Malware Analysis Report

2024-10-19 01:16

Sample ID 240612-th2jaa1clc
Target a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118
SHA256 525adddf04d091bbaf392dec7c7c6d27c3ca97d772eafa8f36f10ae222de906e
Tags
pony evasion persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

525adddf04d091bbaf392dec7c7c6d27c3ca97d772eafa8f36f10ae222de906e

Threat Level: Known bad

The file a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

pony evasion persistence rat spyware stealer

Modifies WinLogon for persistence

Pony,Fareit

Pony family

Modifies visiblity of hidden/system files in Explorer

Modifies Installed Components in the registry

Drops startup file

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 16:04

Signatures

Pony family

pony

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 16:04

Reported

2024-06-12 16:06

Platform

win7-20240221-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

Pony,Fareit

rat spyware stealer pony

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1812 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 1812 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 1812 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 1812 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 1812 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe
PID 1812 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe
PID 1812 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe
PID 1812 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe
PID 1812 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe
PID 1812 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe
PID 2528 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2528 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2528 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2528 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 1632 wrote to memory of 2680 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1632 wrote to memory of 2680 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1632 wrote to memory of 2680 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1632 wrote to memory of 2680 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1632 wrote to memory of 2680 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1632 wrote to memory of 2680 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2680 wrote to memory of 2568 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 2568 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 2568 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 2568 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 984 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 984 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 984 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 984 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 2864 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 2864 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 2864 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 2864 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 452 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 452 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 452 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 452 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 1776 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 1776 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 1776 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 1776 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 636 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 636 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 636 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 636 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 2428 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 2428 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 2428 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 2428 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 1684 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 1684 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 1684 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 1684 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 1728 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 1728 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 1728 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 1728 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 696 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 696 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 696 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 696 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 2492 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 2492 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 2492 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2680 wrote to memory of 2492 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

Network

N/A

Files

memory/1812-0-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Windows\Parameters.ini

MD5 6687785d6a31cdf9a5f80acb3abc459b
SHA1 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

memory/1812-17-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1812-19-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2528-24-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2528-29-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1812-27-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2528-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2528-20-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\system\explorer.exe

MD5 ddb7730f5318b39640f36e4d5e485d41
SHA1 cecafff0d8abfca8718582cf793323d3d64768b4
SHA256 ebe049f46921e31048abdde19b0f7ace900c7871f0e5b600713713f12f05182c
SHA512 aa70cd93080ca5ed94154670f2c0bdc4133d4df80078aed2407ae0de612bb24e4cde363758775ef9bc519ae6318c39a4f55ea28b66e1234e4e01f2901be963eb

memory/1632-42-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2528-49-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1632-60-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2680-71-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1632-73-0x0000000000400000-0x00000000005D3000-memory.dmp

\Windows\system\spoolsv.exe

MD5 e1a87528b5091b85561ad3bec5844a2b
SHA1 8e528ee87889462d3803b84c0ce8bb202c5b1f7b
SHA256 4fe6fecd941b548b9afef7a9b61284b833e4ad1326d8940e2306f2e471924f2e
SHA512 b8539d3d0f14cd5fe9dfc7ce232e22a5e8d2e1e338ee8547ede246572c5d39a52eb18d3d0dbb95333e66ddfe7055ee4f62a52b366208bf8b23898287a268b3ab

C:\Windows\Parameters.ini

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2680-1805-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2568-1806-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/984-1807-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2428-2242-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1684-2243-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/636-2240-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1776-2235-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/452-2234-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2864-2233-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1728-2673-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2896-2676-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1672-2687-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1884-2686-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/756-2685-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2348-2684-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2488-2683-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1632-2682-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2732-2681-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2404-2680-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2292-2678-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/704-2677-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2492-2675-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/696-2674-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2844-2679-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2956-3401-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1952-3404-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/332-3408-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1952-3407-0x0000000002ED0000-0x000000000302C000-memory.dmp

memory/1808-3403-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1440-3402-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2380-3395-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1956-3394-0x0000000000400000-0x00000000005D3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 16:04

Reported

2024-06-12 16:06

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

Pony,Fareit

rat spyware stealer pony

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3492 set thread context of 4376 N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe
PID 1400 set thread context of 4832 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2316 set thread context of 3216 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2800 set thread context of 4432 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4200 set thread context of 3744 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4500 set thread context of 4916 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2292 set thread context of 4900 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2428 set thread context of 4264 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4872 set thread context of 4064 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4184 set thread context of 3816 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4012 set thread context of 1112 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3976 set thread context of 4928 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4020 set thread context of 672 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1560 set thread context of 4424 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3772 set thread context of 3992 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 320 set thread context of 4432 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3292 set thread context of 4904 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 224 set thread context of 2624 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4952 set thread context of 2560 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3008 set thread context of 1084 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1616 set thread context of 3980 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4688 set thread context of 4632 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3596 set thread context of 3728 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3116 set thread context of 3456 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4452 set thread context of 3576 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 64 set thread context of 2736 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 660 set thread context of 3868 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4496 set thread context of 2364 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3836 set thread context of 888 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5112 set thread context of 4696 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1232 set thread context of 4064 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 652 set thread context of 2188 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4852 set thread context of 892 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 904 set thread context of 2784 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1960 set thread context of 4724 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2932 set thread context of 3140 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3784 set thread context of 1716 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 920 set thread context of 440 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4512 set thread context of 1664 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4052 set thread context of 3764 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1796 set thread context of 3136 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4836 set thread context of 3528 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 556 set thread context of 4144 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3588 set thread context of 4488 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4932 set thread context of 3164 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1460 set thread context of 4040 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1988 set thread context of 5008 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3492 set thread context of 3164 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 5100 set thread context of 4972 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4728 set thread context of 2076 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3652 set thread context of 4304 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3044 set thread context of 4804 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3348 set thread context of 2984 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4800 set thread context of 464 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3492 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 3492 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 3492 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe
PID 3492 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe
PID 3492 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe
PID 3492 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe
PID 3492 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe
PID 4376 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 4376 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 4376 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 1400 wrote to memory of 4832 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1400 wrote to memory of 4832 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1400 wrote to memory of 4832 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1400 wrote to memory of 4832 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1400 wrote to memory of 4832 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4832 wrote to memory of 4948 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 4948 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 4948 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 2316 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 2316 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 2316 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 2800 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 2800 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 2800 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 4200 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 4200 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 4200 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 4500 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 4500 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 4500 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 2292 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 2292 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 2292 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 2428 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 2428 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 2428 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 4872 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 4872 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 4872 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 4184 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 4184 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 4184 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 4012 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 4012 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 4012 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 3976 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 3976 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 3976 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 4020 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 4020 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 4020 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 1560 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 1560 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 1560 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 3772 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 3772 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 3772 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 320 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 320 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 320 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 3292 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 3292 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 3292 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4832 wrote to memory of 224 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a1418590ec2308b80f45853f46d4a1e8_JaffaCakes118.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

Network

Files

memory/3492-0-0x0000000002490000-0x0000000002491000-memory.dmp

C:\Windows\Parameters.ini

MD5 6687785d6a31cdf9a5f80acb3abc459b
SHA1 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

memory/3492-21-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3492-23-0x0000000002490000-0x0000000002491000-memory.dmp

memory/4376-26-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4376-24-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3492-27-0x0000000000400000-0x00000000005D3000-memory.dmp

C:\Windows\System\explorer.exe

MD5 2ae61e0298798617ae4d9d2ad03c532c
SHA1 a3e2c2c4f77da9d66af898dcb58a3c78373b2416
SHA256 4c165887dfae92d3ad6d2a68fc70bc1ffa8f59793119d8638204fa4b84225491
SHA512 0cae730150ef9e51805301f7ed72564065a30b4abcf2c02f733535f432b250e4bb6c04ffe84c699761d8ca4e1fb632d4b3080c3cbd56e86c1ef553e691b06748

memory/4376-63-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1400-69-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4832-74-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1400-75-0x0000000000400000-0x00000000005D3000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 9badc35c0c78129f297767650b767505
SHA1 bf1ea9486a4e615cd98a6e4c782b66894f4afc54
SHA256 265d1a5162dde0cb53b650331988649aeab013ae6e973025fc4d1a0d467df364
SHA512 3526719a2e028b6e94d1fff913f5dae73cfb3e160e1a99415152dea9b747694fd55f0a23d99081e593aea87f7cd08ce05172114f45e60afc56c52322a74452bd

C:\Windows\Parameters.ini

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4948-824-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4832-823-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2316-1008-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4200-1010-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2800-1009-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4500-1157-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2428-1159-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2292-1158-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4184-1357-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4012-1358-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4872-1356-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4020-1550-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1560-1551-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3976-1549-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/320-1697-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3292-1698-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3772-1696-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/224-1820-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4952-1821-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4948-1888-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1616-1894-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2620-1895-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3008-1893-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4688-1902-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3216-1903-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2316-1905-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4432-2000-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3596-1999-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4432-2001-0x0000000000440000-0x0000000000509000-memory.dmp

memory/2800-1997-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3116-2009-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3744-2010-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3744-2013-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4200-2011-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4916-2022-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4900-2032-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2620-2078-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4264-2166-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4064-2185-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3816-2197-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4928-2280-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4264-2344-0x0000000000400000-0x000000000043E000-memory.dmp

memory/672-2359-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4424-2370-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4432-2390-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4904-2542-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2624-2559-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2560-2570-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1084-2583-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4632-2733-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3728-2745-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3456-2836-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3576-2896-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2736-2905-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3868-2911-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3868-2916-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2364-2925-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4696-3043-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4696-3181-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4064-3277-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4064-3389-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2188-3542-0x0000000000400000-0x000000000043E000-memory.dmp

memory/892-3551-0x0000000000400000-0x000000000043E000-memory.dmp

memory/892-3644-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2784-3790-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4724-3801-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2784-3859-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3140-3949-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1716-3958-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1716-3962-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3140-4074-0x0000000000400000-0x000000000043E000-memory.dmp

memory/440-4162-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1664-4235-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1664-4344-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3764-4365-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3136-4447-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3528-4627-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4144-4708-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4144-4710-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4488-4717-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3164-4729-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4040-4736-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3528-4806-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5008-4835-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3164-4850-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2076-4908-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4304-4995-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4804-5063-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2984-5081-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4304-5166-0x0000000000400000-0x000000000043E000-memory.dmp

memory/464-5177-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1604-5202-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4708-5232-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4708-5230-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1800-5283-0x0000000000400000-0x000000000043E000-memory.dmp