Malware Analysis Report

2024-09-22 17:33

Sample ID 240614-efc1ksyalk
Target a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118
SHA256 5e9df29e20efde9c58245487b302a0a5c95b7f61941e96883a79a6f6b6ebd9b2
Tags
pony persistence rat spyware stealer evasion
score
10/10

Analysis Overview

score
10/10

SHA256

5e9df29e20efde9c58245487b302a0a5c95b7f61941e96883a79a6f6b6ebd9b2

Threat Level: Known bad

The file a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe was found to be: Known bad.

Reading the two detonations together: the sample starts a second copy of itself and writes into it (in the Windows 10 run it also calls SetThreadContext on that copy), then drops c:\windows\system\explorer.exe, which spawns c:\windows\system\spoolsv.exe, and that pair keeps re-spawning for the rest of the run. The memory dumps show the original image mapped at 0x400000-0x5D3000 in each parent but only 0x400000-0x43E000 in the copy it wrote to, so the child is no longer running the image it was started from, which is consistent with process hollowing. C:\Windows\System is the legacy Windows 3.x/9x system folder and holds no executables on a normal NT install, so an explorer.exe, spoolsv.exe or svchost.exe there is an indicator on its own. Persistence uses four hooks: Winlogon\Shell (the real C:\Windows\explorer.exe is kept and the dropped copy is appended after a comma), an Active Setup StubPath under a component name that is not a valid GUID (it contains letters outside 0-9A-F), two RunOnce values, and a copy of the sample in the user's Startup folder. The StubPath target mrsys.exe and the RunOnce target c:\windows\system\svchost.exe were not among the files written in the Windows 7 run. That run produced no network traffic (Network: N/A), so nothing in this report shows a C2 address or exfiltration; the Pony/Fareit label comes from the sandbox's family signatures, not from observed stealer traffic.

Malicious Activity Summary

pony persistence rat spyware stealer evasion

Pony family

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Pony,Fareit

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Drops startup file

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 03:52

Signatures

Pony family

pony

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 03:52

Reported

2024-06-14 03:55

Platform

win7-20240611-en

Max time kernel

57s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Pony,Fareit

rat spyware stealer pony

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Parameters.ini C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2420 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe C:\Windows\splwow64.exe (4 identical rows)
PID 2420 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe (6 identical rows)
PID 2748 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe \??\c:\windows\system\explorer.exe (4 identical rows)
PID 2468 wrote to memory of 1864 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe (6 identical rows)
PID 1864 wrote to memory of 732 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe (4 identical rows)

Every row here is a parent writing into a child it has just created, which is what any CreateProcess produces, so the table doubles as the process lineage: sample (2420) -> second copy of the sample (2748) -> c:\windows\system\explorer.exe (2468) -> a second explorer.exe (1864) -> c:\windows\system\spoolsv.exe (732). splwow64.exe (3008, started with the usual argument 12288) is the print-driver host that 64-bit Windows runs for 32-bit processes; it being spawned by the sample is a side effect of the 32-bit sample touching the print subsystem, not injection into a system process. The rows worth attention are the two in which parent and child share an image, 2420 -> 2748 and 2468 -> 1864: in the Files section both children have a 0x400000-0x43E000 dump where their parents have 0x400000-0x5D3000, so the child no longer maps the image it was created from, and the Windows 10 run shows the matching SetThreadContext calls.

Processes

C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

[the image/command-line pair above is repeated 78 times consecutively in the original process listing; the remaining entries follow in their original order]

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

Network

N/A

Files

memory/2420-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

C:\Windows\Parameters.ini

MD5 6687785d6a31cdf9a5f80acb3abc459b
SHA1 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

memory/2420-17-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2420-19-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2748-24-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2420-29-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2748-28-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2748-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2748-20-0x0000000000400000-0x000000000043E000-memory.dmp

\Windows\system\explorer.exe

MD5 a7de108f43c3601c988c4bbb3bfef325
SHA1 1c5cf14561c52b13200f3d58b41ae023143b44a1
SHA256 fac7c8e436650aaac6793d188b018170e5bf8e2bfb2db02e3c6221688955466d
SHA512 ae97be0ee9b3796a020b2a1bf3bfc0f52c738ee539038162e43e9dc5e632b5e57725d7af01fca43953d5ab6a3a2ed280808b9234de8f3a88b5bfd5aa4100d4af

memory/2468-42-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2748-49-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2468-60-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2468-70-0x0000000000400000-0x00000000005D3000-memory.dmp

\Windows\system\spoolsv.exe

MD5 abd6890ccd8e82d26986b073c791be4e
SHA1 9b2712cca90c1be96e03214734651a9c65938e3e
SHA256 7c4726eae7f98f7b541962c7bda8bffb171407fab00563fd4af2f924a6fc6d76
SHA512 ce26e0eff8a90a8a3b420090facc76b03accdf995d5a5b32184d3a3d75eeb2806147f55c36af77a2491a757dad97fef0d4070a4b24f0f9847f8e0fca5ef2a703

C:\Windows\Parameters.ini (second capture; these are the digests of a zero-byte file, so Parameters.ini was empty when the sandbox hashed it this time)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2304-1381-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2364-1380-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2768-1379-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/732-1373-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1864-1372-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2644-1662-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2484-1663-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2292-1661-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2040-1664-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2096-1660-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2956-1924-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2952-1927-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2468-1930-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2636-1929-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2540-1926-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1244-1925-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2652-1928-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2324-1923-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1744-2194-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2668-2199-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2688-2203-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2784-2200-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3040-2198-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1276-2202-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1504-2197-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1840-2196-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1852-2195-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1492-2201-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2248-2445-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1704-2443-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1576-2444-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3244-3002-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3364-3015-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3244-3020-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3280-3077-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3144-3104-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3144-3141-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4656-3174-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4596-3198-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5044-3252-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4596-3298-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4268-3335-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4192-3323-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 03:52

Reported

2024-06-14 03:55

Platform

win10v2004-20240611-en

Max time kernel

145s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

Pony,Fareit

rat spyware stealer pony

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A (2 consecutive rows)
N/A N/A \??\c:\windows\system\spoolsv.exe N/A (33 consecutive rows)
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A (5 consecutive rows)
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A (7 consecutive rows)
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A (6 consecutive rows)
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A (5 consecutive rows)
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
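The four registry persistence values recorded in both runs (Winlogon\Shell, the Active Setup StubPath and the two RunOnce entries) can be checked mechanically. The Python below is an added example written for this report, not sandbox output and not code from the sample: it carries the registry data copied from the behavioral1/behavioral2 tables (with the Wow6432Node segment removed), validates the Active Setup component name as a GUID, splits the Winlogon Shell list and flags anything beyond the stock explorer.exe, and flags well-known binary names outside their canonical directories or inside the legacy C:\Windows\System folder. The canonical-directory table and the AppData heuristic are this example's assumptions, not something the report states.

```python
import re
from typing import Dict, List, Tuple

# Registry values copied from the behavioral1/behavioral2 signature tables in this
# report. The Wow6432Node segment is dropped from the key paths: the sample is a
# 32-bit PE, so the sandbox logged the redirected view, but the checks are identical.
OBSERVED_VALUES: Dict[str, str] = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell":
        r"C:\Windows\explorer.exe, c:\windows\system\explorer.exe",
    r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
    r"\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath":
        r"C:\Users\Admin\AppData\Roaming\mrsys.exe MR",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Explorer":
        r"c:\windows\system\explorer.exe RO",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Svchost":
        r"c:\windows\system\svchost.exe RO",
}

# Active Setup component subkeys are GUIDs in registry format; anything else was
# typed by hand by whoever created the key.
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)

# Assumed table of where these well-known binaries legitimately live (lower-case).
CANONICAL_DIRS: Dict[str, set] = {
    "explorer.exe": {r"c:\windows"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}


def split_command(value: str) -> Tuple[str, str]:
    """Split an autorun command string into (image path, arguments)."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end], value[end + 1:].strip()
    parts = value.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def image_findings(path: str) -> List[str]:
    """Reasons an executable path is suspicious; empty list if none apply."""
    p = path.strip().lower().replace("/", "\\")
    directory, _, name = p.rpartition("\\")
    reasons = []
    # C:\Windows\System is a Windows 3.x/9x leftover; on NT it normally holds no executables.
    if directory == r"c:\windows\system":
        reasons.append("executable placed in legacy C:\\Windows\\System directory")
    canon = CANONICAL_DIRS.get(name)
    if canon and directory not in canon:
        reasons.append(f"{name} outside its canonical directory ({', '.join(sorted(canon))})")
    # Heuristic (assumption): a machine-wide autorun pointing into a user profile
    # targets a file that user can overwrite.
    if "\\appdata\\" in directory + "\\":
        reasons.append("autorun target lives under a user profile AppData directory")
    return reasons


def winlogon_shell_extras(value: str) -> List[str]:
    """Entries in Winlogon\\Shell other than the default explorer.exe."""
    extras = []
    for entry in value.split(","):
        image, _ = split_command(entry)
        if image.lower() not in ("explorer.exe", r"c:\windows\explorer.exe"):
            extras.append(image)
    return extras


def triage(values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (key, reason) findings for a mapping of value path -> value data."""
    findings = []
    for key, data in values.items():
        lowered = key.lower()
        if lowered.endswith("\\winlogon\\shell"):
            for extra in winlogon_shell_extras(data):
                findings.append((key, f"extra shell entry {extra}"))
                findings.extend((key, r) for r in image_findings(extra))
            continue
        if "\\active setup\\installed components\\" in lowered:
            component = key.rsplit("\\", 2)[-2]  # the {...} subkey name
            if not GUID_RE.match(component):
                findings.append((key, f"Active Setup component {component} is not a valid GUID"))
        image, _ = split_command(data)
        findings.extend((key, r) for r in image_findings(image))
    return findings


if __name__ == "__main__":
    for key, reason in triage(OBSERVED_VALUES):
        print(f"{reason}\n    {key}")
```

Run against the four observed values it reports nine findings: the appended Winlogon Shell entry and its bad location, the non-GUID Active Setup component plus its AppData target, and the legacy-directory and wrong-directory hits for both RunOnce targets. To hunt on a live host, feed `triage` a dict built from `reg query` or Sysmon event 13 (registry value set) data in the same value-path -> data shape.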

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3736 set thread context of 2732 N/A C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe
PID 5076 set thread context of 2052 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2936 set thread context of 752 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4032 set thread context of 748 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 700 set thread context of 5056 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 808 set thread context of 5076 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4024 set thread context of 1508 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3480 set thread context of 2980 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3468 set thread context of 4048 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3272 set thread context of 4200 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4648 set thread context of 3608 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2908 set thread context of 2884 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4652 set thread context of 2984 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2308 set thread context of 1676 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3444 set thread context of 4792 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2640 set thread context of 860 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3820 set thread context of 184 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4920 set thread context of 3672 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4344 set thread context of 2212 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4272 set thread context of 3852 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4876 set thread context of 2424 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2560 set thread context of 1796 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5112 set thread context of 64 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3484 set thread context of 1936 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5088 set thread context of 3588 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4984 set thread context of 428 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3948 set thread context of 4888 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4000 set thread context of 1064 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4220 set thread context of 1360 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2436 set thread context of 4536 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4700 set thread context of 2696 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4084 set thread context of 448 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3096 set thread context of 5072 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4880 set thread context of 3512 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4028 set thread context of 2812 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3168 set thread context of 2664 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4040 set thread context of 2388 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4656 set thread context of 848 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1388 set thread context of 2412 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1368 set thread context of 5044 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3524 set thread context of 3552 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4632 set thread context of 4460 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3716 set thread context of 3968 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4856 set thread context of 3664 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4448 set thread context of 3304 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 340 set thread context of 4280 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3164 set thread context of 4528 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2456 set thread context of 5008 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3692 set thread context of 4672 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4180 set thread context of 392 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2480 set thread context of 4540 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1236 set thread context of 3264 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1564 set thread context of 3392 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1484 set thread context of 2264 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3908 set thread context of 4772 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3736 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 3736 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 3736 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe
PID 3736 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe
PID 3736 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe
PID 3736 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe
PID 3736 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe
PID 2732 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2732 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2732 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 5076 wrote to memory of 2052 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 5076 wrote to memory of 2052 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 5076 wrote to memory of 2052 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 5076 wrote to memory of 2052 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 5076 wrote to memory of 2052 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2052 wrote to memory of 2936 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 2936 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 2936 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 4032 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 4032 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 4032 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 700 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 700 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 700 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 808 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 808 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 808 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 4024 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 4024 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 4024 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 3480 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 3480 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 3480 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 3468 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 3468 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 3468 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 3272 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 3272 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 3272 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 4648 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 4648 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 4648 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 2908 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 2908 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 2908 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 4652 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 4652 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 4652 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 2308 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 2308 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 2308 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 3444 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 3444 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 3444 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 2640 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 2640 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 2640 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 3820 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 3820 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 3820 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 4920 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 4920 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 4920 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2052 wrote to memory of 4344 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a7e929d3bf41f075b2f0e5000075d3ad_JaffaCakes118.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 102.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 52.111.227.14:443 N/A tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/3736-0-0x00000000007B0000-0x00000000007B1000-memory.dmp

C:\Windows\Parameters.ini

MD5 6687785d6a31cdf9a5f80acb3abc459b
SHA1 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

memory/3736-26-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3736-28-0x00000000007B0000-0x00000000007B1000-memory.dmp

memory/2732-29-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2732-30-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3736-33-0x0000000000400000-0x00000000005D3000-memory.dmp

C:\Windows\System\explorer.exe

MD5 c76cd319d6d395bc81aaa7a2bfa19580
SHA1 c5a730d48df7d1ebc9b60d72eab1e3a39efd3e62
SHA256 21b053e3659019980f8f7e70dcff8e819d6c4b4dd09fe32c834a3c7bedddf774
SHA512 1114501cc99fa5ea255f68b21cb8ea0e2e5721d259d503a9aed74e57d68c44aa841d8d45a8f4e036d693ca32a69e1315c341bb8fefce1ddfe21a055e5fafa2c8

C:\Windows\System\spoolsv.exe

MD5 a55b87f8b8a618bb4982004f1b5fecb3
SHA1 bf2a82f359c3081d7afbab3cb18c1165eb86e7e3
SHA256 f5cabec497ddbd578cc61ac7845250b714a1e9104ea2ab0be2c40a5997bbb701
SHA512 2605d7480d038777955e4fb6bfb104b43146ddbf3ebf0e88f81caf5f212c8af3845d4feba7985ae080b75a5c5786bba06d0a04e76c519c0a505d08c6aa2be804

C:\Windows\Parameters.ini

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
