Malware Analysis Report

2024-10-19 01:17

Sample ID 240612-r663kayfng
Target a10bc331ea2f742117a44570d5babff0_JaffaCakes118
SHA256 854e7caed27ffc50df05d4942a8ac451757c13926f08255ce4e66b147f5b819d
Tags
pony evasion persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

854e7caed27ffc50df05d4942a8ac451757c13926f08255ce4e66b147f5b819d

Threat Level: Known bad

The file a10bc331ea2f742117a44570d5babff0_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

pony evasion persistence rat spyware stealer

Pony family

Pony,Fareit

Modifies visiblity of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Drops startup file

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 14:49

Signatures

Pony family

pony

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 14:49

Reported

2024-06-12 14:51

Platform

win7-20231129-en

Max time kernel

146s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

Pony,Fareit

rat spyware stealer pony

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2468 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 2468 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 2468 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 2468 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 2468 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe
PID 2468 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe
PID 2468 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe
PID 2468 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe
PID 2468 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe
PID 2468 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe
PID 1792 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 1792 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 1792 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 1792 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 1888 wrote to memory of 1584 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1888 wrote to memory of 1584 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1888 wrote to memory of 1584 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1888 wrote to memory of 1584 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1888 wrote to memory of 1584 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1888 wrote to memory of 1584 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1584 wrote to memory of 2888 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 2888 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 2888 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 2888 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 2124 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 2124 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 2124 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 2124 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 1272 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 1272 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 1272 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 1272 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 1268 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 1268 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 1268 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 1268 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 976 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 976 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 976 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 976 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 3004 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 3004 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 3004 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 3004 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 2596 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 2596 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 2596 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 2596 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 2544 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 2544 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 2544 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 2544 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 868 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 868 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 868 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 868 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 2380 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 2380 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 2380 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 2380 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 1060 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 1060 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 1060 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1584 wrote to memory of 1060 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

Network

N/A

Files

memory/2468-0-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Windows\Parameters.ini

MD5 6687785d6a31cdf9a5f80acb3abc459b
SHA1 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

memory/2468-17-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2468-19-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1792-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1792-20-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1792-24-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1792-27-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2468-28-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1792-31-0x0000000000400000-0x000000000043E000-memory.dmp

\Windows\system\explorer.exe

MD5 8725b9b63d706fed6d6c02b4266bbb48
SHA1 5fac88be6e7c43e8631668d8b7e29f8d0bedd70f
SHA256 93d05d26e86d98915fa88ae035994c83a5baf16424b8d772f28f356e776c260f
SHA512 f989dd9628b5225d3c3e245c9ac0c399e3a7c52c73073774f58b6e1241fd20b05a999ae746aa2dd233694503d2864f60ea248bba82ae905b846bb786bad161a7

memory/1888-42-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1792-50-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1888-61-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1888-71-0x0000000000400000-0x00000000005D3000-memory.dmp

\Windows\system\spoolsv.exe

MD5 7b120935c6c2b08a692666077d652755
SHA1 71b6b53cd87a935fff9f4db6436c398f8aed6101
SHA256 f8900c091b51f6e9d527ec7efca5eda518a2fa4058c8dc4bf9a9e16edfffdbce
SHA512 9b30aca155216b87efaa96810e9d6b536529df0c822b1e8946ba3aec8c74cf9989f373bd9145a6a3875808b814de032612a9d12d00f6ae02d61c9ecd5b5847b3

C:\Windows\Parameters.ini

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1584-2550-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2888-2551-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2124-2554-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/976-2560-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1268-2559-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1272-2558-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3004-2561-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1060-3049-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/868-3045-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2544-3044-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2596-3043-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2380-3047-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1824-3068-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3020-3067-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2508-3066-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2572-3065-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2696-3056-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1604-3055-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1128-3054-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1612-3050-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1100-3613-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2856-3617-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2652-3616-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1596-3615-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1104-3614-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2336-3612-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2848-3611-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2752-3610-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/952-3609-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2016-3608-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1884-3607-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/5080-5623-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5056-5635-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5124-5659-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4480-5648-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5544-5674-0x0000000000400000-0x000000000043E000-memory.dmp

memory/6340-5685-0x0000000000400000-0x000000000043E000-memory.dmp

memory/6912-5699-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 14:49

Reported

2024-06-12 14:52

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

Pony,Fareit

rat spyware stealer pony

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1884 set thread context of 4712 N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe
PID 864 set thread context of 4000 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2424 set thread context of 5316 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1788 set thread context of 5436 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2088 set thread context of 5748 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2032 set thread context of 5828 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3028 set thread context of 5904 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2068 set thread context of 5972 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3788 set thread context of 5576 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3660 set thread context of 4036 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4012 set thread context of 5776 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4836 set thread context of 5888 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 228 set thread context of 5344 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4936 set thread context of 5504 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4396 set thread context of 5460 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2464 set thread context of 3172 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2744 set thread context of 4020 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4648 set thread context of 5184 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3520 set thread context of 3464 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 640 set thread context of 5324 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2624 set thread context of 2484 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4900 set thread context of 6016 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3044 set thread context of 6080 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2712 set thread context of 5148 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5032 set thread context of 5484 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1608 set thread context of 5136 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4364 set thread context of 4676 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1880 set thread context of 1012 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4912 set thread context of 1892 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4308 set thread context of 6012 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 864 set thread context of 5852 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5236 set thread context of 5964 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5372 set thread context of 2208 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 5676 set thread context of 4960 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5584 set thread context of 6104 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5624 set thread context of 2480 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4204 set thread context of 4340 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 624 set thread context of 3304 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4344 set thread context of 4084 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 6100 set thread context of 6112 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2356 set thread context of 5756 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 6048 set thread context of 5280 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 804 set thread context of 5532 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5916 set thread context of 5156 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2788 set thread context of 5132 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5808 set thread context of 5772 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4956 set thread context of 6116 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3000 set thread context of 3236 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 180 set thread context of 2340 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3136 set thread context of 5140 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3004 set thread context of 5272 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1448 set thread context of 5648 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4444 set thread context of 4560 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 5788 set thread context of 5228 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4280 set thread context of 972 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4848 set thread context of 2172 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1884 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 1884 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 1884 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe
PID 1884 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe
PID 1884 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe
PID 1884 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe
PID 1884 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe
PID 4712 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 4712 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 4712 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 864 wrote to memory of 4000 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 864 wrote to memory of 4000 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 864 wrote to memory of 4000 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 864 wrote to memory of 4000 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 864 wrote to memory of 4000 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4000 wrote to memory of 2424 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 2424 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 2424 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 1788 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 1788 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 1788 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 2088 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 2088 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 2088 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 2032 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 2032 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 2032 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 3028 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 3028 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 3028 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 2068 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 2068 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 2068 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 3788 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 3788 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 3788 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 3660 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 3660 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 3660 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 4012 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 4012 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 4012 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 4836 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 4836 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 4836 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 228 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 228 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 228 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 4936 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 4936 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 4936 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 4396 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 4396 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 4396 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 2464 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 2464 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 2464 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 2744 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 2744 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 2744 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 4648 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 4648 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 4648 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4000 wrote to memory of 3520 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3988,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=4300 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a10bc331ea2f742117a44570d5babff0_JaffaCakes118.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/1884-0-0x00000000008B0000-0x00000000008B1000-memory.dmp

C:\Windows\Parameters.ini

MD5 6687785d6a31cdf9a5f80acb3abc459b
SHA1 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

memory/1884-26-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1884-28-0x00000000008B0000-0x00000000008B1000-memory.dmp

memory/4712-29-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4712-30-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1884-33-0x0000000000400000-0x00000000005D3000-memory.dmp

C:\Windows\System\explorer.exe

MD5 9cc996362b7143ca7d49a9f03e53918b
SHA1 dfb50f9d31904e3e85ffd41f37dc21a94bd01775
SHA256 4e557b25ecbb3c59cf0408df745cfa9f74b913b5ffafaa68b30fb9d2e995f33d
SHA512 182c928fa98da2baccfaf7b848a4df1916493f15b91a6b8883f8c8feb83b748240eee9fa41d0689b5eeb1a75cf4d7fbd3f26c5b293e248274e2456a8b296540e

memory/4712-79-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4712-62-0x0000000000440000-0x0000000000509000-memory.dmp

memory/864-90-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4000-94-0x0000000000400000-0x000000000043E000-memory.dmp

memory/864-95-0x0000000000400000-0x00000000005D3000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 55938a2d04fe8695e7d076e6b2620c91
SHA1 58b969f9d30510b05db4f21ae9479b2a56001494
SHA256 4883586c94fbaefb22bb5d5704103a7fb79860000f0f413a2a128f8d500f5378
SHA512 83eb845685624bf1d41527781b6027db6e3100871fdf58320f57e6ced72b70b49dc5cbcc49a4d55f97f45ca2318ba4b532b482070ad98676b9ee7a0db87a2d4e

C:\Windows\Parameters.ini

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4000-849-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2424-850-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1788-1051-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2032-1053-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2088-1052-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3028-1214-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2068-1215-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3660-1367-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3788-1366-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4012-1368-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4836-1521-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4936-1523-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/228-1522-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4396-1711-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2744-1713-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2464-1712-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4648-1892-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/640-1894-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3520-1893-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/5316-1990-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2424-1989-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4900-1988-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2624-1987-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3044-2000-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1788-2003-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/5436-2001-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2712-2064-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/5748-2062-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2088-2056-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/5032-2071-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/5828-2072-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5904-2083-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5972-2095-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5316-2165-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5576-2248-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4036-2269-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5776-2280-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5888-2291-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5576-2420-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5504-2447-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5460-2457-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3172-2467-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3172-2469-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5344-2602-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4020-2624-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5184-2635-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3464-2641-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5324-2653-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2484-2751-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4020-2814-0x0000000000400000-0x000000000043E000-memory.dmp

memory/6016-2832-0x0000000000400000-0x000000000043E000-memory.dmp

memory/6080-2842-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5148-2860-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5484-2941-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5136-3025-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4676-3040-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1892-3124-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5136-3188-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5852-3213-0x0000000000400000-0x000000000043E000-memory.dmp

memory/6012-3310-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5964-3411-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5964-3517-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2208-3591-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4960-3655-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4960-3773-0x0000000000400000-0x000000000043E000-memory.dmp

memory/6104-3872-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2480-3882-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4340-3950-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3304-4015-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4340-4092-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4084-4181-0x0000000000400000-0x000000000043E000-memory.dmp

memory/6112-4190-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4084-4292-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5756-4378-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5756-4496-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5280-4523-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5532-4664-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5156-4730-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5532-4787-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5132-4808-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5772-4832-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5772-4835-0x0000000000400000-0x000000000043E000-memory.dmp

memory/6116-4875-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3236-4883-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2340-4895-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5140-4905-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5132-4969-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5272-5059-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5648-5068-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4560-5081-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5228-5087-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5228-5091-0x0000000000400000-0x000000000043E000-memory.dmp

memory/972-5201-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2172-5339-0x0000000000400000-0x000000000043E000-memory.dmp