Malware Analysis Report

2024-10-24 16:45

Sample ID 240420-s55zjsbh63
Target fd1a4389ae602d038236500becb9e716_JaffaCakes118
SHA256 e0b18b43ed99a197b72b79de7d522eea4eec6cd356d7b185661b171e3cbb4c40
Tags
rat upx warzonerat evasion infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e0b18b43ed99a197b72b79de7d522eea4eec6cd356d7b185661b171e3cbb4c40

Threat Level: Known bad

The file fd1a4389ae602d038236500becb9e716_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

rat upx warzonerat evasion infostealer persistence

Warzonerat family

WarzoneRat, AveMaria

Modifies WinLogon for persistence

Warzone RAT payload

Modifies visiblity of hidden/system files in Explorer

Warzone RAT payload

Modifies Installed Components in the registry

Executes dropped EXE

Drops startup file

Loads dropped DLL

UPX packed file

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-20 15:43

Signatures

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Warzonerat family

warzonerat

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-20 15:43

Reported

2024-04-20 15:46

Platform

win7-20240221-en

Max time kernel

124s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 2032 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 2032 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 2032 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 2032 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 2032 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 2032 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 2032 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 2032 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 2032 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 2032 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 2032 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 2032 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 2032 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 2032 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 2032 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 2032 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 2032 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 2032 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 2032 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 2032 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 2032 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 2032 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 1164 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 1164 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 1164 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 1164 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 1164 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 1164 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 1164 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 1164 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 1164 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 1164 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Windows\SysWOW64\diskperf.exe
PID 1164 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Windows\SysWOW64\diskperf.exe
PID 1164 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Windows\SysWOW64\diskperf.exe
PID 1164 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Windows\SysWOW64\diskperf.exe
PID 1164 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Windows\SysWOW64\diskperf.exe
PID 1164 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Windows\SysWOW64\diskperf.exe
PID 764 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 764 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 764 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 764 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 1780 wrote to memory of 1900 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 1780 wrote to memory of 1900 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 1780 wrote to memory of 1900 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 1780 wrote to memory of 1900 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 1780 wrote to memory of 2000 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1780 wrote to memory of 2000 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1780 wrote to memory of 2000 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1780 wrote to memory of 2000 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1780 wrote to memory of 2000 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1780 wrote to memory of 2000 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1780 wrote to memory of 2000 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1780 wrote to memory of 2000 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1780 wrote to memory of 2000 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1780 wrote to memory of 2000 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1780 wrote to memory of 2000 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1780 wrote to memory of 2000 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1780 wrote to memory of 2000 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1780 wrote to memory of 2000 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

Network

N/A

Files

memory/2032-0-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2032-3-0x0000000000330000-0x0000000000376000-memory.dmp

memory/1164-2-0x0000000000300000-0x0000000000400000-memory.dmp

memory/1164-5-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1164-7-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1164-9-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1164-10-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1164-11-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1164-12-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1164-13-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1164-14-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1164-15-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1164-16-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1164-17-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1164-18-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1164-19-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1164-20-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1164-21-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1164-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1164-24-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1164-27-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1164-31-0x0000000000400000-0x0000000000628000-memory.dmp

memory/2032-30-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1164-32-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1164-33-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1164-34-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1164-35-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1164-36-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1164-37-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1164-38-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1164-39-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1164-40-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1164-41-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1164-42-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1164-43-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1164-44-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1164-45-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1164-47-0x0000000000220000-0x0000000000221000-memory.dmp

memory/764-50-0x0000000000400000-0x000000000043E000-memory.dmp

memory/764-53-0x0000000000400000-0x000000000043E000-memory.dmp

memory/764-55-0x0000000000400000-0x000000000043E000-memory.dmp

memory/764-59-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1164-52-0x0000000007000000-0x0000000007046000-memory.dmp

memory/764-65-0x0000000000400000-0x000000000043E000-memory.dmp

memory/572-66-0x0000000000400000-0x0000000000412000-memory.dmp

memory/572-68-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/572-70-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1164-74-0x0000000000400000-0x0000000001400000-memory.dmp

memory/572-75-0x0000000000400000-0x0000000000412000-memory.dmp

memory/572-78-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1164-79-0x0000000000400000-0x0000000000628000-memory.dmp

C:\Windows\system\explorer.exe

MD5 0a28678fc5256a3cc696cd7ee68e9ce6
SHA1 b2a30d41a9958198178face6decebe06c708124a
SHA256 86716de6c4a309f778c640c08230500f004fddf575832addb99f52330c519b06
SHA512 a09ffa695591a253a38095e10cce4bbb6cf077d88cf33c3dbd16ed6f3eb2fe72f61f8fc9137b668a2053eeb7219f61d11f2cea6c99251f43f94ba5d2bfdc408d

memory/764-89-0x0000000002D00000-0x0000000002D46000-memory.dmp

memory/764-90-0x0000000002D00000-0x0000000002D46000-memory.dmp

memory/1780-92-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5 8445bfa5a278e2f068300c604a78394b
SHA1 9fb4eef5ec2606bd151f77fdaa219853d4aa0c65
SHA256 5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c
SHA512 8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

memory/2000-135-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1780-134-0x0000000000400000-0x0000000000446000-memory.dmp

memory/764-139-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2000-149-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2000-152-0x00000000001C0000-0x00000000001C1000-memory.dmp

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5 fd1a4389ae602d038236500becb9e716
SHA1 07391dfac902cf86854020fc1a869ba40c0a83ed
SHA256 e0b18b43ed99a197b72b79de7d522eea4eec6cd356d7b185661b171e3cbb4c40
SHA512 6e34b60c7aac1ec6b7dbdf810dc0f93a51cd2a0e9d6a337fe7db5066c42ee050d141fe1af05a289f507fff3e01a982ad69197bfbff739e8253f23a3326ed6822

memory/1828-181-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2000-185-0x0000000000400000-0x0000000000628000-memory.dmp

\Windows\system\spoolsv.exe

MD5 b96b2fcc2a91c145d5dcc419c717f51a
SHA1 51f68b78e818a304ffcaadf37e743713ac3b2de8
SHA256 91af657ea44058f4e56a7635be9df8ccbc2bbc96ddf70ddafda87f5a936402ed
SHA512 1c61524d1eac6e474dbaaef76b394499f31f5b0c867442756c29c2c0691403f8d866f52869af57b9615342ad35d5e5be51b93183a27e5c1885e6ce803594cf1c

memory/1600-196-0x0000000002650000-0x0000000002696000-memory.dmp

memory/2892-198-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2892-200-0x0000000000450000-0x0000000000496000-memory.dmp

memory/844-229-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1600-238-0x0000000002650000-0x0000000002696000-memory.dmp

memory/1972-240-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1600-239-0x0000000002650000-0x0000000002696000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5 13222a4bb413aaa8b92aa5b4f81d2760
SHA1 268a48f2fe84ed49bbdc1873a8009db8c7cba66a
SHA256 d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d
SHA512 eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

memory/844-261-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1600-260-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1252-289-0x0000000000400000-0x0000000001990000-memory.dmp

memory/1600-295-0x0000000002650000-0x0000000002696000-memory.dmp

memory/2656-296-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1600-294-0x0000000002650000-0x0000000002696000-memory.dmp

memory/1252-303-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1600-307-0x0000000002650000-0x0000000002696000-memory.dmp

memory/2656-310-0x00000000002D0000-0x0000000000316000-memory.dmp

memory/1252-326-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 096c2ce614a147a5c7c96baedaa50a10
SHA1 560e7ccb2211276fcb2640254cb2386c7fc2fc6e
SHA256 f8f72f4b558b1b8746508f8164fe3c46494bb78ea8c10cdac9ff4ce75b6cdac2
SHA512 63ae893b55b25dbc2d40d23fe5f57766b984c518322d1cd2c47d64747922d7ca93b7ca8e654a1613ffca0b79e1b8d78609e400303d12dab4a3c86a5dad9ba2ed

memory/1600-354-0x0000000002650000-0x0000000002696000-memory.dmp

memory/1928-355-0x0000000000400000-0x0000000000446000-memory.dmp

\Windows\system\spoolsv.exe

MD5 4a7bee372a85993ec48738d126983448
SHA1 02068f0cbbdeab13175623cfd51415b3c2bfc46c
SHA256 11030f1dca04385b1c22b1178eb6bbb3b3fcf44cccd1739de8000ef1b09887ea
SHA512 7c8f20f90795a2eb00c637c64d40a3fc2d5c9d9619f4ec3bd5b4f8b86b7602a6c9e79bc97a843eb32d6620c3cdcbe6ed2a85752f0dae0a9fa890f27abc245926

memory/1600-361-0x0000000002650000-0x0000000002696000-memory.dmp

memory/1600-363-0x0000000002650000-0x0000000002696000-memory.dmp

memory/2792-391-0x0000000000220000-0x0000000000221000-memory.dmp

\Windows\system\spoolsv.exe

MD5 3629a8555a44b8a9ae27032ddf110395
SHA1 c997c261438c87e45575a5040972037398b0b4a5
SHA256 f263d356db73f49f1e339f8d9928727bb47cf889bdb1e52ee414f3a5a4db57af
SHA512 7f15d8685c9215f92dcaebc7388a0fa11bc05dfb3aacd66c1b495aa8ecef0a8c8ed8ab9df2283702044dc9ae4a775d4ed5c454a296a1e8b6d210a8c92fd0ed76

\Windows\system\spoolsv.exe

MD5 a44393f5b245e44c0c217d3f177ea7ab
SHA1 0f4dd280eec9cc5f0b2df50a9eb6fe8e008b6c61
SHA256 6c614746e9f60716d09c9523ca7b62af021ee1f43a3042dd91b2310a8bea4ade
SHA512 67a4ff0dce71247e73d57804dbbdd61ff6aa78ecd904852e0767ba934913efbe033f3af281eeb0632fa34c3df0b4e28ee14723135e2c205b04bd93a3dcd1472e

C:\Windows\system\spoolsv.exe

MD5 67a965e20c4f6f7875a0bd59cef3f072
SHA1 63b5531a8bd5c1c657ebc391f673cf8d2d2d3002
SHA256 ee97b476510eee782287725e0aefff7a14d21d75b51beddabecd06c70caf3bfe
SHA512 4755214fabe424f54f8bd82dda9840f3cf0cc2109feaf58f21265aad452ebaebfc4ae5d51c0c3e0c1cff714af9faaecd338e40ff7eeda2cfd03901866ce9227c

C:\Windows\system\spoolsv.exe

MD5 d2beec20d78a80ad3eba9a4c33683ac0
SHA1 6d3b4e890631cc9fa9792315d4ad45492ec2b54d
SHA256 f009e4b01923bd6b961929499abe69a0bcdf0ed840b3e84449dc32304063049e
SHA512 b96e0e7faf6192002313a2af635806c581c8ea16e4ab60030a6af3b4d0aba077df559b86fbff4d46c8da316b39ffaa190ca06fc448f2153e1c5d8c340beb75e9

memory/2668-410-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1924-411-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1600-408-0x0000000002650000-0x0000000002696000-memory.dmp

\Windows\system\spoolsv.exe

MD5 fcb24441fd64fe17f85a4387f8cab4da
SHA1 907eae02a8da423afe25325bbb65e0e214be47a8
SHA256 a7f35cae5fbc5eb5f7b944455ce0fe15b01cc42f330c1e27942aad93e0625150
SHA512 563e17f0793f0b418425c42dba57197ecd924d7813109234477c6d1fcb0ccb77653f50086db7e1f0061c0a0e325f90428f2a7bb1e303e90a88e604356a9c7d93

memory/1600-414-0x0000000002650000-0x0000000002696000-memory.dmp

memory/1252-419-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2668-422-0x0000000000390000-0x00000000003D6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-20 15:43

Reported

2024-04-20 15:46

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3980 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3980 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3980 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3980 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 3980 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 3980 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 3980 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 3980 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 3980 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 3980 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 3980 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 3980 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 3980 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 3980 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 3980 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 3980 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 3980 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 3980 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 3980 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 3980 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 3980 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 3980 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 3980 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 3980 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 3980 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 3980 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 3980 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 3980 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 3980 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 3980 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 3980 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 3980 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 848 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 848 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 848 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 848 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 848 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 848 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 848 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 848 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe
PID 848 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Windows\SysWOW64\diskperf.exe
PID 848 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Windows\SysWOW64\diskperf.exe
PID 848 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Windows\SysWOW64\diskperf.exe
PID 848 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Windows\SysWOW64\diskperf.exe
PID 848 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe C:\Windows\SysWOW64\diskperf.exe
PID 4312 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 4312 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 4312 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 3764 wrote to memory of 1184 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 3764 wrote to memory of 1184 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 3764 wrote to memory of 1184 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 3764 wrote to memory of 4808 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3764 wrote to memory of 4808 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3764 wrote to memory of 4808 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3764 wrote to memory of 4808 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3764 wrote to memory of 4808 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3764 wrote to memory of 4808 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3764 wrote to memory of 4808 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3764 wrote to memory of 4808 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3764 wrote to memory of 4808 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3764 wrote to memory of 4808 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3764 wrote to memory of 4808 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3764 wrote to memory of 4808 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3764 wrote to memory of 4808 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fd1a4389ae602d038236500becb9e716_JaffaCakes118.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2764 -ip 2764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4940 -ip 4940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 504

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3860 -ip 3860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 560

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2680 -ip 2680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 504

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1476 -ip 1476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 396

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 206.221.208.4.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 198.32.209.4.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 154.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 9.244.122.92.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

memory/3980-0-0x0000000000400000-0x0000000000446000-memory.dmp

memory/3980-4-0x0000000000400000-0x0000000000446000-memory.dmp

memory/848-2-0x0000000000400000-0x0000000001400000-memory.dmp

memory/848-3-0x0000000000400000-0x0000000001990000-memory.dmp

memory/848-5-0x0000000000400000-0x0000000001990000-memory.dmp

memory/848-6-0x0000000000400000-0x0000000001990000-memory.dmp

memory/848-7-0x0000000000400000-0x0000000001400000-memory.dmp

memory/848-8-0x0000000000400000-0x0000000001400000-memory.dmp

memory/848-9-0x0000000000400000-0x0000000001400000-memory.dmp

memory/848-10-0x0000000000400000-0x0000000001990000-memory.dmp

memory/848-11-0x0000000000400000-0x0000000001400000-memory.dmp

memory/848-12-0x0000000007140000-0x0000000007141000-memory.dmp

memory/848-13-0x0000000000400000-0x0000000001990000-memory.dmp

memory/848-15-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4312-18-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4304-23-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4312-22-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4304-25-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4304-30-0x0000000000400000-0x0000000000412000-memory.dmp

memory/848-28-0x0000000000400000-0x0000000001400000-memory.dmp

memory/848-32-0x0000000000400000-0x0000000001990000-memory.dmp

C:\Windows\System\explorer.exe

MD5 11ecfa831747ccfa35cb2d8dc7928f1d
SHA1 2af61cea3a43da272c32f70ee2b6403168b3cc89
SHA256 de820e899d4838c54db97172ba3962ca97bbe64ae35a218e9c4db8fcf57ade70
SHA512 ccd62af2fea13124037d8ba3401e29573676c6b6763b4e8c496ad5f3290fd62ee88bedd61f9abeaf18b4317ad02b89b23df9c23201acacd123756e9880dc1270

memory/3764-38-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5 8445bfa5a278e2f068300c604a78394b
SHA1 9fb4eef5ec2606bd151f77fdaa219853d4aa0c65
SHA256 5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c
SHA512 8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

memory/4808-45-0x0000000000400000-0x0000000000628000-memory.dmp

memory/4312-46-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4808-48-0x0000000000400000-0x0000000000628000-memory.dmp

memory/3764-44-0x0000000000400000-0x0000000000446000-memory.dmp

memory/4808-43-0x0000000000400000-0x0000000000628000-memory.dmp

memory/4808-49-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4808-50-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4808-52-0x0000000000400000-0x0000000000628000-memory.dmp

memory/4808-51-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4808-53-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4808-54-0x0000000007160000-0x0000000007161000-memory.dmp

memory/4808-55-0x0000000000400000-0x0000000000628000-memory.dmp

memory/4808-57-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5 fd1a4389ae602d038236500becb9e716
SHA1 07391dfac902cf86854020fc1a869ba40c0a83ed
SHA256 e0b18b43ed99a197b72b79de7d522eea4eec6cd356d7b185661b171e3cbb4c40
SHA512 6e34b60c7aac1ec6b7dbdf810dc0f93a51cd2a0e9d6a337fe7db5066c42ee050d141fe1af05a289f507fff3e01a982ad69197bfbff739e8253f23a3326ed6822

memory/1532-67-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4808-69-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4808-71-0x0000000000400000-0x0000000000628000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 935e18a313ed5afcefac710654fd9621
SHA1 3edc1f87ce9365f0a4252732d36f4bcb59904075
SHA256 818da8b75f4828c828d5d6c17a318cdf56e044337faa29eabde90beb59e251ad
SHA512 a8008f356795a126b5e24414418f107480b31d3d23a996838c1c2ec551642ae0495d857ba089a607008b7ae1077f71bf12f0cd6eca134369f9728eaaac8f27df

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5 13222a4bb413aaa8b92aa5b4f81d2760
SHA1 268a48f2fe84ed49bbdc1873a8009db8c7cba66a
SHA256 d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d
SHA512 eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

memory/1612-84-0x0000000000400000-0x0000000000446000-memory.dmp

memory/3440-90-0x0000000000400000-0x0000000000446000-memory.dmp

memory/4812-89-0x0000000000400000-0x0000000000628000-memory.dmp

memory/4812-91-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4812-92-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4812-93-0x0000000000400000-0x0000000000628000-memory.dmp

memory/4812-94-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4812-96-0x0000000007390000-0x0000000007391000-memory.dmp

memory/216-102-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1972-101-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1972-103-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1972-104-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1972-105-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1972-106-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1972-110-0x0000000007290000-0x0000000007291000-memory.dmp

memory/4712-114-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2532-113-0x0000000000400000-0x0000000001990000-memory.dmp

memory/2532-117-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4432-127-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1532-130-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4316-140-0x0000000000400000-0x0000000000628000-memory.dmp

memory/2532-145-0x00000000074A0000-0x00000000074A1000-memory.dmp

memory/1144-148-0x0000000000400000-0x0000000000628000-memory.dmp

memory/904-149-0x0000000000400000-0x0000000000446000-memory.dmp

memory/4316-154-0x0000000007260000-0x0000000007261000-memory.dmp

memory/1144-157-0x00000000074F0000-0x00000000074F1000-memory.dmp

memory/1040-159-0x0000000000400000-0x0000000000628000-memory.dmp

memory/4516-164-0x0000000000400000-0x0000000000446000-memory.dmp

memory/3244-167-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1040-163-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4812-170-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1040-177-0x0000000007360000-0x0000000007361000-memory.dmp

memory/3812-182-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2400-189-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1692-194-0x0000000000400000-0x0000000001990000-memory.dmp

memory/4188-204-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1692-201-0x0000000000400000-0x0000000001400000-memory.dmp

memory/3812-206-0x0000000007350000-0x0000000007351000-memory.dmp

memory/4608-209-0x0000000000400000-0x0000000001990000-memory.dmp

memory/2128-219-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1692-224-0x0000000007210000-0x0000000007211000-memory.dmp

memory/4608-226-0x0000000007100000-0x0000000007101000-memory.dmp

memory/2928-243-0x0000000000400000-0x0000000000446000-memory.dmp

memory/3728-248-0x0000000008C40000-0x0000000008C41000-memory.dmp

memory/5112-249-0x0000000007210000-0x0000000007211000-memory.dmp

memory/2532-256-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4316-261-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2144-262-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1040-268-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1144-271-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2192-276-0x000000000F810000-0x000000000F811000-memory.dmp

memory/2392-281-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2392-284-0x0000000000400000-0x0000000000628000-memory.dmp

memory/2100-280-0x0000000000400000-0x0000000000446000-memory.dmp

memory/3812-286-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2392-288-0x0000000007150000-0x0000000007151000-memory.dmp

memory/4368-292-0x0000000000400000-0x0000000001990000-memory.dmp

memory/4160-297-0x0000000000400000-0x0000000000446000-memory.dmp

memory/3144-303-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1008-305-0x0000000000400000-0x0000000000446000-memory.dmp

memory/4368-307-0x0000000007170000-0x0000000007171000-memory.dmp

memory/3144-342-0x0000000008C40000-0x0000000008C41000-memory.dmp

memory/5036-387-0x0000000000400000-0x0000000000446000-memory.dmp

memory/4940-399-0x0000000000400000-0x0000000000446000-memory.dmp