Malware Analysis Report

2025-08-05 12:48

Sample ID: 240122-gbjcxaheen
Target: 6edc093990915b0abb5dba3fc74b2865
SHA256: 20621716fb9682a544cfb8e34aa92cf14221d9b752657c7cf98500e93ca4ff2b
Tags: metasploit backdoor trojan upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 20621716fb9682a544cfb8e34aa92cf14221d9b752657c7cf98500e93ca4ff2b
Threat Level: Known bad

The file 6edc093990915b0abb5dba3fc74b2865 was found to be: Known bad.

Malicious Activity Summary

Tags: metasploit backdoor trojan upx

MetaSploit
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Deletes itself
UPX packed file
Maps connected drives based on registry
Drops file in System32 directory
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-22 05:37

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-22 05:37
Reported: 2024-01-22 05:40
Platform: win7-20231215-en
Max time kernel: 148s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A

UPX packed file

upx

Maps connected drives based on registry

Description Indicator Process Target Events
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe N/A 1
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwk32.exe N/A 15
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\SysWOW64\igfxwk32.exe N/A 15

Drops file in System32 directory

Description Indicator Process Target Events
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe N/A 1
File created C:\Windows\SysWOW64\igfxwk32.exe C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe N/A 1
File opened for modification C:\Windows\SysWOW64\igfxwk32.exe C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe N/A 1
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwk32.exe N/A 15
File created C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe N/A 15
File opened for modification C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe N/A 15

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2500 set thread context of 1700 N/A C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe
PID 2732 set thread context of 2712 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 2628 set thread context of 2660 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 1196 set thread context of 2912 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 1660 set thread context of 904 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 1532 set thread context of 2284 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 848 set thread context of 880 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 1964 set thread context of 1120 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 1804 set thread context of 2980 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 2004 set thread context of 2672 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 2308 set thread context of 1128 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 2176 set thread context of 2736 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 2612 set thread context of 2808 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 3036 set thread context of 1008 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 328 set thread context of 1600 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 2164 set thread context of 2248 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Events
N/A N/A C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe N/A 2
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A 30

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 2500 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe 7
PID 1700 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe C:\Windows\SysWOW64\igfxwk32.exe 4
PID 2732 wrote to memory of 2712 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe 7
PID 2712 wrote to memory of 2628 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe 4
PID 2628 wrote to memory of 2660 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe 7
PID 2660 wrote to memory of 1196 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe 4
PID 1196 wrote to memory of 2912 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe 7
PID 2912 wrote to memory of 1660 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe 4
PID 1660 wrote to memory of 904 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe 7
PID 904 wrote to memory of 1532 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe 4
PID 1532 wrote to memory of 2284 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe 7
PID 2284 wrote to memory of 848 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe 2

Processes

C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe (2 instances)
"C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe"

C:\Windows\SysWOW64\igfxwk32.exe (2 instances)
"C:\Windows\system32\igfxwk32.exe" C:\Users\Admin\AppData\Local\Temp\6EDC09~1.EXE

C:\Windows\SysWOW64\igfxwk32.exe (29 instances)
"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe

Network

N/A

Files

memory/1700-4-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1700-9-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1700-8-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1700-7-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1700-6-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1700-3-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1700-2-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1700-0-0x0000000000400000-0x0000000000466000-memory.dmp

C:\Windows\SysWOW64\igfxwk32.exe

MD5 77fbe302308bdf00063eaad4703f6757
SHA1 31bcf1c961359221179e0a6602fb417d36bf6692
SHA256 f6900fb60b6fa194997036bb5c7710be5b58a789d82580b7093031cb71c1185a
SHA512 d01121c2cc7d810e4b12281a731a8b17771938af00a388cab8c894f84713a1758b12ab567bd1374490e63ca2af4960e87863491e9f3052e6a19affd6648df0ed

memory/1700-17-0x0000000000400000-0x0000000000466000-memory.dmp

C:\Windows\SysWOW64\igfxwk32.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\igfxwk32.exe

MD5 6edc093990915b0abb5dba3fc74b2865
SHA1 c2c90318513b04cfcc90fd4eb4338d1ea22b67f3
SHA256 20621716fb9682a544cfb8e34aa92cf14221d9b752657c7cf98500e93ca4ff2b
SHA512 655bf08e34ecb686281fc9401a73ffd659d04f70bf0cea60a77379d7ee2c3047bcd82dfffd10d06d4ee98b0038d8824769104cda90d805726207fa73716738c1

memory/2712-28-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2712-29-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2712-31-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2712-30-0x0000000000400000-0x0000000000466000-memory.dmp

\Windows\SysWOW64\igfxwk32.exe

MD5 d092b492334b8523cd5196f9759b32fd
SHA1 393dd0578eb75fec347c63487eca427d762599a8
SHA256 7f55a8e580c98a474da62e1a4a8943d27879b421ac9a2acd451fb06915a882d3
SHA512 25b704c7d7a263efd16ec783f8e066094d63d55254be3fb48611f7c920d8940d7b5ed04fc430ebf54eaf7956b54b2a79211513a25703a8a30a276ce5736459bb

memory/2712-34-0x0000000000400000-0x0000000000466000-memory.dmp

C:\Windows\SysWOW64\igfxwk32.exe

MD5 6ea364fb0ed525cbe07e19b2a9c48277
SHA1 5150ccc717e318a74fbf6e4f6fbcb9f6b76c6289
SHA256 133292895b1f75aec9d58072607efa1083b631f731d0fa4472f9c24824621fdf
SHA512 3a80a5d1209bf43741e5cad3a85e06ed50443be960ac64a2229c534a38520426c933f3fc764b2a3f8ba64c57b83b5ba4e6f72438b9bd8222692e8f110bc4d84b

memory/2660-45-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2660-50-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2912-65-0x0000000000400000-0x0000000000466000-memory.dmp

memory/904-80-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2284-93-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2284-101-0x0000000000400000-0x0000000000466000-memory.dmp

memory/880-117-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1120-126-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1120-134-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2980-150-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2672-166-0x0000000000400000-0x0000000000466000-memory.dmp

C:\Windows\SysWOW64\igfxwk32.exe

MD5 e02f48af0ff6e101ac2ee68c4c03c1b8
SHA1 e7d50c579d28bdbb1ba7fbfc55bc4b09b7cd2482
SHA256 278c7f9756a76d5d89100316420d952ca1c9b9efeec52522ecec963124ba3436
SHA512 1add79efb1c8029dd719b3f7032cde5589e7401273706db0702eb2978afe98ba45c9966cc589ff493dad2511286b4ef04bf66380cd6266388077ccb9b45e3bc8

memory/1128-176-0x0000000000400000-0x0000000000466000-memory.dmp

\Windows\SysWOW64\igfxwk32.exe

MD5 161964e423db07f394e2b3698a8e98f6
SHA1 cb5191c11cac1d67683ecbe434e53b042bbcfd1d
SHA256 1b81fd8c6fbec3afa5b5eef55047977b3193108e158d9e953a9097230230823b
SHA512 5323e37002d78a0b0a48f1af4c3c4d830fd5e6680c67b953b8dc4d8174be517cca43d79783def4ec1e1eb39ee9fe3e72c05846b74fcb2c9c058926a7b3027d33

memory/1128-183-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2736-193-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2736-201-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2808-217-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1008-235-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1600-247-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2248-256-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2248-260-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2248-263-0x0000000000400000-0x0000000000466000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-22 05:37
Reported: 2024-01-22 05:40
Platform: win10v2004-20231215-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Checks computer location settings

Description Indicator Process Target Events
Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe N/A 1
Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\igfxwk32.exe N/A 14

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwk32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\igfxwk32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\igfxwk32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\igfxwk32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\igfxwk32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\igfxwk32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\igfxwk32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\igfxwk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwk32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\igfxwk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwk32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\igfxwk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwk32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\igfxwk32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\igfxwk32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\igfxwk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwk32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\igfxwk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwk32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\SysWOW64\igfxwk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Windows\SysWOW64\igfxwk32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwk32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe N/A
File created C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe N/A
File created C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwk32.exe N/A
File created C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwk32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe N/A
File created C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe N/A
File created C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe N/A
File created C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwk32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwk32.exe N/A
File created C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwk32.exe C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe N/A
File created C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe N/A
File created C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe N/A
File created C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwk32.exe N/A
File created C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwk32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwk32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe N/A
File created C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwk32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe N/A
File created C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwk32.exe N/A
File created C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwk32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwk32.exe N/A
File created C:\Windows\SysWOW64\igfxwk32.exe C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwk32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe N/A
File opened for modification C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\igfxwk32.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1200 set thread context of 4856 N/A C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe
PID 3968 set thread context of 2780 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 3520 set thread context of 2972 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 2080 set thread context of 2072 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 3160 set thread context of 4552 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 4432 set thread context of 5012 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 2888 set thread context of 428 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 1500 set thread context of 2876 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 3796 set thread context of 1968 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 1112 set thread context of 3972 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 2276 set thread context of 4468 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 3368 set thread context of 3856 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 1836 set thread context of 4104 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 3560 set thread context of 3532 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 4504 set thread context of 3224 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\igfxwk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\igfxwk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\igfxwk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\igfxwk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\igfxwk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\igfxwk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\igfxwk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\igfxwk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\igfxwk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\igfxwk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\igfxwk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\igfxwk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\igfxwk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\igfxwk32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A
N/A N/A C:\Windows\SysWOW64\igfxwk32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe
PID 1200 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe
PID 1200 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe
PID 1200 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe
PID 1200 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe
PID 1200 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe
PID 1200 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe
PID 4856 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 4856 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 4856 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 3968 wrote to memory of 2780 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 3968 wrote to memory of 2780 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 3968 wrote to memory of 2780 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 3968 wrote to memory of 2780 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 3968 wrote to memory of 2780 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 3968 wrote to memory of 2780 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 3968 wrote to memory of 2780 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 2780 wrote to memory of 3520 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 2780 wrote to memory of 3520 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 2780 wrote to memory of 3520 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 3520 wrote to memory of 2972 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 3520 wrote to memory of 2972 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 3520 wrote to memory of 2972 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 3520 wrote to memory of 2972 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 3520 wrote to memory of 2972 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 3520 wrote to memory of 2972 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 3520 wrote to memory of 2972 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 2972 wrote to memory of 2080 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 2972 wrote to memory of 2080 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 2972 wrote to memory of 2080 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 2080 wrote to memory of 2072 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 2080 wrote to memory of 2072 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 2080 wrote to memory of 2072 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 2080 wrote to memory of 2072 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 2080 wrote to memory of 2072 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 2080 wrote to memory of 2072 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 2080 wrote to memory of 2072 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 2072 wrote to memory of 3160 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 2072 wrote to memory of 3160 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 2072 wrote to memory of 3160 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 3160 wrote to memory of 4552 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 3160 wrote to memory of 4552 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 3160 wrote to memory of 4552 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 3160 wrote to memory of 4552 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 3160 wrote to memory of 4552 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 3160 wrote to memory of 4552 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 3160 wrote to memory of 4552 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 4552 wrote to memory of 4432 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 4552 wrote to memory of 4432 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 4552 wrote to memory of 4432 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 4432 wrote to memory of 5012 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 4432 wrote to memory of 5012 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 4432 wrote to memory of 5012 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 4432 wrote to memory of 5012 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 4432 wrote to memory of 5012 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 4432 wrote to memory of 5012 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 4432 wrote to memory of 5012 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 5012 wrote to memory of 2888 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 5012 wrote to memory of 2888 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 5012 wrote to memory of 2888 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 2888 wrote to memory of 428 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 2888 wrote to memory of 428 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 2888 wrote to memory of 428 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe
PID 2888 wrote to memory of 428 N/A C:\Windows\SysWOW64\igfxwk32.exe C:\Windows\SysWOW64\igfxwk32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe

"C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe"

C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe

"C:\Users\Admin\AppData\Local\Temp\6edc093990915b0abb5dba3fc74b2865.exe"

C:\Windows\SysWOW64\igfxwk32.exe

"C:\Windows\system32\igfxwk32.exe" C:\Users\Admin\AppData\Local\Temp\6EDC09~1.EXE

C:\Windows\SysWOW64\igfxwk32.exe

"C:\Windows\system32\igfxwk32.exe" C:\Users\Admin\AppData\Local\Temp\6EDC09~1.EXE

C:\Windows\SysWOW64\igfxwk32.exe

"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe

C:\Windows\SysWOW64\igfxwk32.exe

"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe

C:\Windows\SysWOW64\igfxwk32.exe

"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe

C:\Windows\SysWOW64\igfxwk32.exe

"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe

C:\Windows\SysWOW64\igfxwk32.exe

"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe

C:\Windows\SysWOW64\igfxwk32.exe

"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe

C:\Windows\SysWOW64\igfxwk32.exe

"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe

C:\Windows\SysWOW64\igfxwk32.exe

"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe

C:\Windows\SysWOW64\igfxwk32.exe

"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe

C:\Windows\SysWOW64\igfxwk32.exe

"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe

C:\Windows\SysWOW64\igfxwk32.exe

"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe

C:\Windows\SysWOW64\igfxwk32.exe

"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe

C:\Windows\SysWOW64\igfxwk32.exe

"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe

C:\Windows\SysWOW64\igfxwk32.exe

"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe

C:\Windows\SysWOW64\igfxwk32.exe

"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe

C:\Windows\SysWOW64\igfxwk32.exe

"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe

C:\Windows\SysWOW64\igfxwk32.exe

"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe

C:\Windows\SysWOW64\igfxwk32.exe

"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe

C:\Windows\SysWOW64\igfxwk32.exe

"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe

C:\Windows\SysWOW64\igfxwk32.exe

"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe

C:\Windows\SysWOW64\igfxwk32.exe

"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe

C:\Windows\SysWOW64\igfxwk32.exe

"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe

C:\Windows\SysWOW64\igfxwk32.exe

"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe

C:\Windows\SysWOW64\igfxwk32.exe

"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe

C:\Windows\SysWOW64\igfxwk32.exe

"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe

C:\Windows\SysWOW64\igfxwk32.exe

"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe

C:\Windows\SysWOW64\igfxwk32.exe

"C:\Windows\system32\igfxwk32.exe" C:\Windows\SysWOW64\igfxwk32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp

Files

memory/4856-0-0x0000000000400000-0x0000000000466000-memory.dmp

memory/4856-2-0x0000000000400000-0x0000000000466000-memory.dmp

memory/4856-4-0x0000000000400000-0x0000000000466000-memory.dmp

memory/4856-3-0x0000000000400000-0x0000000000466000-memory.dmp

C:\Windows\SysWOW64\igfxwk32.exe

MD5 6edc093990915b0abb5dba3fc74b2865
SHA1 c2c90318513b04cfcc90fd4eb4338d1ea22b67f3
SHA256 20621716fb9682a544cfb8e34aa92cf14221d9b752657c7cf98500e93ca4ff2b
SHA512 655bf08e34ecb686281fc9401a73ffd659d04f70bf0cea60a77379d7ee2c3047bcd82dfffd10d06d4ee98b0038d8824769104cda90d805726207fa73716738c1

memory/4856-38-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2780-43-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2780-45-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2780-44-0x0000000000400000-0x0000000000466000-memory.dmp

C:\Windows\SysWOW64\igfxwk32.exe

MD5 ad92202c40d4bc9dd27ebcff76ab5a14
SHA1 d81795349a08142aa2253a8d0df911940a1d1817
SHA256 e2ff0b4f4561fc4748130a078e0e896da12b43d97b885fa63c82ce70bbe0b0a9
SHA512 6869ff79c5a7b04c97553a44bacbfd79720d5cf19559242290bd877bd242c0b27e75b4a53e0afdf9aa54ae83cd293c02b3d087b35edd44258694c9c299245edb

C:\Windows\SysWOW64\igfxwk32.exe

MD5 182683599db6990d2df18c9ac174a280
SHA1 7dd938a7dd4a923c851c4292014ba2ca22139115
SHA256 aa87f7e4faff9646dbe54b9b22fcb2fbad7b8a30927e49d559343c9d6e5783a0
SHA512 3a425120637df2609943b76a2c3be2a30d72623f9f8b3f5bad4405d4877bd0a26fc02cc9463d630002f02968d63e6f527d8cea746884c57cbde14d2ebd18932b

memory/2780-47-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2972-54-0x0000000000400000-0x0000000000466000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2972-57-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2072-63-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2072-66-0x0000000000400000-0x0000000000466000-memory.dmp

memory/4552-73-0x0000000000400000-0x0000000000466000-memory.dmp

memory/4552-75-0x0000000000400000-0x0000000000466000-memory.dmp

memory/5012-82-0x0000000000400000-0x0000000000466000-memory.dmp

memory/5012-84-0x0000000000400000-0x0000000000466000-memory.dmp

memory/428-89-0x0000000000400000-0x0000000000466000-memory.dmp

memory/428-91-0x0000000000400000-0x0000000000466000-memory.dmp

memory/428-90-0x0000000000400000-0x0000000000466000-memory.dmp

memory/428-93-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2876-100-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2876-102-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1968-108-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1968-110-0x0000000000400000-0x0000000000466000-memory.dmp

memory/1968-112-0x0000000000400000-0x0000000000466000-memory.dmp

memory/3972-119-0x0000000000400000-0x0000000000466000-memory.dmp

memory/3972-121-0x0000000000400000-0x0000000000466000-memory.dmp

memory/4468-127-0x0000000000400000-0x0000000000466000-memory.dmp

memory/4468-132-0x0000000000400000-0x0000000000466000-memory.dmp

memory/3856-138-0x0000000000400000-0x0000000000466000-memory.dmp

memory/3856-143-0x0000000000400000-0x0000000000466000-memory.dmp

memory/4104-149-0x0000000000400000-0x0000000000466000-memory.dmp

memory/4104-153-0x0000000000400000-0x0000000000466000-memory.dmp

memory/3532-159-0x0000000000400000-0x0000000000466000-memory.dmp

memory/3532-164-0x0000000000400000-0x0000000000466000-memory.dmp

memory/3224-170-0x0000000000400000-0x0000000000466000-memory.dmp

memory/3224-174-0x0000000000400000-0x0000000000466000-memory.dmp