metasploit | 15340ef62f68faa89580da965333eade30a56dd50ec961089801e3e56ab7c333

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
Size

246KB
MD5

9f442fbd0d524ace9f540c38751d7c2e
SHA1

fc0a7dc9421d8817c47d0c279d2b11801f95733a
SHA256

15340ef62f68faa89580da965333eade30a56dd50ec961089801e3e56ab7c333
SHA512

0ca1c52eb1fb0532456354c7fd2a8b6e2cb90276c5e61d211be1d37cb21a1ee1613f6e0bfeac8562b9ef2d1ed27cf01b2c761d3d779e259a562a13b2c23ad9b5
SSDEEP

6144:LqRWEzuXcpYMtVLq47Sduit/QX9gvw0IgXn:+R3zuX0VORtYNgIOXn

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks computer location settings 2 TTPs 41 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	igfxdct32.exe

Deletes itself 1 IoCs

pid	Process
2600	igfxdct32.exe

Executes dropped EXE 41 IoCs

pid	Process
2600	igfxdct32.exe
2348	igfxdct32.exe
620	igfxdct32.exe
4332	igfxdct32.exe
3048	igfxdct32.exe
3416	igfxdct32.exe
2136	igfxdct32.exe
1060	igfxdct32.exe
3388	igfxdct32.exe
4412	igfxdct32.exe
1748	igfxdct32.exe
1132	igfxdct32.exe
1456	igfxdct32.exe
640	igfxdct32.exe
3252	igfxdct32.exe
3336	igfxdct32.exe
1144	igfxdct32.exe
3664	igfxdct32.exe
4012	igfxdct32.exe
3804	igfxdct32.exe
1744	igfxdct32.exe
936	igfxdct32.exe
3016	igfxdct32.exe
4980	igfxdct32.exe
4800	igfxdct32.exe
1280	igfxdct32.exe
3192	igfxdct32.exe
4124	igfxdct32.exe
3672	igfxdct32.exe
2428	igfxdct32.exe
1880	igfxdct32.exe
3496	igfxdct32.exe
3148	igfxdct32.exe
2532	igfxdct32.exe
4740	igfxdct32.exe
1264	igfxdct32.exe
4572	igfxdct32.exe
876	igfxdct32.exe
4896	igfxdct32.exe
4012	igfxdct32.exe
1736	igfxdct32.exe

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdct32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdct32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdct32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdct32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdct32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdct32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdct32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdct32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdct32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdct32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdct32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	igfxdct32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File created	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdct32.exe
File created	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File created	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File created	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdct32.exe	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File created	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File created	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdct32.exe
File created	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdct32.exe
File created	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File created	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdct32.exe
File created	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdct32.exe
File created	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File created	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdct32.exe
File created	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File created	C:\Windows\SysWOW64\igfxdct32.exe	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File created	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdct32.exe
File created	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File created	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\	igfxdct32.exe
File opened for modification	C:\Windows\SysWOW64\igfxdct32.exe	igfxdct32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 42 IoCs

pid	Process
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
2600	igfxdct32.exe
2348	igfxdct32.exe
620	igfxdct32.exe
4332	igfxdct32.exe
3048	igfxdct32.exe
3416	igfxdct32.exe
2136	igfxdct32.exe
1060	igfxdct32.exe
3388	igfxdct32.exe
4412	igfxdct32.exe
1748	igfxdct32.exe
1132	igfxdct32.exe
1456	igfxdct32.exe
640	igfxdct32.exe
3252	igfxdct32.exe
3336	igfxdct32.exe
1144	igfxdct32.exe
3664	igfxdct32.exe
4012	igfxdct32.exe
3804	igfxdct32.exe
1744	igfxdct32.exe
936	igfxdct32.exe
3016	igfxdct32.exe
4980	igfxdct32.exe
4800	igfxdct32.exe
1280	igfxdct32.exe
3192	igfxdct32.exe
4124	igfxdct32.exe
3672	igfxdct32.exe
2428	igfxdct32.exe
1880	igfxdct32.exe
3496	igfxdct32.exe
3148	igfxdct32.exe
2532	igfxdct32.exe
4740	igfxdct32.exe
1264	igfxdct32.exe
4572	igfxdct32.exe
876	igfxdct32.exe
4896	igfxdct32.exe
4012	igfxdct32.exe
1736	igfxdct32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfxdct32.exe

Modifies registry class 41 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	igfxdct32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
2600	igfxdct32.exe
2600	igfxdct32.exe
2600	igfxdct32.exe
2600	igfxdct32.exe
2600	igfxdct32.exe
2600	igfxdct32.exe
2600	igfxdct32.exe
2600	igfxdct32.exe
2600	igfxdct32.exe
2600	igfxdct32.exe
2600	igfxdct32.exe
2600	igfxdct32.exe
2600	igfxdct32.exe
2600	igfxdct32.exe
2600	igfxdct32.exe
2600	igfxdct32.exe
2600	igfxdct32.exe
2600	igfxdct32.exe
2600	igfxdct32.exe
2600	igfxdct32.exe
2600	igfxdct32.exe
2600	igfxdct32.exe
2600	igfxdct32.exe
2600	igfxdct32.exe
2600	igfxdct32.exe
2600	igfxdct32.exe
2600	igfxdct32.exe
2600	igfxdct32.exe
2600	igfxdct32.exe
2600	igfxdct32.exe
2600	igfxdct32.exe
2600	igfxdct32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 2600	3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe	87
PID 3260 wrote to memory of 2600	3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe	87
PID 3260 wrote to memory of 2600	3260	9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe	87
PID 2600 wrote to memory of 2348	2600	igfxdct32.exe	94
PID 2600 wrote to memory of 2348	2600	igfxdct32.exe	94
PID 2600 wrote to memory of 2348	2600	igfxdct32.exe	94
PID 2348 wrote to memory of 620	2348	igfxdct32.exe	99
PID 2348 wrote to memory of 620	2348	igfxdct32.exe	99
PID 2348 wrote to memory of 620	2348	igfxdct32.exe	99
PID 620 wrote to memory of 4332	620	igfxdct32.exe	101
PID 620 wrote to memory of 4332	620	igfxdct32.exe	101
PID 620 wrote to memory of 4332	620	igfxdct32.exe	101
PID 4332 wrote to memory of 3048	4332	igfxdct32.exe	102
PID 4332 wrote to memory of 3048	4332	igfxdct32.exe	102
PID 4332 wrote to memory of 3048	4332	igfxdct32.exe	102
PID 3048 wrote to memory of 3416	3048	igfxdct32.exe	103
PID 3048 wrote to memory of 3416	3048	igfxdct32.exe	103
PID 3048 wrote to memory of 3416	3048	igfxdct32.exe	103
PID 3416 wrote to memory of 2136	3416	igfxdct32.exe	104
PID 3416 wrote to memory of 2136	3416	igfxdct32.exe	104
PID 3416 wrote to memory of 2136	3416	igfxdct32.exe	104
PID 2136 wrote to memory of 1060	2136	igfxdct32.exe	105
PID 2136 wrote to memory of 1060	2136	igfxdct32.exe	105
PID 2136 wrote to memory of 1060	2136	igfxdct32.exe	105
PID 1060 wrote to memory of 3388	1060	igfxdct32.exe	108
PID 1060 wrote to memory of 3388	1060	igfxdct32.exe	108
PID 1060 wrote to memory of 3388	1060	igfxdct32.exe	108
PID 3388 wrote to memory of 4412	3388	igfxdct32.exe	109
PID 3388 wrote to memory of 4412	3388	igfxdct32.exe	109
PID 3388 wrote to memory of 4412	3388	igfxdct32.exe	109
PID 4412 wrote to memory of 1748	4412	igfxdct32.exe	111
PID 4412 wrote to memory of 1748	4412	igfxdct32.exe	111
PID 4412 wrote to memory of 1748	4412	igfxdct32.exe	111
PID 1748 wrote to memory of 1132	1748	igfxdct32.exe	112
PID 1748 wrote to memory of 1132	1748	igfxdct32.exe	112
PID 1748 wrote to memory of 1132	1748	igfxdct32.exe	112
PID 1132 wrote to memory of 1456	1132	igfxdct32.exe	113
PID 1132 wrote to memory of 1456	1132	igfxdct32.exe	113
PID 1132 wrote to memory of 1456	1132	igfxdct32.exe	113
PID 1456 wrote to memory of 640	1456	igfxdct32.exe	114
PID 1456 wrote to memory of 640	1456	igfxdct32.exe	114
PID 1456 wrote to memory of 640	1456	igfxdct32.exe	114
PID 640 wrote to memory of 3252	640	igfxdct32.exe	115
PID 640 wrote to memory of 3252	640	igfxdct32.exe	115
PID 640 wrote to memory of 3252	640	igfxdct32.exe	115
PID 3252 wrote to memory of 3336	3252	igfxdct32.exe	116
PID 3252 wrote to memory of 3336	3252	igfxdct32.exe	116
PID 3252 wrote to memory of 3336	3252	igfxdct32.exe	116
PID 3336 wrote to memory of 1144	3336	igfxdct32.exe	117
PID 3336 wrote to memory of 1144	3336	igfxdct32.exe	117
PID 3336 wrote to memory of 1144	3336	igfxdct32.exe	117
PID 1144 wrote to memory of 3664	1144	igfxdct32.exe	119
PID 1144 wrote to memory of 3664	1144	igfxdct32.exe	119
PID 1144 wrote to memory of 3664	1144	igfxdct32.exe	119
PID 3664 wrote to memory of 4012	3664	igfxdct32.exe	120
PID 3664 wrote to memory of 4012	3664	igfxdct32.exe	120
PID 3664 wrote to memory of 4012	3664	igfxdct32.exe	120
PID 4012 wrote to memory of 3804	4012	igfxdct32.exe	121
PID 4012 wrote to memory of 3804	4012	igfxdct32.exe	121
PID 4012 wrote to memory of 3804	4012	igfxdct32.exe	121
PID 3804 wrote to memory of 1744	3804	igfxdct32.exe	122
PID 3804 wrote to memory of 1744	3804	igfxdct32.exe	122
PID 3804 wrote to memory of 1744	3804	igfxdct32.exe	122
PID 1744 wrote to memory of 936	1744	igfxdct32.exe	123

C:\Users\Admin\AppData\Local\Temp\9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9f442fbd0d524ace9f540c38751d7c2e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Maps connected drives based on registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Windows\SysWOW64\igfxdct32.exe
  "C:\Windows\system32\igfxdct32.exe" C:\Users\Admin\AppData\Local\Temp\9F442F~1.EXE
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\igfxdct32.exe
    "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Windows\SysWOW64\igfxdct32.exe
      "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Maps connected drives based on registry
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:620
    - - C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4332
      - C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\igfxdct32.exe
        
        "C:\Windows\system32\igfxdct32.exe" C:\Windows\SysWOW64\IGFXDC~1.EXE
        42⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\igfxdct32.exe

Filesize
246KB

MD5
9f442fbd0d524ace9f540c38751d7c2e

SHA1
fc0a7dc9421d8817c47d0c279d2b11801f95733a

SHA256
15340ef62f68faa89580da965333eade30a56dd50ec961089801e3e56ab7c333

SHA512
0ca1c52eb1fb0532456354c7fd2a8b6e2cb90276c5e61d211be1d37cb21a1ee1613f6e0bfeac8562b9ef2d1ed27cf01b2c761d3d779e259a562a13b2c23ad9b5

Download Submit
memory/620-57-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/640-105-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/876-204-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/936-140-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/936-133-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1060-77-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1132-97-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1144-118-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1264-195-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1264-198-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1280-156-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1456-99-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1744-135-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1748-92-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1748-86-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1880-178-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2136-74-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2348-53-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2348-49-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2348-48-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2428-173-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2532-192-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2600-39-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2600-43-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2600-40-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2600-46-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3016-138-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3016-144-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3048-66-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3048-60-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3148-185-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3192-161-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3252-109-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3260-1-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3260-42-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3260-4-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3260-2-0x0000000000478000-0x0000000000493000-memory.dmp

Filesize
108KB

Download
memory/3260-3-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3260-0-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3336-114-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3388-83-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3416-69-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3496-176-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3496-183-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3664-122-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3672-169-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/3804-130-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4012-210-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4012-126-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4124-165-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4332-62-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4412-88-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4572-201-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4800-151-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4896-207-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/4980-148-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download