Analysis
max time kernel: 149s
max time network: 128s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 14-06-2024 08:04
Behavioral task: behavioral1
Sample: a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe
Resource: win7-20240419-en
General
Target: a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe
Size: 2.2MB
MD5: a8a73cfa81faba2406e9d5667bb2e1bb
SHA1: bee5a324ee2a725507189bb65e1750f0a6e8d152
SHA256: 0156d1f5123b44015999b9c8ba3b431fb5a7cbc35f4a4a8e898801c536a01d81
SHA512: 05c441f4e460fdfea233b604021ec53258c9e3c8436b14eb6b9c42dba744a75ca8040494548fadefbd4044ae888442b50bdc75e2749ef41a02a709f56eca1bc7
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZr:0UzeyQMS4DqodCnoe+iitjWwwv
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
-
payload_url
http://don.service-master.eu/shit.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: explorer.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
-
Drops startup file 2 IoCs
Processes: a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe | a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe | a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
Processes: a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe, explorer.exe
pid | process
2308 | a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe (entry repeated)
2364 | explorer.exe (entry repeated)
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes: a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe, explorer.exe
description | pid | process | target process
PID 1968 set thread context of 2308 | 1968 | a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe | a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe
PID 2528 set thread context of 2364 | 2528 | explorer.exe | explorer.exe
-
Drops file in Windows directory 64 IoCs
Processes: spoolsv.exe (repeated), explorer.exe
description | ioc | process
File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe (entry repeated)
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe, explorer.exe
pid | process
2308 | a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe
2364 | explorer.exe (entry repeated)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: explorer.exe
pid | process
2364 | explorer.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes: a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe, explorer.exe
pid | process
2308 | a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe
2308 | a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe
2364 | explorer.exe
2364 | explorer.exe
2364 | explorer.exe
2364 | explorer.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe, explorer.exe
description | pid | process | target process (each entry is repeated in the report)
PID 1968 wrote to memory of 2860 | 1968 | a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe | splwow64.exe
PID 1968 wrote to memory of 2308 | 1968 | a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe | a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe
PID 2308 wrote to memory of 2528 | 2308 | a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe | explorer.exe
PID 2528 wrote to memory of 2364 | 2528 | explorer.exe | explorer.exe
PID 2364 wrote to memory of 616 | 2364 | explorer.exe | spoolsv.exe
PID 2364 wrote to memory of 2040 | 2364 | explorer.exe | spoolsv.exe
PID 2364 wrote to memory of 2304 | 2364 | explorer.exe | spoolsv.exe
PID 2364 wrote to memory of 408 | 2364 | explorer.exe | spoolsv.exe
PID 2364 wrote to memory of 2000 | 2364 | explorer.exe | spoolsv.exe
PID 2364 wrote to memory of 2136 | 2364 | explorer.exe | spoolsv.exe
PID 2364 wrote to memory of 300 | 2364 | explorer.exe | spoolsv.exe
PID 2364 wrote to memory of 2472 | 2364 | explorer.exe | spoolsv.exe
PID 2364 wrote to memory of 2300 | 2364 | explorer.exe | spoolsv.exe
PID 2364 wrote to memory of 2944 | 2364 | explorer.exe | spoolsv.exe
PID 2364 wrote to memory of 1404 | 2364 | explorer.exe | spoolsv.exe
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe"
Tree depth: 1
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\splwow64.exe
Command line: C:\Windows\splwow64.exe 12288
Tree depth: 2
-
Image: C:\Users\Admin\AppData\Local\Temp\a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a8a73cfa81faba2406e9d5667bb2e1bb_JaffaCakes118.exe"
Tree depth: 2
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Image: \??\c:\windows\system\explorer.exe
Command line: c:\windows\system\explorer.exe
Tree depth: 3
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
Image: \??\c:\windows\system\explorer.exe
Command line: "c:\windows\system\explorer.exe"
Tree depth: 4
- Modifies WinLogon for persistence
- Modifies visibility of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Image: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe SE
Tree depth: 5
- Executes dropped EXE
-
Image: \??\c:\windows\system\spoolsv.exe
Command line: "c:\windows\system\spoolsv.exe"
Tree depth: 6
-
Image: \??\c:\windows\system\explorer.exe
Command line: c:\windows\system\explorer.exe
Tree depth: 7
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution (3)
Registry Run Keys / Startup Folder (2)
Winlogon Helper DLL (1)
Privilege Escalation
Boot or Logon Autostart Execution (3)
Registry Run Keys / Startup Folder (2)
Winlogon Helper DLL (1)
Downloads
-
C:\Windows\Parameters.ini
Filesize: 74B
-
C:\Windows\Parameters.ini
-
C:\Windows\system\spoolsv.exe
Filesize: 2.2MB
-
\Windows\system\explorer.exe
Filesize: 2.2MB