Analysis
- max time kernel: 144s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/01/2024, 18:02
Static task: static1
Behavioral task: behavioral1
- Sample: 7ae7a7ba4496d3f41ea55d432a6346a3.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 7ae7a7ba4496d3f41ea55d432a6346a3.exe
- Resource: win10v2004-20231222-en
General
- Target: 7ae7a7ba4496d3f41ea55d432a6346a3.exe
- Size: 169KB
- MD5: 7ae7a7ba4496d3f41ea55d432a6346a3
- SHA1: 824d712a47bcd0d686e8b0908e83fe949a938a01
- SHA256: 93126c09d41e1a0611c7ef1171e11e1599fc8e619af202982573ece10785891b
- SHA512: ada791b4b49574f7664a73d51d383b5b409f9520bf620dc3e00cf4c0149239a912d7ed3f6e6003139094445e19de85e566568a59d26e9728a01b9be1eb9cf70d
- SSDEEP: 3072:mx+wJ0Gu+ngj/mvMOkljkJozO8pQVCVElHeGoY8Bih/uy:m14j/mK22zO8g3HevY9/X
Malware Config
Extracted
- Family: metasploit
- Encoder: encoder/call4_dword_xor
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Checks computer location settings (2 TTPs, 15 IoCs)
  Looks up country code configured in the registry, likely geofence.

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | igfxkb32.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | igfxkb32.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | igfxkb32.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | igfxkb32.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | igfxkb32.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | igfxkb32.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | igfxkb32.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | 7ae7a7ba4496d3f41ea55d432a6346a3.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | igfxkb32.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | igfxkb32.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | igfxkb32.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | igfxkb32.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | igfxkb32.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | igfxkb32.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | igfxkb32.exe |
- Executes dropped EXE (29 IoCs)

| pid | Process |
|---|---|
| 3204 | igfxkb32.exe |
| 1008 | igfxkb32.exe |
| 3844 | igfxkb32.exe |
| 4412 | igfxkb32.exe |
| 2332 | igfxkb32.exe |
| 3076 | igfxkb32.exe |
| 4492 | igfxkb32.exe |
| 1832 | igfxkb32.exe |
| 1712 | igfxkb32.exe |
| 1584 | igfxkb32.exe |
| 3488 | igfxkb32.exe |
| 1748 | igfxkb32.exe |
| 1480 | igfxkb32.exe |
| 4448 | igfxkb32.exe |
| 4596 | igfxkb32.exe |
| 4688 | igfxkb32.exe |
| 1600 | igfxkb32.exe |
| 4020 | igfxkb32.exe |
| 1656 | igfxkb32.exe |
| 4032 | igfxkb32.exe |
| 2052 | igfxkb32.exe |
| 4216 | igfxkb32.exe |
| 4400 | igfxkb32.exe |
| 4320 | igfxkb32.exe |
| 3512 | igfxkb32.exe |
| 2008 | igfxkb32.exe |
| 5096 | igfxkb32.exe |
| 3956 | igfxkb32.exe |
| 4600 | igfxkb32.exe |
- Memory regions matching yara rule upx

| resource | yara_rule |
|---|---|
| behavioral2/memory/5016-0-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/5016-2-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/5016-3-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/5016-4-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/5016-38-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/1008-43-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/1008-44-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/1008-45-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/1008-47-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/4412-54-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/4412-56-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/3076-63-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/3076-64-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/1832-72-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/1832-74-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/1584-80-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/1584-81-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/1584-82-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/1584-84-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/1748-90-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/1748-93-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/4448-100-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/4448-101-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/4688-109-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/4688-111-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/4020-118-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/4020-121-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/4032-127-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/4032-133-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/4216-139-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/4216-143-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/4320-149-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/4320-153-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/2008-159-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/2008-163-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/3956-169-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
| behavioral2/memory/3956-173-0x0000000012370000-0x00000000123C9000-memory.dmp | upx |
- Maps connected drives based on registry (3 TTPs, 30 IoCs)
  Disk information is often read in order to detect sandboxing environments.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxkb32.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxkb32.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxkb32.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxkb32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxkb32.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxkb32.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 7ae7a7ba4496d3f41ea55d432a6346a3.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxkb32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxkb32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxkb32.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxkb32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxkb32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxkb32.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxkb32.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxkb32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxkb32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxkb32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxkb32.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxkb32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 7ae7a7ba4496d3f41ea55d432a6346a3.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxkb32.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxkb32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxkb32.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxkb32.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxkb32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxkb32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxkb32.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxkb32.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | igfxkb32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | igfxkb32.exe |
- Drops file in System32 directory (45 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\ | igfxkb32.exe |
| File opened for modification | C:\Windows\SysWOW64\igfxkb32.exe | 7ae7a7ba4496d3f41ea55d432a6346a3.exe |
| File opened for modification | C:\Windows\SysWOW64\igfxkb32.exe | igfxkb32.exe |
| File created | C:\Windows\SysWOW64\igfxkb32.exe | igfxkb32.exe |
| File opened for modification | C:\Windows\SysWOW64\ | igfxkb32.exe |
| File opened for modification | C:\Windows\SysWOW64\ | igfxkb32.exe |
| File opened for modification | C:\Windows\SysWOW64\igfxkb32.exe | igfxkb32.exe |
| File opened for modification | C:\Windows\SysWOW64\igfxkb32.exe | igfxkb32.exe |
| File created | C:\Windows\SysWOW64\igfxkb32.exe | igfxkb32.exe |
| File opened for modification | C:\Windows\SysWOW64\ | 7ae7a7ba4496d3f41ea55d432a6346a3.exe |
| File opened for modification | C:\Windows\SysWOW64\ | igfxkb32.exe |
| File created | C:\Windows\SysWOW64\igfxkb32.exe | igfxkb32.exe |
| File opened for modification | C:\Windows\SysWOW64\igfxkb32.exe | igfxkb32.exe |
| File opened for modification | C:\Windows\SysWOW64\ | igfxkb32.exe |
| File opened for modification | C:\Windows\SysWOW64\igfxkb32.exe | igfxkb32.exe |
| File opened for modification | C:\Windows\SysWOW64\ | igfxkb32.exe |
| File opened for modification | C:\Windows\SysWOW64\igfxkb32.exe | igfxkb32.exe |
| File opened for modification | C:\Windows\SysWOW64\igfxkb32.exe | igfxkb32.exe |
| File opened for modification | C:\Windows\SysWOW64\igfxkb32.exe | igfxkb32.exe |
| File created | C:\Windows\SysWOW64\igfxkb32.exe | igfxkb32.exe |
| File opened for modification | C:\Windows\SysWOW64\ | igfxkb32.exe |
| File created | C:\Windows\SysWOW64\igfxkb32.exe | igfxkb32.exe |
| File created | C:\Windows\SysWOW64\igfxkb32.exe | igfxkb32.exe |
| File created | C:\Windows\SysWOW64\igfxkb32.exe | igfxkb32.exe |
| File opened for modification | C:\Windows\SysWOW64\ | igfxkb32.exe |
| File created | C:\Windows\SysWOW64\igfxkb32.exe | igfxkb32.exe |
| File opened for modification | C:\Windows\SysWOW64\ | igfxkb32.exe |
| File opened for modification | C:\Windows\SysWOW64\ | igfxkb32.exe |
| File opened for modification | C:\Windows\SysWOW64\ | igfxkb32.exe |
| File created | C:\Windows\SysWOW64\igfxkb32.exe | igfxkb32.exe |
| File created | C:\Windows\SysWOW64\igfxkb32.exe | 7ae7a7ba4496d3f41ea55d432a6346a3.exe |
| File opened for modification | C:\Windows\SysWOW64\igfxkb32.exe | igfxkb32.exe |
| File created | C:\Windows\SysWOW64\igfxkb32.exe | igfxkb32.exe |
| File opened for modification | C:\Windows\SysWOW64\igfxkb32.exe | igfxkb32.exe |
| File opened for modification | C:\Windows\SysWOW64\ | igfxkb32.exe |
| File opened for modification | C:\Windows\SysWOW64\igfxkb32.exe | igfxkb32.exe |
| File opened for modification | C:\Windows\SysWOW64\ | igfxkb32.exe |
| File opened for modification | C:\Windows\SysWOW64\igfxkb32.exe | igfxkb32.exe |
| File created | C:\Windows\SysWOW64\igfxkb32.exe | igfxkb32.exe |
| File created | C:\Windows\SysWOW64\igfxkb32.exe | igfxkb32.exe |
| File created | C:\Windows\SysWOW64\igfxkb32.exe | igfxkb32.exe |
| File opened for modification | C:\Windows\SysWOW64\ | igfxkb32.exe |
| File opened for modification | C:\Windows\SysWOW64\igfxkb32.exe | igfxkb32.exe |
| File created | C:\Windows\SysWOW64\igfxkb32.exe | igfxkb32.exe |
| File opened for modification | C:\Windows\SysWOW64\igfxkb32.exe | igfxkb32.exe |
- Suspicious use of SetThreadContext (15 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 4000 set thread context of 5016 | 4000 | 7ae7a7ba4496d3f41ea55d432a6346a3.exe | 96 |
| PID 3204 set thread context of 1008 | 3204 | igfxkb32.exe | 101 |
| PID 3844 set thread context of 4412 | 3844 | igfxkb32.exe | 103 |
| PID 2332 set thread context of 3076 | 2332 | igfxkb32.exe | 106 |
| PID 4492 set thread context of 1832 | 4492 | igfxkb32.exe | 108 |
| PID 1712 set thread context of 1584 | 1712 | igfxkb32.exe | 110 |
| PID 3488 set thread context of 1748 | 3488 | igfxkb32.exe | 112 |
| PID 1480 set thread context of 4448 | 1480 | igfxkb32.exe | 115 |
| PID 4596 set thread context of 4688 | 4596 | igfxkb32.exe | 118 |
| PID 1600 set thread context of 4020 | 1600 | igfxkb32.exe | 121 |
| PID 1656 set thread context of 4032 | 1656 | igfxkb32.exe | 123 |
| PID 2052 set thread context of 4216 | 2052 | igfxkb32.exe | 125 |
| PID 4400 set thread context of 4320 | 4400 | igfxkb32.exe | 127 |
| PID 3512 set thread context of 2008 | 3512 | igfxkb32.exe | 129 |
| PID 5096 set thread context of 3956 | 5096 | igfxkb32.exe | 131 |
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (15 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxkb32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxkb32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxkb32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxkb32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxkb32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxkb32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxkb32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxkb32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxkb32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxkb32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 7ae7a7ba4496d3f41ea55d432a6346a3.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxkb32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxkb32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxkb32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | igfxkb32.exe |
- Suspicious behavior: EnumeratesProcesses (60 IoCs)

| pid | Process |
|---|---|
| 5016 | 7ae7a7ba4496d3f41ea55d432a6346a3.exe |
| 5016 | 7ae7a7ba4496d3f41ea55d432a6346a3.exe |
| 5016 | 7ae7a7ba4496d3f41ea55d432a6346a3.exe |
| 5016 | 7ae7a7ba4496d3f41ea55d432a6346a3.exe |
| 1008 | igfxkb32.exe |
| 1008 | igfxkb32.exe |
| 1008 | igfxkb32.exe |
| 1008 | igfxkb32.exe |
| 4412 | igfxkb32.exe |
| 4412 | igfxkb32.exe |
| 4412 | igfxkb32.exe |
| 4412 | igfxkb32.exe |
| 3076 | igfxkb32.exe |
| 3076 | igfxkb32.exe |
| 3076 | igfxkb32.exe |
| 3076 | igfxkb32.exe |
| 1832 | igfxkb32.exe |
| 1832 | igfxkb32.exe |
| 1832 | igfxkb32.exe |
| 1832 | igfxkb32.exe |
| 1584 | igfxkb32.exe |
| 1584 | igfxkb32.exe |
| 1584 | igfxkb32.exe |
| 1584 | igfxkb32.exe |
| 1748 | igfxkb32.exe |
| 1748 | igfxkb32.exe |
| 1748 | igfxkb32.exe |
| 1748 | igfxkb32.exe |
| 4448 | igfxkb32.exe |
| 4448 | igfxkb32.exe |
| 4448 | igfxkb32.exe |
| 4448 | igfxkb32.exe |
| 4688 | igfxkb32.exe |
| 4688 | igfxkb32.exe |
| 4688 | igfxkb32.exe |
| 4688 | igfxkb32.exe |
| 4020 | igfxkb32.exe |
| 4020 | igfxkb32.exe |
| 4020 | igfxkb32.exe |
| 4020 | igfxkb32.exe |
| 4032 | igfxkb32.exe |
| 4032 | igfxkb32.exe |
| 4032 | igfxkb32.exe |
| 4032 | igfxkb32.exe |
| 4216 | igfxkb32.exe |
| 4216 | igfxkb32.exe |
| 4216 | igfxkb32.exe |
| 4216 | igfxkb32.exe |
| 4320 | igfxkb32.exe |
| 4320 | igfxkb32.exe |
| 4320 | igfxkb32.exe |
| 4320 | igfxkb32.exe |
| 2008 | igfxkb32.exe |
| 2008 | igfxkb32.exe |
| 2008 | igfxkb32.exe |
| 2008 | igfxkb32.exe |
| 3956 | igfxkb32.exe |
| 3956 | igfxkb32.exe |
| 3956 | igfxkb32.exe |
| 3956 | igfxkb32.exe |
- Suspicious use of WriteProcessMemory (64 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 4000 wrote to memory of 5016 | 4000 | 7ae7a7ba4496d3f41ea55d432a6346a3.exe | 96 |
| PID 4000 wrote to memory of 5016 | 4000 | 7ae7a7ba4496d3f41ea55d432a6346a3.exe | 96 |
| PID 4000 wrote to memory of 5016 | 4000 | 7ae7a7ba4496d3f41ea55d432a6346a3.exe | 96 |
| PID 4000 wrote to memory of 5016 | 4000 | 7ae7a7ba4496d3f41ea55d432a6346a3.exe | 96 |
| PID 4000 wrote to memory of 5016 | 4000 | 7ae7a7ba4496d3f41ea55d432a6346a3.exe | 96 |
| PID 4000 wrote to memory of 5016 | 4000 | 7ae7a7ba4496d3f41ea55d432a6346a3.exe | 96 |
| PID 4000 wrote to memory of 5016 | 4000 | 7ae7a7ba4496d3f41ea55d432a6346a3.exe | 96 |
| PID 5016 wrote to memory of 3204 | 5016 | 7ae7a7ba4496d3f41ea55d432a6346a3.exe | 99 |
| PID 5016 wrote to memory of 3204 | 5016 | 7ae7a7ba4496d3f41ea55d432a6346a3.exe | 99 |
| PID 5016 wrote to memory of 3204 | 5016 | 7ae7a7ba4496d3f41ea55d432a6346a3.exe | 99 |
| PID 3204 wrote to memory of 1008 | 3204 | igfxkb32.exe | 101 |
| PID 3204 wrote to memory of 1008 | 3204 | igfxkb32.exe | 101 |
| PID 3204 wrote to memory of 1008 | 3204 | igfxkb32.exe | 101 |
| PID 3204 wrote to memory of 1008 | 3204 | igfxkb32.exe | 101 |
| PID 3204 wrote to memory of 1008 | 3204 | igfxkb32.exe | 101 |
| PID 3204 wrote to memory of 1008 | 3204 | igfxkb32.exe | 101 |
| PID 3204 wrote to memory of 1008 | 3204 | igfxkb32.exe | 101 |
| PID 1008 wrote to memory of 3844 | 1008 | igfxkb32.exe | 102 |
| PID 1008 wrote to memory of 3844 | 1008 | igfxkb32.exe | 102 |
| PID 1008 wrote to memory of 3844 | 1008 | igfxkb32.exe | 102 |
| PID 3844 wrote to memory of 4412 | 3844 | igfxkb32.exe | 103 |
| PID 3844 wrote to memory of 4412 | 3844 | igfxkb32.exe | 103 |
| PID 3844 wrote to memory of 4412 | 3844 | igfxkb32.exe | 103 |
| PID 3844 wrote to memory of 4412 | 3844 | igfxkb32.exe | 103 |
| PID 3844 wrote to memory of 4412 | 3844 | igfxkb32.exe | 103 |
| PID 3844 wrote to memory of 4412 | 3844 | igfxkb32.exe | 103 |
| PID 3844 wrote to memory of 4412 | 3844 | igfxkb32.exe | 103 |
| PID 4412 wrote to memory of 2332 | 4412 | igfxkb32.exe | 104 |
| PID 4412 wrote to memory of 2332 | 4412 | igfxkb32.exe | 104 |
| PID 4412 wrote to memory of 2332 | 4412 | igfxkb32.exe | 104 |
| PID 2332 wrote to memory of 3076 | 2332 | igfxkb32.exe | 106 |
| PID 2332 wrote to memory of 3076 | 2332 | igfxkb32.exe | 106 |
| PID 2332 wrote to memory of 3076 | 2332 | igfxkb32.exe | 106 |
| PID 2332 wrote to memory of 3076 | 2332 | igfxkb32.exe | 106 |
| PID 2332 wrote to memory of 3076 | 2332 | igfxkb32.exe | 106 |
| PID 2332 wrote to memory of 3076 | 2332 | igfxkb32.exe | 106 |
| PID 2332 wrote to memory of 3076 | 2332 | igfxkb32.exe | 106 |
| PID 3076 wrote to memory of 4492 | 3076 | igfxkb32.exe | 107 |
| PID 3076 wrote to memory of 4492 | 3076 | igfxkb32.exe | 107 |
| PID 3076 wrote to memory of 4492 | 3076 | igfxkb32.exe | 107 |
| PID 4492 wrote to memory of 1832 | 4492 | igfxkb32.exe | 108 |
| PID 4492 wrote to memory of 1832 | 4492 | igfxkb32.exe | 108 |
| PID 4492 wrote to memory of 1832 | 4492 | igfxkb32.exe | 108 |
| PID 4492 wrote to memory of 1832 | 4492 | igfxkb32.exe | 108 |
| PID 4492 wrote to memory of 1832 | 4492 | igfxkb32.exe | 108 |
| PID 4492 wrote to memory of 1832 | 4492 | igfxkb32.exe | 108 |
| PID 4492 wrote to memory of 1832 | 4492 | igfxkb32.exe | 108 |
| PID 1832 wrote to memory of 1712 | 1832 | igfxkb32.exe | 109 |
| PID 1832 wrote to memory of 1712 | 1832 | igfxkb32.exe | 109 |
| PID 1832 wrote to memory of 1712 | 1832 | igfxkb32.exe | 109 |
| PID 1712 wrote to memory of 1584 | 1712 | igfxkb32.exe | 110 |
| PID 1712 wrote to memory of 1584 | 1712 | igfxkb32.exe | 110 |
| PID 1712 wrote to memory of 1584 | 1712 | igfxkb32.exe | 110 |
| PID 1712 wrote to memory of 1584 | 1712 | igfxkb32.exe | 110 |
| PID 1712 wrote to memory of 1584 | 1712 | igfxkb32.exe | 110 |
| PID 1712 wrote to memory of 1584 | 1712 | igfxkb32.exe | 110 |
| PID 1712 wrote to memory of 1584 | 1712 | igfxkb32.exe | 110 |
| PID 1584 wrote to memory of 3488 | 1584 | igfxkb32.exe | 111 |
| PID 1584 wrote to memory of 3488 | 1584 | igfxkb32.exe | 111 |
| PID 1584 wrote to memory of 3488 | 1584 | igfxkb32.exe | 111 |
| PID 3488 wrote to memory of 1748 | 3488 | igfxkb32.exe | 112 |
| PID 3488 wrote to memory of 1748 | 3488 | igfxkb32.exe | 112 |
| PID 3488 wrote to memory of 1748 | 3488 | igfxkb32.exe | 112 |
| PID 3488 wrote to memory of 1748 | 3488 | igfxkb32.exe | 112 |
Processes
Process tree from behavioral2 (each entry is a child of the one above it; the number is its depth in the tree).

Level 1: C:\Users\Admin\AppData\Local\Temp\7ae7a7ba4496d3f41ea55d432a6346a3.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7ae7a7ba4496d3f41ea55d432a6346a3.exe"
  PID: 4000
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

Level 2: C:\Users\Admin\AppData\Local\Temp\7ae7a7ba4496d3f41ea55d432a6346a3.exe
  command line: C:\Users\Admin\AppData\Local\Temp\7ae7a7ba4496d3f41ea55d432a6346a3.exe
  PID: 5016
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 3: C:\Windows\SysWOW64\igfxkb32.exe
  command line: "C:\Windows\system32\igfxkb32.exe" C:\Users\Admin\AppData\Local\Temp\7AE7A7~1.EXE
  PID: 3204
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

Level 4: C:\Windows\SysWOW64\igfxkb32.exe
  command line: C:\Windows\SysWOW64\igfxkb32.exe
  PID: 1008
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 5: C:\Windows\SysWOW64\igfxkb32.exe
  command line: "C:\Windows\system32\igfxkb32.exe" C:\Windows\SysWOW64\igfxkb32.exe
  PID: 3844
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

Level 6: C:\Windows\SysWOW64\igfxkb32.exe
  command line: C:\Windows\SysWOW64\igfxkb32.exe
  PID: 4412
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 7: C:\Windows\SysWOW64\igfxkb32.exe
  command line: "C:\Windows\system32\igfxkb32.exe" C:\Windows\SysWOW64\igfxkb32.exe
  PID: 2332
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

Level 8: C:\Windows\SysWOW64\igfxkb32.exe
  command line: C:\Windows\SysWOW64\igfxkb32.exe
  PID: 3076
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 9: C:\Windows\SysWOW64\igfxkb32.exe
  command line: "C:\Windows\system32\igfxkb32.exe" C:\Windows\SysWOW64\igfxkb32.exe
  PID: 4492
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

Level 10: C:\Windows\SysWOW64\igfxkb32.exe
  command line: C:\Windows\SysWOW64\igfxkb32.exe
  PID: 1832
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 11: C:\Windows\SysWOW64\igfxkb32.exe
  command line: "C:\Windows\system32\igfxkb32.exe" C:\Windows\SysWOW64\igfxkb32.exe
  PID: 1712
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

Level 12: C:\Windows\SysWOW64\igfxkb32.exe
  command line: C:\Windows\SysWOW64\igfxkb32.exe
  PID: 1584
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 13: C:\Windows\SysWOW64\igfxkb32.exe
  command line: "C:\Windows\system32\igfxkb32.exe" C:\Windows\SysWOW64\igfxkb32.exe
  PID: 3488
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

Level 14: C:\Windows\SysWOW64\igfxkb32.exe
  command line: C:\Windows\SysWOW64\igfxkb32.exe
  PID: 1748
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses

Level 15: C:\Windows\SysWOW64\igfxkb32.exe
  command line: "C:\Windows\system32\igfxkb32.exe" C:\Windows\SysWOW64\igfxkb32.exe
  PID: 1480
  - Executes dropped EXE
  - Suspicious use of SetThreadContext

Level 16: C:\Windows\SysWOW64\igfxkb32.exe
  command line: C:\Windows\SysWOW64\igfxkb32.exe
  PID: 4448
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses

Level 17: C:\Windows\SysWOW64\igfxkb32.exe
  command line: "C:\Windows\system32\igfxkb32.exe" C:\Windows\SysWOW64\igfxkb32.exe
  PID: 4596
  - Executes dropped EXE
  - Suspicious use of SetThreadContext

Level 18: C:\Windows\SysWOW64\igfxkb32.exe
  command line: C:\Windows\SysWOW64\igfxkb32.exe
  PID: 4688
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses

Level 19: C:\Windows\SysWOW64\igfxkb32.exe
  command line: "C:\Windows\system32\igfxkb32.exe" C:\Windows\SysWOW64\igfxkb32.exe
  PID: 1600
  - Executes dropped EXE
  - Suspicious use of SetThreadContext

Level 20: C:\Windows\SysWOW64\igfxkb32.exe
  command line: C:\Windows\SysWOW64\igfxkb32.exe
  PID: 4020
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses

Level 21: C:\Windows\SysWOW64\igfxkb32.exe
  command line: "C:\Windows\system32\igfxkb32.exe" C:\Windows\SysWOW64\igfxkb32.exe
  PID: 1656
  - Executes dropped EXE
  - Suspicious use of SetThreadContext

Level 22: C:\Windows\SysWOW64\igfxkb32.exe
  command line: C:\Windows\SysWOW64\igfxkb32.exe
  PID: 4032
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses

Level 23: C:\Windows\SysWOW64\igfxkb32.exe
  command line: "C:\Windows\system32\igfxkb32.exe" C:\Windows\SysWOW64\igfxkb32.exe
  PID: 2052
  - Executes dropped EXE
  - Suspicious use of SetThreadContext

Level 24: C:\Windows\SysWOW64\igfxkb32.exe
  command line: C:\Windows\SysWOW64\igfxkb32.exe
  PID: 4216
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses

Level 25: C:\Windows\SysWOW64\igfxkb32.exe
  command line: "C:\Windows\system32\igfxkb32.exe" C:\Windows\SysWOW64\igfxkb32.exe
  PID: 4400
  - Executes dropped EXE
  - Suspicious use of SetThreadContext

Level 26: C:\Windows\SysWOW64\igfxkb32.exe
  command line: C:\Windows\SysWOW64\igfxkb32.exe
  PID: 4320
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses

Level 27: C:\Windows\SysWOW64\igfxkb32.exe
  command line: "C:\Windows\system32\igfxkb32.exe" C:\Windows\SysWOW64\igfxkb32.exe
  PID: 3512
  - Executes dropped EXE
  - Suspicious use of SetThreadContext

Level 28: C:\Windows\SysWOW64\igfxkb32.exe
  command line: C:\Windows\SysWOW64\igfxkb32.exe
  PID: 2008
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses

Level 29: C:\Windows\SysWOW64\igfxkb32.exe
  command line: "C:\Windows\system32\igfxkb32.exe" C:\Windows\SysWOW64\igfxkb32.exe
  PID: 5096
  - Executes dropped EXE
  - Suspicious use of SetThreadContext

Level 30: C:\Windows\SysWOW64\igfxkb32.exe
  command line: C:\Windows\SysWOW64\igfxkb32.exe
  PID: 3956
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses

Level 31: C:\Windows\SysWOW64\igfxkb32.exe
  command line: "C:\Windows\system32\igfxkb32.exe" C:\Windows\SysWOW64\igfxkb32.exe
  PID: 4600
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 169KB
- MD5: 7ae7a7ba4496d3f41ea55d432a6346a3
- SHA1: 824d712a47bcd0d686e8b0908e83fe949a938a01
- SHA256: 93126c09d41e1a0611c7ef1171e11e1599fc8e619af202982573ece10785891b
- SHA512: ada791b4b49574f7664a73d51d383b5b409f9520bf620dc3e00cf4c0149239a912d7ed3f6e6003139094445e19de85e566568a59d26e9728a01b9be1eb9cf70d