Analysis

max time kernel: 148s
max time network: 118s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 22/01/2024, 05:37
Static task: static1

Behavioral task: behavioral1
  Sample: 6edc093990915b0abb5dba3fc74b2865.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 6edc093990915b0abb5dba3fc74b2865.exe
  Resource: win10v2004-20231215-en
General

Target: 6edc093990915b0abb5dba3fc74b2865.exe
Size: 168KB
MD5: 6edc093990915b0abb5dba3fc74b2865
SHA1: c2c90318513b04cfcc90fd4eb4338d1ea22b67f3
SHA256: 20621716fb9682a544cfb8e34aa92cf14221d9b752657c7cf98500e93ca4ff2b
SHA512: 655bf08e34ecb686281fc9401a73ffd659d04f70bf0cea60a77379d7ee2c3047bcd82dfffd10d06d4ee98b0038d8824769104cda90d805726207fa73716738c1
SSDEEP: 3072:nS64Tw1Wftp52Oc8MqGElZa/KA7hfK+cQZFXRtY/SuE8ku+OIW1U3Ztz9BQ8Es:6w1Wfq89GElZgK0hStkF7aS18F+ODSp1
Malware Config

Extracted: metasploit (encoder/call4_dword_xor)
Signatures

MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Deletes itself (1 IoC)
  pid   Process
  2712  igfxwk32.exe
Executes dropped EXE (31 IoCs)
  Process: igfxwk32.exe
  pids: 2732, 2712, 2628, 2660, 1196, 2912, 1660, 904, 1532, 2284, 848, 880, 1964, 1120, 1804, 2980, 2004, 2672, 2308, 1128, 2176, 2736, 2612, 2808, 3036, 1008, 328, 1600, 2164, 2248, 2000
Loads dropped DLL (31 IoCs)
  6edc093990915b0abb5dba3fc74b2865.exe: pid 1700
  igfxwk32.exe: pids 2732, 2712, 2628, 2660, 1196, 2912, 1660, 904, 1532, 2284, 848, 880, 1964, 1120, 1804, 2980, 2004, 2672, 2308, 1128, 2176, 2736, 2612, 2808, 3036, 1008, 328, 1600, 2164, 2248
Yara rule match: upx (34 IoCs)
  resource (each matched yara_rule upx)
  behavioral1/memory/1700-4-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/1700-9-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/1700-8-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/1700-7-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/1700-6-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/1700-3-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/1700-2-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/1700-17-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/2712-28-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/2712-29-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/2712-31-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/2712-30-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/2712-34-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/2660-45-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/2660-50-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/2912-65-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/904-80-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/2284-93-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/2284-101-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/880-117-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/1120-126-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/1120-134-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/2980-150-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/2672-166-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/1128-176-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/1128-183-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/2736-193-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/2736-201-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/2808-217-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/1008-235-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/1600-247-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/2248-256-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/2248-260-0x0000000000400000-0x0000000000466000-memory.dmp
  behavioral1/memory/2248-263-0x0000000000400000-0x0000000000466000-memory.dmp
Maps connected drives based on registry (3 TTPs, 32 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description        ioc                                                          Process                               count
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    igfxwk32.exe                          15
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    6edc093990915b0abb5dba3fc74b2865.exe  1
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  igfxwk32.exe                          15
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  6edc093990915b0abb5dba3fc74b2865.exe  1
Drops file in System32 directory (48 IoCs)
  description                   ioc                               Process                               count
  File opened for modification  C:\Windows\SysWOW64\igfxwk32.exe  igfxwk32.exe                          15
  File opened for modification  C:\Windows\SysWOW64\igfxwk32.exe  6edc093990915b0abb5dba3fc74b2865.exe  1
  File created                  C:\Windows\SysWOW64\igfxwk32.exe  igfxwk32.exe                          15
  File created                  C:\Windows\SysWOW64\igfxwk32.exe  6edc093990915b0abb5dba3fc74b2865.exe  1
  File opened for modification  C:\Windows\SysWOW64\              igfxwk32.exe                          15
  File opened for modification  C:\Windows\SysWOW64\              6edc093990915b0abb5dba3fc74b2865.exe  1
Suspicious use of SetThreadContext (16 IoCs)
  description                          pid   Process                               procid_target
  PID 2500 set thread context of 1700  2500  6edc093990915b0abb5dba3fc74b2865.exe  28
  PID 2732 set thread context of 2712  2732  igfxwk32.exe                          30
  PID 2628 set thread context of 2660  2628  igfxwk32.exe                          32
  PID 1196 set thread context of 2912  1196  igfxwk32.exe                          34
  PID 1660 set thread context of 904   1660  igfxwk32.exe                          36
  PID 1532 set thread context of 2284  1532  igfxwk32.exe                          40
  PID 848 set thread context of 880    848   igfxwk32.exe                          42
  PID 1964 set thread context of 1120  1964  igfxwk32.exe                          44
  PID 1804 set thread context of 2980  1804  igfxwk32.exe                          46
  PID 2004 set thread context of 2672  2004  igfxwk32.exe                          48
  PID 2308 set thread context of 1128  2308  igfxwk32.exe                          50
  PID 2176 set thread context of 2736  2176  igfxwk32.exe                          52
  PID 2612 set thread context of 2808  2612  igfxwk32.exe                          54
  PID 3036 set thread context of 1008  3036  igfxwk32.exe                          56
  PID 328 set thread context of 1600   328   igfxwk32.exe                          58
  PID 2164 set thread context of 2248  2164  igfxwk32.exe                          60
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (32 IoCs)
  6edc093990915b0abb5dba3fc74b2865.exe: pid 1700 (reported twice)
  igfxwk32.exe: pids 2712, 2660, 2912, 904, 2284, 880, 1120, 2980, 2672, 1128, 2736, 2808, 1008, 1600, 2248 (each reported twice)
Suspicious use of WriteProcessMemory (64 IoCs; the list ends at PID 2284 writing to 848)
  description                       pid   Process                               procid_target  count
  PID 2500 wrote to memory of 1700  2500  6edc093990915b0abb5dba3fc74b2865.exe  28             7
  PID 1700 wrote to memory of 2732  1700  6edc093990915b0abb5dba3fc74b2865.exe  29             4
  PID 2732 wrote to memory of 2712  2732  igfxwk32.exe                          30             7
  PID 2712 wrote to memory of 2628  2712  igfxwk32.exe                          31             4
  PID 2628 wrote to memory of 2660  2628  igfxwk32.exe                          32             7
  PID 2660 wrote to memory of 1196  2660  igfxwk32.exe                          33             4
  PID 1196 wrote to memory of 2912  1196  igfxwk32.exe                          34             7
  PID 2912 wrote to memory of 1660  2912  igfxwk32.exe                          35             4
  PID 1660 wrote to memory of 904   1660  igfxwk32.exe                          36             7
  PID 904 wrote to memory of 1532   904   igfxwk32.exe                          37             4
  PID 1532 wrote to memory of 2284  1532  igfxwk32.exe                          40             7
  PID 2284 wrote to memory of 848   2284  igfxwk32.exe                          41             2
Processes

Process tree (a single chain: each process is the parent of the one listed after it; tree depth in brackets)

[1] PID 2500  C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

[2] PID 1700  C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe"
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

[3] PID 2732  C:\Windows\SysWOW64\igfxwk32.exe
    cmdline: "C:\Windows\system32\igfxwk32.exe" C:\Users\Admin\AppData\Local\Temp\6EDC09~1.EXE
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

[4] PID 2712  C:\Windows\SysWOW64\igfxwk32.exe
    cmdline: "C:\Windows\system32\igfxwk32.exe" C:\Users\Admin\AppData\Local\Temp\6EDC09~1.EXE
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

[5] PID 2628  C:\Windows\SysWOW64\igfxwk32.exe
    cmdline: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

[6] PID 2660  C:\Windows\SysWOW64\igfxwk32.exe
    cmdline: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

[7] PID 1196  C:\Windows\SysWOW64\igfxwk32.exe
    cmdline: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

[8] PID 2912  C:\Windows\SysWOW64\igfxwk32.exe
    cmdline: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

[9] PID 1660  C:\Windows\SysWOW64\igfxwk32.exe
    cmdline: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

[10] PID 904  C:\Windows\SysWOW64\igfxwk32.exe
    cmdline: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

[11] PID 1532  C:\Windows\SysWOW64\igfxwk32.exe
    cmdline: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

[12] PID 2284  C:\Windows\SysWOW64\igfxwk32.exe
    cmdline: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

[13] PID 848  C:\Windows\SysWOW64\igfxwk32.exe
    cmdline: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext

[14] PID 880  C:\Windows\SysWOW64\igfxwk32.exe
    cmdline: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

[15] PID 1964  C:\Windows\SysWOW64\igfxwk32.exe
    cmdline: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext

[16] PID 1120  C:\Windows\SysWOW64\igfxwk32.exe
    cmdline: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

[17] PID 1804  C:\Windows\SysWOW64\igfxwk32.exe
    cmdline: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext

[18] PID 2980  C:\Windows\SysWOW64\igfxwk32.exe
    cmdline: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

[19] PID 2004  C:\Windows\SysWOW64\igfxwk32.exe
    cmdline: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext

[20] PID 2672  C:\Windows\SysWOW64\igfxwk32.exe
    cmdline: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

[21] PID 2308  C:\Windows\SysWOW64\igfxwk32.exe
    cmdline: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext

[22] PID 1128  C:\Windows\SysWOW64\igfxwk32.exe
    cmdline: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

[23] PID 2176  C:\Windows\SysWOW64\igfxwk32.exe
    cmdline: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext

[24] PID 2736  C:\Windows\SysWOW64\igfxwk32.exe
    cmdline: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

[25] PID 2612  C:\Windows\SysWOW64\igfxwk32.exe
    cmdline: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext

[26] PID 2808  C:\Windows\SysWOW64\igfxwk32.exe
    cmdline: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

[27] PID 3036  C:\Windows\SysWOW64\igfxwk32.exe
    cmdline: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext

[28] PID 1008  C:\Windows\SysWOW64\igfxwk32.exe
    cmdline: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

[29] PID 328  C:\Windows\SysWOW64\igfxwk32.exe
    cmdline: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext

[30] PID 1600  C:\Windows\SysWOW64\igfxwk32.exe
    cmdline: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

[31] PID 2164  C:\Windows\SysWOW64\igfxwk32.exe
    cmdline: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext

[32] PID 2248  C:\Windows\SysWOW64\igfxwk32.exe
    cmdline: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses

[33] PID 2000  C:\Windows\SysWOW64\igfxwk32.exe
    cmdline: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
    - Executes dropped EXE
Downloads

Filesize: 2KB
MD5: 77fbe302308bdf00063eaad4703f6757
SHA1: 31bcf1c961359221179e0a6602fb417d36bf6692
SHA256: f6900fb60b6fa194997036bb5c7710be5b58a789d82580b7093031cb71c1185a
SHA512: d01121c2cc7d810e4b12281a731a8b17771938af00a388cab8c894f84713a1758b12ab567bd1374490e63ca2af4960e87863491e9f3052e6a19affd6648df0ed

Filesize: 50KB
MD5: e02f48af0ff6e101ac2ee68c4c03c1b8
SHA1: e7d50c579d28bdbb1ba7fbfc55bc4b09b7cd2482
SHA256: 278c7f9756a76d5d89100316420d952ca1c9b9efeec52522ecec963124ba3436
SHA512: 1add79efb1c8029dd719b3f7032cde5589e7401273706db0702eb2978afe98ba45c9966cc589ff493dad2511286b4ef04bf66380cd6266388077ccb9b45e3bc8

Filesize: 168KB
MD5: 6edc093990915b0abb5dba3fc74b2865
SHA1: c2c90318513b04cfcc90fd4eb4338d1ea22b67f3
SHA256: 20621716fb9682a544cfb8e34aa92cf14221d9b752657c7cf98500e93ca4ff2b
SHA512: 655bf08e34ecb686281fc9401a73ffd659d04f70bf0cea60a77379d7ee2c3047bcd82dfffd10d06d4ee98b0038d8824769104cda90d805726207fa73716738c1

Filesize: 45KB
MD5: 6ea364fb0ed525cbe07e19b2a9c48277
SHA1: 5150ccc717e318a74fbf6e4f6fbcb9f6b76c6289
SHA256: 133292895b1f75aec9d58072607efa1083b631f731d0fa4472f9c24824621fdf
SHA512: 3a80a5d1209bf43741e5cad3a85e06ed50443be960ac64a2229c534a38520426c933f3fc764b2a3f8ba64c57b83b5ba4e6f72438b9bd8222692e8f110bc4d84b

Filesize: 59KB
MD5: 161964e423db07f394e2b3698a8e98f6
SHA1: cb5191c11cac1d67683ecbe434e53b042bbcfd1d
SHA256: 1b81fd8c6fbec3afa5b5eef55047977b3193108e158d9e953a9097230230823b
SHA512: 5323e37002d78a0b0a48f1af4c3c4d830fd5e6680c67b953b8dc4d8174be517cca43d79783def4ec1e1eb39ee9fe3e72c05846b74fcb2c9c058926a7b3027d33

Filesize: 116KB
MD5: d092b492334b8523cd5196f9759b32fd
SHA1: 393dd0578eb75fec347c63487eca427d762599a8
SHA256: 7f55a8e580c98a474da62e1a4a8943d27879b421ac9a2acd451fb06915a882d3
SHA512: 25b704c7d7a263efd16ec783f8e066094d63d55254be3fb48611f7c920d8940d7b5ed04fc430ebf54eaf7956b54b2a79211513a25703a8a30a276ce5736459bb