metasploit | 1f4b3f0512bea37cab96565fe336363c7d0f10261510aca157cddfb1684bc566

Analysis

max time kernel
149s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe
Size

193KB
MD5

f34361ec2b5f66bdc4569591a444d556
SHA1

66fe2e16bba3e729a02e657df7a70884de61e410
SHA256

1f4b3f0512bea37cab96565fe336363c7d0f10261510aca157cddfb1684bc566
SHA512

ad4e0067d94d241c3d3f97af1b3c09ed3e2f6a408c9a017a2a2dd947145f48da552235700b9db710799d5148c9e68fb2eb95abbb201f743826b7151116da7d38
SSDEEP

6144:Jy77SwIUtvbXC7ONW2EjFbnWViSNjjDA5:M7SdU4i6ZWRNj45

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Checks computer location settings 2 TTPs 41 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	CtDrvDxh.exe

Deletes itself 1 IoCs

pid	Process
1844	CtDrvDxh.exe

Executes dropped EXE 64 IoCs

pid	Process
3472	CtDrvDxh.exe
1844	CtDrvDxh.exe
452	CtDrvDxh.exe
2260	CtDrvDxh.exe
4344	CtDrvDxh.exe
2196	CtDrvDxh.exe
5028	CtDrvDxh.exe
3256	CtDrvDxh.exe
4440	CtDrvDxh.exe
1936	CtDrvDxh.exe
1584	CtDrvDxh.exe
2660	CtDrvDxh.exe
2376	CtDrvDxh.exe
1332	CtDrvDxh.exe
4540	CtDrvDxh.exe
3936	CtDrvDxh.exe
4844	CtDrvDxh.exe
2620	CtDrvDxh.exe
2284	CtDrvDxh.exe
4636	CtDrvDxh.exe
3232	CtDrvDxh.exe
2056	CtDrvDxh.exe
4000	CtDrvDxh.exe
3084	CtDrvDxh.exe
4308	CtDrvDxh.exe
3020	CtDrvDxh.exe
1692	CtDrvDxh.exe
4596	CtDrvDxh.exe
620	CtDrvDxh.exe
2904	CtDrvDxh.exe
388	CtDrvDxh.exe
4440	CtDrvDxh.exe
3564	CtDrvDxh.exe
1420	CtDrvDxh.exe
5088	CtDrvDxh.exe
4312	CtDrvDxh.exe
1556	CtDrvDxh.exe
4540	CtDrvDxh.exe
968	CtDrvDxh.exe
4840	CtDrvDxh.exe
2108	CtDrvDxh.exe
224	CtDrvDxh.exe
2836	CtDrvDxh.exe
1240	CtDrvDxh.exe
940	CtDrvDxh.exe
1660	CtDrvDxh.exe
4332	CtDrvDxh.exe
4512	CtDrvDxh.exe
4436	CtDrvDxh.exe
4468	CtDrvDxh.exe
4088	CtDrvDxh.exe
1912	CtDrvDxh.exe
4264	CtDrvDxh.exe
2912	CtDrvDxh.exe
3712	CtDrvDxh.exe
1000	CtDrvDxh.exe
4552	CtDrvDxh.exe
3516	CtDrvDxh.exe
3052	CtDrvDxh.exe
2096	CtDrvDxh.exe
1336	CtDrvDxh.exe
460	CtDrvDxh.exe
3352	CtDrvDxh.exe
968	CtDrvDxh.exe

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe

Suspicious use of SetThreadContext 42 IoCs

description	pid	Process	procid_target
PID 4300 set thread context of 1564	4300	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe	82
PID 3472 set thread context of 1844	3472	CtDrvDxh.exe	86
PID 452 set thread context of 2260	452	CtDrvDxh.exe	91
PID 4344 set thread context of 2196	4344	CtDrvDxh.exe	95
PID 5028 set thread context of 3256	5028	CtDrvDxh.exe	97
PID 4440 set thread context of 1936	4440	CtDrvDxh.exe	99
PID 1584 set thread context of 2660	1584	CtDrvDxh.exe	101
PID 2376 set thread context of 1332	2376	CtDrvDxh.exe	103
PID 4540 set thread context of 3936	4540	CtDrvDxh.exe	105
PID 4844 set thread context of 2620	4844	CtDrvDxh.exe	108
PID 2284 set thread context of 4636	2284	CtDrvDxh.exe	111
PID 3232 set thread context of 2056	3232	CtDrvDxh.exe	113
PID 4000 set thread context of 3084	4000	CtDrvDxh.exe	115
PID 4308 set thread context of 3020	4308	CtDrvDxh.exe	117
PID 1692 set thread context of 4596	1692	CtDrvDxh.exe	119
PID 620 set thread context of 2904	620	CtDrvDxh.exe	121
PID 388 set thread context of 4440	388	CtDrvDxh.exe	123
PID 3564 set thread context of 1420	3564	CtDrvDxh.exe	125
PID 5088 set thread context of 4312	5088	CtDrvDxh.exe	127
PID 1556 set thread context of 4540	1556	CtDrvDxh.exe	129
PID 968 set thread context of 4840	968	CtDrvDxh.exe	131
PID 2108 set thread context of 224	2108	CtDrvDxh.exe	133
PID 2836 set thread context of 1240	2836	CtDrvDxh.exe	135
PID 940 set thread context of 1660	940	CtDrvDxh.exe	137
PID 4332 set thread context of 4512	4332	CtDrvDxh.exe	139
PID 4436 set thread context of 4468	4436	CtDrvDxh.exe	141
PID 4088 set thread context of 1912	4088	CtDrvDxh.exe	143
PID 4264 set thread context of 2912	4264	CtDrvDxh.exe	145
PID 3712 set thread context of 1000	3712	CtDrvDxh.exe	147
PID 4552 set thread context of 3516	4552	CtDrvDxh.exe	149
PID 3052 set thread context of 2096	3052	CtDrvDxh.exe	151
PID 1336 set thread context of 460	1336	CtDrvDxh.exe	153
PID 3352 set thread context of 968	3352	CtDrvDxh.exe	155
PID 3992 set thread context of 1868	3992	CtDrvDxh.exe	157
PID 3980 set thread context of 4884	3980	CtDrvDxh.exe	159
PID 2044 set thread context of 4008	2044	CtDrvDxh.exe	161
PID 1724 set thread context of 3232	1724	CtDrvDxh.exe	163
PID 1460 set thread context of 3620	1460	CtDrvDxh.exe	165
PID 212 set thread context of 3896	212	CtDrvDxh.exe	167
PID 4436 set thread context of 3104	4436	CtDrvDxh.exe	169
PID 4736 set thread context of 5116	4736	CtDrvDxh.exe	171
PID 4156 set thread context of 4264	4156	CtDrvDxh.exe	173

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1564-0-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1564-2-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1564-1-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1564-6-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1564-10-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1564-9-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1564-8-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1564-7-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1564-44-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1844-54-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1844-58-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1844-56-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1844-53-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1844-52-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1844-55-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1844-60-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/2260-68-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/2260-70-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/2260-69-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/2260-74-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/2196-85-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/2196-84-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/2196-82-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/2196-83-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/2196-88-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/3256-96-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/3256-99-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/3256-98-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/3256-101-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1936-112-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1936-111-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1936-110-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1936-109-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1936-118-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/2660-132-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1332-142-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1332-147-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/3936-155-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/3936-162-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/2620-176-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4636-184-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4636-191-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/2056-206-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/3084-220-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/3020-228-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/3020-235-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4596-250-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/2904-258-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/2904-265-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4440-275-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4440-280-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1420-295-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4312-303-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4312-310-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4540-318-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4540-325-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4840-333-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4840-340-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/224-348-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/224-355-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1240-369-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1660-377-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1660-384-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4512-396-0x0000000000400000-0x0000000000469000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe

Modifies registry class 41 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvDxh.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1564	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe
1564	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe
1844	CtDrvDxh.exe
1844	CtDrvDxh.exe
2260	CtDrvDxh.exe
2260	CtDrvDxh.exe
2196	CtDrvDxh.exe
2196	CtDrvDxh.exe
3256	CtDrvDxh.exe
3256	CtDrvDxh.exe
1936	CtDrvDxh.exe
1936	CtDrvDxh.exe
2660	CtDrvDxh.exe
2660	CtDrvDxh.exe
1332	CtDrvDxh.exe
1332	CtDrvDxh.exe
3936	CtDrvDxh.exe
3936	CtDrvDxh.exe
2620	CtDrvDxh.exe
2620	CtDrvDxh.exe
4636	CtDrvDxh.exe
4636	CtDrvDxh.exe
2056	CtDrvDxh.exe
2056	CtDrvDxh.exe
3084	CtDrvDxh.exe
3084	CtDrvDxh.exe
3020	CtDrvDxh.exe
3020	CtDrvDxh.exe
4596	CtDrvDxh.exe
4596	CtDrvDxh.exe
2904	CtDrvDxh.exe
2904	CtDrvDxh.exe
4440	CtDrvDxh.exe
4440	CtDrvDxh.exe
1420	CtDrvDxh.exe
1420	CtDrvDxh.exe
4312	CtDrvDxh.exe
4312	CtDrvDxh.exe
4540	CtDrvDxh.exe
4540	CtDrvDxh.exe
4840	CtDrvDxh.exe
4840	CtDrvDxh.exe
224	CtDrvDxh.exe
224	CtDrvDxh.exe
1240	CtDrvDxh.exe
1240	CtDrvDxh.exe
1660	CtDrvDxh.exe
1660	CtDrvDxh.exe
4512	CtDrvDxh.exe
4512	CtDrvDxh.exe
4468	CtDrvDxh.exe
4468	CtDrvDxh.exe
1912	CtDrvDxh.exe
1912	CtDrvDxh.exe
2912	CtDrvDxh.exe
2912	CtDrvDxh.exe
1000	CtDrvDxh.exe
1000	CtDrvDxh.exe
3516	CtDrvDxh.exe
3516	CtDrvDxh.exe
2096	CtDrvDxh.exe
2096	CtDrvDxh.exe
460	CtDrvDxh.exe
460	CtDrvDxh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4300 wrote to memory of 1564	4300	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe	82
PID 4300 wrote to memory of 1564	4300	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe	82
PID 4300 wrote to memory of 1564	4300	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe	82
PID 4300 wrote to memory of 1564	4300	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe	82
PID 4300 wrote to memory of 1564	4300	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe	82
PID 4300 wrote to memory of 1564	4300	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe	82
PID 4300 wrote to memory of 1564	4300	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe	82
PID 4300 wrote to memory of 1564	4300	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe	82
PID 1564 wrote to memory of 3472	1564	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe	85
PID 1564 wrote to memory of 3472	1564	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe	85
PID 1564 wrote to memory of 3472	1564	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe	85
PID 3472 wrote to memory of 1844	3472	CtDrvDxh.exe	86
PID 3472 wrote to memory of 1844	3472	CtDrvDxh.exe	86
PID 3472 wrote to memory of 1844	3472	CtDrvDxh.exe	86
PID 3472 wrote to memory of 1844	3472	CtDrvDxh.exe	86
PID 3472 wrote to memory of 1844	3472	CtDrvDxh.exe	86
PID 3472 wrote to memory of 1844	3472	CtDrvDxh.exe	86
PID 3472 wrote to memory of 1844	3472	CtDrvDxh.exe	86
PID 3472 wrote to memory of 1844	3472	CtDrvDxh.exe	86
PID 1844 wrote to memory of 452	1844	CtDrvDxh.exe	90
PID 1844 wrote to memory of 452	1844	CtDrvDxh.exe	90
PID 1844 wrote to memory of 452	1844	CtDrvDxh.exe	90
PID 452 wrote to memory of 2260	452	CtDrvDxh.exe	91
PID 452 wrote to memory of 2260	452	CtDrvDxh.exe	91
PID 452 wrote to memory of 2260	452	CtDrvDxh.exe	91
PID 452 wrote to memory of 2260	452	CtDrvDxh.exe	91
PID 452 wrote to memory of 2260	452	CtDrvDxh.exe	91
PID 452 wrote to memory of 2260	452	CtDrvDxh.exe	91
PID 452 wrote to memory of 2260	452	CtDrvDxh.exe	91
PID 452 wrote to memory of 2260	452	CtDrvDxh.exe	91
PID 2260 wrote to memory of 4344	2260	CtDrvDxh.exe	94
PID 2260 wrote to memory of 4344	2260	CtDrvDxh.exe	94
PID 2260 wrote to memory of 4344	2260	CtDrvDxh.exe	94
PID 4344 wrote to memory of 2196	4344	CtDrvDxh.exe	95
PID 4344 wrote to memory of 2196	4344	CtDrvDxh.exe	95
PID 4344 wrote to memory of 2196	4344	CtDrvDxh.exe	95
PID 4344 wrote to memory of 2196	4344	CtDrvDxh.exe	95
PID 4344 wrote to memory of 2196	4344	CtDrvDxh.exe	95
PID 4344 wrote to memory of 2196	4344	CtDrvDxh.exe	95
PID 4344 wrote to memory of 2196	4344	CtDrvDxh.exe	95
PID 4344 wrote to memory of 2196	4344	CtDrvDxh.exe	95
PID 2196 wrote to memory of 5028	2196	CtDrvDxh.exe	96
PID 2196 wrote to memory of 5028	2196	CtDrvDxh.exe	96
PID 2196 wrote to memory of 5028	2196	CtDrvDxh.exe	96
PID 5028 wrote to memory of 3256	5028	CtDrvDxh.exe	97
PID 5028 wrote to memory of 3256	5028	CtDrvDxh.exe	97
PID 5028 wrote to memory of 3256	5028	CtDrvDxh.exe	97
PID 5028 wrote to memory of 3256	5028	CtDrvDxh.exe	97
PID 5028 wrote to memory of 3256	5028	CtDrvDxh.exe	97
PID 5028 wrote to memory of 3256	5028	CtDrvDxh.exe	97
PID 5028 wrote to memory of 3256	5028	CtDrvDxh.exe	97
PID 5028 wrote to memory of 3256	5028	CtDrvDxh.exe	97
PID 3256 wrote to memory of 4440	3256	CtDrvDxh.exe	98
PID 3256 wrote to memory of 4440	3256	CtDrvDxh.exe	98
PID 3256 wrote to memory of 4440	3256	CtDrvDxh.exe	98
PID 4440 wrote to memory of 1936	4440	CtDrvDxh.exe	99
PID 4440 wrote to memory of 1936	4440	CtDrvDxh.exe	99
PID 4440 wrote to memory of 1936	4440	CtDrvDxh.exe	99
PID 4440 wrote to memory of 1936	4440	CtDrvDxh.exe	99
PID 4440 wrote to memory of 1936	4440	CtDrvDxh.exe	99
PID 4440 wrote to memory of 1936	4440	CtDrvDxh.exe	99
PID 4440 wrote to memory of 1936	4440	CtDrvDxh.exe	99
PID 4440 wrote to memory of 1936	4440	CtDrvDxh.exe	99
PID 1936 wrote to memory of 1584	1936	CtDrvDxh.exe	100

C:\Users\Admin\AppData\Local\Temp\f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Users\Admin\AppData\Local\Temp\f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\SysWOW64\CtDrvDxh.exe
    "C:\Windows\system32\CtDrvDxh.exe" C:\Users\Admin\AppData\Local\Temp\F34361~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3472
  - - C:\Windows\SysWOW64\CtDrvDxh.exe
      "C:\Windows\system32\CtDrvDxh.exe" C:\Users\Admin\AppData\Local\Temp\F34361~1.EXE
      4⤵
      Checks computer location settings
      Deletes itself
      Executes dropped EXE
      Maps connected drives based on registry
      Drops file in System32 directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1844
    - - C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:452
      - C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2660
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2376
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1332
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3936
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2620
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4636
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2056
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4000
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3084
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4308
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3020
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4596
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:620
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2904
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:388
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4440
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1420
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4312
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4540
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4840
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:224
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2836
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1240
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:940
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1660
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4512
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4468
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1912
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4264
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2912
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3712
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1000
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4552
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3516
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2096
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1336
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:460
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3352
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        66⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        67⤵
        Suspicious use of SetThreadContext
        
        PID:3992
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        68⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        69⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        70⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        71⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        72⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        73⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        74⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        75⤵
        Suspicious use of SetThreadContext
        
        PID:1460
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        76⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        77⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:212
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        78⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3896
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        79⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        80⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        81⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        82⤵
        Checks computer location settings
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        83⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4156
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        84⤵
        Maps connected drives based on registry
        
        PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\CtDrvDxh.exe

Filesize
193KB

MD5
f34361ec2b5f66bdc4569591a444d556

SHA1
66fe2e16bba3e729a02e657df7a70884de61e410

SHA256
1f4b3f0512bea37cab96565fe336363c7d0f10261510aca157cddfb1684bc566

SHA512
ad4e0067d94d241c3d3f97af1b3c09ed3e2f6a408c9a017a2a2dd947145f48da552235700b9db710799d5148c9e68fb2eb95abbb201f743826b7151116da7d38

Download Submit
memory/224-355-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/224-348-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/452-71-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/460-482-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/968-494-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1000-446-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1240-369-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1332-147-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1332-142-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1420-295-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1564-8-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1564-0-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1564-44-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1564-2-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1564-9-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1564-10-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1564-6-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1564-1-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1564-7-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1660-377-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1660-384-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1844-60-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1844-55-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1844-52-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1844-53-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1844-56-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1844-58-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1844-54-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1868-506-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1912-415-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1912-421-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1936-109-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1936-112-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1936-118-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1936-111-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1936-110-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2056-206-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2096-470-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2196-83-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2196-84-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2196-82-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2196-85-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2196-88-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2260-68-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2260-74-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2260-70-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2260-69-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2620-176-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2660-132-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2904-265-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2904-258-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2912-428-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2912-434-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3020-235-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3020-228-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3084-220-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3104-579-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3232-542-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3256-96-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3256-98-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3256-101-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3256-99-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3472-57-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3516-458-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3620-554-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3896-567-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3896-561-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3936-162-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3936-155-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4008-530-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4300-5-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4312-310-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4312-303-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4344-86-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4440-113-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4440-275-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4440-280-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4468-408-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4512-396-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4540-325-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4540-318-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4596-250-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4636-191-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4636-184-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4840-340-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4840-333-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4884-518-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/5028-97-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5116-591-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download