Analysis Overview
SHA256
2c1d110b0c75dd1a347f967a608ccad7d681ce46968fe7fef762207e053acad2
Threat Level: Known bad
The file JaffaCakes118_072b03cd5fbc369fd68bcf35be14a173 was found to be: Known bad.
Malicious Activity Summary
Mofksys family
Modifies WinLogon for persistence
Detects Mofksys worm
Pony,Fareit
Pony family
Modifies visiblity of hidden/system files in Explorer
Mofksys
Boot or Logon Autostart Execution: Active Setup
Drops startup file
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-20 01:14
Signatures
Pony family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-20 01:14
Reported
2025-05-20 01:17
Platform
win10v2004-20250502-en
Max time kernel
148s
Max time network
133s
Command Line
Signatures
Detects Mofksys worm
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A |
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A |
Mofksys
Mofksys family
Pony family
Pony,Fareit
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_072b03cd5fbc369fd68bcf35be14a173.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_072b03cd5fbc369fd68bcf35be14a173.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_072b03cd5fbc369fd68bcf35be14a173.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_072b03cd5fbc369fd68bcf35be14a173.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_072b03cd5fbc369fd68bcf35be14a173.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_072b03cd5fbc369fd68bcf35be14a173.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_072b03cd5fbc369fd68bcf35be14a173.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_072b03cd5fbc369fd68bcf35be14a173.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_072b03cd5fbc369fd68bcf35be14a173.exe"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_072b03cd5fbc369fd68bcf35be14a173.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_072b03cd5fbc369fd68bcf35be14a173.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe RO
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
Files
memory/2348-0-0x0000000000780000-0x0000000000781000-memory.dmp
C:\Windows\Parameters.ini
| MD5 | 6687785d6a31cdf9a5f80acb3abc459b |
| SHA1 | 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9 |
| SHA256 | 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b |
| SHA512 | 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962 |
memory/2348-32-0x0000000000780000-0x0000000000781000-memory.dmp
memory/2348-31-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/4508-34-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4508-35-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2348-39-0x0000000000400000-0x00000000005D3000-memory.dmp
C:\Windows\System\explorer.exe
| MD5 | c6a84aa40f43d4e72e9c53d90a7ccae5 |
| SHA1 | e70b20d20703795cbeb104e7516f3fa62ef6ab5d |
| SHA256 | 378bb3a40026fe41216b217258e9ccad0595fbbbe3341298831e1f6d3e59c1d1 |
| SHA512 | 2c6c75e314b5ecef97d5bc45cacce5489445786da050f0666d26001c2c1baa45589d8c256f2ee5505d0533f78536695ab13cfc4f248590218263be8557327ab8 |
memory/4508-79-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4508-77-0x0000000000440000-0x0000000000509000-memory.dmp
memory/3104-85-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/3004-89-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3104-90-0x0000000000400000-0x00000000005D3000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 3d856d3a0100c1eb96a4ccf33ea4286b |
| SHA1 | bf030f58dad6da68a0128133b5fdf03599ad56a8 |
| SHA256 | 80dcce359e9af8a6b9a8aebee3a90a18345f8a6f0d3610cceec43dc4f7c34689 |
| SHA512 | 489ea41ca07155f59bcb7fec3988060595acaabeeaec26416e0480669eeb5e3a220fb04a6bcd3c4b4b9fdc02159f7efd19f3fcff0fed7f2f78c03e70043d56e5 |
memory/3004-671-0x0000000000400000-0x000000000043E000-memory.dmp
memory/376-753-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/5080-936-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/3128-937-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/4472-1008-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/1800-1109-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/3648-1185-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/2856-1251-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/3852-1307-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/3528-1343-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/1620-1436-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/4556-1497-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/3568-1578-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/1124-1579-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/4288-1647-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/3972-1719-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/2364-1786-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/4160-1787-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/2936-1839-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/2400-1896-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/4832-1978-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/376-1986-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/4964-1985-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3168-2069-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/5080-2072-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/2720-2071-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/5184-2081-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3128-2084-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/5244-2090-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2668-2092-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/5364-2097-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5364-2101-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5424-2109-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5424-2112-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5484-2121-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5556-2131-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4964-2236-0x0000000000400000-0x000000000043E000-memory.dmp
memory/6096-2255-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3592-2267-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3328-2278-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3328-2274-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5176-2287-0x0000000000400000-0x000000000043E000-memory.dmp
memory/6096-2416-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5588-2433-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5724-2442-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5784-2456-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5884-2465-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5960-2474-0x0000000000400000-0x000000000043E000-memory.dmp
memory/6004-2485-0x0000000000400000-0x000000000043E000-memory.dmp
memory/6004-2482-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5588-2592-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5208-2609-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5384-2618-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5384-2623-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5428-2633-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5208-2774-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3496-2802-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3712-2893-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5680-2899-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5680-2902-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3784-2959-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5472-2967-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5728-3038-0x0000000000400000-0x000000000043E000-memory.dmp
memory/216-3252-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5788-3400-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5836-3410-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5788-3498-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5448-3638-0x0000000000400000-0x000000000043E000-memory.dmp
memory/244-3649-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3004-3866-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3344-3936-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4352-3948-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5248-4141-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5400-4152-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5248-4289-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4108-4494-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2992-4515-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4796-4569-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2424-4581-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4796-4712-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3696-4797-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5688-4808-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4828-4814-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2152-4886-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3368-5011-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5992-5021-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4020-5028-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3752-5113-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1992-5183-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5320-5193-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5012-5202-0x0000000000400000-0x000000000043E000-memory.dmp