Malware Analysis Report

2025-08-06 04:05

Sample ID 240121-k99vasagb2
Target 6ceef262ae79d08819ff56e76ea48dca
SHA256 386607167eaf8859eb668cfb05f11fb43cd2f6510b29cac1e1a301986580ea71
Tags
metasploit backdoor evasion persistence trojan upx
score
10/10

Analysis Overview

Threat Level: Known bad

The file 6ceef262ae79d08819ff56e76ea48dca was found to be: Known bad.

Malicious Activity Summary

Modifies firewall policy service

MetaSploit

Executes dropped EXE

UPX packed file

Loads dropped DLL

Deletes itself

Checks computer location settings

Maps connected drives based on registry

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-01-21 09:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-21 09:19

Reported

2024-01-21 09:21

Platform

win7-20231215-en

Max time kernel

148s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List C:\Windows\SysWOW64\igfxdt86.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\igfxdt86.exe = "C:\\Windows\\SysWOW64\\igfxdt86.exe:*:Enabled:Intel Wifi Protocal" C:\Windows\SysWOW64\igfxdt86.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\igfxdt86.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\igfxdt86.exe = "C:\\Windows\\SysWOW64\\igfxdt86.exe:*:Enabled:Intel Wifi Protocal" C:\Windows\SysWOW64\igfxdt86.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\igfxdt86.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\igfxdt86.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxdt86.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Intel Wifi Protocal = "C:\\Windows\\SysWOW64\\igfxdt86.exe" C:\Windows\SysWOW64\igfxdt86.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\igfxdt86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxdt86.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\igfxdt86.exe C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxdt86.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxdt86.exe C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2444 set thread context of 1988 N/A C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe
PID 2768 set thread context of 2696 N/A C:\Windows\SysWOW64\igfxdt86.exe C:\Windows\SysWOW64\igfxdt86.exe

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2444 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe
PID 2444 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe
PID 2444 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe
PID 2444 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe
PID 2444 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe
PID 2444 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe
PID 2444 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe
PID 1988 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe C:\Windows\SysWOW64\igfxdt86.exe
PID 1988 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe C:\Windows\SysWOW64\igfxdt86.exe
PID 1988 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe C:\Windows\SysWOW64\igfxdt86.exe
PID 1988 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe C:\Windows\SysWOW64\igfxdt86.exe
PID 2768 wrote to memory of 2696 N/A C:\Windows\SysWOW64\igfxdt86.exe C:\Windows\SysWOW64\igfxdt86.exe
PID 2768 wrote to memory of 2696 N/A C:\Windows\SysWOW64\igfxdt86.exe C:\Windows\SysWOW64\igfxdt86.exe
PID 2768 wrote to memory of 2696 N/A C:\Windows\SysWOW64\igfxdt86.exe C:\Windows\SysWOW64\igfxdt86.exe
PID 2768 wrote to memory of 2696 N/A C:\Windows\SysWOW64\igfxdt86.exe C:\Windows\SysWOW64\igfxdt86.exe
PID 2768 wrote to memory of 2696 N/A C:\Windows\SysWOW64\igfxdt86.exe C:\Windows\SysWOW64\igfxdt86.exe
PID 2768 wrote to memory of 2696 N/A C:\Windows\SysWOW64\igfxdt86.exe C:\Windows\SysWOW64\igfxdt86.exe
PID 2768 wrote to memory of 2696 N/A C:\Windows\SysWOW64\igfxdt86.exe C:\Windows\SysWOW64\igfxdt86.exe
PID 2696 wrote to memory of 1068 N/A C:\Windows\SysWOW64\igfxdt86.exe C:\Windows\Explorer.EXE
PID 2696 wrote to memory of 1068 N/A C:\Windows\SysWOW64\igfxdt86.exe C:\Windows\Explorer.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe

"C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe

"C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe"

C:\Windows\SysWOW64\igfxdt86.exe

"C:\Windows\SysWOW64\igfxdt86.exe" C:\Users\Admin\AppData\Local\Temp\6CEEF2~1.EXE

C:\Windows\SysWOW64\igfxdt86.exe

"C:\Windows\SysWOW64\igfxdt86.exe" C:\Users\Admin\AppData\Local\Temp\6CEEF2~1.EXE

Network

Country Destination Domain Proto
US 8.8.8.8:53 j52.coax-quantum-media.su udp
KR 143.248.35.28:80 tcp
KR 143.248.35.28:80 tcp

Files

memory/1988-0-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1988-2-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1988-4-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1988-5-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1988-7-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1988-8-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1988-9-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1988-10-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1988-11-0x0000000000400000-0x000000000044C000-memory.dmp

\Windows\SysWOW64\igfxdt86.exe

MD5 6ceef262ae79d08819ff56e76ea48dca
SHA1 26e363aa952bab7a55b70640964c43acc9983303
SHA256 386607167eaf8859eb668cfb05f11fb43cd2f6510b29cac1e1a301986580ea71
SHA512 a5f74fd5a27c41a03173b198ed66d465d982add9da32b0782038716ca1f8406e9acd1c09e2728cf1955323ad2653a90af33dc083d5668c3d3d40f27858530d7c

memory/2696-31-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1988-33-0x0000000000400000-0x000000000044C000-memory.dmp

memory/2696-37-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1068-38-0x0000000002B00000-0x0000000002B1E000-memory.dmp

memory/1068-39-0x00000000025F0000-0x00000000025F1000-memory.dmp

memory/2696-40-0x0000000000400000-0x000000000044C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-21 09:19

Reported

2024-01-21 09:21

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\igfxdt86.exe = "C:\\Windows\\SysWOW64\\igfxdt86.exe:*:Enabled:Intel Wifi Protocal" C:\Windows\SysWOW64\igfxdt86.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\igfxdt86.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\igfxdt86.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\igfxdt86.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\igfxdt86.exe = "C:\\Windows\\SysWOW64\\igfxdt86.exe:*:Enabled:Intel Wifi Protocal" C:\Windows\SysWOW64\igfxdt86.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List C:\Windows\SysWOW64\igfxdt86.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile C:\Windows\SysWOW64\igfxdt86.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications C:\Windows\SysWOW64\igfxdt86.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\igfxdt86.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\igfxdt86.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxdt86.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Intel Wifi Protocal = "C:\\Windows\\SysWOW64\\igfxdt86.exe" C:\Windows\SysWOW64\igfxdt86.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxdt86.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\igfxdt86.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxdt86.exe C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe N/A
File created C:\Windows\SysWOW64\igfxdt86.exe C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxdt86.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3552 set thread context of 1068 N/A C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe
PID 2552 set thread context of 5096 N/A C:\Windows\SysWOW64\igfxdt86.exe C:\Windows\SysWOW64\igfxdt86.exe

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3552 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe
PID 3552 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe
PID 3552 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe
PID 3552 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe
PID 3552 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe
PID 3552 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe
PID 3552 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe
PID 1068 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe C:\Windows\SysWOW64\igfxdt86.exe
PID 1068 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe C:\Windows\SysWOW64\igfxdt86.exe
PID 1068 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe C:\Windows\SysWOW64\igfxdt86.exe
PID 2552 wrote to memory of 5096 N/A C:\Windows\SysWOW64\igfxdt86.exe C:\Windows\SysWOW64\igfxdt86.exe
PID 2552 wrote to memory of 5096 N/A C:\Windows\SysWOW64\igfxdt86.exe C:\Windows\SysWOW64\igfxdt86.exe
PID 2552 wrote to memory of 5096 N/A C:\Windows\SysWOW64\igfxdt86.exe C:\Windows\SysWOW64\igfxdt86.exe
PID 2552 wrote to memory of 5096 N/A C:\Windows\SysWOW64\igfxdt86.exe C:\Windows\SysWOW64\igfxdt86.exe
PID 2552 wrote to memory of 5096 N/A C:\Windows\SysWOW64\igfxdt86.exe C:\Windows\SysWOW64\igfxdt86.exe
PID 2552 wrote to memory of 5096 N/A C:\Windows\SysWOW64\igfxdt86.exe C:\Windows\SysWOW64\igfxdt86.exe
PID 2552 wrote to memory of 5096 N/A C:\Windows\SysWOW64\igfxdt86.exe C:\Windows\SysWOW64\igfxdt86.exe
PID 5096 wrote to memory of 3344 N/A C:\Windows\SysWOW64\igfxdt86.exe C:\Windows\Explorer.EXE
PID 5096 wrote to memory of 3344 N/A C:\Windows\SysWOW64\igfxdt86.exe C:\Windows\Explorer.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe

"C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe

"C:\Users\Admin\AppData\Local\Temp\6ceef262ae79d08819ff56e76ea48dca.exe"

C:\Windows\SysWOW64\igfxdt86.exe

"C:\Windows\SysWOW64\igfxdt86.exe" C:\Users\Admin\AppData\Local\Temp\6CEEF2~1.EXE

C:\Windows\SysWOW64\igfxdt86.exe

"C:\Windows\SysWOW64\igfxdt86.exe" C:\Users\Admin\AppData\Local\Temp\6CEEF2~1.EXE

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 j30.bull-quantum-media.su udp
KR 143.248.35.28:80 tcp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp

Files

memory/1068-0-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1068-2-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1068-3-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1068-4-0x0000000000400000-0x000000000044C000-memory.dmp

C:\Windows\SysWOW64\igfxdt86.exe

MD5 6ceef262ae79d08819ff56e76ea48dca
SHA1 26e363aa952bab7a55b70640964c43acc9983303
SHA256 386607167eaf8859eb668cfb05f11fb43cd2f6510b29cac1e1a301986580ea71
SHA512 a5f74fd5a27c41a03173b198ed66d465d982add9da32b0782038716ca1f8406e9acd1c09e2728cf1955323ad2653a90af33dc083d5668c3d3d40f27858530d7c

memory/5096-43-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1068-44-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1068-45-0x0000000000400000-0x0000000000429000-memory.dmp

memory/5096-46-0x0000000000400000-0x000000000044C000-memory.dmp

memory/5096-47-0x0000000000400000-0x000000000044C000-memory.dmp