Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/01/2024, 23:58
Static task: static1
Behavioral task: behavioral1
Sample: igfxctv32.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: igfxctv32.exe
Resource: win10v2004-20231222-en
Behavioral task: behavioral3
Sample: wmpctv32.exe
Resource: win7-20231129-en
Behavioral task: behavioral4
Sample: wmpctv32.exe
Resource: win10v2004-20231222-en
General
Target: igfxctv32.exe
Size: 139KB
MD5: b5202ea069462c2e8b64ff72100faa28
SHA1: 7ffd5668f76d34515eb979bc38dde3b4daf84f74
SHA256: d445f21a4bd3aa1d61ad5e26df3535e611d44b1d9c70149987ee6979f8e9d3e4
SHA512: 02a1edf3721d8c471f254dcb7dbf0a5b7ed7448e8f37e218fe5f8429b81dff501eb9edf97b628f4eaa4c204ed809349bd3434d6fde8c7988084689a1366670a1
SSDEEP: 3072:1whYNSrlVZOlVbKLbHLAxY1RThXrz6hI+hc99r4T183HtlNNuA:Sm6oVbu74Y1RThXr914wH9QA
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Checks computer location settings (2 TTPs, 14 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | igfxctv32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | igfxctv32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | igfxctv32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | igfxctv32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | igfxctv32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | igfxctv32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | igfxctv32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | igfxctv32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | igfxctv32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | igfxctv32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | igfxctv32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | igfxctv32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | igfxctv32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | igfxctv32.exe
Deletes itself (1 IoCs)
pid | Process
900 | igfxctv32.exe
Executes dropped EXE (28 IoCs)
pid | Process
1160 | igfxctv32.exe
900 | igfxctv32.exe
4508 | igfxctv32.exe
2500 | igfxctv32.exe
3168 | igfxctv32.exe
3180 | igfxctv32.exe
4136 | igfxctv32.exe
3480 | igfxctv32.exe
3868 | igfxctv32.exe
720 | igfxctv32.exe
1420 | igfxctv32.exe
856 | igfxctv32.exe
5060 | igfxctv32.exe
872 | igfxctv32.exe
4448 | igfxctv32.exe
4952 | igfxctv32.exe
5000 | igfxctv32.exe
1844 | igfxctv32.exe
1880 | igfxctv32.exe
1420 | igfxctv32.exe
1920 | igfxctv32.exe
4380 | igfxctv32.exe
2324 | igfxctv32.exe
920 | igfxctv32.exe
2404 | igfxctv32.exe
1324 | igfxctv32.exe
1456 | igfxctv32.exe
1960 | igfxctv32.exe
resource | yara_rule
behavioral2/memory/4700-0-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/4700-4-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/4700-3-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/4700-2-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/900-43-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/4700-44-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/900-51-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/2500-52-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/900-54-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/2500-59-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/2500-64-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/3180-62-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/3180-70-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/3480-73-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/3180-75-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/3480-81-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/720-83-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/3480-85-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/720-90-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/720-92-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/856-99-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/872-102-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/856-104-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/872-110-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/872-114-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/4952-112-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/4952-120-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/1844-122-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/1844-124-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/4952-127-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/1420-134-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/1844-138-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/4380-146-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/1420-149-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/920-157-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/4380-160-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/1324-169-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/920-172-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/1960-179-0x0000000000400000-0x000000000045A000-memory.dmp | upx
behavioral2/memory/1324-183-0x0000000000400000-0x000000000045A000-memory.dmp | upx
Maps connected drives based on registry (3 TTPs, 30 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxctv32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxctv32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxctv32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxctv32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxctv32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxctv32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxctv32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxctv32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxctv32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxctv32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxctv32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxctv32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxctv32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxctv32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxctv32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxctv32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxctv32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxctv32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxctv32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxctv32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxctv32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxctv32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxctv32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxctv32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxctv32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxctv32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxctv32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxctv32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxctv32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxctv32.exe
Drops file in System32 directory (42 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\igfxctv32.exe | igfxctv32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxctv32.exe
File created | C:\Windows\SysWOW64\igfxctv32.exe | igfxctv32.exe
File created | C:\Windows\SysWOW64\igfxctv32.exe | igfxctv32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxctv32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxctv32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxctv32.exe
File opened for modification | C:\Windows\SysWOW64\igfxctv32.exe | igfxctv32.exe
File created | C:\Windows\SysWOW64\igfxctv32.exe | igfxctv32.exe
File created | C:\Windows\SysWOW64\igfxctv32.exe | igfxctv32.exe
File opened for modification | C:\Windows\SysWOW64\igfxctv32.exe | igfxctv32.exe
File opened for modification | C:\Windows\SysWOW64\igfxctv32.exe | igfxctv32.exe
File opened for modification | C:\Windows\SysWOW64\igfxctv32.exe | igfxctv32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxctv32.exe
File created | C:\Windows\SysWOW64\igfxctv32.exe | igfxctv32.exe
File created | C:\Windows\SysWOW64\igfxctv32.exe | igfxctv32.exe
File opened for modification | C:\Windows\SysWOW64\igfxctv32.exe | igfxctv32.exe
File opened for modification | C:\Windows\SysWOW64\igfxctv32.exe | igfxctv32.exe
File created | C:\Windows\SysWOW64\igfxctv32.exe | igfxctv32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxctv32.exe
File opened for modification | C:\Windows\SysWOW64\igfxctv32.exe | igfxctv32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxctv32.exe
File opened for modification | C:\Windows\SysWOW64\igfxctv32.exe | igfxctv32.exe
File created | C:\Windows\SysWOW64\igfxctv32.exe | igfxctv32.exe
File opened for modification | C:\Windows\SysWOW64\igfxctv32.exe | igfxctv32.exe
File created | C:\Windows\SysWOW64\igfxctv32.exe | igfxctv32.exe
File opened for modification | C:\Windows\SysWOW64\igfxctv32.exe | igfxctv32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxctv32.exe
File opened for modification | C:\Windows\SysWOW64\igfxctv32.exe | igfxctv32.exe
File created | C:\Windows\SysWOW64\igfxctv32.exe | igfxctv32.exe
File created | C:\Windows\SysWOW64\igfxctv32.exe | igfxctv32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxctv32.exe
File created | C:\Windows\SysWOW64\igfxctv32.exe | igfxctv32.exe
File created | C:\Windows\SysWOW64\igfxctv32.exe | igfxctv32.exe
File opened for modification | C:\Windows\SysWOW64\igfxctv32.exe | igfxctv32.exe
File opened for modification | C:\Windows\SysWOW64\igfxctv32.exe | igfxctv32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxctv32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxctv32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxctv32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxctv32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxctv32.exe
File created | C:\Windows\SysWOW64\igfxctv32.exe | igfxctv32.exe
Suspicious use of SetThreadContext (15 IoCs)
description | pid | Process | procid_target
PID 3480 set thread context of 4700 | 3480 | igfxctv32.exe | 92
PID 1160 set thread context of 900 | 1160 | igfxctv32.exe | 104
PID 4508 set thread context of 2500 | 4508 | igfxctv32.exe | 107
PID 3168 set thread context of 3180 | 3168 | igfxctv32.exe | 110
PID 4136 set thread context of 3480 | 4136 | igfxctv32.exe | 113
PID 3868 set thread context of 720 | 3868 | igfxctv32.exe | 115
PID 1420 set thread context of 856 | 1420 | igfxctv32.exe | 117
PID 5060 set thread context of 872 | 5060 | igfxctv32.exe | 120
PID 4448 set thread context of 4952 | 4448 | igfxctv32.exe | 122
PID 5000 set thread context of 1844 | 5000 | igfxctv32.exe | 124
PID 1880 set thread context of 1420 | 1880 | igfxctv32.exe | 134
PID 1920 set thread context of 4380 | 1920 | igfxctv32.exe | 136
PID 2324 set thread context of 920 | 2324 | igfxctv32.exe | 138
PID 2404 set thread context of 1324 | 2404 | igfxctv32.exe | 143
PID 1456 set thread context of 1960 | 1456 | igfxctv32.exe | 145
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (14 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxctv32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxctv32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxctv32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxctv32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxctv32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxctv32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxctv32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxctv32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxctv32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxctv32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxctv32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxctv32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxctv32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxctv32.exe
Suspicious behavior: EnumeratesProcesses (58 IoCs)
pid | Process
4700 | igfxctv32.exe
4700 | igfxctv32.exe
4700 | igfxctv32.exe
4700 | igfxctv32.exe
900 | igfxctv32.exe
900 | igfxctv32.exe
900 | igfxctv32.exe
900 | igfxctv32.exe
2500 | igfxctv32.exe
2500 | igfxctv32.exe
2500 | igfxctv32.exe
2500 | igfxctv32.exe
3180 | igfxctv32.exe
3180 | igfxctv32.exe
3180 | igfxctv32.exe
3180 | igfxctv32.exe
3480 | igfxctv32.exe
3480 | igfxctv32.exe
3480 | igfxctv32.exe
3480 | igfxctv32.exe
720 | igfxctv32.exe
720 | igfxctv32.exe
720 | igfxctv32.exe
720 | igfxctv32.exe
856 | igfxctv32.exe
856 | igfxctv32.exe
856 | igfxctv32.exe
856 | igfxctv32.exe
872 | igfxctv32.exe
872 | igfxctv32.exe
872 | igfxctv32.exe
872 | igfxctv32.exe
4952 | igfxctv32.exe
4952 | igfxctv32.exe
4952 | igfxctv32.exe
4952 | igfxctv32.exe
1844 | igfxctv32.exe
1844 | igfxctv32.exe
1844 | igfxctv32.exe
1844 | igfxctv32.exe
1420 | igfxctv32.exe
1420 | igfxctv32.exe
1420 | igfxctv32.exe
1420 | igfxctv32.exe
4380 | igfxctv32.exe
4380 | igfxctv32.exe
4380 | igfxctv32.exe
4380 | igfxctv32.exe
920 | igfxctv32.exe
920 | igfxctv32.exe
920 | igfxctv32.exe
920 | igfxctv32.exe
1324 | igfxctv32.exe
1324 | igfxctv32.exe
1324 | igfxctv32.exe
1324 | igfxctv32.exe
1960 | igfxctv32.exe
1960 | igfxctv32.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3480 wrote to memory of 4700 | 3480 | igfxctv32.exe | 92
PID 3480 wrote to memory of 4700 | 3480 | igfxctv32.exe | 92
PID 3480 wrote to memory of 4700 | 3480 | igfxctv32.exe | 92
PID 3480 wrote to memory of 4700 | 3480 | igfxctv32.exe | 92
PID 3480 wrote to memory of 4700 | 3480 | igfxctv32.exe | 92
PID 3480 wrote to memory of 4700 | 3480 | igfxctv32.exe | 92
PID 3480 wrote to memory of 4700 | 3480 | igfxctv32.exe | 92
PID 4700 wrote to memory of 1160 | 4700 | igfxctv32.exe | 103
PID 4700 wrote to memory of 1160 | 4700 | igfxctv32.exe | 103
PID 4700 wrote to memory of 1160 | 4700 | igfxctv32.exe | 103
PID 1160 wrote to memory of 900 | 1160 | igfxctv32.exe | 104
PID 1160 wrote to memory of 900 | 1160 | igfxctv32.exe | 104
PID 1160 wrote to memory of 900 | 1160 | igfxctv32.exe | 104
PID 1160 wrote to memory of 900 | 1160 | igfxctv32.exe | 104
PID 1160 wrote to memory of 900 | 1160 | igfxctv32.exe | 104
PID 1160 wrote to memory of 900 | 1160 | igfxctv32.exe | 104
PID 1160 wrote to memory of 900 | 1160 | igfxctv32.exe | 104
PID 900 wrote to memory of 4508 | 900 | igfxctv32.exe | 106
PID 900 wrote to memory of 4508 | 900 | igfxctv32.exe | 106
PID 900 wrote to memory of 4508 | 900 | igfxctv32.exe | 106
PID 4508 wrote to memory of 2500 | 4508 | igfxctv32.exe | 107
PID 4508 wrote to memory of 2500 | 4508 | igfxctv32.exe | 107
PID 4508 wrote to memory of 2500 | 4508 | igfxctv32.exe | 107
PID 4508 wrote to memory of 2500 | 4508 | igfxctv32.exe | 107
PID 4508 wrote to memory of 2500 | 4508 | igfxctv32.exe | 107
PID 4508 wrote to memory of 2500 | 4508 | igfxctv32.exe | 107
PID 4508 wrote to memory of 2500 | 4508 | igfxctv32.exe | 107
PID 2500 wrote to memory of 3168 | 2500 | igfxctv32.exe | 109
PID 2500 wrote to memory of 3168 | 2500 | igfxctv32.exe | 109
PID 2500 wrote to memory of 3168 | 2500 | igfxctv32.exe | 109
PID 3168 wrote to memory of 3180 | 3168 | igfxctv32.exe | 110
PID 3168 wrote to memory of 3180 | 3168 | igfxctv32.exe | 110
PID 3168 wrote to memory of 3180 | 3168 | igfxctv32.exe | 110
PID 3168 wrote to memory of 3180 | 3168 | igfxctv32.exe | 110
PID 3168 wrote to memory of 3180 | 3168 | igfxctv32.exe | 110
PID 3168 wrote to memory of 3180 | 3168 | igfxctv32.exe | 110
PID 3168 wrote to memory of 3180 | 3168 | igfxctv32.exe | 110
PID 3180 wrote to memory of 4136 | 3180 | igfxctv32.exe | 112
PID 3180 wrote to memory of 4136 | 3180 | igfxctv32.exe | 112
PID 3180 wrote to memory of 4136 | 3180 | igfxctv32.exe | 112
PID 4136 wrote to memory of 3480 | 4136 | igfxctv32.exe | 113
PID 4136 wrote to memory of 3480 | 4136 | igfxctv32.exe | 113
PID 4136 wrote to memory of 3480 | 4136 | igfxctv32.exe | 113
PID 4136 wrote to memory of 3480 | 4136 | igfxctv32.exe | 113
PID 4136 wrote to memory of 3480 | 4136 | igfxctv32.exe | 113
PID 4136 wrote to memory of 3480 | 4136 | igfxctv32.exe | 113
PID 4136 wrote to memory of 3480 | 4136 | igfxctv32.exe | 113
PID 3480 wrote to memory of 3868 | 3480 | igfxctv32.exe | 114
PID 3480 wrote to memory of 3868 | 3480 | igfxctv32.exe | 114
PID 3480 wrote to memory of 3868 | 3480 | igfxctv32.exe | 114
PID 3868 wrote to memory of 720 | 3868 | igfxctv32.exe | 115
PID 3868 wrote to memory of 720 | 3868 | igfxctv32.exe | 115
PID 3868 wrote to memory of 720 | 3868 | igfxctv32.exe | 115
PID 3868 wrote to memory of 720 | 3868 | igfxctv32.exe | 115
PID 3868 wrote to memory of 720 | 3868 | igfxctv32.exe | 115
PID 3868 wrote to memory of 720 | 3868 | igfxctv32.exe | 115
PID 3868 wrote to memory of 720 | 3868 | igfxctv32.exe | 115
PID 720 wrote to memory of 1420 | 720 | igfxctv32.exe | 116
PID 720 wrote to memory of 1420 | 720 | igfxctv32.exe | 116
PID 720 wrote to memory of 1420 | 720 | igfxctv32.exe | 116
PID 1420 wrote to memory of 856 | 1420 | igfxctv32.exe | 117
PID 1420 wrote to memory of 856 | 1420 | igfxctv32.exe | 117
PID 1420 wrote to memory of 856 | 1420 | igfxctv32.exe | 117
PID 1420 wrote to memory of 856 | 1420 | igfxctv32.exe | 117
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 3480

Level 2: C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\igfxctv32.exe"
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4700

Level 3: C:\Windows\SysWOW64\igfxctv32.exe
Command line: "C:\Windows\system32\igfxctv32.exe" C:\Users\Admin\AppData\Local\Temp\IGFXCT~1.EXE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 1160

Level 4: C:\Windows\SysWOW64\igfxctv32.exe
Command line: "C:\Windows\system32\igfxctv32.exe" C:\Users\Admin\AppData\Local\Temp\IGFXCT~1.EXE
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 900

Level 5: C:\Windows\SysWOW64\igfxctv32.exe
Command line: "C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 4508
Level 6: C:\Windows\SysWOW64\igfxctv32.exe
Command line: "C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2500

Level 7: C:\Windows\SysWOW64\igfxctv32.exe
Command line: "C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 3168

Level 8: C:\Windows\SysWOW64\igfxctv32.exe
Command line: "C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3180

Level 9: C:\Windows\SysWOW64\igfxctv32.exe
Command line: "C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 4136

Level 10: C:\Windows\SysWOW64\igfxctv32.exe
Command line: "C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3480

Level 11: C:\Windows\SysWOW64\igfxctv32.exe
Command line: "C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 3868

Level 12: C:\Windows\SysWOW64\igfxctv32.exe
Command line: "C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 720
Level 13: C:\Windows\SysWOW64\igfxctv32.exe
Command line: "C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 1420

Level 14: C:\Windows\SysWOW64\igfxctv32.exe
Command line: "C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 856

Level 15: C:\Windows\SysWOW64\igfxctv32.exe
Command line: "C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 5060

Level 16: C:\Windows\SysWOW64\igfxctv32.exe
Command line: "C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 872

Level 17: C:\Windows\SysWOW64\igfxctv32.exe
Command line: "C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 4448

Level 18: C:\Windows\SysWOW64\igfxctv32.exe
Command line: "C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 4952

Level 19: C:\Windows\SysWOW64\igfxctv32.exe
Command line: "C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 5000

Level 20: C:\Windows\SysWOW64\igfxctv32.exe
Command line: "C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 1844

Level 21: C:\Windows\SysWOW64\igfxctv32.exe
Command line: "C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 1880

Level 22: C:\Windows\SysWOW64\igfxctv32.exe
Command line: "C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 1420
Level 23: C:\Windows\SysWOW64\igfxctv32.exe
Command line: "C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 1920

Level 24: C:\Windows\SysWOW64\igfxctv32.exe
Command line: "C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 4380

Level 25: C:\Windows\SysWOW64\igfxctv32.exe
Command line: "C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 2324

Level 26: C:\Windows\SysWOW64\igfxctv32.exe
Command line: "C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 920

Level 27: C:\Windows\SysWOW64\igfxctv32.exe
Command line: "C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 2404

Level 28: C:\Windows\SysWOW64\igfxctv32.exe
Command line: "C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 1324

Level 29: C:\Windows\SysWOW64\igfxctv32.exe
Command line: "C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID: 1456

Level 30: C:\Windows\SysWOW64\igfxctv32.exe
Command line: "C:\Windows\system32\igfxctv32.exe" C:\Windows\SysWOW64\IGFXCT~1.EXE
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
PID: 1960
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 139KB
MD5: b5202ea069462c2e8b64ff72100faa28
SHA1: 7ffd5668f76d34515eb979bc38dde3b4daf84f74
SHA256: d445f21a4bd3aa1d61ad5e26df3535e611d44b1d9c70149987ee6979f8e9d3e4
SHA512: 02a1edf3721d8c471f254dcb7dbf0a5b7ed7448e8f37e218fe5f8429b81dff501eb9edf97b628f4eaa4c204ed809349bd3434d6fde8c7988084689a1366670a1