Analysis
- max time kernel: 149s
- max time network: 51s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-06-2024 04:26
Static task: static1
Behavioral task: behavioral1
- Sample: 02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe
- Size: 329KB
- MD5: 02cb022f503bbef3b833f920dd8fb6c2
- SHA1: 170a1e8bd5505cdd9f4a4f47459af755ddf5de87
- SHA256: 3469692e0429097f567c960b9805a205c2b232fedb42fd47c2b0cc3a4f0eb00f
- SHA512: 88819fa7ce289de87255d50706fdcbb45d29c296f8590b2ebd244990c7f768de730f8d3af4c1db5d8eca16f8fc0e05a37c62086625f13a3109828eba5faca0f5
- SSDEEP: 6144:YRxVstLI005DXHkS5ziFiSw23emcscfL1K/9jumJOh+ulgxHamaZUyRQMJGQgtgw:YRotLIDXEezipjo5K/NZkhpls6CyJG3d
Malware Config
Extracted
metasploit
encoder/call4_dword_xor
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Checks computer location settings 2 TTPs 43 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
Processes:
pid 2872: igfxsvr86.exe
-
Executes dropped EXE 43 IoCs
-
Maps connected drives based on registry 3 TTPs 64 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 64 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 44 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 43 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02cb022f503bbef3b833f920dd8fb6c2_JaffaCakes118.exe" 1⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Users\Admin\AppData\Local\Temp\02CB02~1.EXE 2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 3⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 4⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 5⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 6⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 7⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 8⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 9⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 10⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 11⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 12⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 13⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 14⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 15⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 16⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 17⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 18⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 19⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 20⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 21⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 22⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 23⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 24⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 25⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 26⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 27⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 28⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 29⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 30⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 31⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 32⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 33⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 34⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 35⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 36⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 37⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 38⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 39⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 40⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 41⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 42⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 43⤵
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\igfxsvr86.exe
"C:\Windows\system32\igfxsvr86.exe" C:\Windows\SysWOW64\IGFXSV~1.EXE 44⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Windows\SysWOW64\igfxsvr86.exe
Filesize
329KB
MD5
02cb022f503bbef3b833f920dd8fb6c2
SHA1
170a1e8bd5505cdd9f4a4f47459af755ddf5de87
SHA256
3469692e0429097f567c960b9805a205c2b232fedb42fd47c2b0cc3a4f0eb00f
SHA512
88819fa7ce289de87255d50706fdcbb45d29c296f8590b2ebd244990c7f768de730f8d3af4c1db5d8eca16f8fc0e05a37c62086625f13a3109828eba5faca0f5
-
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e