Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/01/2024, 05:37
Static task: static1
Behavioral task: behavioral1
Sample: 6edc093990915b0abb5dba3fc74b2865.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 6edc093990915b0abb5dba3fc74b2865.exe
Resource: win10v2004-20231215-en
General
Target: 6edc093990915b0abb5dba3fc74b2865.exe
Size: 168KB
MD5: 6edc093990915b0abb5dba3fc74b2865
SHA1: c2c90318513b04cfcc90fd4eb4338d1ea22b67f3
SHA256: 20621716fb9682a544cfb8e34aa92cf14221d9b752657c7cf98500e93ca4ff2b
SHA512: 655bf08e34ecb686281fc9401a73ffd659d04f70bf0cea60a77379d7ee2c3047bcd82dfffd10d06d4ee98b0038d8824769104cda90d805726207fa73716738c1
SSDEEP: 3072:nS64Tw1Wftp52Oc8MqGElZa/KA7hfK+cQZFXRtY/SuE8ku+OIW1U3Ztz9BQ8Es:6w1Wfq89GElZgK0hStkF7aS18F+ODSp1
Malware Config
Extracted: metasploit (encoder/call4_dword_xor)
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Checks computer location settings (2 TTPs, 15 IoCs)
Looks up country code configured in the registry, likely geofence.
Deletes itself (1 IoC)
pid   Process
2780  igfxwk32.exe
Executes dropped EXE (29 IoCs)
UPX packed file (yara rule upx)
Maps connected drives based on registry (3 TTPs, 30 IoCs)
Disk information is often read in order to detect sandboxing environments.
Drops file in System32 directory (45 IoCs)
Suspicious use of SetThreadContext (15 IoCs)
description                          pid   Process                               procid_target
PID 1200 set thread context of 4856  1200  6edc093990915b0abb5dba3fc74b2865.exe  94
PID 3968 set thread context of 2780  3968  igfxwk32.exe                          98
PID 3520 set thread context of 2972  3520  igfxwk32.exe                          100
PID 2080 set thread context of 2072  2080  igfxwk32.exe                          103
PID 3160 set thread context of 4552  3160  igfxwk32.exe                          105
PID 4432 set thread context of 5012  4432  igfxwk32.exe                          107
PID 2888 set thread context of 428   2888  igfxwk32.exe                          109
PID 1500 set thread context of 2876  1500  igfxwk32.exe                          111
PID 3796 set thread context of 1968  3796  igfxwk32.exe                          113
PID 1112 set thread context of 3972  1112  igfxwk32.exe                          115
PID 2276 set thread context of 4468  2276  igfxwk32.exe                          117
PID 3368 set thread context of 3856  3368  igfxwk32.exe                          119
PID 1836 set thread context of 4104  1836  igfxwk32.exe                          121
PID 3560 set thread context of 3532  3560  igfxwk32.exe                          123
PID 4504 set thread context of 3224  4504  igfxwk32.exe                          125
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (15 IoCs)
Suspicious behavior: EnumeratesProcesses (60 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Process (depth 1), PID 1200: C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
Process (depth 2), PID 4856: C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe"
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Process (depth 3), PID 3968: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Users\Admin\AppData\Local\Temp\6EDC09~1.EXE
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
Process (depth 4), PID 2780: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Users\Admin\AppData\Local\Temp\6EDC09~1.EXE
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Process (depth 5), PID 3520: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
Process (depth 6), PID 2972: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Process (depth 7), PID 2080: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
Process (depth 8), PID 2072: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Process (depth 9), PID 3160: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
Process (depth 10), PID 4552: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Process (depth 11), PID 4432: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
Process (depth 12), PID 5012: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Process (depth 13), PID 2888: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
Process (depth 14), PID 428: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
Process (depth 15), PID 1500: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
Process (depth 16), PID 2876: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
Process (depth 17), PID 3796: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
Process (depth 18), PID 1968: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
Process (depth 19), PID 1112: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
Process (depth 20), PID 3972: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
Process (depth 21), PID 2276: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
Process (depth 22), PID 4468: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
Process (depth 23), PID 3368: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
Process (depth 24), PID 3856: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
Process (depth 25), PID 1836: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
Process (depth 26), PID 4104: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
Process (depth 27), PID 3560: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
Process (depth 28), PID 3532: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
Process (depth 29), PID 4504: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
Process (depth 30), PID 3224: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
Process (depth 31), PID 3800: C:\Windows\SysWOW64\igfxwk32.exe
Command line: "C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe
- Executes dropped EXE
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 77KB
MD5: ad92202c40d4bc9dd27ebcff76ab5a14
SHA1: d81795349a08142aa2253a8d0df911940a1d1817
SHA256: e2ff0b4f4561fc4748130a078e0e896da12b43d97b885fa63c82ce70bbe0b0a9
SHA512: 6869ff79c5a7b04c97553a44bacbfd79720d5cf19559242290bd877bd242c0b27e75b4a53e0afdf9aa54ae83cd293c02b3d087b35edd44258694c9c299245edb

Filesize: 100KB
MD5: 182683599db6990d2df18c9ac174a280
SHA1: 7dd938a7dd4a923c851c4292014ba2ca22139115
SHA256: aa87f7e4faff9646dbe54b9b22fcb2fbad7b8a30927e49d559343c9d6e5783a0
SHA512: 3a425120637df2609943b76a2c3be2a30d72623f9f8b3f5bad4405d4877bd0a26fc02cc9463d630002f02968d63e6f527d8cea746884c57cbde14d2ebd18932b

Filesize: 168KB
MD5: 6edc093990915b0abb5dba3fc74b2865
SHA1: c2c90318513b04cfcc90fd4eb4338d1ea22b67f3
SHA256: 20621716fb9682a544cfb8e34aa92cf14221d9b752657c7cf98500e93ca4ff2b
SHA512: 655bf08e34ecb686281fc9401a73ffd659d04f70bf0cea60a77379d7ee2c3047bcd82dfffd10d06d4ee98b0038d8824769104cda90d805726207fa73716738c1