Malware Analysis Report

2025-08-06 04:05

Sample ID 240121-x1hexahca6
Target 6dd2c71fa4b1627af5f2f5c2297114c9
SHA256 544c6fb7cd6551ed69623b5f1f728b46e20e183e871328bbb731988602bcb1ba
Tags metasploit backdoor trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

544c6fb7cd6551ed69623b5f1f728b46e20e183e871328bbb731988602bcb1ba

Threat Level: Known bad

The file 6dd2c71fa4b1627af5f2f5c2297114c9 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor trojan upx

MetaSploit

Deletes itself

Checks computer location settings

UPX packed file

Loads dropped DLL

Executes dropped EXE

Maps connected drives based on registry

Drops file in System32 directory

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-21 19:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-21 19:19

Reported

2024-01-21 19:21

Platform

win7-20231215-en

Max time kernel

148s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A

UPX packed file

upx

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwd32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\igfxwd32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\igfxwd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwd32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\igfxwd32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\igfxwd32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwd32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\igfxwd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwd32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\igfxwd32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\igfxwd32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\igfxwd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\igfxwd32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\igfxwd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwd32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\igfxwd32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\igfxwd32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\igfxwd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwd32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\igfxwd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwd32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\igfxwd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwd32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\igfxwd32.exe C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe N/A
File created C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File created C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File created C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File created C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File created C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwd32.exe N/A
File created C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File created C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File created C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File created C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File created C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File created C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwd32.exe C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwd32.exe N/A
File created C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwd32.exe N/A
File created C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File created C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwd32.exe N/A
File created C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwd32.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2236 set thread context of 2196 N/A C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe
PID 2768 set thread context of 2448 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2616 set thread context of 1372 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2156 set thread context of 2280 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 1028 set thread context of 2688 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 1444 set thread context of 2996 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 536 set thread context of 1312 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 1356 set thread context of 2568 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 1320 set thread context of 2468 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 1236 set thread context of 2324 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 1612 set thread context of 1828 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2812 set thread context of 2624 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 376 set thread context of 2696 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 3064 set thread context of 2948 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 1668 set thread context of 2488 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2708 set thread context of 1200 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe
PID 2236 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe
PID 2236 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe
PID 2236 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe
PID 2236 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe
PID 2236 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe
PID 2236 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe
PID 2196 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2196 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2196 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2196 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2768 wrote to memory of 2448 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2768 wrote to memory of 2448 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2768 wrote to memory of 2448 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2768 wrote to memory of 2448 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2768 wrote to memory of 2448 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2768 wrote to memory of 2448 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2768 wrote to memory of 2448 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2448 wrote to memory of 2616 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2448 wrote to memory of 2616 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2448 wrote to memory of 2616 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2448 wrote to memory of 2616 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2616 wrote to memory of 1372 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2616 wrote to memory of 1372 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2616 wrote to memory of 1372 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2616 wrote to memory of 1372 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2616 wrote to memory of 1372 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2616 wrote to memory of 1372 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2616 wrote to memory of 1372 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 1372 wrote to memory of 2156 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 1372 wrote to memory of 2156 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 1372 wrote to memory of 2156 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 1372 wrote to memory of 2156 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2156 wrote to memory of 2280 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2156 wrote to memory of 2280 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2156 wrote to memory of 2280 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2156 wrote to memory of 2280 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2156 wrote to memory of 2280 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2156 wrote to memory of 2280 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2156 wrote to memory of 2280 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2280 wrote to memory of 1028 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2280 wrote to memory of 1028 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2280 wrote to memory of 1028 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2280 wrote to memory of 1028 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 1028 wrote to memory of 2688 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 1028 wrote to memory of 2688 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 1028 wrote to memory of 2688 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 1028 wrote to memory of 2688 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 1028 wrote to memory of 2688 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 1028 wrote to memory of 2688 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 1028 wrote to memory of 2688 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2688 wrote to memory of 1444 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2688 wrote to memory of 1444 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2688 wrote to memory of 1444 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2688 wrote to memory of 1444 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 1444 wrote to memory of 2996 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 1444 wrote to memory of 2996 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 1444 wrote to memory of 2996 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 1444 wrote to memory of 2996 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 1444 wrote to memory of 2996 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 1444 wrote to memory of 2996 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 1444 wrote to memory of 2996 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2996 wrote to memory of 536 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe
PID 2996 wrote to memory of 536 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe

"C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe"

C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe

"C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe"

C:\Windows\SysWOW64\igfxwd32.exe

"C:\Windows\system32\igfxwd32.exe" C:\Users\Admin\AppData\Local\Temp\6DD2C7~1.EXE

C:\Windows\SysWOW64\igfxwd32.exe

"C:\Windows\system32\igfxwd32.exe" C:\Users\Admin\AppData\Local\Temp\6DD2C7~1.EXE

C:\Windows\SysWOW64\igfxwd32.exe

"C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe

C:\Windows\SysWOW64\igfxwd32.exe

"C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe

C:\Windows\SysWOW64\igfxwd32.exe

"C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe

C:\Windows\SysWOW64\igfxwd32.exe

"C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe

C:\Windows\SysWOW64\igfxwd32.exe

"C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe

C:\Windows\SysWOW64\igfxwd32.exe

"C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe

C:\Windows\SysWOW64\igfxwd32.exe

"C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe

C:\Windows\SysWOW64\igfxwd32.exe

"C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe

C:\Windows\SysWOW64\igfxwd32.exe

"C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe

C:\Windows\SysWOW64\igfxwd32.exe

"C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe

C:\Windows\SysWOW64\igfxwd32.exe

"C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe

C:\Windows\SysWOW64\igfxwd32.exe

"C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe

C:\Windows\SysWOW64\igfxwd32.exe

"C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe

C:\Windows\SysWOW64\igfxwd32.exe

"C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe

C:\Windows\SysWOW64\igfxwd32.exe

"C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe

C:\Windows\SysWOW64\igfxwd32.exe

"C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe

C:\Windows\SysWOW64\igfxwd32.exe

"C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe

C:\Windows\SysWOW64\igfxwd32.exe

"C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe

C:\Windows\SysWOW64\igfxwd32.exe

"C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe

C:\Windows\SysWOW64\igfxwd32.exe

"C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe

C:\Windows\SysWOW64\igfxwd32.exe

"C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe

C:\Windows\SysWOW64\igfxwd32.exe

"C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe

C:\Windows\SysWOW64\igfxwd32.exe

"C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe

C:\Windows\SysWOW64\igfxwd32.exe

"C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe

C:\Windows\SysWOW64\igfxwd32.exe

"C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe

C:\Windows\SysWOW64\igfxwd32.exe

"C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe

C:\Windows\SysWOW64\igfxwd32.exe

"C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe

C:\Windows\SysWOW64\igfxwd32.exe

"C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe

C:\Windows\SysWOW64\igfxwd32.exe

"C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe

Network

N/A

Files

C:\Windows\SysWOW64\igfxwd32.exe

MD5 6dd2c71fa4b1627af5f2f5c2297114c9
SHA1 a5d3e31ba83afab3d5fd7f2155632e1384fcdefb
SHA256 544c6fb7cd6551ed69623b5f1f728b46e20e183e871328bbb731988602bcb1ba
SHA512 8fe0586578b7ca04374d7c4d1107cc2aa55cc804a6cabeddcda9487322a3495d101c74e40bfe3bd50db4303931012ef59eac55f476ce37d8a978b0ce055b4ee3

\Windows\SysWOW64\igfxwd32.exe

MD5 9714289f7e9227b339926af779ddbd05
SHA1 0f3bbecae85d903f3751ba382e32d320d37f48ba
SHA256 4b4e247920aed7daa2722d4aa98205d7aaa58d3c3a336f7193d85f0f4d83d9e7
SHA512 3785c62c1a2b94a130a78185abe1e3de749414971fb3e6a79c85931fff9f09d03f2146b136779bcdbfcae1c27f822b9258d7a0645c880d3983be9c1f6cd5f434

C:\Windows\SysWOW64\igfxwd32.exe

MD5 04371106792ae9a5be46c97a45f02ef0
SHA1 f4a9994b0439e34bb032bd7ffc9b18d38d710087
SHA256 6c9bac57479bb762d144b6f9b92e6ceca6bafd5479acfc23e602310fa3752841
SHA512 6bfae38aac0ba5741b3dea0f8c764dfdc4944832310d22c3121693152a73fc943f4121c6acd36cb1bb826162b9ab382f9b4e5821ac7dd2cf5d6e999c1ecaff2c

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-21 19:19

Reported

2024-01-21 19:21

Platform

win10v2004-20231222-en

Max time kernel

39s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\igfxwd32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\igfxwd32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\igfxwd32.exe N/A

UPX packed file

upx

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\igfxwd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwd32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\igfxwd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwd32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\igfxwd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwd32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwd32.exe C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe N/A
File created C:\Windows\SysWOW64\igfxwd32.exe C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File created C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwd32.exe N/A
File created C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File created C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwd32.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\igfxwd32.exe N/A (2 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 756 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe (7 identical events)
PID 528 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe C:\Windows\SysWOW64\igfxwd32.exe (3 identical events)
PID 5016 wrote to memory of 4824 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe (7 identical events)
PID 4824 wrote to memory of 3708 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe (3 identical events)
PID 3708 wrote to memory of 1692 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe (7 identical events)
PID 1692 wrote to memory of 3592 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe (3 identical events)
PID 3592 wrote to memory of 2248 N/A C:\Windows\SysWOW64\igfxwd32.exe C:\Windows\SysWOW64\igfxwd32.exe (7 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe (2 processes with this command line)

"C:\Users\Admin\AppData\Local\Temp\6dd2c71fa4b1627af5f2f5c2297114c9.exe"

C:\Windows\SysWOW64\igfxwd32.exe (2 processes with this command line)

"C:\Windows\system32\igfxwd32.exe" C:\Users\Admin\AppData\Local\Temp\6DD2C7~1.EXE

C:\Windows\SysWOW64\igfxwd32.exe (28 processes with this command line)

"C:\Windows\system32\igfxwd32.exe" C:\Windows\SysWOW64\igfxwd32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 183.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 195.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 74.179.17.96.in-addr.arpa udp
GB 2.18.110.57:80 N/A tcp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 186.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 60.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
GB 2.18.110.57:80 N/A tcp
NL 20.103.156.88:443 tcp
NL 20.103.156.88:443 tcp
NL 20.103.156.88:443 tcp
US 8.8.8.8:53 N/A udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
GB 2.18.110.57:80 N/A tcp

Files

memory/528-0-0x0000000000400000-0x0000000000466000-memory.dmp

memory/528-2-0x0000000000400000-0x0000000000466000-memory.dmp

memory/528-3-0x0000000000400000-0x0000000000466000-memory.dmp

memory/528-4-0x0000000000400000-0x0000000000466000-memory.dmp

C:\Windows\SysWOW64\igfxwd32.exe

MD5 6dd2c71fa4b1627af5f2f5c2297114c9
SHA1 a5d3e31ba83afab3d5fd7f2155632e1384fcdefb
SHA256 544c6fb7cd6551ed69623b5f1f728b46e20e183e871328bbb731988602bcb1ba
SHA512 8fe0586578b7ca04374d7c4d1107cc2aa55cc804a6cabeddcda9487322a3495d101c74e40bfe3bd50db4303931012ef59eac55f476ce37d8a978b0ce055b4ee3

memory/528-38-0x0000000000400000-0x0000000000466000-memory.dmp

memory/4824-44-0x0000000000400000-0x0000000000466000-memory.dmp

memory/4824-47-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1692-54-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1692-56-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2248-61-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2248-64-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2248-63-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2248-62-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2248-66-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2932-72-0x0000000000400000-0x0000000000466000-memory.dmp

memory/696-78-0x0000000000400000-0x0000000000466000-memory.dmp

memory/696-80-0x0000000000400000-0x0000000000466000-memory.dmp

C:\Windows\SysWOW64\igfxwd32.exe

MD5 f122e75424056c351bde23b03ccda54a
SHA1 41e2b65593cfa8b19bbfb800ea22645a9b65da1f
SHA256 426e6b5f8e290027c9df6cf1ff36c20e65d935991c8de27a5c9451214e637810
SHA512 ffc7b555c2e5fc12045e363d27a321dc42cd87ff981db76fba67042668e8ce4da8094b75b469a7c396d519b7bfbc145a81457073f2988374b04d746ffe625045

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/696-83-0x0000000000400000-0x0000000000466000-memory.dmp

memory/3440-90-0x0000000000400000-0x0000000000466000-memory.dmp

memory/3440-92-0x0000000000400000-0x0000000000466000-memory.dmp

memory/980-99-0x0000000000400000-0x0000000000466000-memory.dmp

C:\Windows\SysWOW64\igfxwd32.exe

MD5 f9d1606ea0d50328cbd064375e313f57
SHA1 5c31c9c7f538410ed80b1e8cba9c233701239c51
SHA256 396feef00703a2b18050f5476c30fb3d8642f4863220657cc698c72e88408243
SHA512 61f71613e26a069e156bde026f6853415f46aefd525b132fee1f60c20c1997af1bde2d4faa8d87ff80cf03cd8669aa9e4cc1b4977b147889d9e05f00bf754b93

C:\Windows\SysWOW64\igfxwd32.exe

MD5 887a275bab55e069027c8f1e6b81f3a5
SHA1 3ca6e636f22c457ad6d8d440647162b07b8bca41
SHA256 5e94765935b531a236b10b7117a5c2dfd35a6158cf4c7093e8d1928ecf9e535e
SHA512 e41220829c5cbab1b5de80d7e758113e77e9beca028c3de3f215f91fdaf6d4a542b925d90780d5860f54164c9d6af96cf73f142858785605eb00348a9f23c6d1

memory/980-101-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1572-107-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1572-110-0x0000000000400000-0x0000000000466000-memory.dmp

memory/4056-117-0x0000000000400000-0x0000000000466000-memory.dmp

memory/4056-120-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1280-127-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1280-129-0x0000000000400000-0x0000000000466000-memory.dmp

memory/3912-136-0x0000000000400000-0x0000000000466000-memory.dmp

memory/3912-140-0x0000000000400000-0x0000000000466000-memory.dmp

memory/632-146-0x0000000000400000-0x0000000000466000-memory.dmp

memory/632-151-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2052-156-0x0000000000400000-0x0000000000466000-memory.dmp

C:\Windows\SysWOW64\igfxwd32.exe

MD5 66e891de6087d139bf4eb069fdb3a98b
SHA1 de6774b4c31f75f7dc7a9fc5dce0c5ddcabd1dc2
SHA256 8d5e241cc8934584300aaaf669355112ea37e380f6180e15ac7c2bbd1826a780
SHA512 b811defc5db17451fb523eddccfc2758fb08215f8b5c98f98edb302fe759d1e3d248519f3074442b1d16cbc13c73bce23c04f2985308034e2cf7109faab4790a

C:\Windows\SysWOW64\igfxwd32.exe

MD5 a51cda2fc00d7318b48cd5eab1f95372
SHA1 d5a923852f67d526ac640432a09c73d59ef78980
SHA256 4f26df4e3e044633d59686f13da90de96f96e7056f8b98ec129caedc2119a5f0
SHA512 331397260edb482f4f7248d08b5b2cb2076df74feb6d2dd830e527410c9291716ea9b504106fad248d569af28bacf19859a3f395e902c7dec622b09b0a1f5563

memory/2052-161-0x0000000000400000-0x0000000000466000-memory.dmp

memory/5048-167-0x0000000000400000-0x0000000000466000-memory.dmp

memory/5048-171-0x0000000000400000-0x0000000000466000-memory.dmp