metasploit | 0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2022 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe
Size

170KB
MD5

1b350d822f30776066909a80d8419a93
SHA1

650990958bbefdfd2c2d76e2217909d981c44cae
SHA256

0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6
SHA512

09c306e57649f3db6ebf92ba2d707754bcaa6c6da3aae5af59184094ddf1eabc38260bffe143b5f0b6f8e2923a4ca3fc9658c34d739de79618a68f7c78e42012
SSDEEP

3072:t2FIPYVs+NtiUaVOwWsHhvllx1AFs/9fGyFqd7IpmrvWHlXhR:4IPYFti5Oh2hdRlFGyFqRIpmbW9hR

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 25 IoCs

Processes:

igfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exe

pid	process
744	igfxwp32.exe
1772	igfxwp32.exe
2992	igfxwp32.exe
2368	igfxwp32.exe
2788	igfxwp32.exe
112	igfxwp32.exe
1736	igfxwp32.exe
4520	igfxwp32.exe
3316	igfxwp32.exe
1632	igfxwp32.exe
384	igfxwp32.exe
4300	igfxwp32.exe
5100	igfxwp32.exe
3284	igfxwp32.exe
4204	igfxwp32.exe
1272	igfxwp32.exe
2340	igfxwp32.exe
2204	igfxwp32.exe
4160	igfxwp32.exe
2160	igfxwp32.exe
1748	igfxwp32.exe
1964	igfxwp32.exe
1112	igfxwp32.exe
1420	igfxwp32.exe
4808	igfxwp32.exe

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4416-134-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4416-137-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4416-138-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4416-139-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4416-144-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1772-150-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1772-151-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1772-152-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1772-155-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/2368-164-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/2368-167-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/112-176-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/112-179-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4520-188-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4520-191-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1632-200-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1632-203-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4300-212-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4300-215-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3284-224-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3284-227-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1272-236-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1272-239-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/2204-248-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/2204-251-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/2160-260-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/2160-263-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1964-272-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1964-275-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1420-284-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1420-287-0x0000000000400000-0x0000000000466000-memory.dmp	upx

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

igfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exe0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	igfxwp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	igfxwp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	igfxwp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	igfxwp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	igfxwp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	igfxwp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	igfxwp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	igfxwp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	igfxwp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	igfxwp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	igfxwp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	igfxwp32.exe

Maps connected drives based on registry 3 TTPs 26 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

igfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exe0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exeigfxwp32.exeigfxwp32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwp32.exe

Drops file in System32 directory 39 IoCs

Processes:

description	ioc	process
File created	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File created	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File created	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File created	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File created	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File created	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File created	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwp32.exe	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe
File created	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File created	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File created	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwp32.exe
File created	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwp32.exe
File created	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File created	C:\Windows\SysWOW64\igfxwp32.exe	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe

Suspicious use of SetThreadContext 13 IoCs

Processes:

0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exe

description	pid	process	target process
PID 1524 set thread context of 4416	1524	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe
PID 744 set thread context of 1772	744	igfxwp32.exe	igfxwp32.exe
PID 2992 set thread context of 2368	2992	igfxwp32.exe	igfxwp32.exe
PID 2788 set thread context of 112	2788	igfxwp32.exe	igfxwp32.exe
PID 1736 set thread context of 4520	1736	igfxwp32.exe	igfxwp32.exe
PID 3316 set thread context of 1632	3316	igfxwp32.exe	igfxwp32.exe
PID 384 set thread context of 4300	384	igfxwp32.exe	igfxwp32.exe
PID 5100 set thread context of 3284	5100	igfxwp32.exe	igfxwp32.exe
PID 4204 set thread context of 1272	4204	igfxwp32.exe	igfxwp32.exe
PID 2340 set thread context of 2204	2340	igfxwp32.exe	igfxwp32.exe
PID 4160 set thread context of 2160	4160	igfxwp32.exe	igfxwp32.exe
PID 1748 set thread context of 1964	1748	igfxwp32.exe	igfxwp32.exe
PID 1112 set thread context of 1420	1112	igfxwp32.exe	igfxwp32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 13 IoCs

Processes:

igfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exe0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwp32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exe

pid	process
1524	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe
1524	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe
4416	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe
4416	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe
4416	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe
4416	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe
744	igfxwp32.exe
744	igfxwp32.exe
1772	igfxwp32.exe
1772	igfxwp32.exe
1772	igfxwp32.exe
1772	igfxwp32.exe
2992	igfxwp32.exe
2992	igfxwp32.exe
2368	igfxwp32.exe
2368	igfxwp32.exe
2368	igfxwp32.exe
2368	igfxwp32.exe
2788	igfxwp32.exe
2788	igfxwp32.exe
112	igfxwp32.exe
112	igfxwp32.exe
112	igfxwp32.exe
112	igfxwp32.exe
1736	igfxwp32.exe
1736	igfxwp32.exe
4520	igfxwp32.exe
4520	igfxwp32.exe
4520	igfxwp32.exe
4520	igfxwp32.exe
3316	igfxwp32.exe
3316	igfxwp32.exe
1632	igfxwp32.exe
1632	igfxwp32.exe
1632	igfxwp32.exe
1632	igfxwp32.exe
384	igfxwp32.exe
384	igfxwp32.exe
4300	igfxwp32.exe
4300	igfxwp32.exe
4300	igfxwp32.exe
4300	igfxwp32.exe
5100	igfxwp32.exe
5100	igfxwp32.exe
3284	igfxwp32.exe
3284	igfxwp32.exe
3284	igfxwp32.exe
3284	igfxwp32.exe
4204	igfxwp32.exe
4204	igfxwp32.exe
1272	igfxwp32.exe
1272	igfxwp32.exe
1272	igfxwp32.exe
1272	igfxwp32.exe
2340	igfxwp32.exe
2340	igfxwp32.exe
2204	igfxwp32.exe
2204	igfxwp32.exe
2204	igfxwp32.exe
2204	igfxwp32.exe
4160	igfxwp32.exe
4160	igfxwp32.exe
2160	igfxwp32.exe
2160	igfxwp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1524 wrote to memory of 4416	1524	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe
PID 1524 wrote to memory of 4416	1524	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe
PID 1524 wrote to memory of 4416	1524	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe
PID 1524 wrote to memory of 4416	1524	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe
PID 1524 wrote to memory of 4416	1524	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe
PID 1524 wrote to memory of 4416	1524	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe
PID 1524 wrote to memory of 4416	1524	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe
PID 4416 wrote to memory of 744	4416	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe	igfxwp32.exe
PID 4416 wrote to memory of 744	4416	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe	igfxwp32.exe
PID 4416 wrote to memory of 744	4416	0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe	igfxwp32.exe
PID 744 wrote to memory of 1772	744	igfxwp32.exe	igfxwp32.exe
PID 744 wrote to memory of 1772	744	igfxwp32.exe	igfxwp32.exe
PID 744 wrote to memory of 1772	744	igfxwp32.exe	igfxwp32.exe
PID 744 wrote to memory of 1772	744	igfxwp32.exe	igfxwp32.exe
PID 744 wrote to memory of 1772	744	igfxwp32.exe	igfxwp32.exe
PID 744 wrote to memory of 1772	744	igfxwp32.exe	igfxwp32.exe
PID 744 wrote to memory of 1772	744	igfxwp32.exe	igfxwp32.exe
PID 1772 wrote to memory of 2992	1772	igfxwp32.exe	igfxwp32.exe
PID 1772 wrote to memory of 2992	1772	igfxwp32.exe	igfxwp32.exe
PID 1772 wrote to memory of 2992	1772	igfxwp32.exe	igfxwp32.exe
PID 2992 wrote to memory of 2368	2992	igfxwp32.exe	igfxwp32.exe
PID 2992 wrote to memory of 2368	2992	igfxwp32.exe	igfxwp32.exe
PID 2992 wrote to memory of 2368	2992	igfxwp32.exe	igfxwp32.exe
PID 2992 wrote to memory of 2368	2992	igfxwp32.exe	igfxwp32.exe
PID 2992 wrote to memory of 2368	2992	igfxwp32.exe	igfxwp32.exe
PID 2992 wrote to memory of 2368	2992	igfxwp32.exe	igfxwp32.exe
PID 2992 wrote to memory of 2368	2992	igfxwp32.exe	igfxwp32.exe
PID 2368 wrote to memory of 2788	2368	igfxwp32.exe	igfxwp32.exe
PID 2368 wrote to memory of 2788	2368	igfxwp32.exe	igfxwp32.exe
PID 2368 wrote to memory of 2788	2368	igfxwp32.exe	igfxwp32.exe
PID 2788 wrote to memory of 112	2788	igfxwp32.exe	igfxwp32.exe
PID 2788 wrote to memory of 112	2788	igfxwp32.exe	igfxwp32.exe
PID 2788 wrote to memory of 112	2788	igfxwp32.exe	igfxwp32.exe
PID 2788 wrote to memory of 112	2788	igfxwp32.exe	igfxwp32.exe
PID 2788 wrote to memory of 112	2788	igfxwp32.exe	igfxwp32.exe
PID 2788 wrote to memory of 112	2788	igfxwp32.exe	igfxwp32.exe
PID 2788 wrote to memory of 112	2788	igfxwp32.exe	igfxwp32.exe
PID 112 wrote to memory of 1736	112	igfxwp32.exe	igfxwp32.exe
PID 112 wrote to memory of 1736	112	igfxwp32.exe	igfxwp32.exe
PID 112 wrote to memory of 1736	112	igfxwp32.exe	igfxwp32.exe
PID 1736 wrote to memory of 4520	1736	igfxwp32.exe	igfxwp32.exe
PID 1736 wrote to memory of 4520	1736	igfxwp32.exe	igfxwp32.exe
PID 1736 wrote to memory of 4520	1736	igfxwp32.exe	igfxwp32.exe
PID 1736 wrote to memory of 4520	1736	igfxwp32.exe	igfxwp32.exe
PID 1736 wrote to memory of 4520	1736	igfxwp32.exe	igfxwp32.exe
PID 1736 wrote to memory of 4520	1736	igfxwp32.exe	igfxwp32.exe
PID 1736 wrote to memory of 4520	1736	igfxwp32.exe	igfxwp32.exe
PID 4520 wrote to memory of 3316	4520	igfxwp32.exe	igfxwp32.exe
PID 4520 wrote to memory of 3316	4520	igfxwp32.exe	igfxwp32.exe
PID 4520 wrote to memory of 3316	4520	igfxwp32.exe	igfxwp32.exe
PID 3316 wrote to memory of 1632	3316	igfxwp32.exe	igfxwp32.exe
PID 3316 wrote to memory of 1632	3316	igfxwp32.exe	igfxwp32.exe
PID 3316 wrote to memory of 1632	3316	igfxwp32.exe	igfxwp32.exe
PID 3316 wrote to memory of 1632	3316	igfxwp32.exe	igfxwp32.exe
PID 3316 wrote to memory of 1632	3316	igfxwp32.exe	igfxwp32.exe
PID 3316 wrote to memory of 1632	3316	igfxwp32.exe	igfxwp32.exe
PID 3316 wrote to memory of 1632	3316	igfxwp32.exe	igfxwp32.exe
PID 1632 wrote to memory of 384	1632	igfxwp32.exe	igfxwp32.exe
PID 1632 wrote to memory of 384	1632	igfxwp32.exe	igfxwp32.exe
PID 1632 wrote to memory of 384	1632	igfxwp32.exe	igfxwp32.exe
PID 384 wrote to memory of 4300	384	igfxwp32.exe	igfxwp32.exe
PID 384 wrote to memory of 4300	384	igfxwp32.exe	igfxwp32.exe
PID 384 wrote to memory of 4300	384	igfxwp32.exe	igfxwp32.exe
PID 384 wrote to memory of 4300	384	igfxwp32.exe	igfxwp32.exe

C:\Users\Admin\AppData\Local\Temp\0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe
"C:\Users\Admin\AppData\Local\Temp\0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1524

C:\Users\Admin\AppData\Local\Temp\0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe
"C:\Users\Admin\AppData\Local\Temp\0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6.exe"
2⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4416

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Users\Admin\AppData\Local\Temp\0FA77F~1.EXE
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Users\Admin\AppData\Local\Temp\0FA77F~1.EXE
4⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
6⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
8⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
10⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4520

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3316

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
12⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
14⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4300

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5100

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
16⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3284

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4204

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
18⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1272

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2340

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
20⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2204

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4160

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
22⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2160

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1748

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
24⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:1964

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1112

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
26⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:1420

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
27⤵
- Executes dropped EXE
PID:4808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
1b350d822f30776066909a80d8419a93

SHA1
650990958bbefdfd2c2d76e2217909d981c44cae

SHA256
0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6

SHA512
09c306e57649f3db6ebf92ba2d707754bcaa6c6da3aae5af59184094ddf1eabc38260bffe143b5f0b6f8e2923a4ca3fc9658c34d739de79618a68f7c78e42012

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
1b350d822f30776066909a80d8419a93

SHA1
650990958bbefdfd2c2d76e2217909d981c44cae

SHA256
0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6

SHA512
09c306e57649f3db6ebf92ba2d707754bcaa6c6da3aae5af59184094ddf1eabc38260bffe143b5f0b6f8e2923a4ca3fc9658c34d739de79618a68f7c78e42012

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
1b350d822f30776066909a80d8419a93

SHA1
650990958bbefdfd2c2d76e2217909d981c44cae

SHA256
0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6

SHA512
09c306e57649f3db6ebf92ba2d707754bcaa6c6da3aae5af59184094ddf1eabc38260bffe143b5f0b6f8e2923a4ca3fc9658c34d739de79618a68f7c78e42012

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
1b350d822f30776066909a80d8419a93

SHA1
650990958bbefdfd2c2d76e2217909d981c44cae

SHA256
0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6

SHA512
09c306e57649f3db6ebf92ba2d707754bcaa6c6da3aae5af59184094ddf1eabc38260bffe143b5f0b6f8e2923a4ca3fc9658c34d739de79618a68f7c78e42012

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
1b350d822f30776066909a80d8419a93

SHA1
650990958bbefdfd2c2d76e2217909d981c44cae

SHA256
0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6

SHA512
09c306e57649f3db6ebf92ba2d707754bcaa6c6da3aae5af59184094ddf1eabc38260bffe143b5f0b6f8e2923a4ca3fc9658c34d739de79618a68f7c78e42012

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
1b350d822f30776066909a80d8419a93

SHA1
650990958bbefdfd2c2d76e2217909d981c44cae

SHA256
0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6

SHA512
09c306e57649f3db6ebf92ba2d707754bcaa6c6da3aae5af59184094ddf1eabc38260bffe143b5f0b6f8e2923a4ca3fc9658c34d739de79618a68f7c78e42012

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
1b350d822f30776066909a80d8419a93

SHA1
650990958bbefdfd2c2d76e2217909d981c44cae

SHA256
0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6

SHA512
09c306e57649f3db6ebf92ba2d707754bcaa6c6da3aae5af59184094ddf1eabc38260bffe143b5f0b6f8e2923a4ca3fc9658c34d739de79618a68f7c78e42012

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
1b350d822f30776066909a80d8419a93

SHA1
650990958bbefdfd2c2d76e2217909d981c44cae

SHA256
0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6

SHA512
09c306e57649f3db6ebf92ba2d707754bcaa6c6da3aae5af59184094ddf1eabc38260bffe143b5f0b6f8e2923a4ca3fc9658c34d739de79618a68f7c78e42012

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
1b350d822f30776066909a80d8419a93

SHA1
650990958bbefdfd2c2d76e2217909d981c44cae

SHA256
0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6

SHA512
09c306e57649f3db6ebf92ba2d707754bcaa6c6da3aae5af59184094ddf1eabc38260bffe143b5f0b6f8e2923a4ca3fc9658c34d739de79618a68f7c78e42012

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
1b350d822f30776066909a80d8419a93

SHA1
650990958bbefdfd2c2d76e2217909d981c44cae

SHA256
0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6

SHA512
09c306e57649f3db6ebf92ba2d707754bcaa6c6da3aae5af59184094ddf1eabc38260bffe143b5f0b6f8e2923a4ca3fc9658c34d739de79618a68f7c78e42012

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
1b350d822f30776066909a80d8419a93

SHA1
650990958bbefdfd2c2d76e2217909d981c44cae

SHA256
0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6

SHA512
09c306e57649f3db6ebf92ba2d707754bcaa6c6da3aae5af59184094ddf1eabc38260bffe143b5f0b6f8e2923a4ca3fc9658c34d739de79618a68f7c78e42012

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
1b350d822f30776066909a80d8419a93

SHA1
650990958bbefdfd2c2d76e2217909d981c44cae

SHA256
0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6

SHA512
09c306e57649f3db6ebf92ba2d707754bcaa6c6da3aae5af59184094ddf1eabc38260bffe143b5f0b6f8e2923a4ca3fc9658c34d739de79618a68f7c78e42012

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
1b350d822f30776066909a80d8419a93

SHA1
650990958bbefdfd2c2d76e2217909d981c44cae

SHA256
0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6

SHA512
09c306e57649f3db6ebf92ba2d707754bcaa6c6da3aae5af59184094ddf1eabc38260bffe143b5f0b6f8e2923a4ca3fc9658c34d739de79618a68f7c78e42012

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
1b350d822f30776066909a80d8419a93

SHA1
650990958bbefdfd2c2d76e2217909d981c44cae

SHA256
0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6

SHA512
09c306e57649f3db6ebf92ba2d707754bcaa6c6da3aae5af59184094ddf1eabc38260bffe143b5f0b6f8e2923a4ca3fc9658c34d739de79618a68f7c78e42012

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
1b350d822f30776066909a80d8419a93

SHA1
650990958bbefdfd2c2d76e2217909d981c44cae

SHA256
0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6

SHA512
09c306e57649f3db6ebf92ba2d707754bcaa6c6da3aae5af59184094ddf1eabc38260bffe143b5f0b6f8e2923a4ca3fc9658c34d739de79618a68f7c78e42012

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
1b350d822f30776066909a80d8419a93

SHA1
650990958bbefdfd2c2d76e2217909d981c44cae

SHA256
0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6

SHA512
09c306e57649f3db6ebf92ba2d707754bcaa6c6da3aae5af59184094ddf1eabc38260bffe143b5f0b6f8e2923a4ca3fc9658c34d739de79618a68f7c78e42012

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
1b350d822f30776066909a80d8419a93

SHA1
650990958bbefdfd2c2d76e2217909d981c44cae

SHA256
0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6

SHA512
09c306e57649f3db6ebf92ba2d707754bcaa6c6da3aae5af59184094ddf1eabc38260bffe143b5f0b6f8e2923a4ca3fc9658c34d739de79618a68f7c78e42012

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
1b350d822f30776066909a80d8419a93

SHA1
650990958bbefdfd2c2d76e2217909d981c44cae

SHA256
0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6

SHA512
09c306e57649f3db6ebf92ba2d707754bcaa6c6da3aae5af59184094ddf1eabc38260bffe143b5f0b6f8e2923a4ca3fc9658c34d739de79618a68f7c78e42012

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
1b350d822f30776066909a80d8419a93

SHA1
650990958bbefdfd2c2d76e2217909d981c44cae

SHA256
0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6

SHA512
09c306e57649f3db6ebf92ba2d707754bcaa6c6da3aae5af59184094ddf1eabc38260bffe143b5f0b6f8e2923a4ca3fc9658c34d739de79618a68f7c78e42012

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
1b350d822f30776066909a80d8419a93

SHA1
650990958bbefdfd2c2d76e2217909d981c44cae

SHA256
0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6

SHA512
09c306e57649f3db6ebf92ba2d707754bcaa6c6da3aae5af59184094ddf1eabc38260bffe143b5f0b6f8e2923a4ca3fc9658c34d739de79618a68f7c78e42012

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
1b350d822f30776066909a80d8419a93

SHA1
650990958bbefdfd2c2d76e2217909d981c44cae

SHA256
0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6

SHA512
09c306e57649f3db6ebf92ba2d707754bcaa6c6da3aae5af59184094ddf1eabc38260bffe143b5f0b6f8e2923a4ca3fc9658c34d739de79618a68f7c78e42012

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
1b350d822f30776066909a80d8419a93

SHA1
650990958bbefdfd2c2d76e2217909d981c44cae

SHA256
0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6

SHA512
09c306e57649f3db6ebf92ba2d707754bcaa6c6da3aae5af59184094ddf1eabc38260bffe143b5f0b6f8e2923a4ca3fc9658c34d739de79618a68f7c78e42012

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
1b350d822f30776066909a80d8419a93

SHA1
650990958bbefdfd2c2d76e2217909d981c44cae

SHA256
0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6

SHA512
09c306e57649f3db6ebf92ba2d707754bcaa6c6da3aae5af59184094ddf1eabc38260bffe143b5f0b6f8e2923a4ca3fc9658c34d739de79618a68f7c78e42012

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
1b350d822f30776066909a80d8419a93

SHA1
650990958bbefdfd2c2d76e2217909d981c44cae

SHA256
0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6

SHA512
09c306e57649f3db6ebf92ba2d707754bcaa6c6da3aae5af59184094ddf1eabc38260bffe143b5f0b6f8e2923a4ca3fc9658c34d739de79618a68f7c78e42012

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
1b350d822f30776066909a80d8419a93

SHA1
650990958bbefdfd2c2d76e2217909d981c44cae

SHA256
0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6

SHA512
09c306e57649f3db6ebf92ba2d707754bcaa6c6da3aae5af59184094ddf1eabc38260bffe143b5f0b6f8e2923a4ca3fc9658c34d739de79618a68f7c78e42012

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
1b350d822f30776066909a80d8419a93

SHA1
650990958bbefdfd2c2d76e2217909d981c44cae

SHA256
0fa77fc3e43ab53920173502b4303b3fe2cdfe67e29d443706189fe8e5bf4cf6

SHA512
09c306e57649f3db6ebf92ba2d707754bcaa6c6da3aae5af59184094ddf1eabc38260bffe143b5f0b6f8e2923a4ca3fc9658c34d739de79618a68f7c78e42012

Download Submit
memory/112-169-0x0000000000000000-mapping.dmp

Download
memory/112-179-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/112-176-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/384-204-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/384-210-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/384-201-0x0000000000000000-mapping.dmp

Download
memory/744-140-0x0000000000000000-mapping.dmp

Download
memory/744-149-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/744-143-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1112-280-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1112-276-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1112-273-0x0000000000000000-mapping.dmp

Download
memory/1272-229-0x0000000000000000-mapping.dmp

Download
memory/1272-239-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1272-236-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1420-277-0x0000000000000000-mapping.dmp

Download
memory/1420-284-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1420-287-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1524-135-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1524-132-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1632-193-0x0000000000000000-mapping.dmp

Download
memory/1632-200-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1632-203-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1736-177-0x0000000000000000-mapping.dmp

Download
memory/1736-180-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1736-185-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1748-261-0x0000000000000000-mapping.dmp

Download
memory/1748-264-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1748-268-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1772-152-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1772-151-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1772-145-0x0000000000000000-mapping.dmp

Download
memory/1772-155-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1772-150-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1964-272-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1964-275-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1964-265-0x0000000000000000-mapping.dmp

Download
memory/2160-260-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2160-263-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2160-253-0x0000000000000000-mapping.dmp

Download
memory/2204-248-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2204-251-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2204-241-0x0000000000000000-mapping.dmp

Download
memory/2340-244-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2340-240-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2340-237-0x0000000000000000-mapping.dmp

Download
memory/2368-167-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2368-164-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2368-157-0x0000000000000000-mapping.dmp

Download
memory/2788-173-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2788-165-0x0000000000000000-mapping.dmp

Download
memory/2788-168-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2992-156-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2992-160-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2992-153-0x0000000000000000-mapping.dmp

Download
memory/3284-227-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3284-217-0x0000000000000000-mapping.dmp

Download
memory/3284-224-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3316-189-0x0000000000000000-mapping.dmp

Download
memory/3316-197-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3316-192-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4160-249-0x0000000000000000-mapping.dmp

Download
memory/4160-256-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4160-252-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4204-225-0x0000000000000000-mapping.dmp

Download
memory/4204-228-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4204-232-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4300-215-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4300-205-0x0000000000000000-mapping.dmp

Download
memory/4300-212-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4416-134-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4416-133-0x0000000000000000-mapping.dmp

Download
memory/4416-139-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4416-138-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4416-144-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4416-137-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4520-191-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4520-181-0x0000000000000000-mapping.dmp

Download
memory/4520-188-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4808-285-0x0000000000000000-mapping.dmp

Download
memory/4808-288-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5100-213-0x0000000000000000-mapping.dmp

Download
memory/5100-216-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5100-220-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download