Malware Analysis Report

2025-01-03 03:20

Sample ID 240616-qg2wwavbkh
Target b3b1db5584642249b041624ed525b0c1_JaffaCakes118
SHA256 e9a707793c17d8eb6fb465771a56c3f6f907f29157d2ee6182ba0a3751b1b7a2
Tags
pony evasion persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e9a707793c17d8eb6fb465771a56c3f6f907f29157d2ee6182ba0a3751b1b7a2

Threat Level: Known bad

The file b3b1db5584642249b041624ed525b0c1_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

pony evasion persistence rat spyware stealer

Pony,Fareit

Modifies WinLogon for persistence

Pony family

Modifies visiblity of hidden/system files in Explorer

Modifies Installed Components in the registry

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 13:14

Signatures

Pony family

pony

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 13:14

Reported

2024-06-16 13:17

Platform

win7-20240611-en

Max time kernel

127s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

Pony,Fareit

rat spyware stealer pony

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2440 set thread context of 2600 N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe
PID 2492 set thread context of 1528 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2844 set thread context of 276 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2840 set thread context of 2804 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1996 set thread context of 1548 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1732 set thread context of 520 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1092 set thread context of 808 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2040 set thread context of 1276 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2956 set thread context of 3372 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2636 set thread context of 3640 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1200 set thread context of 3668 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1620 set thread context of 3916 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1884 set thread context of 4036 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3000 set thread context of 4080 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2104 set thread context of 3160 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2172 set thread context of 3296 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2768 set thread context of 1488 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2440 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 2440 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 2440 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 2440 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 2440 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe
PID 2440 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe
PID 2440 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe
PID 2440 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe
PID 2440 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe
PID 2440 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe
PID 2600 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2600 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2600 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2600 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2492 wrote to memory of 1528 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2492 wrote to memory of 1528 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2492 wrote to memory of 1528 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2492 wrote to memory of 1528 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2492 wrote to memory of 1528 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2492 wrote to memory of 1528 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1528 wrote to memory of 2840 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 2840 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 2840 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 2840 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 2844 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 2844 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 2844 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 2844 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 1996 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 1996 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 1996 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 1996 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 1732 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 1732 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 1732 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 1732 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 2040 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 2040 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 2040 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 2040 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 1092 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 1092 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 1092 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 1092 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 2636 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 2636 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 2636 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 2636 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 2956 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 2956 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 2956 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 2956 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 1884 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 1884 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 1884 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 1884 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 1200 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 1200 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 1200 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 1200 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 3000 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 3000 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 3000 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1528 wrote to memory of 3000 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

Network

N/A

Files

memory/2440-0-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Windows\Parameters.ini

MD5 6687785d6a31cdf9a5f80acb3abc459b
SHA1 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

memory/2440-17-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2440-19-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2600-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2600-24-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2600-20-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2600-28-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2440-30-0x0000000000400000-0x00000000005D3000-memory.dmp

\Windows\system\explorer.exe

MD5 43407fe122bc3cf3f857bc30a3a442bc
SHA1 c250c34f2e12785df1451995d70993078123f61e
SHA256 4eee7b0bdf2335ae23dd771bf144d4932d86bf5df12acbd4d6051c32dac0facf
SHA512 24192f865416b264a4dbbfcaf5187b8137a2ab38a4eee3a2076f7b969ce89e941802c8bdae7a49b1bc6b762b5cba2ef047faa460c150d0f059b75403367af95c

memory/2492-42-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2600-51-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2492-62-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2492-72-0x0000000000400000-0x00000000005D3000-memory.dmp

\Windows\system\spoolsv.exe

MD5 b990404b47b2964fcff8e71f67860981
SHA1 f1173ddf62cf4adcff554cec66f0223fcdd8347f
SHA256 f56fcebfb829d6529189cbc0cc91713f5f1d3a53878087d681f7ee5f496bf0c5
SHA512 d93f4593fc5d91afebee978ce8f96b7a6aaeea081446777cbe43d8a4a582b00da88c2b06abc18228324c39d273a213c217c2dc0e2fb6e08c8a7df2548159001e

C:\Windows\Parameters.ini

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1528-979-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2844-981-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1996-982-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2840-980-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1732-1173-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1092-1175-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2040-1174-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2956-1397-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2636-1396-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1476-1409-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1620-1408-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3000-1407-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1200-1405-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1884-1403-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2104-1570-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1532-1573-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2172-1572-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2768-1571-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/860-1810-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2708-1814-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1600-1813-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/452-1812-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1088-1811-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2448-2027-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2204-2031-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2240-2030-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1164-2029-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1676-2028-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1588-2026-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2672-2226-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/236-2225-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/276-2323-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2804-2336-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1548-2349-0x0000000000400000-0x000000000043E000-memory.dmp

memory/520-2389-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3372-2461-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3640-2489-0x0000000000400000-0x000000000043E000-memory.dmp

memory/808-2567-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3160-2595-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3296-2614-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3884-2728-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4012-3213-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3328-3135-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3100-3033-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1924-3099-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1560-3088-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1480-2980-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1056-3009-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2368-2996-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3580-2886-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3876-2920-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1724-2910-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4000-2847-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3092-2809-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3840-2710-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1032-2739-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3772-2684-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2224-2669-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4080-2583-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4036-2559-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1276-2448-0x0000000000400000-0x000000000043E000-memory.dmp

memory/808-2445-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\System32\spool\drivers\x64\3\mxdwdui.BUD

MD5 bd72dcf1083b6e22ccbfa0e8e27fb1e0
SHA1 3fd23d4f14da768da7b8364d74c54932d704e74e
SHA256 90f44f69950a796ab46ff09181585ac9dabf21271f16ebb9ea385c957e5955c1
SHA512 72360ab4078ad5e0152324f9a856b3396e2d0247f7f95ac8a5a53a25126ac3cff567cc523849e28d92a99730ee8ffb30366f09c428258f93a5cca6d0c5905562

memory/2896-3280-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2896-3283-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 13:14

Reported

2024-06-16 13:17

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

Pony,Fareit

rat spyware stealer pony

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1272 set thread context of 3908 N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe
PID 5656 set thread context of 4564 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 5512 set thread context of 880 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3304 set thread context of 4796 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4652 set thread context of 1128 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1032 set thread context of 816 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 680 set thread context of 4596 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4568 set thread context of 4648 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5452 set thread context of 2496 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2808 set thread context of 1600 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5264 set thread context of 3592 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1312 set thread context of 4280 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4152 set thread context of 2988 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3476 set thread context of 840 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2100 set thread context of 624 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4592 set thread context of 5824 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5420 set thread context of 3236 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5028 set thread context of 3568 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5488 set thread context of 5804 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1132 set thread context of 2124 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3892 set thread context of 4020 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5128 set thread context of 1612 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5660 set thread context of 2640 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3448 set thread context of 4372 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3480 set thread context of 5552 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4684 set thread context of 5476 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2032 set thread context of 1868 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1280 set thread context of 5900 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5200 set thread context of 5300 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5812 set thread context of 1512 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4936 set thread context of 2864 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5880 set thread context of 2888 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4556 set thread context of 3720 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4780 set thread context of 5184 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2212 set thread context of 5256 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 5240 set thread context of 4776 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5756 set thread context of 864 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 5924 set thread context of 2000 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3020 set thread context of 4264 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3684 set thread context of 2448 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4704 set thread context of 4712 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4864 set thread context of 5788 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 468 set thread context of 4612 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3224 set thread context of 1480 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 5032 set thread context of 3968 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2080 set thread context of 5972 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3216 set thread context of 1400 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2464 set thread context of 3296 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5172 set thread context of 5872 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1892 set thread context of 3172 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4876 set thread context of 3572 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5720 set thread context of 2308 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 5876 set thread context of 1524 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 60 set thread context of 208 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 6088 set thread context of 5540 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4924 set thread context of 1136 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 756 set thread context of 4528 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1272 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 1272 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 1272 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe
PID 1272 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe
PID 1272 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe
PID 1272 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe
PID 1272 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe
PID 3908 wrote to memory of 5656 N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 3908 wrote to memory of 5656 N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 3908 wrote to memory of 5656 N/A C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 5656 wrote to memory of 4564 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 5656 wrote to memory of 4564 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 5656 wrote to memory of 4564 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 5656 wrote to memory of 4564 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 5656 wrote to memory of 4564 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4564 wrote to memory of 5512 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 5512 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 5512 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 3304 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 3304 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 3304 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 4652 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 4652 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 4652 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 1032 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 1032 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 1032 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 680 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 680 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 680 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 4568 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 4568 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 4568 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 5452 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 5452 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 5452 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 2808 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 2808 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 2808 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 5264 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 5264 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 5264 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 1312 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 1312 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 1312 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 4152 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 4152 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 4152 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 3476 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 3476 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 3476 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 2100 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 2100 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 2100 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 4592 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 4592 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 4592 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 5420 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 5420 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 5420 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 5028 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 5028 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 5028 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4564 wrote to memory of 5488 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b3b1db5584642249b041624ed525b0c1_JaffaCakes118.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 95.16.208.104.in-addr.arpa udp

Files

memory/1272-0-0x0000000002570000-0x0000000002571000-memory.dmp

C:\Windows\Parameters.ini

MD5 6687785d6a31cdf9a5f80acb3abc459b
SHA1 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

memory/1272-46-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1272-48-0x0000000002570000-0x0000000002571000-memory.dmp

memory/3908-51-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1272-53-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3908-52-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\System\explorer.exe

MD5 f6c2c5315e74eb5995dfa3a6e17829b0
SHA1 7e008e8326a6c7b522a392279d119279f6b7ccb5
SHA256 9e3ae1ad2ad7496f7b68235c04d327e3b7ac51be7c138d918368b5f9b3b932ca
SHA512 1c2c178d91443c518b798390466d02c6852e501d25fa2abcc7e606c47d16d6bf291699457497395f34e54914bdf7df0e19055d71c7d7b844adbd1b1a8664da21

memory/3908-100-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3908-97-0x0000000000440000-0x0000000000509000-memory.dmp

memory/5656-106-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/5656-112-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4564-111-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 b1e2a5e185706ac8e4909e3ce3607738
SHA1 01a875b56524d10bcd99072333d0161ce226e22e
SHA256 20a72ab1334f7e15d9e62f689241ea742fbef2a226478e1074eb88a33f1efaf7
SHA512 fd69b2bf8e1c82f675067a10a916dc85b6a980b982e00ae26b61b6137e28fa55874b81296890d9e19d4de2d50ad8097c017e4433bb9e105eb84a274c14bd2771

memory/4564-971-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5512-972-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3304-1153-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4652-1154-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1032-1155-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4568-1327-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2808-1329-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/680-1326-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/5452-1328-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1312-1501-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4152-1502-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/5264-1500-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2100-1711-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4592-1712-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3476-1710-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/5420-1896-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/5488-1898-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/5028-1897-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1132-2098-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3892-2100-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4848-2099-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/880-2196-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5660-2195-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/5128-2194-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/5512-2193-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4796-2204-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3304-2207-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3448-2206-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1128-2216-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4652-2218-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3480-2215-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/816-2226-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4596-2317-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4648-2328-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2496-2340-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1600-2350-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3592-2360-0x0000000000400000-0x000000000043E000-memory.dmp

memory/880-2435-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2988-2535-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2988-2471-0x0000000000400000-0x000000000043E000-memory.dmp

memory/624-2565-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5824-2574-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3236-2586-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3568-2595-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5804-2605-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4280-2667-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2124-2725-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2752-2731-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4020-2746-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4020-2743-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1612-2752-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2640-2761-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2640-2764-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4372-2771-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5552-2782-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2124-2842-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5476-2860-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1868-2949-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5900-2958-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5900-2960-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5300-2967-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1512-3010-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2864-3072-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5476-3106-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2888-3129-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3720-3186-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2888-3245-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5184-3659-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5256-3944-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4776-4020-0x0000000000400000-0x000000000043E000-memory.dmp

memory/864-4258-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2000-4259-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2000-4368-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4264-4752-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2448-4909-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5788-5149-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4712-5237-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4612-5253-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3968-5268-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1480-5275-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1400-5293-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3296-5301-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5872-5312-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2308-5341-0x0000000000400000-0x000000000043E000-memory.dmp

memory/208-5482-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5540-5573-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1136-5585-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4528-5596-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4528-5599-0x0000000000400000-0x000000000043E000-memory.dmp

memory/208-5627-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5860-5764-0x0000000000400000-0x000000000043E000-memory.dmp