metasploit | 8175d65ea18612e0f05830b00fc3206d0d06b5641d3baec3e22f16753a9725d7

Analysis

max time kernel
151s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/01/2024, 06:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7403160cc0b5c66baf0919c5979827a6.exe
Size

241KB
MD5

7403160cc0b5c66baf0919c5979827a6
SHA1

33654f0ed237e3dde8d2ce094c1dca952e9bd8c7
SHA256

8175d65ea18612e0f05830b00fc3206d0d06b5641d3baec3e22f16753a9725d7
SHA512

52463cc919df34bf503ce5781d10dcdc757cb8d82e05c6eef89ba5b66b3c4697aaa88ea9984cf8c6e88b12b3b340430735dcb108b7f68dd2d13b6cffc98ecc26
SSDEEP

6144:qHrDUxK2rhRV1TYIFKM4e+hV5oWhiMr63niRurrfr:xbhRV5Ygkbh87diRur

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Deletes itself 1 IoCs

pid	Process
2052	igfxper32.exe

Executes dropped EXE 45 IoCs

pid	Process
2052	igfxper32.exe
1164	igfxper32.exe
2568	igfxper32.exe
2384	igfxper32.exe
2832	igfxper32.exe
320	igfxper32.exe
1632	igfxper32.exe
1624	igfxper32.exe
280	igfxper32.exe
1668	igfxper32.exe
1972	igfxper32.exe
2300	igfxper32.exe
2132	igfxper32.exe
720	igfxper32.exe
1336	igfxper32.exe
764	igfxper32.exe
1944	igfxper32.exe
1932	igfxper32.exe
3052	igfxper32.exe
2872	igfxper32.exe
2712	igfxper32.exe
368	igfxper32.exe
2732	igfxper32.exe
2596	igfxper32.exe
2684	igfxper32.exe
1648	igfxper32.exe
2812	igfxper32.exe
2540	igfxper32.exe
1580	igfxper32.exe
2236	igfxper32.exe
268	igfxper32.exe
1748	igfxper32.exe
1372	igfxper32.exe
580	igfxper32.exe
2112	igfxper32.exe
1144	igfxper32.exe
2248	igfxper32.exe
1808	igfxper32.exe
332	igfxper32.exe
1776	igfxper32.exe
640	igfxper32.exe
1352	igfxper32.exe
988	igfxper32.exe
2508	igfxper32.exe
1692	igfxper32.exe

Loads dropped DLL 64 IoCs

pid	Process
2944	7403160cc0b5c66baf0919c5979827a6.exe
2944	7403160cc0b5c66baf0919c5979827a6.exe
2052	igfxper32.exe
2052	igfxper32.exe
1164	igfxper32.exe
1164	igfxper32.exe
2568	igfxper32.exe
2568	igfxper32.exe
2384	igfxper32.exe
2384	igfxper32.exe
2832	igfxper32.exe
2832	igfxper32.exe
320	igfxper32.exe
320	igfxper32.exe
1632	igfxper32.exe
1632	igfxper32.exe
1624	igfxper32.exe
1624	igfxper32.exe
280	igfxper32.exe
280	igfxper32.exe
1668	igfxper32.exe
1668	igfxper32.exe
1972	igfxper32.exe
1972	igfxper32.exe
2300	igfxper32.exe
2300	igfxper32.exe
2132	igfxper32.exe
2132	igfxper32.exe
720	igfxper32.exe
720	igfxper32.exe
1336	igfxper32.exe
1336	igfxper32.exe
764	igfxper32.exe
764	igfxper32.exe
1944	igfxper32.exe
1944	igfxper32.exe
1932	igfxper32.exe
1932	igfxper32.exe
3052	igfxper32.exe
3052	igfxper32.exe
2872	igfxper32.exe
2872	igfxper32.exe
2712	igfxper32.exe
2712	igfxper32.exe
368	igfxper32.exe
368	igfxper32.exe
2732	igfxper32.exe
2732	igfxper32.exe
2596	igfxper32.exe
2596	igfxper32.exe
2684	igfxper32.exe
2684	igfxper32.exe
1648	igfxper32.exe
1648	igfxper32.exe
2812	igfxper32.exe
2812	igfxper32.exe
2540	igfxper32.exe
2540	igfxper32.exe
1580	igfxper32.exe
1580	igfxper32.exe
2236	igfxper32.exe
2236	igfxper32.exe
268	igfxper32.exe
268	igfxper32.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2944-0-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/files/0x000d0000000122fe-6.dat	upx
behavioral1/memory/2944-12-0x0000000002FF0000-0x00000000030AA000-memory.dmp	upx
behavioral1/files/0x000d0000000122fe-23.dat	upx
behavioral1/files/0x000d0000000122fe-24.dat	upx
behavioral1/memory/1632-53-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/files/0x000d0000000122fe-76.dat	upx
behavioral1/files/0x000d0000000122fe-78.dat	upx
behavioral1/memory/720-98-0x0000000003100000-0x00000000031BA000-memory.dmp	upx
behavioral1/memory/2540-148-0x00000000030E0000-0x000000000319A000-memory.dmp	upx
behavioral1/memory/1372-160-0x0000000000400000-0x00000000004BA000-memory.dmp	upx

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxper32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxper32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxper32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxper32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxper32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxper32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	7403160cc0b5c66baf0919c5979827a6.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	7403160cc0b5c66baf0919c5979827a6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxper32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxper32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxper32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxper32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxper32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxper32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxper32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxper32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File created	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File created	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxper32.exe
File created	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File created	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File created	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File created	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File created	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File created	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File created	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\igfxper32.exe	7403160cc0b5c66baf0919c5979827a6.exe
File created	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\	7403160cc0b5c66baf0919c5979827a6.exe
File created	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File created	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxper32.exe
File created	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File created	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File created	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File created	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxper32.exe
File created	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File created	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File created	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxper32.exe
File created	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe
File opened for modification	C:\Windows\SysWOW64\igfxper32.exe	igfxper32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
2944	7403160cc0b5c66baf0919c5979827a6.exe
2052	igfxper32.exe
1164	igfxper32.exe
2568	igfxper32.exe
2384	igfxper32.exe
2832	igfxper32.exe
320	igfxper32.exe
1632	igfxper32.exe
1624	igfxper32.exe
280	igfxper32.exe
1668	igfxper32.exe
1972	igfxper32.exe
2300	igfxper32.exe
2132	igfxper32.exe
720	igfxper32.exe
1336	igfxper32.exe
764	igfxper32.exe
1944	igfxper32.exe
1932	igfxper32.exe
3052	igfxper32.exe
2872	igfxper32.exe
2712	igfxper32.exe
368	igfxper32.exe
2732	igfxper32.exe
2596	igfxper32.exe
2684	igfxper32.exe
1648	igfxper32.exe
2812	igfxper32.exe
2540	igfxper32.exe
1580	igfxper32.exe
2236	igfxper32.exe
268	igfxper32.exe
1748	igfxper32.exe
1372	igfxper32.exe
580	igfxper32.exe
2112	igfxper32.exe
1144	igfxper32.exe
2248	igfxper32.exe
1808	igfxper32.exe
332	igfxper32.exe
1776	igfxper32.exe
640	igfxper32.exe
1352	igfxper32.exe
988	igfxper32.exe
2508	igfxper32.exe
1692	igfxper32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2052	2944	7403160cc0b5c66baf0919c5979827a6.exe	28
PID 2944 wrote to memory of 2052	2944	7403160cc0b5c66baf0919c5979827a6.exe	28
PID 2944 wrote to memory of 2052	2944	7403160cc0b5c66baf0919c5979827a6.exe	28
PID 2944 wrote to memory of 2052	2944	7403160cc0b5c66baf0919c5979827a6.exe	28
PID 2052 wrote to memory of 1164	2052	igfxper32.exe	29
PID 2052 wrote to memory of 1164	2052	igfxper32.exe	29
PID 2052 wrote to memory of 1164	2052	igfxper32.exe	29
PID 2052 wrote to memory of 1164	2052	igfxper32.exe	29
PID 1164 wrote to memory of 2568	1164	igfxper32.exe	30
PID 1164 wrote to memory of 2568	1164	igfxper32.exe	30
PID 1164 wrote to memory of 2568	1164	igfxper32.exe	30
PID 1164 wrote to memory of 2568	1164	igfxper32.exe	30
PID 2568 wrote to memory of 2384	2568	igfxper32.exe	31
PID 2568 wrote to memory of 2384	2568	igfxper32.exe	31
PID 2568 wrote to memory of 2384	2568	igfxper32.exe	31
PID 2568 wrote to memory of 2384	2568	igfxper32.exe	31
PID 2384 wrote to memory of 2832	2384	igfxper32.exe	32
PID 2384 wrote to memory of 2832	2384	igfxper32.exe	32
PID 2384 wrote to memory of 2832	2384	igfxper32.exe	32
PID 2384 wrote to memory of 2832	2384	igfxper32.exe	32
PID 2832 wrote to memory of 320	2832	igfxper32.exe	33
PID 2832 wrote to memory of 320	2832	igfxper32.exe	33
PID 2832 wrote to memory of 320	2832	igfxper32.exe	33
PID 2832 wrote to memory of 320	2832	igfxper32.exe	33
PID 320 wrote to memory of 1632	320	igfxper32.exe	34
PID 320 wrote to memory of 1632	320	igfxper32.exe	34
PID 320 wrote to memory of 1632	320	igfxper32.exe	34
PID 320 wrote to memory of 1632	320	igfxper32.exe	34
PID 1632 wrote to memory of 1624	1632	igfxper32.exe	35
PID 1632 wrote to memory of 1624	1632	igfxper32.exe	35
PID 1632 wrote to memory of 1624	1632	igfxper32.exe	35
PID 1632 wrote to memory of 1624	1632	igfxper32.exe	35
PID 1624 wrote to memory of 280	1624	igfxper32.exe	36
PID 1624 wrote to memory of 280	1624	igfxper32.exe	36
PID 1624 wrote to memory of 280	1624	igfxper32.exe	36
PID 1624 wrote to memory of 280	1624	igfxper32.exe	36
PID 280 wrote to memory of 1668	280	igfxper32.exe	37
PID 280 wrote to memory of 1668	280	igfxper32.exe	37
PID 280 wrote to memory of 1668	280	igfxper32.exe	37
PID 280 wrote to memory of 1668	280	igfxper32.exe	37
PID 1668 wrote to memory of 1972	1668	igfxper32.exe	40
PID 1668 wrote to memory of 1972	1668	igfxper32.exe	40
PID 1668 wrote to memory of 1972	1668	igfxper32.exe	40
PID 1668 wrote to memory of 1972	1668	igfxper32.exe	40
PID 1972 wrote to memory of 2300	1972	igfxper32.exe	41
PID 1972 wrote to memory of 2300	1972	igfxper32.exe	41
PID 1972 wrote to memory of 2300	1972	igfxper32.exe	41
PID 1972 wrote to memory of 2300	1972	igfxper32.exe	41
PID 2300 wrote to memory of 2132	2300	igfxper32.exe	42
PID 2300 wrote to memory of 2132	2300	igfxper32.exe	42
PID 2300 wrote to memory of 2132	2300	igfxper32.exe	42
PID 2300 wrote to memory of 2132	2300	igfxper32.exe	42
PID 2132 wrote to memory of 720	2132	igfxper32.exe	43
PID 2132 wrote to memory of 720	2132	igfxper32.exe	43
PID 2132 wrote to memory of 720	2132	igfxper32.exe	43
PID 2132 wrote to memory of 720	2132	igfxper32.exe	43
PID 720 wrote to memory of 1336	720	igfxper32.exe	44
PID 720 wrote to memory of 1336	720	igfxper32.exe	44
PID 720 wrote to memory of 1336	720	igfxper32.exe	44
PID 720 wrote to memory of 1336	720	igfxper32.exe	44
PID 1336 wrote to memory of 764	1336	igfxper32.exe	45
PID 1336 wrote to memory of 764	1336	igfxper32.exe	45
PID 1336 wrote to memory of 764	1336	igfxper32.exe	45
PID 1336 wrote to memory of 764	1336	igfxper32.exe	45

C:\Users\Admin\AppData\Local\Temp\7403160cc0b5c66baf0919c5979827a6.exe
"C:\Users\Admin\AppData\Local\Temp\7403160cc0b5c66baf0919c5979827a6.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\SysWOW64\igfxper32.exe
  "C:\Windows\system32\igfxper32.exe" C:\Users\Admin\AppData\Local\Temp\740316~1.EXE
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\igfxper32.exe
    "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1164
  - - C:\Windows\SysWOW64\igfxper32.exe
      "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Maps connected drives based on registry
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2384
      - C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:280
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:720
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:764
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1944
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1932
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3052
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2872
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2712
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:368
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2732
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2596
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2684
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1648
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2812
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2540
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1580
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2236
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:268
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        33⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1748
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        34⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1372
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        35⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:580
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        36⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2112
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        37⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1144
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        38⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2248
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        39⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1808
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:332
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1776
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        42⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:640
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        43⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1352
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        44⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:988
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        45⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2508
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        46⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1692
        
        C:\Windows\SysWOW64\igfxper32.exe
        
        "C:\Windows\system32\igfxper32.exe" C:\Windows\SysWOW64\IGFXPE~1.EXE
        47⤵
        
        PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\igfxper32.exe

Filesize
124KB

MD5
12d6f79081acfb32d6bd706197d8e5b3

SHA1
0dd5f72692112d3dd0f339ea3e8a0ac0be5825aa

SHA256
fd1e143e91612d1716fdf51f7342f0c5e3fd377a6821f4a8033756d8ef72d461

SHA512
324c055ce56befec8485d4999d1cf75ba3740b528a930950c7ea2cd754fe6d94e3e48fe153c038db815aa2be2ed63ac51d3e3b7f960d7722fab36790d7629949

Download Submit
\Windows\SysWOW64\igfxper32.exe

Filesize
128KB

MD5
bac0f0636c7d73272a0c4a741dc0cece

SHA1
16b20afcf465a7efdffce1a91eeac4a5db2e36e9

SHA256
a2b8b6c5f14768f7584a9013907eb9fc6fd24092250dd8ab99bad8023fb529c9

SHA512
448ac3d771138f7c9bccadff1e7d17cef0a0cdb229aeab71020633c867c3d9a4dac1e03277fe39b81999e9b82ba912b9b7a3d5df575cc65362a84b6268fa06ea

Download Submit
\Windows\SysWOW64\igfxper32.exe

Filesize
241KB

MD5
7403160cc0b5c66baf0919c5979827a6

SHA1
33654f0ed237e3dde8d2ce094c1dca952e9bd8c7

SHA256
8175d65ea18612e0f05830b00fc3206d0d06b5641d3baec3e22f16753a9725d7

SHA512
52463cc919df34bf503ce5781d10dcdc757cb8d82e05c6eef89ba5b66b3c4697aaa88ea9984cf8c6e88b12b3b340430735dcb108b7f68dd2d13b6cffc98ecc26

Download Submit
\Windows\SysWOW64\igfxper32.exe

Filesize
197KB

MD5
e540634135beb948f0d56faf76464a38

SHA1
c444da368b18cf05bd6787c3f44b983c483c2859

SHA256
95867ba941d2f63301fc3fb101075a41695740cc3fbe98906eb8735de4a1d9a1

SHA512
1481c2d6d49f28b70ad38cf40d7319b512fa5ab57dfa61a8483da32e734b7ee5dd39ad1940208de50f045d9940c9bee8df43ba8277a034fd09ac9de3b52807a0

Download Submit
memory/268-156-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/268-157-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/280-85-0x0000000002EF0000-0x0000000002FAA000-memory.dmp

Filesize
744KB

Download
memory/280-67-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/280-70-0x0000000002EF0000-0x0000000002FAA000-memory.dmp

Filesize
744KB

Download
memory/280-73-0x0000000002EF0000-0x0000000002FAA000-memory.dmp

Filesize
744KB

Download
memory/280-72-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/320-47-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/320-52-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/332-179-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/368-133-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/368-132-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/368-134-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/580-166-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/640-185-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/720-98-0x0000000003100000-0x00000000031BA000-memory.dmp

Filesize
744KB

Download
memory/720-99-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/720-95-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/764-112-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/764-113-0x0000000002F30000-0x0000000002FEA000-memory.dmp

Filesize
744KB

Download
memory/764-108-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/988-190-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1144-171-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1164-26-0x00000000030A0000-0x000000000315A000-memory.dmp

Filesize
744KB

Download
memory/1164-27-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1164-22-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1164-28-0x00000000030A0000-0x000000000315A000-memory.dmp

Filesize
744KB

Download
memory/1336-107-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1336-101-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1336-106-0x0000000002FE0000-0x000000000309A000-memory.dmp

Filesize
744KB

Download
memory/1352-188-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1372-163-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1372-160-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1580-152-0x0000000002FE0000-0x000000000309A000-memory.dmp

Filesize
744KB

Download
memory/1580-153-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1580-151-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1624-60-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1624-64-0x0000000002FB0000-0x000000000306A000-memory.dmp

Filesize
744KB

Download
memory/1624-66-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1632-53-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1632-54-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1632-57-0x0000000003120000-0x00000000031DA000-memory.dmp

Filesize
744KB

Download
memory/1632-59-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1648-144-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1648-143-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1668-77-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1668-74-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1692-194-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1748-161-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1748-159-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1748-158-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1776-182-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1808-177-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1932-121-0x0000000004530000-0x00000000045EA000-memory.dmp

Filesize
744KB

Download
memory/1932-122-0x0000000004530000-0x00000000045EA000-memory.dmp

Filesize
744KB

Download
memory/1932-120-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1932-119-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1932-130-0x0000000004530000-0x00000000045EA000-memory.dmp

Filesize
744KB

Download
memory/1944-117-0x00000000043E0000-0x000000000449A000-memory.dmp

Filesize
744KB

Download
memory/1944-118-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1944-126-0x00000000043E0000-0x000000000449A000-memory.dmp

Filesize
744KB

Download
memory/1944-114-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1972-83-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1972-79-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2052-15-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2052-21-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2052-19-0x0000000003220000-0x00000000032DA000-memory.dmp

Filesize
744KB

Download
memory/2052-40-0x0000000003220000-0x00000000032DA000-memory.dmp

Filesize
744KB

Download
memory/2112-168-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2132-90-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2132-94-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2236-154-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2236-155-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2248-174-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2300-84-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2300-89-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2384-39-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2384-34-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2508-192-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2540-147-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2540-148-0x00000000030E0000-0x000000000319A000-memory.dmp

Filesize
744KB

Download
memory/2540-150-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2540-149-0x00000000030E0000-0x000000000319A000-memory.dmp

Filesize
744KB

Download
memory/2568-33-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2568-29-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2596-140-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2596-139-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2684-141-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2684-142-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2712-131-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2712-129-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2732-136-0x0000000004640000-0x00000000046FA000-memory.dmp

Filesize
744KB

Download
memory/2732-138-0x0000000004640000-0x00000000046FA000-memory.dmp

Filesize
744KB

Download
memory/2732-137-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2732-135-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2812-146-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2812-145-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2832-46-0x0000000003160000-0x000000000321A000-memory.dmp

Filesize
744KB

Download
memory/2832-41-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2832-44-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2872-127-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2872-128-0x0000000002FD0000-0x000000000308A000-memory.dmp

Filesize
744KB

Download
memory/2872-125-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2944-0-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2944-14-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2944-12-0x0000000002FF0000-0x00000000030AA000-memory.dmp

Filesize
744KB

Download
memory/2944-2-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2944-1-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/3052-124-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3052-123-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download