metasploit | 74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

Analysis

max time kernel
151s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe
Size

179KB
MD5

e7f36826c44c8fea5ad90ca38f3434ac
SHA1

31cc06746f0a55ea578dc852e4ce32db98802371
SHA256

74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43
SHA512

b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c
SSDEEP

3072:g0Lh0KNHQ80N8m+5/KJKC35nB00LA8De3vtS+x68F+Hcpw:g0L8NDMuDc9+8S+x6+tw

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 64 IoCs

Processes:

igfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exe

pid	process
1696	igfxwa32.exe
4240	igfxwa32.exe
3988	igfxwa32.exe
3548	igfxwa32.exe
320	igfxwa32.exe
1284	igfxwa32.exe
1984	igfxwa32.exe
2492	igfxwa32.exe
3656	igfxwa32.exe
2468	igfxwa32.exe
988	igfxwa32.exe
1000	igfxwa32.exe
3704	igfxwa32.exe
3692	igfxwa32.exe
4020	igfxwa32.exe
4744	igfxwa32.exe
2544	igfxwa32.exe
1080	igfxwa32.exe
628	igfxwa32.exe
1876	igfxwa32.exe
1988	igfxwa32.exe
3668	igfxwa32.exe
2260	igfxwa32.exe
3836	igfxwa32.exe
1244	igfxwa32.exe
4776	igfxwa32.exe
5104	igfxwa32.exe
3252	igfxwa32.exe
3712	igfxwa32.exe
1388	igfxwa32.exe
1464	igfxwa32.exe
3092	igfxwa32.exe
2536	igfxwa32.exe
2160	igfxwa32.exe
2080	igfxwa32.exe
5068	igfxwa32.exe
908	igfxwa32.exe
3344	igfxwa32.exe
3672	igfxwa32.exe
112	igfxwa32.exe
3164	igfxwa32.exe
4992	igfxwa32.exe
1544	igfxwa32.exe
1988	igfxwa32.exe
4624	igfxwa32.exe
2260	igfxwa32.exe
2960	igfxwa32.exe
2488	igfxwa32.exe
1936	igfxwa32.exe
4216	igfxwa32.exe
2272	igfxwa32.exe
2232	igfxwa32.exe
2684	igfxwa32.exe
4052	igfxwa32.exe
5052	igfxwa32.exe
2320	igfxwa32.exe
4912	igfxwa32.exe
5044	igfxwa32.exe
3580	igfxwa32.exe
4892	igfxwa32.exe
3400	igfxwa32.exe
8	igfxwa32.exe
4136	igfxwa32.exe
1488	igfxwa32.exe

UPX packed file 48 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3736-137-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3736-139-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3736-140-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3736-141-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3736-146-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4240-153-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4240-152-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4240-154-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4240-158-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3548-164-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3548-165-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3548-166-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3548-169-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1284-175-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1284-176-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1284-177-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1284-180-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/2492-186-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/2492-187-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/2492-189-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/2492-188-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/2492-193-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/2468-202-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/2468-205-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1000-215-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1000-219-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3692-225-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3692-226-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3692-228-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3692-231-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4744-240-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4744-243-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1080-252-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1080-255-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1876-264-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1876-267-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3668-275-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3668-279-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3836-287-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3836-292-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4776-299-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/4776-302-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3252-308-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3252-309-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3252-310-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/3252-314-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1388-322-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral2/memory/1388-325-0x0000000000400000-0x0000000000466000-memory.dmp	upx

Checks computer location settings 2 TTPs 38 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	igfxwa32.exe

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwa32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwa32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwa32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwa32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwa32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwa32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwa32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwa32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwa32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwa32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwa32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwa32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwa32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwa32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxwa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxwa32.exe

Drops file in System32 directory 64 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File created	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File created	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File created	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File created	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwa32.exe
File created	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File created	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwa32.exe
File created	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File created	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File created	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File created	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File created	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwa32.exe
File created	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File created	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File created	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File created	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwa32.exe
File created	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File created	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File created	C:\Windows\SysWOW64\igfxwa32.exe	igfxwa32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxwa32.exe

Suspicious use of SetThreadContext 38 IoCs

Processes:

74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exe

description	pid	process	target process
PID 2080 set thread context of 3736	2080	74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe	74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe
PID 1696 set thread context of 4240	1696	igfxwa32.exe	igfxwa32.exe
PID 3988 set thread context of 3548	3988	igfxwa32.exe	igfxwa32.exe
PID 320 set thread context of 1284	320	igfxwa32.exe	igfxwa32.exe
PID 1984 set thread context of 2492	1984	igfxwa32.exe	igfxwa32.exe
PID 3656 set thread context of 2468	3656	igfxwa32.exe	igfxwa32.exe
PID 988 set thread context of 1000	988	igfxwa32.exe	igfxwa32.exe
PID 3704 set thread context of 3692	3704	igfxwa32.exe	igfxwa32.exe
PID 4020 set thread context of 4744	4020	igfxwa32.exe	igfxwa32.exe
PID 2544 set thread context of 1080	2544	igfxwa32.exe	igfxwa32.exe
PID 628 set thread context of 1876	628	igfxwa32.exe	igfxwa32.exe
PID 1988 set thread context of 3668	1988	igfxwa32.exe	igfxwa32.exe
PID 2260 set thread context of 3836	2260	igfxwa32.exe	igfxwa32.exe
PID 1244 set thread context of 4776	1244	igfxwa32.exe	igfxwa32.exe
PID 5104 set thread context of 3252	5104	igfxwa32.exe	igfxwa32.exe
PID 3712 set thread context of 1388	3712	igfxwa32.exe	igfxwa32.exe
PID 1464 set thread context of 3092	1464	igfxwa32.exe	igfxwa32.exe
PID 2536 set thread context of 2160	2536	igfxwa32.exe	igfxwa32.exe
PID 2080 set thread context of 5068	2080	igfxwa32.exe	igfxwa32.exe
PID 908 set thread context of 3344	908	igfxwa32.exe	igfxwa32.exe
PID 3672 set thread context of 112	3672	igfxwa32.exe	igfxwa32.exe
PID 3164 set thread context of 4992	3164	igfxwa32.exe	igfxwa32.exe
PID 1544 set thread context of 1988	1544	igfxwa32.exe	igfxwa32.exe
PID 4624 set thread context of 2260	4624	igfxwa32.exe	igfxwa32.exe
PID 2960 set thread context of 2488	2960	igfxwa32.exe	igfxwa32.exe
PID 1936 set thread context of 4216	1936	igfxwa32.exe	igfxwa32.exe
PID 2272 set thread context of 2232	2272	igfxwa32.exe	igfxwa32.exe
PID 2684 set thread context of 4052	2684	igfxwa32.exe	igfxwa32.exe
PID 5052 set thread context of 2320	5052	igfxwa32.exe	igfxwa32.exe
PID 4912 set thread context of 5044	4912	igfxwa32.exe	igfxwa32.exe
PID 3580 set thread context of 4892	3580	igfxwa32.exe	igfxwa32.exe
PID 3400 set thread context of 8	3400	igfxwa32.exe	igfxwa32.exe
PID 4136 set thread context of 1488	4136	igfxwa32.exe	igfxwa32.exe
PID 116 set thread context of 4832	116	igfxwa32.exe	igfxwa32.exe
PID 4260 set thread context of 3832	4260	igfxwa32.exe	igfxwa32.exe
PID 636 set thread context of 4564	636	igfxwa32.exe	igfxwa32.exe
PID 876 set thread context of 2388	876	igfxwa32.exe	igfxwa32.exe
PID 1868 set thread context of 1692	1868	igfxwa32.exe	igfxwa32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 38 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4492	2080	WerFault.exe	74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe
1220	1696	WerFault.exe	igfxwa32.exe
1432	3988	WerFault.exe	igfxwa32.exe
1764	320	WerFault.exe	igfxwa32.exe
4624	1984	WerFault.exe	igfxwa32.exe
1944	3656	WerFault.exe	igfxwa32.exe
5104	988	WerFault.exe	igfxwa32.exe
1388	3704	WerFault.exe	igfxwa32.exe
3752	4020	WerFault.exe	igfxwa32.exe
3952	2544	WerFault.exe	igfxwa32.exe
4384	628	WerFault.exe	igfxwa32.exe
3276	1988	WerFault.exe	igfxwa32.exe
3832	2260	WerFault.exe	igfxwa32.exe
3084	1244	WerFault.exe	igfxwa32.exe
2684	5104	WerFault.exe	igfxwa32.exe
3740	3712	WerFault.exe	igfxwa32.exe
2484	1464	WerFault.exe	igfxwa32.exe
1616	2536	WerFault.exe	igfxwa32.exe
1292	2080	WerFault.exe	igfxwa32.exe
3952	908	WerFault.exe	igfxwa32.exe
4372	3672	WerFault.exe	igfxwa32.exe
1796	3164	WerFault.exe	igfxwa32.exe
1088	1544	WerFault.exe	igfxwa32.exe
1864	4624	WerFault.exe	igfxwa32.exe
1716	2960	WerFault.exe	igfxwa32.exe
2004	1936	WerFault.exe	igfxwa32.exe
4740	2272	WerFault.exe	igfxwa32.exe
640	2684	WerFault.exe	igfxwa32.exe
4904	5052	WerFault.exe	igfxwa32.exe
1824	4912	WerFault.exe	igfxwa32.exe
1140	3580	WerFault.exe	igfxwa32.exe
208	3400	WerFault.exe	igfxwa32.exe
1676	4136	WerFault.exe	igfxwa32.exe
3164	116	WerFault.exe	igfxwa32.exe
736	4260	WerFault.exe	igfxwa32.exe
4924	636	WerFault.exe	igfxwa32.exe
828	876	WerFault.exe	igfxwa32.exe
2328	1868	WerFault.exe	igfxwa32.exe

Modifies registry class 38 IoCs

Processes:

igfxwa32.exeigfxwa32.exeigfxwa32.exe74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxwa32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
3736	74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe
3736	74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe
3736	74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe
3736	74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe
4240	igfxwa32.exe
4240	igfxwa32.exe
4240	igfxwa32.exe
4240	igfxwa32.exe
3548	igfxwa32.exe
3548	igfxwa32.exe
3548	igfxwa32.exe
3548	igfxwa32.exe
1284	igfxwa32.exe
1284	igfxwa32.exe
1284	igfxwa32.exe
1284	igfxwa32.exe
2492	igfxwa32.exe
2492	igfxwa32.exe
2492	igfxwa32.exe
2492	igfxwa32.exe
2468	igfxwa32.exe
2468	igfxwa32.exe
2468	igfxwa32.exe
2468	igfxwa32.exe
1000	igfxwa32.exe
1000	igfxwa32.exe
1000	igfxwa32.exe
1000	igfxwa32.exe
3692	igfxwa32.exe
3692	igfxwa32.exe
3692	igfxwa32.exe
3692	igfxwa32.exe
4744	igfxwa32.exe
4744	igfxwa32.exe
4744	igfxwa32.exe
4744	igfxwa32.exe
1080	igfxwa32.exe
1080	igfxwa32.exe
1080	igfxwa32.exe
1080	igfxwa32.exe
1876	igfxwa32.exe
1876	igfxwa32.exe
1876	igfxwa32.exe
1876	igfxwa32.exe
3668	igfxwa32.exe
3668	igfxwa32.exe
3668	igfxwa32.exe
3668	igfxwa32.exe
3836	igfxwa32.exe
3836	igfxwa32.exe
3836	igfxwa32.exe
3836	igfxwa32.exe
4776	igfxwa32.exe
4776	igfxwa32.exe
4776	igfxwa32.exe
4776	igfxwa32.exe
3252	igfxwa32.exe
3252	igfxwa32.exe
3252	igfxwa32.exe
3252	igfxwa32.exe
1388	igfxwa32.exe
1388	igfxwa32.exe
1388	igfxwa32.exe
1388	igfxwa32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exeigfxwa32.exe

description	pid	process	target process
PID 2080 wrote to memory of 3736	2080	74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe	74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe
PID 2080 wrote to memory of 3736	2080	74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe	74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe
PID 2080 wrote to memory of 3736	2080	74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe	74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe
PID 2080 wrote to memory of 3736	2080	74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe	74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe
PID 2080 wrote to memory of 3736	2080	74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe	74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe
PID 2080 wrote to memory of 3736	2080	74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe	74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe
PID 2080 wrote to memory of 3736	2080	74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe	74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe
PID 3736 wrote to memory of 1696	3736	74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe	igfxwa32.exe
PID 3736 wrote to memory of 1696	3736	74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe	igfxwa32.exe
PID 3736 wrote to memory of 1696	3736	74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe	igfxwa32.exe
PID 1696 wrote to memory of 4240	1696	igfxwa32.exe	igfxwa32.exe
PID 1696 wrote to memory of 4240	1696	igfxwa32.exe	igfxwa32.exe
PID 1696 wrote to memory of 4240	1696	igfxwa32.exe	igfxwa32.exe
PID 1696 wrote to memory of 4240	1696	igfxwa32.exe	igfxwa32.exe
PID 1696 wrote to memory of 4240	1696	igfxwa32.exe	igfxwa32.exe
PID 1696 wrote to memory of 4240	1696	igfxwa32.exe	igfxwa32.exe
PID 1696 wrote to memory of 4240	1696	igfxwa32.exe	igfxwa32.exe
PID 4240 wrote to memory of 3988	4240	igfxwa32.exe	igfxwa32.exe
PID 4240 wrote to memory of 3988	4240	igfxwa32.exe	igfxwa32.exe
PID 4240 wrote to memory of 3988	4240	igfxwa32.exe	igfxwa32.exe
PID 3988 wrote to memory of 3548	3988	igfxwa32.exe	igfxwa32.exe
PID 3988 wrote to memory of 3548	3988	igfxwa32.exe	igfxwa32.exe
PID 3988 wrote to memory of 3548	3988	igfxwa32.exe	igfxwa32.exe
PID 3988 wrote to memory of 3548	3988	igfxwa32.exe	igfxwa32.exe
PID 3988 wrote to memory of 3548	3988	igfxwa32.exe	igfxwa32.exe
PID 3988 wrote to memory of 3548	3988	igfxwa32.exe	igfxwa32.exe
PID 3988 wrote to memory of 3548	3988	igfxwa32.exe	igfxwa32.exe
PID 3548 wrote to memory of 320	3548	igfxwa32.exe	igfxwa32.exe
PID 3548 wrote to memory of 320	3548	igfxwa32.exe	igfxwa32.exe
PID 3548 wrote to memory of 320	3548	igfxwa32.exe	igfxwa32.exe
PID 320 wrote to memory of 1284	320	igfxwa32.exe	igfxwa32.exe
PID 320 wrote to memory of 1284	320	igfxwa32.exe	igfxwa32.exe
PID 320 wrote to memory of 1284	320	igfxwa32.exe	igfxwa32.exe
PID 320 wrote to memory of 1284	320	igfxwa32.exe	igfxwa32.exe
PID 320 wrote to memory of 1284	320	igfxwa32.exe	igfxwa32.exe
PID 320 wrote to memory of 1284	320	igfxwa32.exe	igfxwa32.exe
PID 320 wrote to memory of 1284	320	igfxwa32.exe	igfxwa32.exe
PID 1284 wrote to memory of 1984	1284	igfxwa32.exe	igfxwa32.exe
PID 1284 wrote to memory of 1984	1284	igfxwa32.exe	igfxwa32.exe
PID 1284 wrote to memory of 1984	1284	igfxwa32.exe	igfxwa32.exe
PID 1984 wrote to memory of 2492	1984	igfxwa32.exe	igfxwa32.exe
PID 1984 wrote to memory of 2492	1984	igfxwa32.exe	igfxwa32.exe
PID 1984 wrote to memory of 2492	1984	igfxwa32.exe	igfxwa32.exe
PID 1984 wrote to memory of 2492	1984	igfxwa32.exe	igfxwa32.exe
PID 1984 wrote to memory of 2492	1984	igfxwa32.exe	igfxwa32.exe
PID 1984 wrote to memory of 2492	1984	igfxwa32.exe	igfxwa32.exe
PID 1984 wrote to memory of 2492	1984	igfxwa32.exe	igfxwa32.exe
PID 2492 wrote to memory of 3656	2492	igfxwa32.exe	igfxwa32.exe
PID 2492 wrote to memory of 3656	2492	igfxwa32.exe	igfxwa32.exe
PID 2492 wrote to memory of 3656	2492	igfxwa32.exe	igfxwa32.exe
PID 3656 wrote to memory of 2468	3656	igfxwa32.exe	igfxwa32.exe
PID 3656 wrote to memory of 2468	3656	igfxwa32.exe	igfxwa32.exe
PID 3656 wrote to memory of 2468	3656	igfxwa32.exe	igfxwa32.exe
PID 3656 wrote to memory of 2468	3656	igfxwa32.exe	igfxwa32.exe
PID 3656 wrote to memory of 2468	3656	igfxwa32.exe	igfxwa32.exe
PID 3656 wrote to memory of 2468	3656	igfxwa32.exe	igfxwa32.exe
PID 3656 wrote to memory of 2468	3656	igfxwa32.exe	igfxwa32.exe
PID 2468 wrote to memory of 988	2468	igfxwa32.exe	igfxwa32.exe
PID 2468 wrote to memory of 988	2468	igfxwa32.exe	igfxwa32.exe
PID 2468 wrote to memory of 988	2468	igfxwa32.exe	igfxwa32.exe
PID 988 wrote to memory of 1000	988	igfxwa32.exe	igfxwa32.exe
PID 988 wrote to memory of 1000	988	igfxwa32.exe	igfxwa32.exe
PID 988 wrote to memory of 1000	988	igfxwa32.exe	igfxwa32.exe
PID 988 wrote to memory of 1000	988	igfxwa32.exe	igfxwa32.exe

C:\Users\Admin\AppData\Local\Temp\74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe
"C:\Users\Admin\AppData\Local\Temp\74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2080

C:\Users\Admin\AppData\Local\Temp\74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe
"C:\Users\Admin\AppData\Local\Temp\74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43.exe"
2⤵
- Checks computer location settings
- Maps connected drives based on registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3736

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Users\Admin\AppData\Local\Temp\74F0BA~1.EXE
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Users\Admin\AppData\Local\Temp\74F0BA~1.EXE
4⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4240

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
6⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
8⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
10⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3656

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
12⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
14⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1000

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3704

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
16⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3692

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4020

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
18⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4744

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2544

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
20⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1080

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:628

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
22⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1876

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1988

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
24⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3668

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2260

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
26⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3836

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1244

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
28⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4776

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5104

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
30⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3252

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3712

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
32⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1388

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1464

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
34⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:3092

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2536

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
36⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:2160

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2080

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
38⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:5068

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:908

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
40⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:3344

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3672

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
42⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:112

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3164

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
44⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:4992

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1544

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
46⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:1988

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4624

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
48⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:2260

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2960

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
50⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:2488

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1936

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
52⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:4216

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2272

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
54⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:2232

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2684

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
56⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:4052

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5052

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
58⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:2320

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4912

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
60⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:5044

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3580

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
62⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:4892

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3400

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
64⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:8

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4136

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
66⤵
- Executes dropped EXE
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:1488

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
67⤵
- Suspicious use of SetThreadContext
PID:116

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
68⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:4832

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
69⤵
- Suspicious use of SetThreadContext
PID:4260

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
70⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:3832

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
71⤵
- Suspicious use of SetThreadContext
PID:636

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
72⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:4564

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
73⤵
- Suspicious use of SetThreadContext
PID:876

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
74⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:2388

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
75⤵
- Suspicious use of SetThreadContext
PID:1868

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
76⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
PID:1692

C:\Windows\SysWOW64\igfxwa32.exe
"C:\Windows\system32\igfxwa32.exe" C:\Windows\SysWOW64\igfxwa32.exe
77⤵
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 268
76⤵
- Program crash
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 268
74⤵
- Program crash
PID:828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 268
72⤵
- Program crash
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 268
70⤵
- Program crash
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 268
68⤵
- Program crash
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 268
66⤵
- Program crash
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 268
64⤵
- Program crash
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 268
62⤵
- Program crash
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 268
60⤵
- Program crash
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 268
58⤵
- Program crash
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 280
56⤵
- Program crash
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 268
54⤵
- Program crash
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 268
52⤵
- Program crash
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 268
50⤵
- Program crash
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 268
48⤵
- Program crash
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 268
46⤵
- Program crash
PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 268
44⤵
- Program crash
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 268
42⤵
- Program crash
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 272
40⤵
- Program crash
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 268
38⤵
- Program crash
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 268
36⤵
- Program crash
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 268
34⤵
- Program crash
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 268
32⤵
- Program crash
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 268
30⤵
- Program crash
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 268
28⤵
- Program crash
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 268
26⤵
- Program crash
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 268
24⤵
- Program crash
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 268
22⤵
- Program crash
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 268
20⤵
- Program crash
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 268
18⤵
- Program crash
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 268
16⤵
- Program crash
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 268
14⤵
- Program crash
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 268
12⤵
- Program crash
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 184
10⤵
- Program crash
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 268
8⤵
- Program crash
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 268
6⤵
- Program crash
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 300
4⤵
- Program crash
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 308
2⤵
- Program crash
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2080 -ip 2080
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1696 -ip 1696
1⤵
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3988 -ip 3988
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 320 -ip 320
1⤵
PID:1212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1984 -ip 1984
1⤵
PID:1224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3656 -ip 3656
1⤵
PID:992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 988 -ip 988
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3704 -ip 3704
1⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4020 -ip 4020
1⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2544 -ip 2544
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 628 -ip 628
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1988 -ip 1988
1⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2260 -ip 2260
1⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1244 -ip 1244
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5104 -ip 5104
1⤵
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3712 -ip 3712
1⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1464 -ip 1464
1⤵
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2536 -ip 2536
1⤵
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2080 -ip 2080
1⤵
PID:804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 908 -ip 908
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3672 -ip 3672
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3164 -ip 3164
1⤵
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1544 -ip 1544
1⤵
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4624 -ip 4624
1⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2960 -ip 2960
1⤵
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1936 -ip 1936
1⤵
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2272 -ip 2272
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2684 -ip 2684
1⤵
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5052 -ip 5052
1⤵
PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4912 -ip 4912
1⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3580 -ip 3580
1⤵
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3400 -ip 3400
1⤵
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4136 -ip 4136
1⤵
PID:2448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 116 -ip 116
1⤵
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4260 -ip 4260
1⤵
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 636 -ip 636
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 876 -ip 876
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1868 -ip 1868
1⤵
PID:2460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
C:\Windows\SysWOW64\igfxwa32.exe
Filesize
179KB

MD5
e7f36826c44c8fea5ad90ca38f3434ac

SHA1
31cc06746f0a55ea578dc852e4ce32db98802371

SHA256
74f0ba018c00f91d7e3cb8e4d3dc75950be330416052d9ea17ec395c458ece43

SHA512
b1e79a6ff61266c0867c9af0e2d9e1af864562c9de0577d4856b656575df6d5362bcfcb64f7de4590f6882ab8930ed0e4ab8abddf08fc40aaedd9b646b71d52c

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/8-493-0x0000000000000000-mapping.dmp

Download
memory/112-378-0x0000000000000000-mapping.dmp

Download
memory/320-195-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/320-167-0x0000000000000000-mapping.dmp

Download
memory/320-170-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/628-256-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/628-263-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/628-253-0x0000000000000000-mapping.dmp

Download
memory/908-361-0x0000000000000000-mapping.dmp

Download
memory/988-216-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/988-203-0x0000000000000000-mapping.dmp

Download
memory/988-207-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1000-219-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1000-215-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1000-208-0x0000000000000000-mapping.dmp

Download
memory/1080-252-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1080-255-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1080-245-0x0000000000000000-mapping.dmp

Download
memory/1244-311-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1244-289-0x0000000000000000-mapping.dmp

Download
memory/1244-291-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1284-177-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1284-171-0x0000000000000000-mapping.dmp

Download
memory/1284-180-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1284-175-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1284-176-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1388-325-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1388-316-0x0000000000000000-mapping.dmp

Download
memory/1388-322-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1464-326-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1464-323-0x0000000000000000-mapping.dmp

Download
memory/1544-397-0x0000000000000000-mapping.dmp

Download
memory/1696-143-0x0000000000000000-mapping.dmp

Download
memory/1696-155-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1696-147-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1876-257-0x0000000000000000-mapping.dmp

Download
memory/1876-264-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1876-267-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1936-429-0x0000000000000000-mapping.dmp

Download
memory/1984-181-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1984-178-0x0000000000000000-mapping.dmp

Download
memory/1984-206-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1988-276-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1988-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1988-265-0x0000000000000000-mapping.dmp

Download
memory/1988-402-0x0000000000000000-mapping.dmp

Download
memory/2080-142-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2080-349-0x0000000000000000-mapping.dmp

Download
memory/2080-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2160-341-0x0000000000000000-mapping.dmp

Download
memory/2232-442-0x0000000000000000-mapping.dmp

Download
memory/2260-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2260-412-0x0000000000000000-mapping.dmp

Download
memory/2260-277-0x0000000000000000-mapping.dmp

Download
memory/2260-288-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2272-439-0x0000000000000000-mapping.dmp

Download
memory/2320-462-0x0000000000000000-mapping.dmp

Download
memory/2468-202-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2468-205-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2468-196-0x0000000000000000-mapping.dmp

Download
memory/2488-423-0x0000000000000000-mapping.dmp

Download
memory/2492-186-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2492-187-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2492-188-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2492-193-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2492-189-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2492-182-0x0000000000000000-mapping.dmp

Download
memory/2536-334-0x0000000000000000-mapping.dmp

Download
memory/2544-241-0x0000000000000000-mapping.dmp

Download
memory/2544-251-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2544-244-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2684-449-0x0000000000000000-mapping.dmp

Download
memory/2960-420-0x0000000000000000-mapping.dmp

Download
memory/3092-327-0x0000000000000000-mapping.dmp

Download
memory/3164-386-0x0000000000000000-mapping.dmp

Download
memory/3252-308-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3252-314-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3252-310-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3252-304-0x0000000000000000-mapping.dmp

Download
memory/3252-309-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3344-365-0x0000000000000000-mapping.dmp

Download
memory/3400-490-0x0000000000000000-mapping.dmp

Download
memory/3548-160-0x0000000000000000-mapping.dmp

Download
memory/3548-166-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3548-165-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3548-169-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3548-164-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3580-479-0x0000000000000000-mapping.dmp

Download
memory/3656-194-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3656-213-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3656-191-0x0000000000000000-mapping.dmp

Download
memory/3668-269-0x0000000000000000-mapping.dmp

Download
memory/3668-275-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3668-279-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3672-374-0x0000000000000000-mapping.dmp

Download
memory/3692-228-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3692-221-0x0000000000000000-mapping.dmp

Download
memory/3692-231-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3692-226-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3692-225-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3704-220-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3704-227-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3704-217-0x0000000000000000-mapping.dmp

Download
memory/3712-312-0x0000000000000000-mapping.dmp

Download
memory/3712-315-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3736-140-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3736-139-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3736-137-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3736-141-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3736-146-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3736-136-0x0000000000000000-mapping.dmp

Download
memory/3836-287-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3836-281-0x0000000000000000-mapping.dmp

Download
memory/3836-292-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3988-190-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3988-159-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3988-156-0x0000000000000000-mapping.dmp

Download
memory/4020-232-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4020-239-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4020-229-0x0000000000000000-mapping.dmp

Download
memory/4052-452-0x0000000000000000-mapping.dmp

Download
memory/4136-500-0x0000000000000000-mapping.dmp

Download
memory/4216-432-0x0000000000000000-mapping.dmp

Download
memory/4240-152-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4240-154-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4240-158-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4240-148-0x0000000000000000-mapping.dmp

Download
memory/4240-153-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4624-409-0x0000000000000000-mapping.dmp

Download
memory/4744-243-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4744-240-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4744-233-0x0000000000000000-mapping.dmp

Download
memory/4776-302-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4776-299-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4776-293-0x0000000000000000-mapping.dmp

Download
memory/4892-482-0x0000000000000000-mapping.dmp

Download
memory/4912-468-0x0000000000000000-mapping.dmp

Download
memory/4992-390-0x0000000000000000-mapping.dmp

Download
memory/5044-471-0x0000000000000000-mapping.dmp

Download
memory/5052-459-0x0000000000000000-mapping.dmp

Download
memory/5068-353-0x0000000000000000-mapping.dmp

Download
memory/5104-300-0x0000000000000000-mapping.dmp

Download
memory/5104-303-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download