:\Windows\SysWOW64\igfxctv32.exe
"C:\Windows\system32\igfxctv32.exe" C:\Users\Admin\AppData\Local\Temp\IGFXCT~1.EXE (depth 4)
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2696

C:\Windows\SysWOW64\igfxctv32.exe
"C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE (depth 5)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 2392

C:\Windows\SysWOW64\igfxctv32.exe
"C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE (depth 6)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2516

C:\Windows\SysWOW64\igfxctv32.exe
"C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE (depth 7)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 1052

C:\Windows\SysWOW64\igfxctv32.exe
"C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE (depth 8)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2468

C:\Windows\SysWOW64\igfxctv32.exe
"C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE (depth 9)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 588

C:\Windows\SysWOW64\igfxctv32.exe
"C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE (depth 10)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2740

C:\Windows\SysWOW64\igfxctv32.exe
"C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE (depth 11)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 2040

C:\Windows\SysWOW64\igfxctv32.exe
"C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE (depth 12)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2072

C:\Windows\SysWOW64\igfxctv32.exe
"C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE (depth 13)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID: 2088

C:\Windows\SysWOW64\igfxctv32.exe
"C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE (depth 14)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID: 1036

C:\Windows\SysWOW64\igfxctv32.exe
"C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE (depth 15)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID: 1724

C:\Windows\SysWOW64\igfxctv32.exe
"C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE (depth 16)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID: 1764

C:\Windows\SysWOW64\igfxctv32.exe
"C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE (depth 17)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID: 2052

C:\Windows\SysWOW64\igfxctv32.exe
"C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE (depth 18)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID: 760

C:\Windows\SysWOW64\igfxctv32.exe
"C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE (depth 19)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID: 1736

C:\Windows\SysWOW64\igfxctv32.exe
"C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE (depth 20)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID: 1704

C:\Windows\SysWOW64\igfxctv32.exe
"C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE (depth 21)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID: 2848

C:\Windows\SysWOW64\igfxctv32.exe
"C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE (depth 22)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID: 2724

C:\Windows\SysWOW64\igfxctv32.exe
"C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE (depth 23)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID: 2596

C:\Windows\SysWOW64\igfxctv32.exe
"C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE (depth 24)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID: 2616

C:\Windows\SysWOW64\igfxctv32.exe
"C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE (depth 25)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID: 2876

C:\Windows\SysWOW64\igfxctv32.exe
"C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE (depth 26)
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID: 2884

C:\Windows\SysWOW64\igfxctv32.exe
"C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE (depth 27)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID: 1680

C:\Windows\SysWOW64\igfxctv32.exe
"C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE (depth 28)
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID: 552
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 139KB
MD5: b5202ea069462c2e8b64ff72100faa28
SHA1: 7ffd5668f76d34515eb979bc38dde3b4daf84f74
SHA256: d445f21a4bd3aa1d61ad5e26df3535e611d44b1d9c70149987ee6979f8e9d3e4
SHA512: 02a1edf3721d8c471f254dcb7dbf0a5b7ed7448e8f37e218fe5f8429b81dff501eb9edf97b628f4eaa4c204ed809349bd3434d6fde8c7988084689a1366670a1

Filesize: 126KB
MD5: 0bd7111935b72b16d91b78f6f34b7bbc
SHA1: cad6d64970fca1abdf1c9f449a66fc12c04d5615
SHA256: 954915b0a36d0c6609a0e4c4a29a2b54e0f4052514ca754cfcf9d12e1d3b6fcf
SHA512: fb685ba7c3f23d13e31716a481a7e6568116e1e0edf7aad63c97053e7fdb5a9a8beafe0977d66988ec1746cd5c40d8cf997a528a5a22b6c8ea06978c760bf977

Filesize: 85KB
MD5: b9b900d9241ae57f65809474f1809245
SHA1: 73c170773f31ee9f5210322448fec4ede2043db5
SHA256: 65ee5bb848d4e2f48b32a44bf7b1df75586decd4e1c79bedef059eddb12c78c5
SHA512: a2537cc2c69f0b5db21d97cebc0f4e8c91e338dcdcc04f34b4a06b99a16f896aa073ecb95e26b0909a5a0a75ba200c48c872d598d2fe66ed9796cf2f8f235747

Filesize: 107KB
MD5: b47e1ac6a488aa96889a0efd4df24832
SHA1: fb9b5f6c2655487359337128eeb09cc0a76a5324
SHA256: 7eb9118510bdd904fdddb784577eb76c688ced943328b2706d438c91b0a58826
SHA512: c4399906647d459a034e8a476b9233f7deb93c3165097b754b9e58bb83f5814aa3948786e0409f0d9d324727b06c95566587576dbab68e13d865c59b33f7d6aa