metasploit | 2115f6f9e274b823456ef662cc6b511952596e82c908738da0e2dca57d8550b0

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc40396ba7a60db040dc0cc8a5f50b62_JaffaCakes118.exe
Size

296KB
MD5

dc40396ba7a60db040dc0cc8a5f50b62
SHA1

4aa7f692e7b19338932785e403bb1a798552f2fa
SHA256

2115f6f9e274b823456ef662cc6b511952596e82c908738da0e2dca57d8550b0
SHA512

5c8bcd36508fb95b0e048c3ebdf196a33fd30307b207dbd965dc6fddfe1568df9114172cffe637605c7cab42b58fcb713091c7f7e923dde3a1aaf4d3b4c9f28b
SSDEEP

3072:j7g00jC8lIT5EDwVLRfbAfmQWJg+1R5xUxb3P0QgcsHkxw/////////////////5:Y00jC8lIKyLt8WCtx7M3cYk

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Deletes itself 1 IoCs

pid	Process
2836	igfxdvb32.exe

Executes dropped EXE 64 IoCs

pid	Process
2324	igfxdvb32.exe
2836	igfxdvb32.exe
1888	igfxdvb32.exe
2648	igfxdvb32.exe
2868	igfxdvb32.exe
1244	igfxdvb32.exe
2984	igfxdvb32.exe
2932	igfxdvb32.exe
3028	igfxdvb32.exe
2668	igfxdvb32.exe
2304	igfxdvb32.exe
1096	igfxdvb32.exe
1916	igfxdvb32.exe
1528	igfxdvb32.exe
952	igfxdvb32.exe
2516	igfxdvb32.exe
2216	igfxdvb32.exe
1688	igfxdvb32.exe
1564	igfxdvb32.exe
1404	igfxdvb32.exe
2772	igfxdvb32.exe
3068	igfxdvb32.exe
2684	igfxdvb32.exe
2692	igfxdvb32.exe
1788	igfxdvb32.exe
2696	igfxdvb32.exe
2988	igfxdvb32.exe
2120	igfxdvb32.exe
1532	igfxdvb32.exe
2100	igfxdvb32.exe
1628	igfxdvb32.exe
1712	igfxdvb32.exe
1408	igfxdvb32.exe
1872	igfxdvb32.exe
1916	igfxdvb32.exe
2264	igfxdvb32.exe
2196	igfxdvb32.exe
2508	igfxdvb32.exe
2188	igfxdvb32.exe
1908	igfxdvb32.exe
2920	igfxdvb32.exe
1732	igfxdvb32.exe
1160	igfxdvb32.exe
2852	igfxdvb32.exe
2652	igfxdvb32.exe
2764	igfxdvb32.exe
992	igfxdvb32.exe
1044	igfxdvb32.exe
2968	igfxdvb32.exe
2936	igfxdvb32.exe
1100	igfxdvb32.exe
372	igfxdvb32.exe
836	igfxdvb32.exe
2724	igfxdvb32.exe
2496	igfxdvb32.exe
236	igfxdvb32.exe
1696	igfxdvb32.exe
1708	igfxdvb32.exe
2492	igfxdvb32.exe
2368	igfxdvb32.exe
2332	igfxdvb32.exe
3052	igfxdvb32.exe
2388	igfxdvb32.exe
1600	igfxdvb32.exe

Loads dropped DLL 64 IoCs

pid	Process
2712	dc40396ba7a60db040dc0cc8a5f50b62_JaffaCakes118.exe
2712	dc40396ba7a60db040dc0cc8a5f50b62_JaffaCakes118.exe
2324	igfxdvb32.exe
2836	igfxdvb32.exe
2836	igfxdvb32.exe
2648	igfxdvb32.exe
2648	igfxdvb32.exe
1244	igfxdvb32.exe
1244	igfxdvb32.exe
2932	igfxdvb32.exe
2932	igfxdvb32.exe
2668	igfxdvb32.exe
2668	igfxdvb32.exe
1096	igfxdvb32.exe
1096	igfxdvb32.exe
1528	igfxdvb32.exe
1528	igfxdvb32.exe
2516	igfxdvb32.exe
2516	igfxdvb32.exe
1688	igfxdvb32.exe
1688	igfxdvb32.exe
1404	igfxdvb32.exe
1404	igfxdvb32.exe
3068	igfxdvb32.exe
3068	igfxdvb32.exe
2692	igfxdvb32.exe
2692	igfxdvb32.exe
2696	igfxdvb32.exe
2696	igfxdvb32.exe
2120	igfxdvb32.exe
2120	igfxdvb32.exe
2100	igfxdvb32.exe
2100	igfxdvb32.exe
1712	igfxdvb32.exe
1712	igfxdvb32.exe
1872	igfxdvb32.exe
1872	igfxdvb32.exe
2264	igfxdvb32.exe
2264	igfxdvb32.exe
2508	igfxdvb32.exe
2508	igfxdvb32.exe
1908	igfxdvb32.exe
1908	igfxdvb32.exe
1732	igfxdvb32.exe
1732	igfxdvb32.exe
2852	igfxdvb32.exe
2852	igfxdvb32.exe
2764	igfxdvb32.exe
2764	igfxdvb32.exe
1044	igfxdvb32.exe
1044	igfxdvb32.exe
2936	igfxdvb32.exe
2936	igfxdvb32.exe
372	igfxdvb32.exe
372	igfxdvb32.exe
2724	igfxdvb32.exe
2724	igfxdvb32.exe
236	igfxdvb32.exe
236	igfxdvb32.exe
1708	igfxdvb32.exe
1708	igfxdvb32.exe
2368	igfxdvb32.exe
2368	igfxdvb32.exe
3052	igfxdvb32.exe

UPX packed file 62 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2712-7-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2712-17-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2712-16-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2712-15-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2712-14-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2712-10-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2712-5-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2712-12-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2712-30-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2836-44-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2836-43-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2836-46-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2836-45-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2836-55-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2648-64-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2648-66-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2648-68-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2648-67-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2648-75-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/1244-89-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/1244-88-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/1244-87-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/1244-86-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2932-110-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2932-112-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2932-109-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2932-108-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/1244-99-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2932-120-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2668-129-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2668-143-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/1096-154-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/1096-165-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/1528-185-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2516-196-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/1688-220-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2516-206-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/1688-230-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/1404-241-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/1404-247-0x0000000003130000-0x000000000317A000-memory.dmp	upx
behavioral1/memory/1404-251-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/3068-264-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/3068-273-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2692-297-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2696-305-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2120-329-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2696-318-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2120-337-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2100-345-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2100-355-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/1712-365-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/1712-369-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/1872-386-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2264-397-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2264-402-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2508-414-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2508-421-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/1908-431-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/1908-434-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/1732-445-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/1732-453-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/1732-448-0x0000000003130000-0x000000000317A000-memory.dmp	upx

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdvb32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdvb32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdvb32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdvb32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdvb32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdvb32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdvb32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdvb32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdvb32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdvb32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdvb32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdvb32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	dc40396ba7a60db040dc0cc8a5f50b62_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdvb32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	dc40396ba7a60db040dc0cc8a5f50b62_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdvb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File created	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File created	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File created	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File created	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdvb32.exe
File created	C:\Windows\SysWOW64\igfxdvb32.exe	dc40396ba7a60db040dc0cc8a5f50b62_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File created	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File created	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File created	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File created	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdvb32.exe
File created	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File created	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File created	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File created	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File created	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File created	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File created	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdvb32.exe
File created	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdvb32.exe
File created	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File created	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File created	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File created	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File created	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File created	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdvb32.exe
File created	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File created	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdvb32.exe
File created	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdvb32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdvb32.exe	igfxdvb32.exe

Suspicious use of SetThreadContext 61 IoCs

description	pid	Process	procid_target
PID 3048 set thread context of 2712	3048	dc40396ba7a60db040dc0cc8a5f50b62_JaffaCakes118.exe	30
PID 2324 set thread context of 2836	2324	igfxdvb32.exe	32
PID 1888 set thread context of 2648	1888	igfxdvb32.exe	34
PID 2868 set thread context of 1244	2868	igfxdvb32.exe	37
PID 2984 set thread context of 2932	2984	igfxdvb32.exe	39
PID 3028 set thread context of 2668	3028	igfxdvb32.exe	41
PID 2304 set thread context of 1096	2304	igfxdvb32.exe	43
PID 1916 set thread context of 1528	1916	igfxdvb32.exe	45
PID 952 set thread context of 2516	952	igfxdvb32.exe	47
PID 2216 set thread context of 1688	2216	igfxdvb32.exe	49
PID 1564 set thread context of 1404	1564	igfxdvb32.exe	51
PID 2772 set thread context of 3068	2772	igfxdvb32.exe	53
PID 2684 set thread context of 2692	2684	igfxdvb32.exe	55
PID 1788 set thread context of 2696	1788	igfxdvb32.exe	57
PID 2988 set thread context of 2120	2988	igfxdvb32.exe	59
PID 1532 set thread context of 2100	1532	igfxdvb32.exe	61
PID 1628 set thread context of 1712	1628	igfxdvb32.exe	63
PID 1408 set thread context of 1872	1408	igfxdvb32.exe	65
PID 1916 set thread context of 2264	1916	igfxdvb32.exe	67
PID 2196 set thread context of 2508	2196	igfxdvb32.exe	69
PID 2188 set thread context of 1908	2188	igfxdvb32.exe	71
PID 2920 set thread context of 1732	2920	igfxdvb32.exe	73
PID 1160 set thread context of 2852	1160	igfxdvb32.exe	75
PID 2652 set thread context of 2764	2652	igfxdvb32.exe	77
PID 992 set thread context of 1044	992	igfxdvb32.exe	79
PID 2968 set thread context of 2936	2968	igfxdvb32.exe	81
PID 1100 set thread context of 372	1100	igfxdvb32.exe	83
PID 836 set thread context of 2724	836	igfxdvb32.exe	85
PID 2496 set thread context of 236	2496	igfxdvb32.exe	87
PID 1696 set thread context of 1708	1696	igfxdvb32.exe	89
PID 2492 set thread context of 2368	2492	igfxdvb32.exe	91
PID 2332 set thread context of 3052	2332	igfxdvb32.exe	93
PID 2388 set thread context of 1600	2388	igfxdvb32.exe	95
PID 2548 set thread context of 3060	2548	igfxdvb32.exe	97
PID 2844 set thread context of 2640	2844	igfxdvb32.exe	99
PID 2660 set thread context of 2896	2660	igfxdvb32.exe	101
PID 2716 set thread context of 2372	2716	igfxdvb32.exe	103
PID 2804 set thread context of 2140	2804	igfxdvb32.exe	105
PID 2320 set thread context of 1960	2320	igfxdvb32.exe	107
PID 1112 set thread context of 304	1112	igfxdvb32.exe	109
PID 1356 set thread context of 1644	1356	igfxdvb32.exe	111
PID 2412 set thread context of 2464	2412	igfxdvb32.exe	113
PID 2196 set thread context of 2420	2196	igfxdvb32.exe	115
PID 2560 set thread context of 1744	2560	igfxdvb32.exe	117
PID 2768 set thread context of 1952	2768	igfxdvb32.exe	119
PID 2628 set thread context of 2672	2628	igfxdvb32.exe	121
PID 2016 set thread context of 1008	2016	igfxdvb32.exe	123
PID 2868 set thread context of 2688	2868	igfxdvb32.exe	125
PID 2988 set thread context of 2344	2988	igfxdvb32.exe	127
PID 2996 set thread context of 2392	2996	igfxdvb32.exe	129
PID 2380 set thread context of 2032	2380	igfxdvb32.exe	131
PID 1888 set thread context of 2096	1888	igfxdvb32.exe	133
PID 1408 set thread context of 1696	1408	igfxdvb32.exe	135
PID 2412 set thread context of 896	2412	igfxdvb32.exe	137
PID 2068 set thread context of 2540	2068	igfxdvb32.exe	139
PID 3044 set thread context of 2840	3044	igfxdvb32.exe	141
PID 2772 set thread context of 2756	2772	igfxdvb32.exe	143
PID 1812 set thread context of 3012	1812	igfxdvb32.exe	145
PID 2296 set thread context of 1580	2296	igfxdvb32.exe	147
PID 2504 set thread context of 2168	2504	igfxdvb32.exe	149
PID 1276 set thread context of 2200	1276	igfxdvb32.exe	151

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc40396ba7a60db040dc0cc8a5f50b62_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc40396ba7a60db040dc0cc8a5f50b62_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdvb32.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

pid	Process
2712	dc40396ba7a60db040dc0cc8a5f50b62_JaffaCakes118.exe
2836	igfxdvb32.exe
2648	igfxdvb32.exe
1244	igfxdvb32.exe
2932	igfxdvb32.exe
2668	igfxdvb32.exe
1096	igfxdvb32.exe
1528	igfxdvb32.exe
2516	igfxdvb32.exe
1688	igfxdvb32.exe
1404	igfxdvb32.exe
3068	igfxdvb32.exe
2692	igfxdvb32.exe
2696	igfxdvb32.exe
2120	igfxdvb32.exe
2100	igfxdvb32.exe
1712	igfxdvb32.exe
1872	igfxdvb32.exe
2264	igfxdvb32.exe
2508	igfxdvb32.exe
1908	igfxdvb32.exe
1732	igfxdvb32.exe
2852	igfxdvb32.exe
2764	igfxdvb32.exe
1044	igfxdvb32.exe
2936	igfxdvb32.exe
372	igfxdvb32.exe
2724	igfxdvb32.exe
236	igfxdvb32.exe
1708	igfxdvb32.exe
2368	igfxdvb32.exe
3052	igfxdvb32.exe
1600	igfxdvb32.exe
3060	igfxdvb32.exe
2640	igfxdvb32.exe
2896	igfxdvb32.exe
2372	igfxdvb32.exe
2140	igfxdvb32.exe
1960	igfxdvb32.exe
304	igfxdvb32.exe
1644	igfxdvb32.exe
2464	igfxdvb32.exe
2420	igfxdvb32.exe
1744	igfxdvb32.exe
1952	igfxdvb32.exe
2672	igfxdvb32.exe
1008	igfxdvb32.exe
2688	igfxdvb32.exe
2344	igfxdvb32.exe
2392	igfxdvb32.exe
2032	igfxdvb32.exe
2096	igfxdvb32.exe
1696	igfxdvb32.exe
896	igfxdvb32.exe
2540	igfxdvb32.exe
2840	igfxdvb32.exe
2756	igfxdvb32.exe
3012	igfxdvb32.exe
1580	igfxdvb32.exe
2168	igfxdvb32.exe
2200	igfxdvb32.exe

Suspicious use of SetWindowsHookEx 61 IoCs

pid	Process
3048	dc40396ba7a60db040dc0cc8a5f50b62_JaffaCakes118.exe
2324	igfxdvb32.exe
1888	igfxdvb32.exe
2868	igfxdvb32.exe
2984	igfxdvb32.exe
3028	igfxdvb32.exe
2304	igfxdvb32.exe
1916	igfxdvb32.exe
952	igfxdvb32.exe
2216	igfxdvb32.exe
1564	igfxdvb32.exe
2772	igfxdvb32.exe
2684	igfxdvb32.exe
1788	igfxdvb32.exe
2988	igfxdvb32.exe
1532	igfxdvb32.exe
1628	igfxdvb32.exe
1408	igfxdvb32.exe
1916	igfxdvb32.exe
2196	igfxdvb32.exe
2188	igfxdvb32.exe
2920	igfxdvb32.exe
1160	igfxdvb32.exe
2652	igfxdvb32.exe
992	igfxdvb32.exe
2968	igfxdvb32.exe
1100	igfxdvb32.exe
836	igfxdvb32.exe
2496	igfxdvb32.exe
1696	igfxdvb32.exe
2492	igfxdvb32.exe
2332	igfxdvb32.exe
2388	igfxdvb32.exe
2548	igfxdvb32.exe
2844	igfxdvb32.exe
2660	igfxdvb32.exe
2716	igfxdvb32.exe
2804	igfxdvb32.exe
2320	igfxdvb32.exe
1112	igfxdvb32.exe
1356	igfxdvb32.exe
2412	igfxdvb32.exe
2196	igfxdvb32.exe
2560	igfxdvb32.exe
2768	igfxdvb32.exe
2628	igfxdvb32.exe
2016	igfxdvb32.exe
2868	igfxdvb32.exe
2988	igfxdvb32.exe
2996	igfxdvb32.exe
2380	igfxdvb32.exe
1888	igfxdvb32.exe
1408	igfxdvb32.exe
2412	igfxdvb32.exe
2068	igfxdvb32.exe
3044	igfxdvb32.exe
2772	igfxdvb32.exe
1812	igfxdvb32.exe
2296	igfxdvb32.exe
2504	igfxdvb32.exe
1276	igfxdvb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2712	3048	dc40396ba7a60db040dc0cc8a5f50b62_JaffaCakes118.exe	30
PID 3048 wrote to memory of 2712	3048	dc40396ba7a60db040dc0cc8a5f50b62_JaffaCakes118.exe	30
PID 3048 wrote to memory of 2712	3048	dc40396ba7a60db040dc0cc8a5f50b62_JaffaCakes118.exe	30
PID 3048 wrote to memory of 2712	3048	dc40396ba7a60db040dc0cc8a5f50b62_JaffaCakes118.exe	30
PID 3048 wrote to memory of 2712	3048	dc40396ba7a60db040dc0cc8a5f50b62_JaffaCakes118.exe	30
PID 3048 wrote to memory of 2712	3048	dc40396ba7a60db040dc0cc8a5f50b62_JaffaCakes118.exe	30
PID 3048 wrote to memory of 2712	3048	dc40396ba7a60db040dc0cc8a5f50b62_JaffaCakes118.exe	30
PID 3048 wrote to memory of 2712	3048	dc40396ba7a60db040dc0cc8a5f50b62_JaffaCakes118.exe	30
PID 2712 wrote to memory of 2324	2712	dc40396ba7a60db040dc0cc8a5f50b62_JaffaCakes118.exe	31
PID 2712 wrote to memory of 2324	2712	dc40396ba7a60db040dc0cc8a5f50b62_JaffaCakes118.exe	31
PID 2712 wrote to memory of 2324	2712	dc40396ba7a60db040dc0cc8a5f50b62_JaffaCakes118.exe	31
PID 2712 wrote to memory of 2324	2712	dc40396ba7a60db040dc0cc8a5f50b62_JaffaCakes118.exe	31
PID 2324 wrote to memory of 2836	2324	igfxdvb32.exe	32
PID 2324 wrote to memory of 2836	2324	igfxdvb32.exe	32
PID 2324 wrote to memory of 2836	2324	igfxdvb32.exe	32
PID 2324 wrote to memory of 2836	2324	igfxdvb32.exe	32
PID 2324 wrote to memory of 2836	2324	igfxdvb32.exe	32
PID 2324 wrote to memory of 2836	2324	igfxdvb32.exe	32
PID 2324 wrote to memory of 2836	2324	igfxdvb32.exe	32
PID 2324 wrote to memory of 2836	2324	igfxdvb32.exe	32
PID 2836 wrote to memory of 1888	2836	igfxdvb32.exe	33
PID 2836 wrote to memory of 1888	2836	igfxdvb32.exe	33
PID 2836 wrote to memory of 1888	2836	igfxdvb32.exe	33
PID 2836 wrote to memory of 1888	2836	igfxdvb32.exe	33
PID 1888 wrote to memory of 2648	1888	igfxdvb32.exe	34
PID 1888 wrote to memory of 2648	1888	igfxdvb32.exe	34
PID 1888 wrote to memory of 2648	1888	igfxdvb32.exe	34
PID 1888 wrote to memory of 2648	1888	igfxdvb32.exe	34
PID 1888 wrote to memory of 2648	1888	igfxdvb32.exe	34
PID 1888 wrote to memory of 2648	1888	igfxdvb32.exe	34
PID 1888 wrote to memory of 2648	1888	igfxdvb32.exe	34
PID 1888 wrote to memory of 2648	1888	igfxdvb32.exe	34
PID 2648 wrote to memory of 2868	2648	igfxdvb32.exe	36
PID 2648 wrote to memory of 2868	2648	igfxdvb32.exe	36
PID 2648 wrote to memory of 2868	2648	igfxdvb32.exe	36
PID 2648 wrote to memory of 2868	2648	igfxdvb32.exe	36
PID 2868 wrote to memory of 1244	2868	igfxdvb32.exe	37
PID 2868 wrote to memory of 1244	2868	igfxdvb32.exe	37
PID 2868 wrote to memory of 1244	2868	igfxdvb32.exe	37
PID 2868 wrote to memory of 1244	2868	igfxdvb32.exe	37
PID 2868 wrote to memory of 1244	2868	igfxdvb32.exe	37
PID 2868 wrote to memory of 1244	2868	igfxdvb32.exe	37
PID 2868 wrote to memory of 1244	2868	igfxdvb32.exe	37
PID 2868 wrote to memory of 1244	2868	igfxdvb32.exe	37
PID 1244 wrote to memory of 2984	1244	igfxdvb32.exe	38
PID 1244 wrote to memory of 2984	1244	igfxdvb32.exe	38
PID 1244 wrote to memory of 2984	1244	igfxdvb32.exe	38
PID 1244 wrote to memory of 2984	1244	igfxdvb32.exe	38
PID 2984 wrote to memory of 2932	2984	igfxdvb32.exe	39
PID 2984 wrote to memory of 2932	2984	igfxdvb32.exe	39
PID 2984 wrote to memory of 2932	2984	igfxdvb32.exe	39
PID 2984 wrote to memory of 2932	2984	igfxdvb32.exe	39
PID 2984 wrote to memory of 2932	2984	igfxdvb32.exe	39
PID 2984 wrote to memory of 2932	2984	igfxdvb32.exe	39
PID 2984 wrote to memory of 2932	2984	igfxdvb32.exe	39
PID 2984 wrote to memory of 2932	2984	igfxdvb32.exe	39
PID 2932 wrote to memory of 3028	2932	igfxdvb32.exe	40
PID 2932 wrote to memory of 3028	2932	igfxdvb32.exe	40
PID 2932 wrote to memory of 3028	2932	igfxdvb32.exe	40
PID 2932 wrote to memory of 3028	2932	igfxdvb32.exe	40
PID 3028 wrote to memory of 2668	3028	igfxdvb32.exe	41
PID 3028 wrote to memory of 2668	3028	igfxdvb32.exe	41
PID 3028 wrote to memory of 2668	3028	igfxdvb32.exe	41
PID 3028 wrote to memory of 2668	3028	igfxdvb32.exe	41

C:\Users\Admin\AppData\Local\Temp\dc40396ba7a60db040dc0cc8a5f50b62_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc40396ba7a60db040dc0cc8a5f50b62_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Local\Temp\dc40396ba7a60db040dc0cc8a5f50b62_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\dc40396ba7a60db040dc0cc8a5f50b62_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\igfxdvb32.exe
    "C:\Windows\system32\igfxdvb32.exe" C:\Users\Admin\AppData\Local\Temp\DC4039~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Windows\SysWOW64\igfxdvb32.exe
      "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Users\Admin\AppData\Local\Temp\DC4039~1.EXE
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Maps connected drives based on registry
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1888
      - C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2668
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2304
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1096
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1528
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:952
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2516
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2216
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1688
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1564
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1404
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2772
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3068
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2692
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1788
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2696
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2120
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2100
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1712
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1408
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1872
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2264
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2196
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2508
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2188
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1908
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2920
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1732
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1160
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2852
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2652
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        48⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2764
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:992
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1044
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2968
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        52⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2936
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1100
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        54⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:372
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:836
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        56⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2724
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2496
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        58⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:236
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1696
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        60⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1708
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2492
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        62⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2368
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2332
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        64⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3052
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2388
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        66⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1600
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        67⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2548
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        68⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3060
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        69⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2844
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        70⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2640
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        71⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2660
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        72⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2896
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        73⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2716
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        74⤵
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2372
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        75⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2804
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        76⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2140
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        77⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2320
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        78⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1960
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        79⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1112
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        80⤵
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:304
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        81⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1356
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        82⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1644
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        83⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2412
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        84⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2464
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        85⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2196
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        86⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2420
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        87⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2560
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        88⤵
        Maps connected drives based on registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1744
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        89⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2768
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        90⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1952
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        91⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2628
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        92⤵
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2672
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        93⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2016
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        94⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1008
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        95⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2868
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        96⤵
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2688
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        97⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        98⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2344
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        99⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2996
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        100⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2392
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        101⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2380
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2032
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        103⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1888
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        104⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2096
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        105⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1408
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        106⤵
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1696
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        107⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2412
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        108⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:896
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        109⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2068
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        110⤵
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2540
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        111⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3044
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        112⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2840
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        113⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2772
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        114⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2756
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        115⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1812
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        116⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3012
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        117⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2296
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        118⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1580
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        119⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2504
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        120⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2168
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\system32\igfxdvb32.exe" C:\Windows\SysWOW64\IGFXDV~1.EXE
        121⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1276
        
        C:\Windows\SysWOW64\igfxdvb32.exe
        
        "C:\Windows\SysWOW64\igfxdvb32.exe " C:\Windows\SysWOW64\IGFXDV~1.EXE
        122⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\igfxdvb32.exe

Filesize
296KB

MD5
dc40396ba7a60db040dc0cc8a5f50b62

SHA1
4aa7f692e7b19338932785e403bb1a798552f2fa

SHA256
2115f6f9e274b823456ef662cc6b511952596e82c908738da0e2dca57d8550b0

SHA512
5c8bcd36508fb95b0e048c3ebdf196a33fd30307b207dbd965dc6fddfe1568df9114172cffe637605c7cab42b58fcb713091c7f7e923dde3a1aaf4d3b4c9f28b

Download Submit
memory/952-197-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1096-160-0x0000000003710000-0x000000000375A000-memory.dmp

Filesize
296KB

Download
memory/1096-154-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1096-165-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1096-159-0x0000000003710000-0x000000000375A000-memory.dmp

Filesize
296KB

Download
memory/1160-454-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1244-87-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1244-89-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1244-88-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1244-94-0x00000000030E0000-0x000000000312A000-memory.dmp

Filesize
296KB

Download
memory/1244-95-0x00000000030E0000-0x000000000312A000-memory.dmp

Filesize
296KB

Download
memory/1244-99-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1244-86-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1404-241-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1404-246-0x0000000003130000-0x000000000317A000-memory.dmp

Filesize
296KB

Download
memory/1404-251-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1404-247-0x0000000003130000-0x000000000317A000-memory.dmp

Filesize
296KB

Download
memory/1528-185-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1528-179-0x0000000003340000-0x000000000338A000-memory.dmp

Filesize
296KB

Download
memory/1528-180-0x0000000003340000-0x000000000338A000-memory.dmp

Filesize
296KB

Download
memory/1532-348-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1532-334-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1564-242-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1628-366-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1688-224-0x0000000002FC0000-0x000000000300A000-memory.dmp

Filesize
296KB

Download
memory/1688-225-0x0000000002FC0000-0x000000000300A000-memory.dmp

Filesize
296KB

Download
memory/1688-230-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1688-220-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1712-369-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1712-365-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1732-448-0x0000000003130000-0x000000000317A000-memory.dmp

Filesize
296KB

Download
memory/1732-453-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1732-445-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1872-381-0x0000000003200000-0x000000000324A000-memory.dmp

Filesize
296KB

Download
memory/1872-386-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1872-382-0x0000000003200000-0x000000000324A000-memory.dmp

Filesize
296KB

Download
memory/1888-65-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1888-56-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1908-431-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1908-434-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1908-435-0x0000000003080000-0x00000000030CA000-memory.dmp

Filesize
296KB

Download
memory/1908-464-0x0000000003080000-0x00000000030CA000-memory.dmp

Filesize
296KB

Download
memory/2100-355-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2100-349-0x0000000003060000-0x00000000030AA000-memory.dmp

Filesize
296KB

Download
memory/2100-350-0x0000000003060000-0x00000000030AA000-memory.dmp

Filesize
296KB

Download
memory/2100-345-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2120-329-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2120-332-0x00000000031E0000-0x000000000322A000-memory.dmp

Filesize
296KB

Download
memory/2120-333-0x00000000031E0000-0x000000000322A000-memory.dmp

Filesize
296KB

Download
memory/2120-337-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2196-415-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2216-219-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2264-398-0x0000000002F80000-0x0000000002FCA000-memory.dmp

Filesize
296KB

Download
memory/2264-397-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2264-399-0x0000000002F80000-0x0000000002FCA000-memory.dmp

Filesize
296KB

Download
memory/2264-402-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2324-41-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2508-421-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2508-416-0x00000000031D0000-0x000000000321A000-memory.dmp

Filesize
296KB

Download
memory/2508-414-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2516-196-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2516-206-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2516-203-0x0000000003130000-0x000000000317A000-memory.dmp

Filesize
296KB

Download
memory/2516-202-0x0000000003130000-0x000000000317A000-memory.dmp

Filesize
296KB

Download
memory/2648-66-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2648-68-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2648-75-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2648-67-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2648-64-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2648-74-0x0000000003310000-0x000000000335A000-memory.dmp

Filesize
296KB

Download
memory/2668-129-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2668-137-0x0000000003030000-0x000000000307A000-memory.dmp

Filesize
296KB

Download
memory/2668-143-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2668-138-0x0000000003030000-0x000000000307A000-memory.dmp

Filesize
296KB

Download
memory/2684-286-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2692-297-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2692-292-0x0000000004930000-0x000000000497A000-memory.dmp

Filesize
296KB

Download
memory/2692-291-0x0000000004930000-0x000000000497A000-memory.dmp

Filesize
296KB

Download
memory/2696-312-0x0000000003170000-0x00000000031BA000-memory.dmp

Filesize
296KB

Download
memory/2696-318-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2696-314-0x0000000003170000-0x00000000031BA000-memory.dmp

Filesize
296KB

Download
memory/2696-305-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2712-16-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2712-7-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2712-3-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2712-17-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2712-15-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2712-10-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2712-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2712-14-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2712-5-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2712-12-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2712-28-0x0000000003140000-0x000000000318A000-memory.dmp

Filesize
296KB

Download
memory/2712-30-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2772-265-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2836-50-0x0000000003210000-0x000000000325A000-memory.dmp

Filesize
296KB

Download
memory/2836-44-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2836-43-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2836-46-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2836-45-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2836-55-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2852-465-0x00000000031C0000-0x000000000320A000-memory.dmp

Filesize
296KB

Download
memory/2868-90-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2932-120-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2932-109-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2932-112-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2932-108-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2932-110-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2984-111-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2988-328-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3028-132-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3048-13-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3048-0-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3068-264-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3068-269-0x0000000003560000-0x00000000035AA000-memory.dmp

Filesize
296KB

Download
memory/3068-273-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3068-268-0x0000000003560000-0x00000000035AA000-memory.dmp

Filesize
296KB

Download