Malware Analysis Report

2025-06-16 05:03

Sample ID 240425-z9hs5sfb6y
Target 001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118
SHA256 9be961908d3e404139a1aa7ddeed2b032866dc4e2a6e4f7c3f53901b573f2133
Tags
pony evasion persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9be961908d3e404139a1aa7ddeed2b032866dc4e2a6e4f7c3f53901b573f2133

Threat Level: Known bad

The file 001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

pony evasion persistence rat spyware stealer

Modifies WinLogon for persistence

Pony family

Modifies visiblity of hidden/system files in Explorer

Pony,Fareit

Modifies Installed Components in the registry

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-25 21:24

Signatures

Pony family

pony

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-25 21:24

Reported

2024-04-25 21:27

Platform

win7-20240221-en

Max time kernel

149s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

Pony,Fareit

rat spyware stealer pony

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2492 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 2492 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 2492 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 2492 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 2492 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe
PID 2492 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe
PID 2492 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe
PID 2492 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe
PID 2492 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe
PID 2492 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe
PID 2452 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2452 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2452 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2452 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 328 wrote to memory of 1992 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 328 wrote to memory of 1992 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 328 wrote to memory of 1992 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 328 wrote to memory of 1992 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 328 wrote to memory of 1992 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 328 wrote to memory of 1992 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1992 wrote to memory of 1796 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 1796 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 1796 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 1796 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 844 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 844 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 844 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 844 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 1816 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 1816 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 1816 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 1816 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 1084 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 1084 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 1084 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 1084 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 2024 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 2024 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 2024 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 2024 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 2636 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 2636 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 2636 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 2636 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 2840 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 2840 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 2840 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 2840 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 940 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 940 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 940 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 940 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 2232 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 2232 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 2232 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 2232 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 2764 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 2764 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 2764 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 2764 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 1056 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 1056 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 1056 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1992 wrote to memory of 1056 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

Network

N/A

Files

memory/2492-0-0x00000000003A0000-0x00000000003A1000-memory.dmp

C:\Windows\Parameters.ini

MD5 6687785d6a31cdf9a5f80acb3abc459b
SHA1 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

memory/2492-17-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2492-19-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/2452-20-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2452-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2452-24-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2492-27-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2452-28-0x0000000000400000-0x000000000043E000-memory.dmp

\Windows\system\explorer.exe

MD5 962bd5eedb4c774a8174b9a3a8d731dd
SHA1 aa3867911f64a071c8b36968efba24625cb52644
SHA256 a18a5d2deb31bd19f34ae8fe216a81d1b65819b014b9a7d56aa22f0841f0bcca
SHA512 0b6af64ec644a47966c9b4929c525a45404a63b824b3752c4abac723e9c9b1c3457900c0ba4716f7300640fd41301255671a978fa8ccbf394dd4d83213034473

memory/328-41-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2452-49-0x0000000000400000-0x000000000043E000-memory.dmp

memory/328-60-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/328-62-0x0000000000220000-0x0000000000221000-memory.dmp

memory/328-71-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1992-75-0x0000000000400000-0x000000000043E000-memory.dmp

\Windows\system\spoolsv.exe

MD5 30a890b1a038f4df491149f937626cb5
SHA1 c913c61ff396fd04a2d4ec20870930567e268451
SHA256 2e33d78b211e73256a42169e8bd53d482847ba5b73e4b992c3fc535a6a98c5ac
SHA512 512f40d90638d19fb95ed1656f1cdb02569e0362e97e122f37128819889fb3def1efdeb34f784b659070ebd7c6cd5da3ab579e9cd79296c47a592152428b86d0

memory/1796-86-0x0000000000220000-0x0000000000221000-memory.dmp

memory/844-113-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1816-150-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1084-198-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2024-263-0x0000000000320000-0x0000000000321000-memory.dmp

C:\Windows\Parameters.ini

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2840-351-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/940-387-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2232-428-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1992-469-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2764-470-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1796-511-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1056-512-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/844-553-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1508-554-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1816-595-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2908-596-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1084-637-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1680-638-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1492-680-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2024-679-0x0000000000320000-0x0000000000321000-memory.dmp

memory/2224-721-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/2840-759-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2996-760-0x0000000000220000-0x0000000000221000-memory.dmp

memory/940-801-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1136-802-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/1128-843-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2764-884-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1664-885-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1056-927-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2244-928-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1508-969-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2720-970-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1796-1011-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2908-1012-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2204-1013-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/844-1055-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1680-1054-0x0000000000220000-0x0000000000221000-memory.dmp

memory/944-1056-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1492-1095-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/1816-1136-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2224-1137-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/2684-1138-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1084-1179-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2996-1180-0x0000000000220000-0x0000000000221000-memory.dmp

memory/856-1181-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2024-1221-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1136-1222-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/1128-1263-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1612-1264-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2636-1304-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2840-1345-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2244-1346-0x0000000000230000-0x0000000000231000-memory.dmp

memory/940-1387-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2720-1388-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2068-1389-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2232-1430-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2204-1431-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2764-1472-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/944-1473-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1512-1474-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/1056-1515-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1800-1516-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1508-1557-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2684-1558-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2908-1599-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/856-1611-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1680-1600-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2852-1612-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/1492-1643-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2224-1644-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2996-1679-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1612-1680-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1136-1721-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1128-1762-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1664-1763-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2616-1764-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/2244-1806-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2720-1807-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2068-1808-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1860-1809-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2204-1850-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2176-1851-0x0000000000220000-0x0000000000221000-memory.dmp

memory/944-1893-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2904-1937-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2684-1938-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/856-1981-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2668-2023-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1612-2067-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1864-2109-0x0000000000400000-0x00000000005D3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-25 21:24

Reported

2024-04-25 21:27

Platform

win10v2004-20240412-en

Max time kernel

143s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

Pony,Fareit

rat spyware stealer pony

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4392 set thread context of 5012 N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe
PID 4348 set thread context of 5112 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1392 set thread context of 5964 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1296 set thread context of 6088 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1388 set thread context of 5144 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 380 set thread context of 5164 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 784 set thread context of 5304 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1676 set thread context of 5384 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1436 set thread context of 5412 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3680 set thread context of 5564 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3816 set thread context of 5680 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4312 set thread context of 5752 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 216 set thread context of 5920 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2796 set thread context of 1608 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3540 set thread context of 6072 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4736 set thread context of 4468 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3048 set thread context of 4268 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2368 set thread context of 740 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4680 set thread context of 4556 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1248 set thread context of 5264 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2972 set thread context of 5524 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2644 set thread context of 5648 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 744 set thread context of 5700 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3996 set thread context of 5768 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3476 set thread context of 5836 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2876 set thread context of 5900 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 396 set thread context of 5772 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4760 set thread context of 3132 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4872 set thread context of 4768 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5008 set thread context of 2096 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4200 set thread context of 6076 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1460 set thread context of 4828 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2996 set thread context of 3848 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2060 set thread context of 4664 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5168 set thread context of 5160 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5528 set thread context of 1044 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5840 set thread context of 440 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4392 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 4392 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 4392 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe
PID 4392 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe
PID 4392 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe
PID 4392 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe
PID 4392 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe
PID 5012 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 5012 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 5012 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 4348 wrote to memory of 5112 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4348 wrote to memory of 5112 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4348 wrote to memory of 5112 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4348 wrote to memory of 5112 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4348 wrote to memory of 5112 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 5112 wrote to memory of 1392 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 1392 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 1392 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 1296 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 1296 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 1296 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 1388 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 1388 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 1388 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 380 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 380 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 380 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 784 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 784 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 784 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 1676 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 1676 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 1676 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 1436 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 1436 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 1436 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 3680 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 3680 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 3680 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 3816 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 3816 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 3816 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 4312 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 4312 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 4312 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 216 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 216 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 216 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 2796 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 2796 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 2796 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 3540 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 3540 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 3540 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 4736 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 4736 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 4736 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 3048 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 3048 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 3048 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 2368 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 2368 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 2368 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5112 wrote to memory of 4680 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\001b557e9b3c5e946cdbd9ec1bee9311_JaffaCakes118.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 198.32.209.4.in-addr.arpa udp
US 8.8.8.8:53 163.233.34.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 38.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 219.138.73.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/4392-0-0x0000000002370000-0x0000000002371000-memory.dmp

C:\Windows\Parameters.ini

MD5 6687785d6a31cdf9a5f80acb3abc459b
SHA1 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

memory/4392-41-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4392-43-0x0000000002370000-0x0000000002371000-memory.dmp

memory/5012-44-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5012-46-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4392-49-0x0000000000400000-0x00000000005D3000-memory.dmp

C:\Windows\System\explorer.exe

MD5 b98fc04520b42f20b679160909b18472
SHA1 b425520b2221fa8a17dd3333576396c2862c54c7
SHA256 239f409fc89523dca89e0557a068bc0fcb233c9f5296925510ec628c878402b1
SHA512 6d07987f5023fa0a08a8c027ee1b5b602125ccb85fc0ce4bb0915a2dc1b16348347df89173fdbe99d18dca49b789db3bf6a909299b1b9ec7040ffbb94a617b81

memory/4348-57-0x0000000002340000-0x0000000002341000-memory.dmp

memory/5012-79-0x0000000000440000-0x0000000000509000-memory.dmp

memory/5012-80-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4348-91-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4348-93-0x0000000002340000-0x0000000002341000-memory.dmp

memory/4348-98-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/5112-97-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 83b17abda23308eb05e211383ab1f913
SHA1 dd1c74269327b5af01ac510eaea597ad7ef5ad1e
SHA256 45e0031f37e437dba7eaa5ff60baae20ded4166e727c1434a950fc06b327559c
SHA512 257ccec8d4e765de5fb1e927a36eba445d456e1c725847b312c496f1228e8442e66bf99fd50526b83f151488dcb34f64b01ad2df7ef6178e1a1569e848485bc1

memory/1392-107-0x0000000002310000-0x0000000002311000-memory.dmp

memory/1296-157-0x0000000002200000-0x0000000002201000-memory.dmp

memory/1388-207-0x0000000000860000-0x0000000000861000-memory.dmp

memory/380-274-0x0000000000680000-0x0000000000681000-memory.dmp

memory/784-341-0x0000000000730000-0x0000000000731000-memory.dmp

C:\Windows\Parameters.ini

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1676-413-0x0000000002210000-0x0000000002211000-memory.dmp

memory/1436-496-0x00000000020C0000-0x00000000020C1000-memory.dmp

memory/3680-573-0x0000000002300000-0x0000000002301000-memory.dmp

memory/3816-633-0x0000000000870000-0x0000000000871000-memory.dmp

memory/4312-701-0x0000000000690000-0x0000000000691000-memory.dmp

memory/5112-700-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1392-768-0x0000000002310000-0x0000000002311000-memory.dmp

memory/216-769-0x0000000000760000-0x0000000000761000-memory.dmp

memory/2796-846-0x0000000002200000-0x0000000002201000-memory.dmp

memory/1296-845-0x0000000002200000-0x0000000002201000-memory.dmp

memory/1392-913-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1388-914-0x0000000000860000-0x0000000000861000-memory.dmp

memory/3540-915-0x0000000000760000-0x0000000000761000-memory.dmp

memory/380-981-0x0000000000680000-0x0000000000681000-memory.dmp

memory/4736-982-0x0000000000770000-0x0000000000771000-memory.dmp

memory/784-1047-0x0000000000730000-0x0000000000731000-memory.dmp

memory/3048-1049-0x0000000000760000-0x0000000000761000-memory.dmp

memory/1296-1110-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1676-1116-0x0000000002210000-0x0000000002211000-memory.dmp

memory/2368-1117-0x0000000002320000-0x0000000002321000-memory.dmp

memory/1388-1183-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/380-1184-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1436-1185-0x00000000020C0000-0x00000000020C1000-memory.dmp

memory/4680-1186-0x0000000000760000-0x0000000000761000-memory.dmp

memory/784-1237-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3680-1238-0x0000000002300000-0x0000000002301000-memory.dmp

memory/1248-1244-0x0000000002200000-0x0000000002201000-memory.dmp

memory/1676-1290-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2644-1292-0x0000000000770000-0x0000000000771000-memory.dmp

memory/3816-1291-0x0000000000870000-0x0000000000871000-memory.dmp

memory/1436-1353-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2972-1360-0x0000000000760000-0x0000000000761000-memory.dmp

memory/4312-1359-0x0000000000690000-0x0000000000691000-memory.dmp

memory/3680-1406-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/216-1407-0x0000000000760000-0x0000000000761000-memory.dmp

memory/744-1408-0x0000000002310000-0x0000000002311000-memory.dmp

memory/3816-1480-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2796-1479-0x0000000002200000-0x0000000002201000-memory.dmp

memory/3996-1481-0x0000000000640000-0x0000000000641000-memory.dmp

memory/3540-1562-0x0000000000760000-0x0000000000761000-memory.dmp

memory/3476-1563-0x0000000002200000-0x0000000002201000-memory.dmp

memory/4312-1619-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2876-1621-0x0000000000770000-0x0000000000771000-memory.dmp

memory/4736-1620-0x0000000000770000-0x0000000000771000-memory.dmp

memory/216-1687-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3048-1688-0x0000000000760000-0x0000000000761000-memory.dmp

memory/396-1689-0x0000000000860000-0x0000000000861000-memory.dmp

memory/2796-1766-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4760-1768-0x0000000000750000-0x0000000000751000-memory.dmp

memory/2368-1767-0x0000000002320000-0x0000000002321000-memory.dmp

memory/4680-1826-0x0000000000760000-0x0000000000761000-memory.dmp

memory/3540-1825-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4872-1832-0x0000000000760000-0x0000000000761000-memory.dmp

memory/4736-1898-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/5008-1900-0x0000000000780000-0x0000000000781000-memory.dmp

memory/1248-1899-0x0000000002200000-0x0000000002201000-memory.dmp

memory/3048-1952-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2644-1953-0x0000000000770000-0x0000000000771000-memory.dmp

memory/1460-1954-0x0000000002200000-0x0000000002201000-memory.dmp

memory/2368-1955-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2972-2028-0x0000000000760000-0x0000000000761000-memory.dmp

memory/4200-2029-0x0000000000750000-0x0000000000751000-memory.dmp

memory/4680-2095-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/744-2096-0x0000000002310000-0x0000000002311000-memory.dmp

memory/2996-2097-0x0000000002200000-0x0000000002201000-memory.dmp

memory/1248-2169-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3996-2170-0x0000000000640000-0x0000000000641000-memory.dmp

memory/2060-2171-0x0000000000750000-0x0000000000751000-memory.dmp

memory/2644-2238-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3476-2239-0x0000000002200000-0x0000000002201000-memory.dmp

memory/5168-2240-0x0000000000860000-0x0000000000861000-memory.dmp

memory/2972-2317-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2876-2318-0x0000000000770000-0x0000000000771000-memory.dmp

memory/744-2385-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3996-2386-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/396-2393-0x0000000000860000-0x0000000000861000-memory.dmp

memory/5840-2399-0x0000000000690000-0x0000000000691000-memory.dmp

memory/3476-2404-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1392-2403-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2876-2406-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/396-2415-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1296-2421-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4760-2422-0x0000000000400000-0x00000000005D3000-memory.dmp