Analysis Overview
SHA256
e473363480c89b271e7165a41c606644639226749a51fc2b3ea6a302a7579c96
Threat Level: Known bad
The file JaffaCakes118_07c4e640cab5f98750ca5adacef9c814 was found to be: Known bad.
Malicious Activity Summary
Detects Mofksys worm
Mofksys family
Modifies WinLogon for persistence
Pony family
Pony,Fareit
Mofksys
Modifies visiblity of hidden/system files in Explorer
Boot or Logon Autostart Execution: Active Setup
Drops startup file
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Checks SCSI registry key(s)
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-22 18:04
Signatures
Pony family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-22 18:04
Reported
2025-05-22 18:07
Platform
win11-20250502-en
Max time kernel
122s
Max time network
104s
Command Line
Signatures
Detects Mofksys worm
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A |
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A |
Mofksys
Mofksys family
Pony family
Pony,Fareit
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\explorer.exe | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\explorer.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsTerminal_8wekyb3d8bbwe\StartTerminalOnLoginTask | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe RO
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
Network
Files
memory/3328-0-0x0000000002470000-0x0000000002471000-memory.dmp
C:\Windows\Parameters.ini
| MD5 | 6687785d6a31cdf9a5f80acb3abc459b |
| SHA1 | 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9 |
| SHA256 | 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b |
| SHA512 | 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962 |
memory/3328-47-0x0000000002470000-0x0000000002471000-memory.dmp
memory/3328-46-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/5004-50-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5004-51-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3328-56-0x0000000000400000-0x00000000005D3000-memory.dmp
C:\Windows\System\explorer.exe
| MD5 | db9ab672c2f43b8340a59f2e56cdcccc |
| SHA1 | dae282efd250ac51111a8bb713046704223623ea |
| SHA256 | 1bd2cf13501b89281d3257b304a708b367654010b76cfc200fb73b8f2fe2ba6c |
| SHA512 | c531b3441a232d9616804947f1e91884b7c01f919e12898c17c8eeba00869fd1154eb37c39e3f4de836266ad5acc0c17bc1ea53ee288a4b5b394436d0ad0052b |
memory/5004-74-0x0000000000400000-0x000000000043E000-memory.dmp
memory/560-100-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/1816-102-0x00000171EE880000-0x00000171EE881000-memory.dmp
memory/1816-104-0x00000171EE880000-0x00000171EE881000-memory.dmp
memory/1816-103-0x00000171EE880000-0x00000171EE881000-memory.dmp
memory/1816-114-0x00000171EE880000-0x00000171EE881000-memory.dmp
memory/1816-113-0x00000171EE880000-0x00000171EE881000-memory.dmp
memory/1816-112-0x00000171EE880000-0x00000171EE881000-memory.dmp
memory/1816-111-0x00000171EE880000-0x00000171EE881000-memory.dmp
memory/1816-110-0x00000171EE880000-0x00000171EE881000-memory.dmp
memory/1816-109-0x00000171EE880000-0x00000171EE881000-memory.dmp
memory/1816-108-0x00000171EE880000-0x00000171EE881000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe
| MD5 | 07c4e640cab5f98750ca5adacef9c814 |
| SHA1 | 4acc32d617fb9e87480005a3faea95e36fc50a4c |
| SHA256 | e473363480c89b271e7165a41c606644639226749a51fc2b3ea6a302a7579c96 |
| SHA512 | 8c1b4105e83e5cd9ac5456ba06eb571c2f53c58167920cc0da3c257c095e35096409669b2e8d8695dfc2fa2cef63d1c9969e59986111116205dced77910ed2c9 |
memory/560-120-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/2532-119-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | a0a3761b833079783b9cc09871050213 |
| SHA1 | aa9e8a215ff160aacdf5240a870ae04185fd48d8 |
| SHA256 | f91d94359d06e22faf90258833f93514822c36efff30c0831fd95adc726ddca3 |
| SHA512 | 8c0be6680df486d681910cba4403f541fd8c61fc12dc4a58f53a1e76db3e72a4a4a1f46d75fafccb5bf7f9483faa1a5d28682bb5e36d6c668fa72c0344e44468 |
C:\Windows\Parameters.ini
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2532-286-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2512-299-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/2536-324-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/2760-326-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/5348-325-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/1244-339-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/5440-352-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/2296-371-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/1308-384-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/3536-398-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/5552-411-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/2700-425-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/2988-444-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/3344-457-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/1780-473-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/4924-487-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/3336-501-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/2208-513-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/2716-514-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/5080-531-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/4256-538-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/5092-550-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/2512-557-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/820-556-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5348-564-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/4952-563-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/556-573-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3788-579-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4796-590-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1148-598-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2324-610-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4904-620-0x0000000000400000-0x000000000043E000-memory.dmp
memory/820-628-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2136-659-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4184-667-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5012-678-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4772-694-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2136-727-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1364-741-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1472-753-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2304-771-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1364-799-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2172-817-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3016-822-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3340-835-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2172-872-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4980-887-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5240-897-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5240-901-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4580-974-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2852-998-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2376-1014-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2780-1035-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4580-1046-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3132-1058-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4076-1075-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5524-1084-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5524-1088-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3132-1101-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2004-1138-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3924-1194-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2096-1271-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1332-1301-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5964-1347-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4388-1370-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5964-1393-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2320-1424-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5664-1461-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5672-1502-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2532-1501-0x0000000000400000-0x000000000043E000-memory.dmp
memory/960-1513-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5672-1541-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1636-1588-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1376-1601-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3056-1652-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1932-1684-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2540-1714-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2540-1742-0x0000000000400000-0x000000000043E000-memory.dmp
memory/672-1802-0x0000000000400000-0x000000000043E000-memory.dmp
memory/424-1809-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4144-1818-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4784-1850-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4932-1872-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3360-1904-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1564-1922-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3800-1931-0x0000000000400000-0x000000000043E000-memory.dmp
memory/564-1998-0x0000000000400000-0x000000000043E000-memory.dmp