Analysis
max time kernel: 155s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/01/2024, 03:56

Static task: static1
Behavioral task: behavioral1
  Sample: 6ea94e3ef956c8567aad333e0c6e6190.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 6ea94e3ef956c8567aad333e0c6e6190.exe
  Resource: win10v2004-20231215-en
(The signatures and process tree below are from behavioral2, the win10v2004 run; the memory-dump resources are prefixed behavioral2/ accordingly.)
General
Target: 6ea94e3ef956c8567aad333e0c6e6190.exe
Size: 169KB
MD5: 6ea94e3ef956c8567aad333e0c6e6190
SHA1: 8ffdb2eb888b727ab63b639131395cb72cac6f6c
SHA256: 34c74776e99de0b4c0e6beb741a47922aba72203aab945e744d3c8f85fef2afb
SHA512: 4b3d75aa22a330825fd1e508c93b149b99f4735c0f87114b6de63bc2129eecb05b8df68739bc5f34f81f9954f38a93ab0ef113d7c548f313bfe0416d92e4b442
SSDEEP: 3072:U6OobBSE5zhZKyoF2w3uUBKtPB3iQjFhYl6xTI+gzJZLlOwP7ASAh3ntiirq7:HBDhgyoF2IuUEtPB3iQjrYl6iRzUWcSb
Malware Config
Extracted: metasploit (encoder/call4_dword_xor)
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
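The extracted config names the encoder Metasploit applied to the payload, call4_dword_xor, which is why the stub is worth knowing: its decoder is a fixed-key dword XOR loop that gets its own address with a `call` and `pop esi`, so the key sits in the clear right inside the stub. The following is an added example, not code from this report, from the sample or from the Metasploit project; it reconstructs the stub layout from the framework's x86/call4_dword_xor encoder module and assumes the usual 5-byte `sub ecx,-n` prologue (Rex can emit the prologue differently to dodge bad characters, in which case only the xor/tail signature applies and the dword count falls back to "decode to end of buffer"). The payload it encodes is a constructed placeholder string, not shellcode.

```python
import struct

# Decoder stub of Metasploit's x86/call4_dword_xor (reconstruction, see lead-in):
#   29 c9                 sub ecx, ecx
#   83 e9 <-n>            sub ecx, -n          ; n = number of dwords to decode
#   e8 ff ff ff ff        call $-1             ; return address = stub+10, lands on
#      c0                                      ;   the last ff: "ff c0" = inc eax
#   5e                    pop esi              ; esi = stub+10
#   81 76 0e <key>        xor dword [esi+0x0e], key   ; stub+24 = first encoded dword
#   83 ee fc              sub esi, -4
#   e2 f4                 loop <xor>
PROLOGUE = b"\x29\xc9\x83\xe9"              # followed by the imm8 -n
CALL_POP = b"\xe8\xff\xff\xff\xff\xc0\x5e"  # call $-1 ; (inc eax) ; pop esi
XOR_MARKER = b"\x81\x76\x0e"                # followed by the 4-byte key
TAIL = b"\x83\xee\xfc\xe2\xf4"              # sub esi,-4 ; loop
STUB_LEN = 24


def build_stub(key, n_dwords):
    """Assemble the stub for n_dwords encoded dwords (imm8 prologue: at most 128)."""
    if not 1 <= n_dwords <= 128:
        raise ValueError("the imm8 sub ecx,-n prologue covers at most 128 dwords")
    return (PROLOGUE + struct.pack("<b", -n_dwords) + CALL_POP
            + XOR_MARKER + struct.pack("<I", key) + TAIL)


def xor_dwords(data, key):
    """XOR every complete little-endian dword of data with key (trailing bytes dropped)."""
    return b"".join(struct.pack("<I", struct.unpack_from("<I", data, i)[0] ^ key)
                    for i in range(0, len(data) // 4 * 4, 4))


def encode(payload, key):
    """Pad to a dword boundary (NOP padding is this example's choice) and prepend the stub."""
    padded = payload + b"\x90" * (-len(payload) % 4)
    return build_stub(key, len(padded) // 4) + xor_dwords(padded, key)


def find_stub(blob):
    """Offset of the xor marker of a call4_dword_xor stub in blob, or -1.

    The marker alone is three common opcode bytes, so a match only counts when
    the sub esi,-4 / loop tail follows the key.
    """
    off = blob.find(XOR_MARKER)
    while off >= 0:
        if blob[off + 7:off + 12] == TAIL:
            return off
        off = blob.find(XOR_MARKER, off + 1)
    return -1


def is_call4_dword_xor(blob):
    """Byte-signature check usable as a hunting rule over dumped memory."""
    return find_stub(blob) >= 0


def decode(blob):
    """Recover (key, decoded_payload) from a buffer that contains the stub."""
    off = find_stub(blob)
    if off < 0:
        raise ValueError("no call4_dword_xor decoder stub found")
    key = struct.unpack_from("<I", blob, off + 3)[0]
    start = off + 12                         # first encoded dword (stub+24)
    n = None
    # Dword count from the prologue, when it is in the form reconstructed above.
    if off >= 12 and blob[off - 12:off - 8] == PROLOGUE and blob[off - 7:off] == CALL_POP:
        n = -struct.unpack_from("<b", blob, off - 8)[0]
    end = start + 4 * n if n else len(blob)
    return key, xor_dwords(blob[start:end], key)


if __name__ == "__main__":
    # Constructed placeholder input, not shellcode.
    sample, key = b"constructed placeholder, not shellcode", 0xDEADBEEF
    blob = encode(sample, key)
    print("stub+payload:", blob.hex())
    print("recovered:", decode(blob))
```

Because the key is a constant XOR applied per dword, the first dword of the encoded body XORed with the key gives the first four payload bytes; for a Metasploit payload that is usually the `fc e8 ...` or `fc 48 ...` prologue, which is a quick sanity check that the stub was located correctly.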
-
Checks computer location settings 2 TTPs 13 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | 6ea94e3ef956c8567aad333e0c6e6190.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | igfxwk32.exe
-
Deletes itself 1 IoCs
pid | Process
656 | igfxwk32.exe
-
Executes dropped EXE 25 IoCs
pid | Process
2652 | igfxwk32.exe
656 | igfxwk32.exe
112 | igfxwk32.exe
2100 | igfxwk32.exe
4252 | igfxwk32.exe
4208 | igfxwk32.exe
1984 | igfxwk32.exe
1576 | igfxwk32.exe
4488 | igfxwk32.exe
4608 | igfxwk32.exe
4448 | igfxwk32.exe
5092 | igfxwk32.exe
1832 | igfxwk32.exe
3464 | igfxwk32.exe
548 | igfxwk32.exe
1564 | igfxwk32.exe
2652 | igfxwk32.exe
4628 | igfxwk32.exe
1716 | igfxwk32.exe
556 | igfxwk32.exe
3624 | igfxwk32.exe
2256 | igfxwk32.exe
4952 | igfxwk32.exe
784 | igfxwk32.exe
3692 | igfxwk32.exe
-
Memory regions matching yara rule upx 30 IoCs
resource | yara_rule
behavioral2/memory/3756-0-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3756-2-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3756-3-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3756-4-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3756-38-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/656-45-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/656-47-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2100-53-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2100-55-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4208-62-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4208-64-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1576-71-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1576-74-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4608-80-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4608-82-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/5092-89-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/5092-92-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/3464-100-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1564-107-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/1564-109-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4628-115-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4628-116-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4628-117-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/4628-118-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/556-126-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/556-131-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2256-136-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/2256-141-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/784-146-0x0000000000400000-0x0000000000466000-memory.dmp | upx
behavioral2/memory/784-151-0x0000000000400000-0x0000000000466000-memory.dmp | upx
-
Maps connected drives based on registry 3 TTPs 26 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 6ea94e3ef956c8567aad333e0c6e6190.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 6ea94e3ef956c8567aad333e0c6e6190.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxwk32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxwk32.exe
-
Drops file in System32 directory 39 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File created | C:\Windows\SysWOW64\igfxwk32.exe | 6ea94e3ef956c8567aad333e0c6e6190.exe
File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | 6ea94e3ef956c8567aad333e0c6e6190.exe
File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\ | 6ea94e3ef956c8567aad333e0c6e6190.exe
File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\ | igfxwk32.exe
File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File created | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
File opened for modification | C:\Windows\SysWOW64\igfxwk32.exe | igfxwk32.exe
-
Suspicious use of SetThreadContext 13 IoCs
description | pid | Process | procid_target
PID 4076 set thread context of 3756 | 4076 | 6ea94e3ef956c8567aad333e0c6e6190.exe | 88
PID 2652 set thread context of 656 | 2652 | igfxwk32.exe | 97
PID 112 set thread context of 2100 | 112 | igfxwk32.exe | 100
PID 4252 set thread context of 4208 | 4252 | igfxwk32.exe | 102
PID 1984 set thread context of 1576 | 1984 | igfxwk32.exe | 104
PID 4488 set thread context of 4608 | 4488 | igfxwk32.exe | 106
PID 4448 set thread context of 5092 | 4448 | igfxwk32.exe | 108
PID 1832 set thread context of 3464 | 1832 | igfxwk32.exe | 110
PID 548 set thread context of 1564 | 548 | igfxwk32.exe | 112
PID 2652 set thread context of 4628 | 2652 | igfxwk32.exe | 114
PID 1716 set thread context of 556 | 1716 | igfxwk32.exe | 116
PID 3624 set thread context of 2256 | 3624 | igfxwk32.exe | 118
PID 4952 set thread context of 784 | 4952 | igfxwk32.exe | 120
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 13 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 6ea94e3ef956c8567aad333e0c6e6190.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxwk32.exe
-
Suspicious behavior: EnumeratesProcesses 52 IoCs
(each pid appears four times in the report; rows = number of identical entries)
pid | Process | rows
3756 | 6ea94e3ef956c8567aad333e0c6e6190.exe | 4
656 | igfxwk32.exe | 4
2100 | igfxwk32.exe | 4
4208 | igfxwk32.exe | 4
1576 | igfxwk32.exe | 4
4608 | igfxwk32.exe | 4
5092 | igfxwk32.exe | 4
3464 | igfxwk32.exe | 4
1564 | igfxwk32.exe | 4
4628 | igfxwk32.exe | 4
556 | igfxwk32.exe | 4
2256 | igfxwk32.exe | 4
784 | igfxwk32.exe | 4
-
Suspicious use of WriteProcessMemory 64 IoCs
(the report repeats a row once per write; rows = number of identical entries. The table is capped at 64 entries, so it ends part-way through the 4448 -> 5092 pair and carries no rows for the later processes)
description | pid | Process | procid_target | rows
PID 4076 wrote to memory of 3756 | 4076 | 6ea94e3ef956c8567aad333e0c6e6190.exe | 88 | 7
PID 3756 wrote to memory of 2652 | 3756 | 6ea94e3ef956c8567aad333e0c6e6190.exe | 94 | 3
PID 2652 wrote to memory of 656 | 2652 | igfxwk32.exe | 97 | 7
PID 656 wrote to memory of 112 | 656 | igfxwk32.exe | 99 | 3
PID 112 wrote to memory of 2100 | 112 | igfxwk32.exe | 100 | 7
PID 2100 wrote to memory of 4252 | 2100 | igfxwk32.exe | 101 | 3
PID 4252 wrote to memory of 4208 | 4252 | igfxwk32.exe | 102 | 7
PID 4208 wrote to memory of 1984 | 4208 | igfxwk32.exe | 103 | 3
PID 1984 wrote to memory of 1576 | 1984 | igfxwk32.exe | 104 | 7
PID 1576 wrote to memory of 4488 | 1576 | igfxwk32.exe | 105 | 3
PID 4488 wrote to memory of 4608 | 4488 | igfxwk32.exe | 106 | 7
PID 4608 wrote to memory of 4448 | 4608 | igfxwk32.exe | 107 | 3
PID 4448 wrote to memory of 5092 | 4448 | igfxwk32.exe | 108 | 4 (cut off by the 64-entry cap)
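Read together, the SetThreadContext and WriteProcessMemory tables describe one repeating step: a process starts a second copy of its own image, writes into it seven times and resets its main thread's context (the process-hollowing pattern), and it is that hollowed copy that does the visible work (geo lookup, disk enumeration, dropping and launching the next igfxwk32.exe with three writes, which is the count an ordinary child creation produces here). The following added example, not part of the report, rebuilds that chain from the report's own rows so an analyst can check it rather than eyeball 77 table entries. The SetThreadContext rows are all 13 from the table above; the WriteProcessMemory text is an excerpt covering the first four pairs, with the report's repeated rows reproduced by string multiplication. Everything after the fourth pair therefore shows `child_spawns` as None, exactly as it would for the rows the report's 64-entry cap dropped.

```python
import re
from collections import Counter

# All 13 rows of this report's "Suspicious use of SetThreadContext" table.
SET_THREAD_CONTEXT = """
PID 4076 set thread context of 3756 4076 6ea94e3ef956c8567aad333e0c6e6190.exe 88
PID 2652 set thread context of 656 2652 igfxwk32.exe 97
PID 112 set thread context of 2100 112 igfxwk32.exe 100
PID 4252 set thread context of 4208 4252 igfxwk32.exe 102
PID 1984 set thread context of 1576 1984 igfxwk32.exe 104
PID 4488 set thread context of 4608 4488 igfxwk32.exe 106
PID 4448 set thread context of 5092 4448 igfxwk32.exe 108
PID 1832 set thread context of 3464 1832 igfxwk32.exe 110
PID 548 set thread context of 1564 548 igfxwk32.exe 112
PID 2652 set thread context of 4628 2652 igfxwk32.exe 114
PID 1716 set thread context of 556 1716 igfxwk32.exe 116
PID 3624 set thread context of 2256 3624 igfxwk32.exe 118
PID 4952 set thread context of 784 4952 igfxwk32.exe 120
"""

# Excerpt of the "Suspicious use of WriteProcessMemory" table (first four pairs);
# the report lists each row once per write, reproduced here by multiplication.
WRITE_PROCESS_MEMORY = (
    "PID 4076 wrote to memory of 3756 4076 6ea94e3ef956c8567aad333e0c6e6190.exe 88\n" * 7
    + "PID 3756 wrote to memory of 2652 3756 6ea94e3ef956c8567aad333e0c6e6190.exe 94\n" * 3
    + "PID 2652 wrote to memory of 656 2652 igfxwk32.exe 97\n" * 7
    + "PID 656 wrote to memory of 112 656 igfxwk32.exe 99\n" * 3
)

# One report row: "PID <pid> <verb> <target> <pid> <image> <procid_target>".
ROW = re.compile(
    r"PID (?P<pid>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<target>\d+) (?P=pid) (?P<image>\S+) (?P<idx>\d+)"
)


def parse_rows(text):
    """(pid, verb, target, image, procid_target) for every row in text, repeats kept."""
    return [(int(m["pid"]), m["verb"], int(m["target"]), m["image"], int(m["idx"]))
            for m in ROW.finditer(text)]


def injection_chain(stc_text, wpm_text):
    """One record per hollowed child, ordered by the sandbox's process index.

    A SetThreadContext row names the injector (pid) and the hollowed child
    (target).  A WriteProcessMemory target that never gets a SetThreadContext
    is an ordinary child, and its writer (a hollowed child) is the process that
    spawned the next injector.  Records are keyed by procid_target rather than
    PID because Windows reuses PIDs (2652 is an injector twice in this run).
    """
    hollows = sorted(set(parse_rows(stc_text)), key=lambda r: r[4])
    hollow_keys = {(r[0], r[2], r[4]) for r in hollows}
    writes = Counter((r[0], r[2], r[4]) for r in parse_rows(wpm_text))
    spawns = {pid: tgt for (pid, tgt, idx) in writes if (pid, tgt, idx) not in hollow_keys}
    return [
        {
            "index": idx,
            "injector": pid,
            "hollowed": child,
            "image": image,
            "writes_to_child": writes.get((pid, child, idx), 0),
            "child_spawns": spawns.get(child),  # None: no row in the (capped) table
        }
        for pid, _verb, child, image, idx in hollows
    ]


def confirmed_links(chain):
    """(confirmed, contradicted) counts of 'hollowed child spawned the next injector'."""
    ok = bad = 0
    for cur, nxt in zip(chain, chain[1:]):
        if cur["child_spawns"] is None:
            continue
        if cur["child_spawns"] == nxt["injector"]:
            ok += 1
        else:
            bad += 1
    return ok, bad


if __name__ == "__main__":
    chain = injection_chain(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY)
    for step in chain:
        print(f"#{step['index']:>3}  {step['image']} PID {step['injector']} hollows PID "
              f"{step['hollowed']} ({step['writes_to_child']} writes); "
              f"child then spawns {step['child_spawns']}")
    print("links confirmed/contradicted:", confirmed_links(chain))
```

Feeding the full WriteProcessMemory table to `injection_chain` instead of the excerpt confirms the links up to the 64-entry cap and leaves the rest None; a contradicted link would mean the tree is not the single self-replicating chain the Processes section below shows.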
Processes
Each process below is the child of the one listed above it; "depth" is the nesting level in the report's tree. The igfxwk32.exe instances are launched with a C:\Windows\system32\ command line but run from C:\Windows\SysWOW64\: they are 32-bit processes, so WOW64 file-system redirection maps their system32 references to SysWOW64 (the same redirection is why the "Drops file in System32 directory" rows show SysWOW64 paths).

depth 1   PID 4076   C:\Users\Admin\AppData\Local\Temp\6ea94e3ef956c8567aad333e0c6e6190.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\6ea94e3ef956c8567aad333e0c6e6190.exe"
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
depth 2   PID 3756   C:\Users\Admin\AppData\Local\Temp\6ea94e3ef956c8567aad333e0c6e6190.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\6ea94e3ef956c8567aad333e0c6e6190.exe"
          - Checks computer location settings
          - Maps connected drives based on registry
          - Drops file in System32 directory
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
depth 3   PID 2652   C:\Windows\SysWOW64\igfxwk32.exe
          command line: "C:\Windows\system32\igfxwk32.exe" C:\Users\Admin\AppData\Local\Temp\6EA94E~1.EXE
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
depth 4   PID 656    C:\Windows\SysWOW64\igfxwk32.exe
          command line: "C:\Windows\system32\igfxwk32.exe" C:\Users\Admin\AppData\Local\Temp\6EA94E~1.EXE
          - Checks computer location settings
          - Deletes itself
          - Executes dropped EXE
          - Maps connected drives based on registry
          - Drops file in System32 directory
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
depth 5   PID 112    C:\Windows\SysWOW64\igfxwk32.exe
          command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
depth 6   PID 2100   C:\Windows\SysWOW64\igfxwk32.exe
          command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
          - Checks computer location settings
          - Executes dropped EXE
          - Maps connected drives based on registry
          - Drops file in System32 directory
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
depth 7   PID 4252   C:\Windows\SysWOW64\igfxwk32.exe
          command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
depth 8   PID 4208   C:\Windows\SysWOW64\igfxwk32.exe
          command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
          - Checks computer location settings
          - Executes dropped EXE
          - Maps connected drives based on registry
          - Drops file in System32 directory
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
depth 9   PID 1984   C:\Windows\SysWOW64\igfxwk32.exe
          command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
depth 10  PID 1576   C:\Windows\SysWOW64\igfxwk32.exe
          command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
          - Checks computer location settings
          - Executes dropped EXE
          - Maps connected drives based on registry
          - Drops file in System32 directory
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
depth 11  PID 4488   C:\Windows\SysWOW64\igfxwk32.exe
          command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
depth 12  PID 4608   C:\Windows\SysWOW64\igfxwk32.exe
          command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
          - Checks computer location settings
          - Executes dropped EXE
          - Maps connected drives based on registry
          - Drops file in System32 directory
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
depth 13  PID 4448   C:\Windows\SysWOW64\igfxwk32.exe
          command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
depth 14  PID 5092   C:\Windows\SysWOW64\igfxwk32.exe
          command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
          - Checks computer location settings
          - Executes dropped EXE
          - Maps connected drives based on registry
          - Drops file in System32 directory
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
depth 15  PID 1832   C:\Windows\SysWOW64\igfxwk32.exe
          command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
depth 16  PID 3464   C:\Windows\SysWOW64\igfxwk32.exe
          command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
          - Checks computer location settings
          - Executes dropped EXE
          - Maps connected drives based on registry
          - Drops file in System32 directory
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
depth 17  PID 548    C:\Windows\SysWOW64\igfxwk32.exe
          command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
depth 18  PID 1564   C:\Windows\SysWOW64\igfxwk32.exe
          command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
          - Checks computer location settings
          - Executes dropped EXE
          - Maps connected drives based on registry
          - Drops file in System32 directory
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
depth 19  PID 2652   C:\Windows\SysWOW64\igfxwk32.exe   (PID reused from depth 3)
          command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
depth 20  PID 4628   C:\Windows\SysWOW64\igfxwk32.exe
          command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
          - Checks computer location settings
          - Executes dropped EXE
          - Maps connected drives based on registry
          - Drops file in System32 directory
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
depth 21  PID 1716   C:\Windows\SysWOW64\igfxwk32.exe
          command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
depth 22  PID 556    C:\Windows\SysWOW64\igfxwk32.exe
          command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
          - Checks computer location settings
          - Executes dropped EXE
          - Maps connected drives based on registry
          - Drops file in System32 directory
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
depth 23  PID 3624   C:\Windows\SysWOW64\igfxwk32.exe
          command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
depth 24  PID 2256   C:\Windows\SysWOW64\igfxwk32.exe
          command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
          - Checks computer location settings
          - Executes dropped EXE
          - Maps connected drives based on registry
          - Drops file in System32 directory
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
depth 25  PID 4952   C:\Windows\SysWOW64\igfxwk32.exe
          command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
depth 26  PID 784    C:\Windows\SysWOW64\igfxwk32.exe
          command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
          - Checks computer location settings
          - Executes dropped EXE
          - Maps connected drives based on registry
          - Drops file in System32 directory
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
depth 27  PID 3692   C:\Windows\SysWOW64\igfxwk32.exe
          command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
          - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 169KB
MD5: 6ea94e3ef956c8567aad333e0c6e6190
SHA1: 8ffdb2eb888b727ab63b639131395cb72cac6f6c
SHA256: 34c74776e99de0b4c0e6beb741a47922aba72203aab945e744d3c8f85fef2afb
SHA512: 4b3d75aa22a330825fd1e508c93b149b99f4735c0f87114b6de63bc2129eecb05b8df68739bc5f34f81f9954f38a93ab0ef113d7c548f313bfe0416d92e4b442
(these are the same size and hashes as the submitted sample listed under General)