Analysis Overview
SHA256
ee919008ba32a50ed1917f498a8692ca77ec934175fb6a7914ff82f3c8d9db72
Threat Level: Known bad
The file JaffaCakes118_072f9fd4055b7edbf63808259f11abc7 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Pony family
Pony,Fareit
Mofksys
Detects Mofksys worm
Mofksys family
Modifies visibility of hidden/system files in Explorer
Boot or Logon Autostart Execution: Active Setup
Executes dropped EXE
Drops startup file
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-20 03:17
Signatures
Pony family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-20 03:17
Reported
2025-05-20 03:19
Platform
win10v2004-20250502-en
Max time kernel
148s
Max time network
139s
Command Line
Signatures
Detects Mofksys worm
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A |
Mofksys
Mofksys family
Pony family
Pony,Fareit
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_072f9fd4055b7edbf63808259f11abc7.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_072f9fd4055b7edbf63808259f11abc7.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_072f9fd4055b7edbf63808259f11abc7.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_072f9fd4055b7edbf63808259f11abc7.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_072f9fd4055b7edbf63808259f11abc7.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_072f9fd4055b7edbf63808259f11abc7.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_072f9fd4055b7edbf63808259f11abc7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_072f9fd4055b7edbf63808259f11abc7.exe"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_072f9fd4055b7edbf63808259f11abc7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_072f9fd4055b7edbf63808259f11abc7.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe RO
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| NL | 95.101.136.223:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
Files
C:\Windows\Parameters.ini
| MD5 | 6687785d6a31cdf9a5f80acb3abc459b |
| SHA1 | 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9 |
| SHA256 | 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b |
| SHA512 | 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962 |
C:\Windows\System\explorer.exe
| MD5 | 22bbd24bf5dbf6fbe1785c126134a6ab |
| SHA1 | cc41969c674963d581540d33593dd1401e02062d |
| SHA256 | 6214eae132aad948a288ff9c2e54c66d65496b24f6153d65dcf8383ac5b27b35 |
| SHA512 | 90b9c8a8826af9b4d49bdec4a9cf86f52b8113011297928eeb253031050cf15ea78b1c6d252d661cf37d7b15eb779fb3c47a0e3852f2fca873c8281461b9f0f1 |
C:\Windows\System\spoolsv.exe
| MD5 | b0bc8b9e7e9323a836ee1a251ef528c4 |
| SHA1 | f16f1efba9ea381fc3361dbfc895180c314481db |
| SHA256 | be5f65bb19d4a6667981dc890c6a1ef40a62b2a4de6598a40e030ca2b6566356 |
| SHA512 | 35d03bd3bc187016674c75a5cf0dbd78eb90de29837a275b13025d65af76353ff61e89ab6c81f508a28324fde73521b867d4026f3211d68298c9cabb10cb10a0 |