metasploit | 936df8a9a1e7d4c8ebaa8eb83895c34e2173cccd0ebc9ae8367e4fe16cc5e332

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/03/2024, 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df499130201f21670d4b4cbce68748c2.exe
Size

916KB
MD5

df499130201f21670d4b4cbce68748c2
SHA1

1525b615b3a31527fbfffa32f4c9e09f3eedc284
SHA256

936df8a9a1e7d4c8ebaa8eb83895c34e2173cccd0ebc9ae8367e4fe16cc5e332
SHA512

62ba3ee41e3d1f4418196d9f9dbeb284c480db62dcee3deb9de4523332890111863843697aacaa1b3d48afc7873fb2a97df38a2db83912ce5957824c5ba669d8
SSDEEP

6144:ssSKU3H/2P3rvLhrtXOdlsCMHxci/DTSAKIATI1NRhsBoIy:hZUXoD1rtSlszF1hAc1NRqB

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Deletes itself 1 IoCs

pid	Process
2992	igfxdwx32.exe

Executes dropped EXE 45 IoCs

pid	Process
2992	igfxdwx32.exe
2688	igfxdwx32.exe
2460	igfxdwx32.exe
2976	igfxdwx32.exe
2056	igfxdwx32.exe
1584	igfxdwx32.exe
276	igfxdwx32.exe
1376	igfxdwx32.exe
1816	igfxdwx32.exe
2660	igfxdwx32.exe
936	igfxdwx32.exe
2764	igfxdwx32.exe
400	igfxdwx32.exe
1340	igfxdwx32.exe
1872	igfxdwx32.exe
1800	igfxdwx32.exe
704	igfxdwx32.exe
1976	igfxdwx32.exe
1616	igfxdwx32.exe
2556	igfxdwx32.exe
1312	igfxdwx32.exe
2720	igfxdwx32.exe
2544	igfxdwx32.exe
2528	igfxdwx32.exe
1228	igfxdwx32.exe
776	igfxdwx32.exe
1180	igfxdwx32.exe
3060	igfxdwx32.exe
1628	igfxdwx32.exe
1796	igfxdwx32.exe
2676	igfxdwx32.exe
1748	igfxdwx32.exe
2772	igfxdwx32.exe
2776	igfxdwx32.exe
2764	igfxdwx32.exe
1100	igfxdwx32.exe
1088	igfxdwx32.exe
1340	igfxdwx32.exe
2748	igfxdwx32.exe
2088	igfxdwx32.exe
1608	igfxdwx32.exe
1540	igfxdwx32.exe
2996	igfxdwx32.exe
976	igfxdwx32.exe
2068	igfxdwx32.exe

Loads dropped DLL 64 IoCs

pid	Process
2068	df499130201f21670d4b4cbce68748c2.exe
2068	df499130201f21670d4b4cbce68748c2.exe
2992	igfxdwx32.exe
2992	igfxdwx32.exe
2688	igfxdwx32.exe
2688	igfxdwx32.exe
2460	igfxdwx32.exe
2460	igfxdwx32.exe
2976	igfxdwx32.exe
2976	igfxdwx32.exe
2056	igfxdwx32.exe
2056	igfxdwx32.exe
1584	igfxdwx32.exe
1584	igfxdwx32.exe
276	igfxdwx32.exe
276	igfxdwx32.exe
1376	igfxdwx32.exe
1376	igfxdwx32.exe
1816	igfxdwx32.exe
1816	igfxdwx32.exe
2660	igfxdwx32.exe
2660	igfxdwx32.exe
936	igfxdwx32.exe
936	igfxdwx32.exe
2764	igfxdwx32.exe
2764	igfxdwx32.exe
400	igfxdwx32.exe
400	igfxdwx32.exe
1340	igfxdwx32.exe
1340	igfxdwx32.exe
1872	igfxdwx32.exe
1872	igfxdwx32.exe
1800	igfxdwx32.exe
1800	igfxdwx32.exe
704	igfxdwx32.exe
704	igfxdwx32.exe
1976	igfxdwx32.exe
1976	igfxdwx32.exe
1616	igfxdwx32.exe
1616	igfxdwx32.exe
2556	igfxdwx32.exe
2556	igfxdwx32.exe
1312	igfxdwx32.exe
1312	igfxdwx32.exe
2720	igfxdwx32.exe
2720	igfxdwx32.exe
2544	igfxdwx32.exe
2544	igfxdwx32.exe
2528	igfxdwx32.exe
2528	igfxdwx32.exe
1228	igfxdwx32.exe
1228	igfxdwx32.exe
776	igfxdwx32.exe
776	igfxdwx32.exe
1180	igfxdwx32.exe
1180	igfxdwx32.exe
3060	igfxdwx32.exe
3060	igfxdwx32.exe
1628	igfxdwx32.exe
1628	igfxdwx32.exe
1796	igfxdwx32.exe
1796	igfxdwx32.exe
2676	igfxdwx32.exe
2676	igfxdwx32.exe

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdwx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdwx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdwx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdwx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdwx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdwx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdwx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdwx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdwx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdwx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdwx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdwx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdwx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdwx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdwx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdwx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdwx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdwx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	df499130201f21670d4b4cbce68748c2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdwx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdwx32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File created	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File created	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File created	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File created	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File created	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdwx32.exe
File created	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File created	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdwx32.exe
File created	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File created	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File created	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdwx32.exe	df499130201f21670d4b4cbce68748c2.exe
File created	C:\Windows\SysWOW64\igfxdwx32.exe	df499130201f21670d4b4cbce68748c2.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\	df499130201f21670d4b4cbce68748c2.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdwx32.exe
File created	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdwx32.exe
File created	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File created	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdwx32.exe
File created	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File created	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File created	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File created	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File created	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File created	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File created	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File created	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File created	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe
File created	C:\Windows\SysWOW64\igfxdwx32.exe	igfxdwx32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 46 IoCs

pid	Process
2068	df499130201f21670d4b4cbce68748c2.exe
2992	igfxdwx32.exe
2688	igfxdwx32.exe
2460	igfxdwx32.exe
2976	igfxdwx32.exe
2056	igfxdwx32.exe
1584	igfxdwx32.exe
276	igfxdwx32.exe
1376	igfxdwx32.exe
1816	igfxdwx32.exe
2660	igfxdwx32.exe
936	igfxdwx32.exe
2764	igfxdwx32.exe
400	igfxdwx32.exe
1340	igfxdwx32.exe
1872	igfxdwx32.exe
1800	igfxdwx32.exe
704	igfxdwx32.exe
1976	igfxdwx32.exe
1616	igfxdwx32.exe
2556	igfxdwx32.exe
1312	igfxdwx32.exe
2720	igfxdwx32.exe
2544	igfxdwx32.exe
2528	igfxdwx32.exe
1228	igfxdwx32.exe
776	igfxdwx32.exe
1180	igfxdwx32.exe
3060	igfxdwx32.exe
1628	igfxdwx32.exe
1796	igfxdwx32.exe
2676	igfxdwx32.exe
1748	igfxdwx32.exe
2772	igfxdwx32.exe
2776	igfxdwx32.exe
2764	igfxdwx32.exe
1100	igfxdwx32.exe
1088	igfxdwx32.exe
1340	igfxdwx32.exe
2748	igfxdwx32.exe
2088	igfxdwx32.exe
1608	igfxdwx32.exe
1540	igfxdwx32.exe
2996	igfxdwx32.exe
976	igfxdwx32.exe
2068	igfxdwx32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2068	df499130201f21670d4b4cbce68748c2.exe
2068	df499130201f21670d4b4cbce68748c2.exe
2068	df499130201f21670d4b4cbce68748c2.exe
2068	df499130201f21670d4b4cbce68748c2.exe
2068	df499130201f21670d4b4cbce68748c2.exe
2068	df499130201f21670d4b4cbce68748c2.exe
2068	df499130201f21670d4b4cbce68748c2.exe
2068	df499130201f21670d4b4cbce68748c2.exe
2068	df499130201f21670d4b4cbce68748c2.exe
2068	df499130201f21670d4b4cbce68748c2.exe
2068	df499130201f21670d4b4cbce68748c2.exe
2068	df499130201f21670d4b4cbce68748c2.exe
2068	df499130201f21670d4b4cbce68748c2.exe
2068	df499130201f21670d4b4cbce68748c2.exe
2068	df499130201f21670d4b4cbce68748c2.exe
2992	igfxdwx32.exe
2992	igfxdwx32.exe
2992	igfxdwx32.exe
2992	igfxdwx32.exe
2992	igfxdwx32.exe
2992	igfxdwx32.exe
2992	igfxdwx32.exe
2992	igfxdwx32.exe
2992	igfxdwx32.exe
2992	igfxdwx32.exe
2992	igfxdwx32.exe
2992	igfxdwx32.exe
2992	igfxdwx32.exe
2992	igfxdwx32.exe
2992	igfxdwx32.exe
2688	igfxdwx32.exe
2688	igfxdwx32.exe
2688	igfxdwx32.exe
2688	igfxdwx32.exe
2688	igfxdwx32.exe
2688	igfxdwx32.exe
2688	igfxdwx32.exe
2688	igfxdwx32.exe
2688	igfxdwx32.exe
2688	igfxdwx32.exe
2688	igfxdwx32.exe
2688	igfxdwx32.exe
2688	igfxdwx32.exe
2688	igfxdwx32.exe
2688	igfxdwx32.exe
2460	igfxdwx32.exe
2460	igfxdwx32.exe
2460	igfxdwx32.exe
2460	igfxdwx32.exe
2460	igfxdwx32.exe
2460	igfxdwx32.exe
2460	igfxdwx32.exe
2460	igfxdwx32.exe
2460	igfxdwx32.exe
2460	igfxdwx32.exe
2460	igfxdwx32.exe
2460	igfxdwx32.exe
2460	igfxdwx32.exe
2460	igfxdwx32.exe
2460	igfxdwx32.exe
2976	igfxdwx32.exe
2976	igfxdwx32.exe
2976	igfxdwx32.exe
2976	igfxdwx32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2992	2068	df499130201f21670d4b4cbce68748c2.exe	28
PID 2068 wrote to memory of 2992	2068	df499130201f21670d4b4cbce68748c2.exe	28
PID 2068 wrote to memory of 2992	2068	df499130201f21670d4b4cbce68748c2.exe	28
PID 2068 wrote to memory of 2992	2068	df499130201f21670d4b4cbce68748c2.exe	28
PID 2992 wrote to memory of 2688	2992	igfxdwx32.exe	29
PID 2992 wrote to memory of 2688	2992	igfxdwx32.exe	29
PID 2992 wrote to memory of 2688	2992	igfxdwx32.exe	29
PID 2992 wrote to memory of 2688	2992	igfxdwx32.exe	29
PID 2688 wrote to memory of 2460	2688	igfxdwx32.exe	30
PID 2688 wrote to memory of 2460	2688	igfxdwx32.exe	30
PID 2688 wrote to memory of 2460	2688	igfxdwx32.exe	30
PID 2688 wrote to memory of 2460	2688	igfxdwx32.exe	30
PID 2460 wrote to memory of 2976	2460	igfxdwx32.exe	31
PID 2460 wrote to memory of 2976	2460	igfxdwx32.exe	31
PID 2460 wrote to memory of 2976	2460	igfxdwx32.exe	31
PID 2460 wrote to memory of 2976	2460	igfxdwx32.exe	31
PID 2976 wrote to memory of 2056	2976	igfxdwx32.exe	32
PID 2976 wrote to memory of 2056	2976	igfxdwx32.exe	32
PID 2976 wrote to memory of 2056	2976	igfxdwx32.exe	32
PID 2976 wrote to memory of 2056	2976	igfxdwx32.exe	32
PID 2056 wrote to memory of 1584	2056	igfxdwx32.exe	33
PID 2056 wrote to memory of 1584	2056	igfxdwx32.exe	33
PID 2056 wrote to memory of 1584	2056	igfxdwx32.exe	33
PID 2056 wrote to memory of 1584	2056	igfxdwx32.exe	33
PID 1584 wrote to memory of 276	1584	igfxdwx32.exe	34
PID 1584 wrote to memory of 276	1584	igfxdwx32.exe	34
PID 1584 wrote to memory of 276	1584	igfxdwx32.exe	34
PID 1584 wrote to memory of 276	1584	igfxdwx32.exe	34
PID 276 wrote to memory of 1376	276	igfxdwx32.exe	35
PID 276 wrote to memory of 1376	276	igfxdwx32.exe	35
PID 276 wrote to memory of 1376	276	igfxdwx32.exe	35
PID 276 wrote to memory of 1376	276	igfxdwx32.exe	35
PID 1376 wrote to memory of 1816	1376	igfxdwx32.exe	36
PID 1376 wrote to memory of 1816	1376	igfxdwx32.exe	36
PID 1376 wrote to memory of 1816	1376	igfxdwx32.exe	36
PID 1376 wrote to memory of 1816	1376	igfxdwx32.exe	36
PID 1816 wrote to memory of 2660	1816	igfxdwx32.exe	37
PID 1816 wrote to memory of 2660	1816	igfxdwx32.exe	37
PID 1816 wrote to memory of 2660	1816	igfxdwx32.exe	37
PID 1816 wrote to memory of 2660	1816	igfxdwx32.exe	37
PID 2660 wrote to memory of 936	2660	igfxdwx32.exe	40
PID 2660 wrote to memory of 936	2660	igfxdwx32.exe	40
PID 2660 wrote to memory of 936	2660	igfxdwx32.exe	40
PID 2660 wrote to memory of 936	2660	igfxdwx32.exe	40
PID 936 wrote to memory of 2764	936	igfxdwx32.exe	41
PID 936 wrote to memory of 2764	936	igfxdwx32.exe	41
PID 936 wrote to memory of 2764	936	igfxdwx32.exe	41
PID 936 wrote to memory of 2764	936	igfxdwx32.exe	41
PID 2764 wrote to memory of 400	2764	igfxdwx32.exe	42
PID 2764 wrote to memory of 400	2764	igfxdwx32.exe	42
PID 2764 wrote to memory of 400	2764	igfxdwx32.exe	42
PID 2764 wrote to memory of 400	2764	igfxdwx32.exe	42
PID 400 wrote to memory of 1340	400	igfxdwx32.exe	43
PID 400 wrote to memory of 1340	400	igfxdwx32.exe	43
PID 400 wrote to memory of 1340	400	igfxdwx32.exe	43
PID 400 wrote to memory of 1340	400	igfxdwx32.exe	43
PID 1340 wrote to memory of 1872	1340	igfxdwx32.exe	44
PID 1340 wrote to memory of 1872	1340	igfxdwx32.exe	44
PID 1340 wrote to memory of 1872	1340	igfxdwx32.exe	44
PID 1340 wrote to memory of 1872	1340	igfxdwx32.exe	44
PID 1872 wrote to memory of 1800	1872	igfxdwx32.exe	45
PID 1872 wrote to memory of 1800	1872	igfxdwx32.exe	45
PID 1872 wrote to memory of 1800	1872	igfxdwx32.exe	45
PID 1872 wrote to memory of 1800	1872	igfxdwx32.exe	45

C:\Users\Admin\AppData\Local\Temp\df499130201f21670d4b4cbce68748c2.exe
"C:\Users\Admin\AppData\Local\Temp\df499130201f21670d4b4cbce68748c2.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\SysWOW64\igfxdwx32.exe
  "C:\Windows\system32\igfxdwx32.exe" C:\Users\Admin\AppData\Local\Temp\DF4991~1.EXE
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\SysWOW64\igfxdwx32.exe
    "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\igfxdwx32.exe
      "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Maps connected drives based on registry
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2976
      - C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of WriteProcessMemory
        
        PID:276
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1800
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:704
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1976
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1616
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2556
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1312
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2720
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2544
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2528
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1228
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:776
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1180
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3060
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1628
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1796
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2676
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        33⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1748
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        34⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2772
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        35⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2776
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        36⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2764
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        37⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1100
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        38⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1088
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        39⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1340
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        40⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2748
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        41⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2088
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        42⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1608
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        43⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1540
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        44⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2996
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:976
        
        C:\Windows\SysWOW64\igfxdwx32.exe
        
        "C:\Windows\system32\igfxdwx32.exe" C:\Windows\SysWOW64\IGFXDW~1.EXE
        46⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\igfxdwx32.exe

Filesize
903KB

MD5
aafa78b9bdf75fd1465be1214d60f7cd

SHA1
14a32155ac40faec56b924faa0d4256f43c99b31

SHA256
216868a3f464933ec503276c98fa1a1f1c9dd2f7c909c3317c9b2772feea94ea

SHA512
c95768b7548ed748f548658ddf7761ac675c7cf850239697857a829671b76db474ac795409af9b027d149977f4543c311555aeaba9b5cffc4b7ddbc560c17d37

Download Submit
C:\Windows\SysWOW64\igfxdwx32.exe

Filesize
615KB

MD5
aef6bd392d538817aecfa16ba443babd

SHA1
8e8ffdb600b701cf6581e45866d734eef963839c

SHA256
75da2c21bf8d2e1e7f9589e049ec611b1522fe8e8d5d45625ad9cb8893c43f9c

SHA512
1b597f3623e99026128abd50befc2a611024087be8d3e3ad092d71b030cb27d4a71eeeba4dfc48665e9d88c9af3fcb6d3c0139a253dcf53d8e2c9e50bf803190

Download Submit
C:\Windows\SysWOW64\igfxdwx32.exe

Filesize
737KB

MD5
5aa3ddff26c4dfae94c0709878392554

SHA1
e7d76fc73e8a6562a7ffd20f990fc3e79fc019c6

SHA256
c47debde27dba41a62192fd049d0c4e708f67a01bb308a219afa52c2cac77929

SHA512
41208f3d59dc342dc2a1d66a85a7c13258483ebe9f60282c52896e24060ab24a4ae232f414c82e5de494dd8f8e9b102b8aa4a7abd761703db68b304f7f33e6bc

Download Submit
\Windows\SysWOW64\igfxdwx32.exe

Filesize
384KB

MD5
cb3585c9047d33daf0c503597efc3af6

SHA1
2dec7493a4e9d6c834a781500d6f5f601f1087cb

SHA256
af01f0855b867ff071ac95a43cbd1ac9ee3d7779d80747b6c56001d22cf6636e

SHA512
2c3f33099f4de59a54174cbfec9f6d67d8ad19f3ed8861224d01ae8807cc612459779205e96f66bc4dca41f69f04b42581e68cad05ca154d7c00e3c1e6ca6a15

Download Submit
\Windows\SysWOW64\igfxdwx32.exe

Filesize
916KB

MD5
df499130201f21670d4b4cbce68748c2

SHA1
1525b615b3a31527fbfffa32f4c9e09f3eedc284

SHA256
936df8a9a1e7d4c8ebaa8eb83895c34e2173cccd0ebc9ae8367e4fe16cc5e332

SHA512
62ba3ee41e3d1f4418196d9f9dbeb284c480db62dcee3deb9de4523332890111863843697aacaa1b3d48afc7873fb2a97df38a2db83912ce5957824c5ba669d8

Download Submit
\Windows\SysWOW64\igfxdwx32.exe

Filesize
406KB

MD5
63d4d0e63b214e0aef8b15bc2ba75a37

SHA1
05b080707c79ce814f4f17656906d36feac3ab95

SHA256
8e583cf76c0f16745b783842997e29df2eac183e37fa532d31b8cfaa1b343a26

SHA512
c9e523c6f4957ce734ce683ab2cdf739fcfdfb1d2ed3a46fad505d62cb452769c74991dde7227e36a072da4b3ef1b80c0df9df84cc37684d25f5251fad3140aa

Download Submit
memory/276-58-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/276-54-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/276-53-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/400-92-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/400-93-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/400-99-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/704-123-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/704-122-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/704-124-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/776-155-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/936-86-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/936-81-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/936-80-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/976-209-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1088-188-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1100-187-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1180-160-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1228-152-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1228-150-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1312-138-0x0000000003000000-0x000000000307F000-memory.dmp

Filesize
508KB

Download
memory/1312-136-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1312-135-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/1312-137-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1340-101-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/1340-105-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1340-100-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1340-106-0x0000000002DC0000-0x0000000002E3F000-memory.dmp

Filesize
508KB

Download
memory/1340-193-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1376-63-0x0000000003190000-0x000000000320F000-memory.dmp

Filesize
508KB

Download
memory/1376-62-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1376-59-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/1540-205-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1584-47-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1584-48-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/1584-51-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1608-201-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1616-131-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1616-128-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/1616-129-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1628-167-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1748-177-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1796-170-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-114-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-116-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/1800-119-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-121-0x0000000002F20000-0x0000000002F9F000-memory.dmp

Filesize
508KB

Download
memory/1816-70-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1816-71-0x0000000003050000-0x00000000030CF000-memory.dmp

Filesize
508KB

Download
memory/1816-66-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1816-65-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/1872-107-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1872-113-0x0000000003050000-0x00000000030CF000-memory.dmp

Filesize
508KB

Download
memory/1872-108-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/1872-115-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1976-127-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1976-126-0x00000000042A0000-0x000000000431F000-memory.dmp

Filesize
508KB

Download
memory/1976-125-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2056-40-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2056-46-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2056-42-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2068-1-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2068-7-0x0000000002E00000-0x0000000002E7F000-memory.dmp

Filesize
508KB

Download
memory/2068-12-0x0000000002E00000-0x0000000002E7F000-memory.dmp

Filesize
508KB

Download
memory/2068-13-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2068-0-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2088-199-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2460-35-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2460-28-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2460-29-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2528-149-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2528-147-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2528-148-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2544-144-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2544-143-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2544-145-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2544-146-0x0000000003050000-0x00000000030CF000-memory.dmp

Filesize
508KB

Download
memory/2556-133-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2556-132-0x0000000002E50000-0x0000000002ECF000-memory.dmp

Filesize
508KB

Download
memory/2556-134-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2556-130-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2660-78-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2660-79-0x0000000003040000-0x00000000030BF000-memory.dmp

Filesize
508KB

Download
memory/2660-77-0x0000000003040000-0x00000000030BF000-memory.dmp

Filesize
508KB

Download
memory/2660-72-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2660-73-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2676-173-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2688-21-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2688-27-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2688-23-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2720-141-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2720-142-0x0000000004270000-0x00000000042EF000-memory.dmp

Filesize
508KB

Download
memory/2720-140-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2720-139-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2748-196-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2764-185-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2764-89-0x0000000002F40000-0x0000000002FBF000-memory.dmp

Filesize
508KB

Download
memory/2764-85-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2764-91-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2764-94-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2772-178-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2776-182-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2976-38-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2976-41-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2976-34-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2992-15-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2992-16-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2992-22-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2996-206-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3060-164-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download