metasploit | 0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7

Analysis

max time kernel
146s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2022 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe
Size

170KB
MD5

3e3614d7f5c158939657e985eb4c5315
SHA1

f37d70a2e272241c7f2bcb71e2e6aa7b96aefcd3
SHA256

0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7
SHA512

29e2447027c31108b735e00785cc281c5b2fd54de85c9e33ec1640f8f14e8e579df07a3f3caa0e2faa600888539ff15fcea70a69b8ae30edef5b9f57da01e045
SSDEEP

3072:j2Rg22PY0+LjJp5/5u6ElqrtCeHrIKWGSjG0rlhc3Ij3JQ/oJishIUOku:sh2PcjJp7kIrtCXRjG0rg4j7zu

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 25 IoCs

Processes:

igfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exe

pid	process
4188	igfxwp32.exe
1020	igfxwp32.exe
1072	igfxwp32.exe
1092	igfxwp32.exe
1408	igfxwp32.exe
4900	igfxwp32.exe
4764	igfxwp32.exe
4504	igfxwp32.exe
3644	igfxwp32.exe
3112	igfxwp32.exe
2820	igfxwp32.exe
2032	igfxwp32.exe
4980	igfxwp32.exe
4612	igfxwp32.exe
1736	igfxwp32.exe
1748	igfxwp32.exe
728	igfxwp32.exe
2712	igfxwp32.exe
4320	igfxwp32.exe
4036	igfxwp32.exe
1876	igfxwp32.exe
4288	igfxwp32.exe
3976	igfxwp32.exe
3216	igfxwp32.exe
4472	igfxwp32.exe

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4184-134-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4184-137-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4184-138-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4184-139-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4184-143-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1020-149-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1020-151-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1020-152-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1020-155-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1092-164-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1092-167-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4900-176-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4900-179-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4504-188-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4504-191-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3112-200-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3112-203-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/2032-212-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/2032-215-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4612-224-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4612-227-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1748-236-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1748-239-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/2712-248-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/2712-251-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4036-260-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4036-263-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4288-272-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4288-275-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3216-284-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3216-285-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3216-288-0x0000000000400000-0x0000000000466000-memory.dmp	upx

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

igfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exe0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	igfxwp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	igfxwp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	igfxwp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	igfxwp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	igfxwp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	igfxwp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	igfxwp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	igfxwp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	igfxwp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	igfxwp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	igfxwp32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	igfxwp32.exe

Maps connected drives based on registry 3 TTPs 26 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwp32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwp32.exe

Drops file in System32 directory 39 IoCs

Processes:

igfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exe0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe
File opened for modification	C:\Windows\SysWOW64\igfxwp32.exe	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe
File created	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File created	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File created	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwp32.exe
File created	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File created	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File created	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File created	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File created	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwp32.exe
File created	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwp32.exe
File created	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File created	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File created	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File created	C:\Windows\SysWOW64\igfxwp32.exe	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwp32.exe	igfxwp32.exe

Suspicious use of SetThreadContext 13 IoCs

Processes:

0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exe

description	pid	process	target process
PID 348 set thread context of 4184	348	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe
PID 4188 set thread context of 1020	4188	igfxwp32.exe	igfxwp32.exe
PID 1072 set thread context of 1092	1072	igfxwp32.exe	igfxwp32.exe
PID 1408 set thread context of 4900	1408	igfxwp32.exe	igfxwp32.exe
PID 4764 set thread context of 4504	4764	igfxwp32.exe	igfxwp32.exe
PID 3644 set thread context of 3112	3644	igfxwp32.exe	igfxwp32.exe
PID 2820 set thread context of 2032	2820	igfxwp32.exe	igfxwp32.exe
PID 4980 set thread context of 4612	4980	igfxwp32.exe	igfxwp32.exe
PID 1736 set thread context of 1748	1736	igfxwp32.exe	igfxwp32.exe
PID 728 set thread context of 2712	728	igfxwp32.exe	igfxwp32.exe
PID 4320 set thread context of 4036	4320	igfxwp32.exe	igfxwp32.exe
PID 1876 set thread context of 4288	1876	igfxwp32.exe	igfxwp32.exe
PID 3976 set thread context of 3216	3976	igfxwp32.exe	igfxwp32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 13 IoCs

Processes:

igfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exe0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwp32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exeigfxwp32.exe

pid	process
348	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe
348	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe
4184	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe
4184	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe
4184	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe
4184	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe
4188	igfxwp32.exe
4188	igfxwp32.exe
1020	igfxwp32.exe
1020	igfxwp32.exe
1020	igfxwp32.exe
1020	igfxwp32.exe
1072	igfxwp32.exe
1072	igfxwp32.exe
1092	igfxwp32.exe
1092	igfxwp32.exe
1092	igfxwp32.exe
1092	igfxwp32.exe
1408	igfxwp32.exe
1408	igfxwp32.exe
4900	igfxwp32.exe
4900	igfxwp32.exe
4900	igfxwp32.exe
4900	igfxwp32.exe
4764	igfxwp32.exe
4764	igfxwp32.exe
4504	igfxwp32.exe
4504	igfxwp32.exe
4504	igfxwp32.exe
4504	igfxwp32.exe
3644	igfxwp32.exe
3644	igfxwp32.exe
3112	igfxwp32.exe
3112	igfxwp32.exe
3112	igfxwp32.exe
3112	igfxwp32.exe
2820	igfxwp32.exe
2820	igfxwp32.exe
2032	igfxwp32.exe
2032	igfxwp32.exe
2032	igfxwp32.exe
2032	igfxwp32.exe
4980	igfxwp32.exe
4980	igfxwp32.exe
4612	igfxwp32.exe
4612	igfxwp32.exe
4612	igfxwp32.exe
4612	igfxwp32.exe
1736	igfxwp32.exe
1736	igfxwp32.exe
1748	igfxwp32.exe
1748	igfxwp32.exe
1748	igfxwp32.exe
1748	igfxwp32.exe
728	igfxwp32.exe
728	igfxwp32.exe
2712	igfxwp32.exe
2712	igfxwp32.exe
2712	igfxwp32.exe
2712	igfxwp32.exe
4320	igfxwp32.exe
4320	igfxwp32.exe
4036	igfxwp32.exe
4036	igfxwp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 348 wrote to memory of 4184	348	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe
PID 348 wrote to memory of 4184	348	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe
PID 348 wrote to memory of 4184	348	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe
PID 348 wrote to memory of 4184	348	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe
PID 348 wrote to memory of 4184	348	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe
PID 348 wrote to memory of 4184	348	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe
PID 348 wrote to memory of 4184	348	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe
PID 4184 wrote to memory of 4188	4184	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe	igfxwp32.exe
PID 4184 wrote to memory of 4188	4184	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe	igfxwp32.exe
PID 4184 wrote to memory of 4188	4184	0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe	igfxwp32.exe
PID 4188 wrote to memory of 1020	4188	igfxwp32.exe	igfxwp32.exe
PID 4188 wrote to memory of 1020	4188	igfxwp32.exe	igfxwp32.exe
PID 4188 wrote to memory of 1020	4188	igfxwp32.exe	igfxwp32.exe
PID 4188 wrote to memory of 1020	4188	igfxwp32.exe	igfxwp32.exe
PID 4188 wrote to memory of 1020	4188	igfxwp32.exe	igfxwp32.exe
PID 4188 wrote to memory of 1020	4188	igfxwp32.exe	igfxwp32.exe
PID 4188 wrote to memory of 1020	4188	igfxwp32.exe	igfxwp32.exe
PID 1020 wrote to memory of 1072	1020	igfxwp32.exe	igfxwp32.exe
PID 1020 wrote to memory of 1072	1020	igfxwp32.exe	igfxwp32.exe
PID 1020 wrote to memory of 1072	1020	igfxwp32.exe	igfxwp32.exe
PID 1072 wrote to memory of 1092	1072	igfxwp32.exe	igfxwp32.exe
PID 1072 wrote to memory of 1092	1072	igfxwp32.exe	igfxwp32.exe
PID 1072 wrote to memory of 1092	1072	igfxwp32.exe	igfxwp32.exe
PID 1072 wrote to memory of 1092	1072	igfxwp32.exe	igfxwp32.exe
PID 1072 wrote to memory of 1092	1072	igfxwp32.exe	igfxwp32.exe
PID 1072 wrote to memory of 1092	1072	igfxwp32.exe	igfxwp32.exe
PID 1072 wrote to memory of 1092	1072	igfxwp32.exe	igfxwp32.exe
PID 1092 wrote to memory of 1408	1092	igfxwp32.exe	igfxwp32.exe
PID 1092 wrote to memory of 1408	1092	igfxwp32.exe	igfxwp32.exe
PID 1092 wrote to memory of 1408	1092	igfxwp32.exe	igfxwp32.exe
PID 1408 wrote to memory of 4900	1408	igfxwp32.exe	igfxwp32.exe
PID 1408 wrote to memory of 4900	1408	igfxwp32.exe	igfxwp32.exe
PID 1408 wrote to memory of 4900	1408	igfxwp32.exe	igfxwp32.exe
PID 1408 wrote to memory of 4900	1408	igfxwp32.exe	igfxwp32.exe
PID 1408 wrote to memory of 4900	1408	igfxwp32.exe	igfxwp32.exe
PID 1408 wrote to memory of 4900	1408	igfxwp32.exe	igfxwp32.exe
PID 1408 wrote to memory of 4900	1408	igfxwp32.exe	igfxwp32.exe
PID 4900 wrote to memory of 4764	4900	igfxwp32.exe	igfxwp32.exe
PID 4900 wrote to memory of 4764	4900	igfxwp32.exe	igfxwp32.exe
PID 4900 wrote to memory of 4764	4900	igfxwp32.exe	igfxwp32.exe
PID 4764 wrote to memory of 4504	4764	igfxwp32.exe	igfxwp32.exe
PID 4764 wrote to memory of 4504	4764	igfxwp32.exe	igfxwp32.exe
PID 4764 wrote to memory of 4504	4764	igfxwp32.exe	igfxwp32.exe
PID 4764 wrote to memory of 4504	4764	igfxwp32.exe	igfxwp32.exe
PID 4764 wrote to memory of 4504	4764	igfxwp32.exe	igfxwp32.exe
PID 4764 wrote to memory of 4504	4764	igfxwp32.exe	igfxwp32.exe
PID 4764 wrote to memory of 4504	4764	igfxwp32.exe	igfxwp32.exe
PID 4504 wrote to memory of 3644	4504	igfxwp32.exe	igfxwp32.exe
PID 4504 wrote to memory of 3644	4504	igfxwp32.exe	igfxwp32.exe
PID 4504 wrote to memory of 3644	4504	igfxwp32.exe	igfxwp32.exe
PID 3644 wrote to memory of 3112	3644	igfxwp32.exe	igfxwp32.exe
PID 3644 wrote to memory of 3112	3644	igfxwp32.exe	igfxwp32.exe
PID 3644 wrote to memory of 3112	3644	igfxwp32.exe	igfxwp32.exe
PID 3644 wrote to memory of 3112	3644	igfxwp32.exe	igfxwp32.exe
PID 3644 wrote to memory of 3112	3644	igfxwp32.exe	igfxwp32.exe
PID 3644 wrote to memory of 3112	3644	igfxwp32.exe	igfxwp32.exe
PID 3644 wrote to memory of 3112	3644	igfxwp32.exe	igfxwp32.exe
PID 3112 wrote to memory of 2820	3112	igfxwp32.exe	igfxwp32.exe
PID 3112 wrote to memory of 2820	3112	igfxwp32.exe	igfxwp32.exe
PID 3112 wrote to memory of 2820	3112	igfxwp32.exe	igfxwp32.exe
PID 2820 wrote to memory of 2032	2820	igfxwp32.exe	igfxwp32.exe
PID 2820 wrote to memory of 2032	2820	igfxwp32.exe	igfxwp32.exe
PID 2820 wrote to memory of 2032	2820	igfxwp32.exe	igfxwp32.exe
PID 2820 wrote to memory of 2032	2820	igfxwp32.exe	igfxwp32.exe

C:\Users\Admin\AppData\Local\Temp\0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe
"C:\Users\Admin\AppData\Local\Temp\0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:348

C:\Users\Admin\AppData\Local\Temp\0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe
"C:\Users\Admin\AppData\Local\Temp\0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7.exe"
2⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4184

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Users\Admin\AppData\Local\Temp\0E893C~1.EXE
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Users\Admin\AppData\Local\Temp\0E893C~1.EXE
4⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
6⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
8⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
10⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
12⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3112

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
14⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2032

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4980

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
16⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4612

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1736

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
18⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1748

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:728

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
20⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2712

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4320

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
22⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4036

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1876

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
24⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:4288

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3976

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
26⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:3216

C:\Windows\SysWOW64\igfxwp32.exe
"C:\Windows\system32\igfxwp32.exe" C:\Windows\SysWOW64\igfxwp32.exe
27⤵
- Executes dropped EXE
PID:4472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
3e3614d7f5c158939657e985eb4c5315

SHA1
f37d70a2e272241c7f2bcb71e2e6aa7b96aefcd3

SHA256
0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7

SHA512
29e2447027c31108b735e00785cc281c5b2fd54de85c9e33ec1640f8f14e8e579df07a3f3caa0e2faa600888539ff15fcea70a69b8ae30edef5b9f57da01e045

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
3e3614d7f5c158939657e985eb4c5315

SHA1
f37d70a2e272241c7f2bcb71e2e6aa7b96aefcd3

SHA256
0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7

SHA512
29e2447027c31108b735e00785cc281c5b2fd54de85c9e33ec1640f8f14e8e579df07a3f3caa0e2faa600888539ff15fcea70a69b8ae30edef5b9f57da01e045

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
3e3614d7f5c158939657e985eb4c5315

SHA1
f37d70a2e272241c7f2bcb71e2e6aa7b96aefcd3

SHA256
0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7

SHA512
29e2447027c31108b735e00785cc281c5b2fd54de85c9e33ec1640f8f14e8e579df07a3f3caa0e2faa600888539ff15fcea70a69b8ae30edef5b9f57da01e045

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
3e3614d7f5c158939657e985eb4c5315

SHA1
f37d70a2e272241c7f2bcb71e2e6aa7b96aefcd3

SHA256
0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7

SHA512
29e2447027c31108b735e00785cc281c5b2fd54de85c9e33ec1640f8f14e8e579df07a3f3caa0e2faa600888539ff15fcea70a69b8ae30edef5b9f57da01e045

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
3e3614d7f5c158939657e985eb4c5315

SHA1
f37d70a2e272241c7f2bcb71e2e6aa7b96aefcd3

SHA256
0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7

SHA512
29e2447027c31108b735e00785cc281c5b2fd54de85c9e33ec1640f8f14e8e579df07a3f3caa0e2faa600888539ff15fcea70a69b8ae30edef5b9f57da01e045

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
3e3614d7f5c158939657e985eb4c5315

SHA1
f37d70a2e272241c7f2bcb71e2e6aa7b96aefcd3

SHA256
0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7

SHA512
29e2447027c31108b735e00785cc281c5b2fd54de85c9e33ec1640f8f14e8e579df07a3f3caa0e2faa600888539ff15fcea70a69b8ae30edef5b9f57da01e045

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
3e3614d7f5c158939657e985eb4c5315

SHA1
f37d70a2e272241c7f2bcb71e2e6aa7b96aefcd3

SHA256
0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7

SHA512
29e2447027c31108b735e00785cc281c5b2fd54de85c9e33ec1640f8f14e8e579df07a3f3caa0e2faa600888539ff15fcea70a69b8ae30edef5b9f57da01e045

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
3e3614d7f5c158939657e985eb4c5315

SHA1
f37d70a2e272241c7f2bcb71e2e6aa7b96aefcd3

SHA256
0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7

SHA512
29e2447027c31108b735e00785cc281c5b2fd54de85c9e33ec1640f8f14e8e579df07a3f3caa0e2faa600888539ff15fcea70a69b8ae30edef5b9f57da01e045

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
3e3614d7f5c158939657e985eb4c5315

SHA1
f37d70a2e272241c7f2bcb71e2e6aa7b96aefcd3

SHA256
0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7

SHA512
29e2447027c31108b735e00785cc281c5b2fd54de85c9e33ec1640f8f14e8e579df07a3f3caa0e2faa600888539ff15fcea70a69b8ae30edef5b9f57da01e045

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
3e3614d7f5c158939657e985eb4c5315

SHA1
f37d70a2e272241c7f2bcb71e2e6aa7b96aefcd3

SHA256
0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7

SHA512
29e2447027c31108b735e00785cc281c5b2fd54de85c9e33ec1640f8f14e8e579df07a3f3caa0e2faa600888539ff15fcea70a69b8ae30edef5b9f57da01e045

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
3e3614d7f5c158939657e985eb4c5315

SHA1
f37d70a2e272241c7f2bcb71e2e6aa7b96aefcd3

SHA256
0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7

SHA512
29e2447027c31108b735e00785cc281c5b2fd54de85c9e33ec1640f8f14e8e579df07a3f3caa0e2faa600888539ff15fcea70a69b8ae30edef5b9f57da01e045

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
3e3614d7f5c158939657e985eb4c5315

SHA1
f37d70a2e272241c7f2bcb71e2e6aa7b96aefcd3

SHA256
0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7

SHA512
29e2447027c31108b735e00785cc281c5b2fd54de85c9e33ec1640f8f14e8e579df07a3f3caa0e2faa600888539ff15fcea70a69b8ae30edef5b9f57da01e045

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
3e3614d7f5c158939657e985eb4c5315

SHA1
f37d70a2e272241c7f2bcb71e2e6aa7b96aefcd3

SHA256
0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7

SHA512
29e2447027c31108b735e00785cc281c5b2fd54de85c9e33ec1640f8f14e8e579df07a3f3caa0e2faa600888539ff15fcea70a69b8ae30edef5b9f57da01e045

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
3e3614d7f5c158939657e985eb4c5315

SHA1
f37d70a2e272241c7f2bcb71e2e6aa7b96aefcd3

SHA256
0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7

SHA512
29e2447027c31108b735e00785cc281c5b2fd54de85c9e33ec1640f8f14e8e579df07a3f3caa0e2faa600888539ff15fcea70a69b8ae30edef5b9f57da01e045

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
3e3614d7f5c158939657e985eb4c5315

SHA1
f37d70a2e272241c7f2bcb71e2e6aa7b96aefcd3

SHA256
0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7

SHA512
29e2447027c31108b735e00785cc281c5b2fd54de85c9e33ec1640f8f14e8e579df07a3f3caa0e2faa600888539ff15fcea70a69b8ae30edef5b9f57da01e045

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
3e3614d7f5c158939657e985eb4c5315

SHA1
f37d70a2e272241c7f2bcb71e2e6aa7b96aefcd3

SHA256
0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7

SHA512
29e2447027c31108b735e00785cc281c5b2fd54de85c9e33ec1640f8f14e8e579df07a3f3caa0e2faa600888539ff15fcea70a69b8ae30edef5b9f57da01e045

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
3e3614d7f5c158939657e985eb4c5315

SHA1
f37d70a2e272241c7f2bcb71e2e6aa7b96aefcd3

SHA256
0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7

SHA512
29e2447027c31108b735e00785cc281c5b2fd54de85c9e33ec1640f8f14e8e579df07a3f3caa0e2faa600888539ff15fcea70a69b8ae30edef5b9f57da01e045

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
3e3614d7f5c158939657e985eb4c5315

SHA1
f37d70a2e272241c7f2bcb71e2e6aa7b96aefcd3

SHA256
0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7

SHA512
29e2447027c31108b735e00785cc281c5b2fd54de85c9e33ec1640f8f14e8e579df07a3f3caa0e2faa600888539ff15fcea70a69b8ae30edef5b9f57da01e045

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
3e3614d7f5c158939657e985eb4c5315

SHA1
f37d70a2e272241c7f2bcb71e2e6aa7b96aefcd3

SHA256
0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7

SHA512
29e2447027c31108b735e00785cc281c5b2fd54de85c9e33ec1640f8f14e8e579df07a3f3caa0e2faa600888539ff15fcea70a69b8ae30edef5b9f57da01e045

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
3e3614d7f5c158939657e985eb4c5315

SHA1
f37d70a2e272241c7f2bcb71e2e6aa7b96aefcd3

SHA256
0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7

SHA512
29e2447027c31108b735e00785cc281c5b2fd54de85c9e33ec1640f8f14e8e579df07a3f3caa0e2faa600888539ff15fcea70a69b8ae30edef5b9f57da01e045

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
3e3614d7f5c158939657e985eb4c5315

SHA1
f37d70a2e272241c7f2bcb71e2e6aa7b96aefcd3

SHA256
0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7

SHA512
29e2447027c31108b735e00785cc281c5b2fd54de85c9e33ec1640f8f14e8e579df07a3f3caa0e2faa600888539ff15fcea70a69b8ae30edef5b9f57da01e045

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
3e3614d7f5c158939657e985eb4c5315

SHA1
f37d70a2e272241c7f2bcb71e2e6aa7b96aefcd3

SHA256
0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7

SHA512
29e2447027c31108b735e00785cc281c5b2fd54de85c9e33ec1640f8f14e8e579df07a3f3caa0e2faa600888539ff15fcea70a69b8ae30edef5b9f57da01e045

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
3e3614d7f5c158939657e985eb4c5315

SHA1
f37d70a2e272241c7f2bcb71e2e6aa7b96aefcd3

SHA256
0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7

SHA512
29e2447027c31108b735e00785cc281c5b2fd54de85c9e33ec1640f8f14e8e579df07a3f3caa0e2faa600888539ff15fcea70a69b8ae30edef5b9f57da01e045

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
3e3614d7f5c158939657e985eb4c5315

SHA1
f37d70a2e272241c7f2bcb71e2e6aa7b96aefcd3

SHA256
0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7

SHA512
29e2447027c31108b735e00785cc281c5b2fd54de85c9e33ec1640f8f14e8e579df07a3f3caa0e2faa600888539ff15fcea70a69b8ae30edef5b9f57da01e045

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
3e3614d7f5c158939657e985eb4c5315

SHA1
f37d70a2e272241c7f2bcb71e2e6aa7b96aefcd3

SHA256
0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7

SHA512
29e2447027c31108b735e00785cc281c5b2fd54de85c9e33ec1640f8f14e8e579df07a3f3caa0e2faa600888539ff15fcea70a69b8ae30edef5b9f57da01e045

Download Submit
C:\Windows\SysWOW64\igfxwp32.exe

Filesize
170KB

MD5
3e3614d7f5c158939657e985eb4c5315

SHA1
f37d70a2e272241c7f2bcb71e2e6aa7b96aefcd3

SHA256
0e893cdfd9aaffaeaad9f0f119b31cefdbdb9d9a0790791ffa37a370e7a7dbd7

SHA512
29e2447027c31108b735e00785cc281c5b2fd54de85c9e33ec1640f8f14e8e579df07a3f3caa0e2faa600888539ff15fcea70a69b8ae30edef5b9f57da01e045

Download Submit
memory/348-136-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/348-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/728-240-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/728-237-0x0000000000000000-mapping.dmp

Download
memory/728-244-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1020-145-0x0000000000000000-mapping.dmp

Download
memory/1020-152-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1020-149-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1020-151-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1020-155-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1072-153-0x0000000000000000-mapping.dmp

Download
memory/1072-161-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1072-156-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1092-164-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1092-167-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1092-157-0x0000000000000000-mapping.dmp

Download
memory/1408-168-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1408-165-0x0000000000000000-mapping.dmp

Download
memory/1408-172-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1736-225-0x0000000000000000-mapping.dmp

Download
memory/1736-232-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1736-228-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1748-236-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1748-239-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1748-229-0x0000000000000000-mapping.dmp

Download
memory/1876-268-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1876-261-0x0000000000000000-mapping.dmp

Download
memory/1876-264-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2032-205-0x0000000000000000-mapping.dmp

Download
memory/2032-212-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2032-215-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2712-241-0x0000000000000000-mapping.dmp

Download
memory/2712-248-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2712-251-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2820-209-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2820-201-0x0000000000000000-mapping.dmp

Download
memory/2820-204-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3112-200-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3112-203-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3112-193-0x0000000000000000-mapping.dmp

Download
memory/3216-285-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3216-277-0x0000000000000000-mapping.dmp

Download
memory/3216-284-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3216-288-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3644-198-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3644-192-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3644-189-0x0000000000000000-mapping.dmp

Download
memory/3976-276-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3976-273-0x0000000000000000-mapping.dmp

Download
memory/3976-280-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4036-263-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4036-260-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4036-253-0x0000000000000000-mapping.dmp

Download
memory/4184-138-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4184-143-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4184-133-0x0000000000000000-mapping.dmp

Download
memory/4184-134-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4184-137-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4184-139-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4188-140-0x0000000000000000-mapping.dmp

Download
memory/4188-144-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4188-150-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4288-265-0x0000000000000000-mapping.dmp

Download
memory/4288-272-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4288-275-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4320-252-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4320-256-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4320-249-0x0000000000000000-mapping.dmp

Download
memory/4472-286-0x0000000000000000-mapping.dmp

Download
memory/4472-289-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4504-191-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4504-188-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4504-181-0x0000000000000000-mapping.dmp

Download
memory/4612-227-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4612-224-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4612-217-0x0000000000000000-mapping.dmp

Download
memory/4764-180-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4764-185-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4764-177-0x0000000000000000-mapping.dmp

Download
memory/4900-176-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4900-179-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4900-169-0x0000000000000000-mapping.dmp

Download
memory/4980-216-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4980-221-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4980-213-0x0000000000000000-mapping.dmp

Download