Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system -
submitted
22/01/2024, 11:05
Static task
static1
Behavioral task
behavioral1
Sample
6f835b6c3057fcc816392c3b72740345.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
6f835b6c3057fcc816392c3b72740345.exe
Resource
win10v2004-20231222-en
General
-
Target
6f835b6c3057fcc816392c3b72740345.exe
-
Size
232KB
-
MD5
6f835b6c3057fcc816392c3b72740345
-
SHA1
1101247576532083c6b3a87ff52fc9ccd588668a
-
SHA256
55cea4bf97f08c33c864615a119c6b4ffc090069bbb7b4d64d2c7dd0e19dad59
-
SHA512
a4d583ea616c8b0e48edc6b74b419ff637e2f8b29cc98179e76ecf08968b4fb56ac2b4ceb7cb45626f444a2157fe64f78037389bfe084c5e633e50977c1ec533
-
SSDEEP
3072:BsLEbdIlxJ5SKlVgUtuN1OtH8OVtddjgctRSO8DjqmJxZSacqSt2PZgRvIL:CQSD3Nt1cE8XqmJnpPZce
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Checks computer location settings 2 TTPs 32 IoCs
Looks up country code configured in the registry, likely geofence.
Deletes itself 1 IoCs
pid Process 1456 igfxdw32.exe -
Executes dropped EXE 63 IoCs
Maps connected drives based on registry 3 TTPs 64 IoCs
Disk information is often read in order to detect sandboxing environments.
Drops file in System32 directory 64 IoCs
Suspicious use of SetThreadContext 32 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 32 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\6f835b6c3057fcc816392c3b72740345.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6f835b6c3057fcc816392c3b72740345.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2180

Level 2: C:\Users\Admin\AppData\Local\Temp\6f835b6c3057fcc816392c3b72740345.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6f835b6c3057fcc816392c3b72740345.exe"
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4124

Level 3: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Users\Admin\AppData\Local\Temp\6F835B~1.EXE
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2260

Level 4: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Users\Admin\AppData\Local\Temp\6F835B~1.EXE
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1456

Level 5: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 3996

Level 6: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4400

Level 7: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 4508

Level 8: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1452

Level 9: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 4884

Level 10: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4576

Level 11: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 4032

Level 12: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4380

Level 13: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 4192

Level 14: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 852

Level 15: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 3708

Level 16: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 2380

Level 17: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 4232

Level 18: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 4404

Level 19: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 5080

Level 20: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 1972

Level 21: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 4612

Level 22: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 3112

Level 23: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 3408

Level 24: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 2768

Level 25: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 220

Level 26: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 1856

Level 27: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 856

Level 28: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 4292

Level 29: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 1380

Level 30: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 4528

Level 31: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 4160

Level 32: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 1860

Level 33: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 900

Level 34: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  PID: 3944

Level 35: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 2988

Level 36: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  PID: 1924

Level 37: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 2492

Level 38: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  PID: 2544

Level 39: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 2180

Level 40: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  PID: 3180

Level 41: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 2552

Level 42: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  PID: 4412

Level 43: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 2476

Level 44: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  PID: 4748

Level 45: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 2260

Level 46: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  PID: 5112

Level 47: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 1464

Level 48: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  PID: 2044

Level 49: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 220

Level 50: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  PID: 1656

Level 51: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 2316

Level 52: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  PID: 1192

Level 53: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 816

Level 54: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  PID: 4196

Level 55: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 3108

Level 56: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Modifies registry class
  PID: 4336

Level 57: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 2816

Level 58: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  PID: 4332

Level 59: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 1324

Level 60: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  PID: 4724

Level 61: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 2940

Level 62: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  PID: 764

Level 63: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 2832

Level 64: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  PID: 3532

Level 65: C:\Windows\SysWOW64\igfxdw32.exe
  Command line: "C:\Windows\system32\igfxdw32.exe" C:\Windows\SysWOW64\igfxdw32.exe
  - Executes dropped EXE
  PID: 2748
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 126KB
  MD5: c4d7d368dc6789c39ee24ea1e3ae35c6
  SHA1: f61398ccd12d25b0af39ec0b7cf3d4eb534716aa
  SHA256: 44cf290a8c1f46c2d056da35c62a647044c837c8811dadbd16593b8ddb9c8256
  SHA512: d84b1eb946ca0862a833f156c4a245e9084bca59fdb6089ff12fa950dde169db1d989cd0b9621e346ebda70db84824f409c9927c82ae34e0ba82047ed3fed6dd

- Filesize: 232KB
  MD5: 6f835b6c3057fcc816392c3b72740345
  SHA1: 1101247576532083c6b3a87ff52fc9ccd588668a
  SHA256: 55cea4bf97f08c33c864615a119c6b4ffc090069bbb7b4d64d2c7dd0e19dad59
  SHA512: a4d583ea616c8b0e48edc6b74b419ff637e2f8b29cc98179e76ecf08968b4fb56ac2b4ceb7cb45626f444a2157fe64f78037389bfe084c5e633e50977c1ec533