metasploit | d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
15-06-2022 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84.exe
Size

204KB
MD5

2a05e4ea6f36aa1c3a5be5c90e4621b0
SHA1

8f3487708f376e0aed5f45ca17343ae4efc57336
SHA256

d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84
SHA512

1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Score

10^/10

metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 41 IoCs

Processes:

igfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exe

pid	process
5108	igfxhs32.exe
4764	igfxhs32.exe
2140	igfxhs32.exe
1404	igfxhs32.exe
2868	igfxhs32.exe
4380	igfxhs32.exe
2288	igfxhs32.exe
2624	igfxhs32.exe
4876	igfxhs32.exe
2448	igfxhs32.exe
1708	igfxhs32.exe
3548	igfxhs32.exe
2984	igfxhs32.exe
2080	igfxhs32.exe
2436	igfxhs32.exe
1336	igfxhs32.exe
1260	igfxhs32.exe
5112	igfxhs32.exe
4584	igfxhs32.exe
2780	igfxhs32.exe
2292	igfxhs32.exe
2832	igfxhs32.exe
2544	igfxhs32.exe
3556	igfxhs32.exe
1452	igfxhs32.exe
3924	igfxhs32.exe
4908	igfxhs32.exe
4364	igfxhs32.exe
2124	igfxhs32.exe
3044	igfxhs32.exe
2952	igfxhs32.exe
1168	igfxhs32.exe
3252	igfxhs32.exe
3928	igfxhs32.exe
1144	igfxhs32.exe
1472	igfxhs32.exe
3852	igfxhs32.exe
2888	igfxhs32.exe
4044	igfxhs32.exe
4612	igfxhs32.exe
4156	igfxhs32.exe

Checks computer location settings 2 TTPs 41 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

igfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exed6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	igfxhs32.exe

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

igfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exed6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxhs32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxhs32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxhs32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxhs32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxhs32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxhs32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxhs32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxhs32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxhs32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxhs32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxhs32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxhs32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxhs32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxhs32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxhs32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxhs32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxhs32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxhs32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxhs32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxhs32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxhs32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxhs32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxhs32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxhs32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxhs32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxhs32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxhs32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxhs32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxhs32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxhs32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxhs32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxhs32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxhs32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxhs32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxhs32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxhs32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxhs32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxhs32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxhs32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxhs32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxhs32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxhs32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxhs32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxhs32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxhs32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxhs32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxhs32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxhs32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxhs32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxhs32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxhs32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxhs32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxhs32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxhs32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxhs32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxhs32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxhs32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxhs32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxhs32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxhs32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxhs32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxhs32.exe

Drops file in System32 directory 64 IoCs

Processes:

igfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exed6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File created	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File created	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxhs32.exe
File created	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxhs32.exe
File created	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File created	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxhs32.exe
File created	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\igfxhs32.exe	d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84.exe
File created	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File created	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File created	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxhs32.exe
File created	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File created	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\	d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84.exe
File opened for modification	C:\Windows\SysWOW64\	igfxhs32.exe
File created	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File created	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File created	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxhs32.exe
File created	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File created	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxhs32.exe
File created	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File created	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\igfxhs32.exe	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxhs32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxhs32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 41 IoCs

Processes:

igfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exed6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxhs32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exeigfxhs32.exe

pid	process
2128	d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84.exe
2128	d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84.exe
2128	d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84.exe
2128	d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84.exe
5108	igfxhs32.exe
5108	igfxhs32.exe
5108	igfxhs32.exe
5108	igfxhs32.exe
4764	igfxhs32.exe
4764	igfxhs32.exe
4764	igfxhs32.exe
4764	igfxhs32.exe
2140	igfxhs32.exe
2140	igfxhs32.exe
2140	igfxhs32.exe
2140	igfxhs32.exe
1404	igfxhs32.exe
1404	igfxhs32.exe
1404	igfxhs32.exe
1404	igfxhs32.exe
2868	igfxhs32.exe
2868	igfxhs32.exe
2868	igfxhs32.exe
2868	igfxhs32.exe
4380	igfxhs32.exe
4380	igfxhs32.exe
4380	igfxhs32.exe
4380	igfxhs32.exe
2288	igfxhs32.exe
2288	igfxhs32.exe
2288	igfxhs32.exe
2288	igfxhs32.exe
2624	igfxhs32.exe
2624	igfxhs32.exe
2624	igfxhs32.exe
2624	igfxhs32.exe
4876	igfxhs32.exe
4876	igfxhs32.exe
4876	igfxhs32.exe
4876	igfxhs32.exe
2448	igfxhs32.exe
2448	igfxhs32.exe
2448	igfxhs32.exe
2448	igfxhs32.exe
1708	igfxhs32.exe
1708	igfxhs32.exe
1708	igfxhs32.exe
1708	igfxhs32.exe
3548	igfxhs32.exe
3548	igfxhs32.exe
3548	igfxhs32.exe
3548	igfxhs32.exe
2984	igfxhs32.exe
2984	igfxhs32.exe
2984	igfxhs32.exe
2984	igfxhs32.exe
2080	igfxhs32.exe
2080	igfxhs32.exe
2080	igfxhs32.exe
2080	igfxhs32.exe
2436	igfxhs32.exe
2436	igfxhs32.exe
2436	igfxhs32.exe
2436	igfxhs32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2128 wrote to memory of 5108	2128	d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84.exe	igfxhs32.exe
PID 2128 wrote to memory of 5108	2128	d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84.exe	igfxhs32.exe
PID 2128 wrote to memory of 5108	2128	d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84.exe	igfxhs32.exe
PID 5108 wrote to memory of 4764	5108	igfxhs32.exe	igfxhs32.exe
PID 5108 wrote to memory of 4764	5108	igfxhs32.exe	igfxhs32.exe
PID 5108 wrote to memory of 4764	5108	igfxhs32.exe	igfxhs32.exe
PID 4764 wrote to memory of 2140	4764	igfxhs32.exe	igfxhs32.exe
PID 4764 wrote to memory of 2140	4764	igfxhs32.exe	igfxhs32.exe
PID 4764 wrote to memory of 2140	4764	igfxhs32.exe	igfxhs32.exe
PID 2140 wrote to memory of 1404	2140	igfxhs32.exe	igfxhs32.exe
PID 2140 wrote to memory of 1404	2140	igfxhs32.exe	igfxhs32.exe
PID 2140 wrote to memory of 1404	2140	igfxhs32.exe	igfxhs32.exe
PID 1404 wrote to memory of 2868	1404	igfxhs32.exe	igfxhs32.exe
PID 1404 wrote to memory of 2868	1404	igfxhs32.exe	igfxhs32.exe
PID 1404 wrote to memory of 2868	1404	igfxhs32.exe	igfxhs32.exe
PID 2868 wrote to memory of 4380	2868	igfxhs32.exe	igfxhs32.exe
PID 2868 wrote to memory of 4380	2868	igfxhs32.exe	igfxhs32.exe
PID 2868 wrote to memory of 4380	2868	igfxhs32.exe	igfxhs32.exe
PID 4380 wrote to memory of 2288	4380	igfxhs32.exe	igfxhs32.exe
PID 4380 wrote to memory of 2288	4380	igfxhs32.exe	igfxhs32.exe
PID 4380 wrote to memory of 2288	4380	igfxhs32.exe	igfxhs32.exe
PID 2288 wrote to memory of 2624	2288	igfxhs32.exe	igfxhs32.exe
PID 2288 wrote to memory of 2624	2288	igfxhs32.exe	igfxhs32.exe
PID 2288 wrote to memory of 2624	2288	igfxhs32.exe	igfxhs32.exe
PID 2624 wrote to memory of 4876	2624	igfxhs32.exe	igfxhs32.exe
PID 2624 wrote to memory of 4876	2624	igfxhs32.exe	igfxhs32.exe
PID 2624 wrote to memory of 4876	2624	igfxhs32.exe	igfxhs32.exe
PID 4876 wrote to memory of 2448	4876	igfxhs32.exe	igfxhs32.exe
PID 4876 wrote to memory of 2448	4876	igfxhs32.exe	igfxhs32.exe
PID 4876 wrote to memory of 2448	4876	igfxhs32.exe	igfxhs32.exe
PID 2448 wrote to memory of 1708	2448	igfxhs32.exe	igfxhs32.exe
PID 2448 wrote to memory of 1708	2448	igfxhs32.exe	igfxhs32.exe
PID 2448 wrote to memory of 1708	2448	igfxhs32.exe	igfxhs32.exe
PID 1708 wrote to memory of 3548	1708	igfxhs32.exe	igfxhs32.exe
PID 1708 wrote to memory of 3548	1708	igfxhs32.exe	igfxhs32.exe
PID 1708 wrote to memory of 3548	1708	igfxhs32.exe	igfxhs32.exe
PID 3548 wrote to memory of 2984	3548	igfxhs32.exe	igfxhs32.exe
PID 3548 wrote to memory of 2984	3548	igfxhs32.exe	igfxhs32.exe
PID 3548 wrote to memory of 2984	3548	igfxhs32.exe	igfxhs32.exe
PID 2984 wrote to memory of 2080	2984	igfxhs32.exe	igfxhs32.exe
PID 2984 wrote to memory of 2080	2984	igfxhs32.exe	igfxhs32.exe
PID 2984 wrote to memory of 2080	2984	igfxhs32.exe	igfxhs32.exe
PID 2080 wrote to memory of 2436	2080	igfxhs32.exe	igfxhs32.exe
PID 2080 wrote to memory of 2436	2080	igfxhs32.exe	igfxhs32.exe
PID 2080 wrote to memory of 2436	2080	igfxhs32.exe	igfxhs32.exe
PID 2436 wrote to memory of 1336	2436	igfxhs32.exe	igfxhs32.exe
PID 2436 wrote to memory of 1336	2436	igfxhs32.exe	igfxhs32.exe
PID 2436 wrote to memory of 1336	2436	igfxhs32.exe	igfxhs32.exe
PID 1336 wrote to memory of 1260	1336	igfxhs32.exe	igfxhs32.exe
PID 1336 wrote to memory of 1260	1336	igfxhs32.exe	igfxhs32.exe
PID 1336 wrote to memory of 1260	1336	igfxhs32.exe	igfxhs32.exe
PID 1260 wrote to memory of 5112	1260	igfxhs32.exe	igfxhs32.exe
PID 1260 wrote to memory of 5112	1260	igfxhs32.exe	igfxhs32.exe
PID 1260 wrote to memory of 5112	1260	igfxhs32.exe	igfxhs32.exe
PID 5112 wrote to memory of 4584	5112	igfxhs32.exe	igfxhs32.exe
PID 5112 wrote to memory of 4584	5112	igfxhs32.exe	igfxhs32.exe
PID 5112 wrote to memory of 4584	5112	igfxhs32.exe	igfxhs32.exe
PID 4584 wrote to memory of 2780	4584	igfxhs32.exe	igfxhs32.exe
PID 4584 wrote to memory of 2780	4584	igfxhs32.exe	igfxhs32.exe
PID 4584 wrote to memory of 2780	4584	igfxhs32.exe	igfxhs32.exe
PID 2780 wrote to memory of 2292	2780	igfxhs32.exe	igfxhs32.exe
PID 2780 wrote to memory of 2292	2780	igfxhs32.exe	igfxhs32.exe
PID 2780 wrote to memory of 2292	2780	igfxhs32.exe	igfxhs32.exe
PID 2292 wrote to memory of 2832	2292	igfxhs32.exe	igfxhs32.exe

C:\Users\Admin\AppData\Local\Temp\d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84.exe
"C:\Users\Admin\AppData\Local\Temp\d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84.exe"
1⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Users\Admin\AppData\Local\Temp\D6AEA4~1.EXE
2⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
6⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
7⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4380

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
8⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
9⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
10⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
11⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
12⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
13⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
14⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
15⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
16⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
17⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
18⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
19⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
20⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4584

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
21⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
22⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
23⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:2832

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
24⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:2544

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
25⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:3556

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
26⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:1452

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
27⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:3924

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
28⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:4908

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
29⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:4364

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
30⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:2124

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
31⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:3044

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
32⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:2952

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
33⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:1168

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
34⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Modifies registry class
PID:3252

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
35⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:3928

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
36⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:1144

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
37⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:1472

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
38⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:3852

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
39⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:2888

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
40⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Modifies registry class
PID:4044

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
41⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:4612

C:\Windows\SysWOW64\igfxhs32.exe
"C:\Windows\system32\igfxhs32.exe" C:\Windows\SysWOW64\igfxhs32.exe
42⤵
- Executes dropped EXE
- Maps connected drives based on registry
PID:4156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
C:\Windows\SysWOW64\igfxhs32.exe
Filesize
204KB

MD5
2a05e4ea6f36aa1c3a5be5c90e4621b0

SHA1
8f3487708f376e0aed5f45ca17343ae4efc57336

SHA256
d6aea4ff503f9694f046766d48f5dcf61d7ab856a07793e486cb6ec5310a8e84

SHA512
1f0e857bf840046b551bc21eac3252b39c2a9ca26551c933b035830b235e3904e51f3f2466988b005fda31f3b4f58e1d5c3938cd758b517b7b15b3c237cd792a

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1144-268-0x0000000000000000-mapping.dmp

Download
memory/1168-257-0x0000000000000000-mapping.dmp

Download
memory/1260-203-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/1260-200-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/1260-197-0x0000000000000000-mapping.dmp

Download
memory/1336-199-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/1336-193-0x0000000000000000-mapping.dmp

Download
memory/1336-196-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/1404-144-0x0000000000000000-mapping.dmp

Download
memory/1404-147-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/1404-150-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/1452-232-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/1452-235-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/1452-229-0x0000000000000000-mapping.dmp

Download
memory/1472-271-0x0000000000000000-mapping.dmp

Download
memory/1708-172-0x0000000000000000-mapping.dmp

Download
memory/1708-178-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/1708-175-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/2080-185-0x0000000000000000-mapping.dmp

Download
memory/2080-191-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/2080-188-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/2124-251-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/2124-248-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/2124-245-0x0000000000000000-mapping.dmp

Download
memory/2128-134-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/2128-130-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/2140-146-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/2140-143-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/2140-140-0x0000000000000000-mapping.dmp

Download
memory/2288-159-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/2288-156-0x0000000000000000-mapping.dmp

Download
memory/2288-162-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/2292-219-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/2292-213-0x0000000000000000-mapping.dmp

Download
memory/2292-216-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/2436-189-0x0000000000000000-mapping.dmp

Download
memory/2436-195-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/2436-192-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/2448-168-0x0000000000000000-mapping.dmp

Download
memory/2448-171-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/2448-174-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/2544-221-0x0000000000000000-mapping.dmp

Download
memory/2544-224-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/2544-227-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/2624-166-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/2624-160-0x0000000000000000-mapping.dmp

Download
memory/2624-163-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/2780-215-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/2780-212-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/2780-209-0x0000000000000000-mapping.dmp

Download
memory/2832-220-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/2832-223-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/2832-217-0x0000000000000000-mapping.dmp

Download
memory/2868-154-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/2868-151-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/2868-148-0x0000000000000000-mapping.dmp

Download
memory/2888-277-0x0000000000000000-mapping.dmp

Download
memory/2952-259-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/2952-256-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/2952-253-0x0000000000000000-mapping.dmp

Download
memory/2984-183-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/2984-180-0x0000000000000000-mapping.dmp

Download
memory/2984-187-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/3044-252-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/3044-249-0x0000000000000000-mapping.dmp

Download
memory/3044-255-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/3252-261-0x0000000000000000-mapping.dmp

Download
memory/3548-182-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/3548-176-0x0000000000000000-mapping.dmp

Download
memory/3548-179-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/3556-228-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/3556-225-0x0000000000000000-mapping.dmp

Download
memory/3556-231-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/3852-274-0x0000000000000000-mapping.dmp

Download
memory/3924-239-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/3924-236-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/3924-233-0x0000000000000000-mapping.dmp

Download
memory/3928-265-0x0000000000000000-mapping.dmp

Download
memory/4044-280-0x0000000000000000-mapping.dmp

Download
memory/4156-286-0x0000000000000000-mapping.dmp

Download
memory/4364-241-0x0000000000000000-mapping.dmp

Download
memory/4364-244-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/4364-247-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/4380-158-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/4380-155-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/4380-152-0x0000000000000000-mapping.dmp

Download
memory/4584-205-0x0000000000000000-mapping.dmp

Download
memory/4584-211-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/4584-208-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/4612-283-0x0000000000000000-mapping.dmp

Download
memory/4764-136-0x0000000000000000-mapping.dmp

Download
memory/4764-142-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/4764-139-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/4876-170-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/4876-167-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/4876-164-0x0000000000000000-mapping.dmp

Download
memory/4908-243-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/4908-237-0x0000000000000000-mapping.dmp

Download
memory/4908-240-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/5108-131-0x0000000000000000-mapping.dmp

Download
memory/5108-135-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/5108-138-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/5112-207-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/5112-204-0x0000000032370000-0x00000000323D4000-memory.dmp

Filesize
400KB

Download
memory/5112-201-0x0000000000000000-mapping.dmp

Download