Analysis
max time kernel: 144s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 08:31

Behavioral task: behavioral1
Sample: a8bf771808e89aa6084c5091a6ce9b2f_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: a8bf771808e89aa6084c5091a6ce9b2f_JaffaCakes118.exe
Size: 2.2MB
MD5: a8bf771808e89aa6084c5091a6ce9b2f
SHA1: 5888caf9cadad17440909324b52f0e6903fc721d
SHA256: 9925e19a07d20610e98857b910206f0067710cf539157110ee0cc789fd802ccb
SHA512: 0fd940b3c1359ecbfe5a948886657160a6d1c2b58d26e19a17b71d04018a03e2a1c6978322e9d31ef1ad83a0aa0a7b334769cc42db8d02782225ebfc4a22de39
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZr:0UzeyQMS4DqodCnoe+iitjWww3
Malware Config
Extracted
Family: pony
C2: http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Note: Pony (also tracked as Fareit) is a credential stealer; gate.php is the panel endpoint it posts harvested credentials to, and payload_url is a second stage the configuration points at. Nothing in the sections below shows that second stage being fetched or run, so treat the URL as a network indicator rather than as observed behaviour.
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: explorer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
  Note: the stock Shell value is just "explorer.exe". Appending a second path keeps the real desktop working and starts the dropped copy at every interactive logon. The value lands in the WOW6432Node view because the writer is a 32-bit process (the report carries the arch:x86 tag on an x64 image); when triaging a host, read the native Winlogon key as well and do not assume either view is the only one in use.

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Process: explorer.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  Note: 0 is also the Windows default ("Hide protected operating system files" enabled), so this write only re-asserts that a file carrying the hidden+system attributes stays invisible in Explorer. On its own it is a weak signal; it matters here because of the files dropped alongside it.

Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Process: explorer.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
  Note: Active Setup runs each component's StubPath once per user at logon, so this starts mrsys.exe for every account that logs on to the machine. The subkey name is not a valid GUID (Y, O, T, R, W, U, G, H and S are not hex digits); Active Setup only compares subkey names and versions between HKLM and HKCU, so the entry still fires, but the malformed name is a cheap hunting signal. No creation of mrsys.exe appears in this report's file tables.

Drops startup file (2 IoCs)
Process: a8bf771808e89aa6084c5091a6ce9b2f_JaffaCakes118.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8bf771808e89aa6084c5091a6ce9b2f_JaffaCakes118.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8bf771808e89aa6084c5091a6ce9b2f_JaffaCakes118.exe

Executes dropped EXE (24 IoCs)
Process: explorer.exe (c:\windows\system\explorer.exe), 24 instances
  PIDs: 3680, 4948, 3884, 4744, 2740, 744, 3868, 4908, 3876, 1484, 3360, 2592, 4260, 3600, 3180, 2528, 2672, 3608, 3276, 1100, 4236, 404, 4444, 1808
  Note: PID 3600 is also the PID of the original sample in the injection tables below; PIDs are reused within the run, so correlate on (PID, image, start time) rather than on PID alone.

Adds Run key to start application (2 TTPs, 2 IoCs)
Process: explorer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
  Note: c:\windows\system is the legacy 16-bit directory, not System32; no genuine explorer.exe, svchost.exe or spoolsv.exe lives there. RunOnce values are deleted once they have run, so on a live host the persistence may only be visible in the Winlogon and Active Setup keys above. The same binaries are started with single-letter modes (RO here, SE and MR elsewhere in this report), which is worth encoding in command-line detections.
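As a host-side follow-up to the registry signatures above, here is an added example (mine, not part of the Triage report and not the malware's code) that encodes them as checks over registry-write triples, the shape a sandbox registry log, an EDR event or a parsed `reg export` gives you. The five writes are the ones listed above with the \REGISTRY\MACHINE and \REGISTRY\USER prefixes shortened to HKLM/HKU; the rule names, the list of suspicious directory markers and the GUID format check are my assumptions.

```python
"""Registry-persistence checks for the IoCs in this report.

Added example: the rules and helpers are mine, not Triage's or the malware's.
Input is a list of (key, value_name, data) triples. REPORT_WRITES holds the
five writes listed under Signatures, with \\REGISTRY\\MACHINE and
\\REGISTRY\\USER shortened to HKLM and HKU.
"""
import re
from typing import List, Tuple

Write = Tuple[str, str, str]          # (key path, value name, data)
Finding = Tuple[str, str, str, str]   # (rule, key path, value name, detail)

GUID_RE = re.compile(
    r"^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$"
)

# Directories an autorun entry should not normally point into (assumption).
# The last marker is the legacy 16-bit folder c:\windows\system\ (not System32).
SUSPICIOUS_DIR_MARKERS = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\", "\\windows\\system\\")

REPORT_WRITES: List[Write] = [
    (r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "shell", r"C:\Windows\explorer.exe, c:\windows\system\explorer.exe"),
    (r"HKU\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "ShowSuperHidden", "0"),
    (r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}",
     "StubPath", r"C:\Users\Admin\AppData\Roaming\mrsys.exe MR"),
    (r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
     "Explorer", r"c:\windows\system\explorer.exe RO"),
    (r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
     "Svchost", r"c:\windows\system\svchost.exe RO"),
]


def image_path(command: str) -> str:
    """First token of a command line: the quoted path if it starts with a quote, else up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def in_suspicious_dir(path: str) -> bool:
    return any(marker in path.lower() for marker in SUSPICIOUS_DIR_MARKERS)


def winlogon_shell_extras(data: str) -> List[str]:
    """Entries in a comma-separated Winlogon Shell value other than the stock explorer.exe."""
    entries = [e.strip() for e in data.split(",") if e.strip()]
    return [e for e in entries if image_path(e).lower() not in ("explorer.exe", r"c:\windows\explorer.exe")]


def analyze(writes: List[Write]) -> List[Finding]:
    """Apply one rule per persistence location; returns every finding, not just the first."""
    findings: List[Finding] = []
    for key, name, data in writes:
        k, n = key.lower(), name.lower()
        if k.endswith("\\winlogon") and n == "shell":
            for extra in winlogon_shell_extras(data):
                findings.append(("winlogon_shell_extra_entry", key, name, extra))
        elif k.endswith("\\explorer\\advanced") and n == "showsuperhidden" and data.strip() == "0":
            findings.append(("hides_protected_os_files", key, name, data))
        elif "\\active setup\\installed components\\" in k:
            component = key.rsplit("\\", 1)[1]
            if not GUID_RE.match(component):
                findings.append(("active_setup_malformed_guid", key, name, component))
            if n == "stubpath" and in_suspicious_dir(image_path(data)):
                findings.append(("active_setup_stub_in_user_dir", key, name, image_path(data)))
        elif k.endswith("\\run") or k.endswith("\\runonce"):
            if in_suspicious_dir(image_path(data)):
                findings.append(("autorun_from_suspicious_dir", key, name, image_path(data)))
    return findings


if __name__ == "__main__":
    for rule, key, name, detail in analyze(REPORT_WRITES):
        print(f"{rule:32} {name:16} {detail}")
```

Run against the report's writes this yields six findings: the extra Winlogon shell entry, the ShowSuperHidden reset, the malformed Active Setup GUID plus its StubPath under AppData, and the two RunOnce values under c:\windows\system. Feeding it a host's own exported keys is the obvious next step; the ShowSuperHidden rule will fire on every default install, so weight it low.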
Suspicious use of SetThreadContext (55 IoCs)
parent PID (image) -> target PID (image). Every row is a process setting the thread context of a child it has just created from its own image; together with the WriteProcessMemory rows below this is the process-hollowing sequence, and it repeats for the original sample, for every explorer.exe copy and for every spoolsv.exe copy.
  3600 a8bf771808e89aa6084c5091a6ce9b2f_JaffaCakes118.exe -> 4164 a8bf771808e89aa6084c5091a6ce9b2f_JaffaCakes118.exe
  3680 explorer.exe -> 4948 explorer.exe
  1428 spoolsv.exe -> 2764 spoolsv.exe
  4844 spoolsv.exe -> 1256 spoolsv.exe
  4604 spoolsv.exe -> 4788 spoolsv.exe
  752 spoolsv.exe -> 4648 spoolsv.exe
  1412 spoolsv.exe -> 1824 spoolsv.exe
  4368 spoolsv.exe -> 2932 spoolsv.exe
  1788 spoolsv.exe -> 1888 spoolsv.exe
  3152 spoolsv.exe -> 1220 spoolsv.exe
  3748 spoolsv.exe -> 3512 spoolsv.exe
  184 spoolsv.exe -> 4004 spoolsv.exe
  400 spoolsv.exe -> 2520 spoolsv.exe
  2904 spoolsv.exe -> 2628 spoolsv.exe
  1056 spoolsv.exe -> 4136 spoolsv.exe
  4952 spoolsv.exe -> 4768 spoolsv.exe
  264 spoolsv.exe -> 4336 spoolsv.exe
  436 spoolsv.exe -> 3596 spoolsv.exe
  3776 spoolsv.exe -> 4156 spoolsv.exe
  1052 spoolsv.exe -> 4708 spoolsv.exe
  2832 spoolsv.exe -> 1588 spoolsv.exe
  2504 spoolsv.exe -> 4956 spoolsv.exe
  2952 spoolsv.exe -> 896 spoolsv.exe
  1660 spoolsv.exe -> 4072 spoolsv.exe
  2136 spoolsv.exe -> 3040 spoolsv.exe
  4500 spoolsv.exe -> 4872 spoolsv.exe
  1144 spoolsv.exe -> 3124 spoolsv.exe
  2080 spoolsv.exe -> 4628 spoolsv.exe
  3520 spoolsv.exe -> 2348 spoolsv.exe
  3704 spoolsv.exe -> 1620 spoolsv.exe
  4020 spoolsv.exe -> 1948 spoolsv.exe
  2024 spoolsv.exe -> 1920 spoolsv.exe
  1716 spoolsv.exe -> 3376 spoolsv.exe
  3768 spoolsv.exe -> 1864 spoolsv.exe
  2356 spoolsv.exe -> 4352 spoolsv.exe
  3884 explorer.exe -> 1484 explorer.exe
  2824 spoolsv.exe -> 4456 spoolsv.exe
  4744 explorer.exe -> 2592 explorer.exe
  892 spoolsv.exe -> 3652 spoolsv.exe
  1912 spoolsv.exe -> 4568 spoolsv.exe
  2740 explorer.exe -> 3180 explorer.exe
  1544 spoolsv.exe -> 4060 spoolsv.exe
  744 explorer.exe -> 2672 explorer.exe
  3476 spoolsv.exe -> 4384 spoolsv.exe
  3868 explorer.exe -> 3276 explorer.exe
  2352 spoolsv.exe -> 1748 spoolsv.exe
  3732 spoolsv.exe -> 1552 spoolsv.exe
  4908 explorer.exe -> 4236 explorer.exe
  4252 spoolsv.exe -> 448 spoolsv.exe
  3248 spoolsv.exe -> 4032 spoolsv.exe
  2440 spoolsv.exe -> 3952 spoolsv.exe
  4552 spoolsv.exe -> 2428 spoolsv.exe
  3876 explorer.exe -> 4444 explorer.exe
  4200 spoolsv.exe -> 704 spoolsv.exe
  2208 spoolsv.exe -> 4296 spoolsv.exe
Drops file in Windows directory (64 IoCs)
description                   ioc                                 process                                              rows
File opened for modification  \??\c:\windows\system\explorer.exe  a8bf771808e89aa6084c5091a6ce9b2f_JaffaCakes118.exe   1
File opened for modification  C:\Windows\Parameters.ini           a8bf771808e89aa6084c5091a6ce9b2f_JaffaCakes118.exe   1
File opened for modification  C:\Windows\Parameters.ini           explorer.exe                                         14
File opened for modification  C:\Windows\Parameters.ini           spoolsv.exe                                          48
Note: 63 of the 64 rows are the same file, C:\Windows\Parameters.ini, touched by every copy; together with the two binaries in c:\windows\system it is the simplest host IoC in this report. The table stops at 64 rows and only records the explorer.exe drop: c:\windows\system\spoolsv.exe (process tree), c:\windows\system\svchost.exe (RunOnce) and %AppData%\mrsys.exe (Active Setup) are all referenced elsewhere in the report but their creation is not listed here, so do not read this table as a complete drop list.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Process: a8bf771808e89aa6084c5091a6ce9b2f_JaffaCakes118.exe
  PID 4164 a8bf771808e89aa6084c5091a6ce9b2f_JaffaCakes118.exe (2 events)
Suspicious use of SetWindowsHookEx (64 IoCs)
Two calls from each of the following processes:
  4164 a8bf771808e89aa6084c5091a6ce9b2f_JaffaCakes118.exe
  spoolsv.exe PIDs: 2764, 1256, 4788, 4648, 1824, 2932, 1888, 1220, 3512, 4004, 2520, 2628, 4136, 4768, 4336, 3596, 4156, 4708, 1588, 4956, 896, 4072, 3040, 4872, 3124, 4628, 2348, 1620, 1948, 1920, 3376
Note: every PID here is a hollowed child from the SetThreadContext table (the quoted-command-line entries in the process tree), never a parent. SetWindowsHookEx installs a window-message hook, and keyboard hooks are the usual reason credential stealers call it, but the report does not show the hook type, so do not conclude keylogging from this row alone.
Suspicious use of WriteProcessMemory (64 IoCs)
writer PID (image) -> target PID (image), number of writes. The table stops at 64 rows, so it ends part-way through the spoolsv.exe pairs (184 -> 4004 shows a single write where every other self-copy receives five).
  3600 a8bf771808e89aa6084c5091a6ce9b2f_JaffaCakes118.exe -> 2896 splwow64.exe  (2)
  3600 a8bf771808e89aa6084c5091a6ce9b2f_JaffaCakes118.exe -> 4164 a8bf771808e89aa6084c5091a6ce9b2f_JaffaCakes118.exe  (5)
  4164 a8bf771808e89aa6084c5091a6ce9b2f_JaffaCakes118.exe -> 3680 explorer.exe  (3)
  3680 explorer.exe -> 4948 explorer.exe  (5)
  1428 spoolsv.exe -> 2764 spoolsv.exe  (5)
  2764 spoolsv.exe -> 3884 explorer.exe  (3)
  4844 spoolsv.exe -> 1256 spoolsv.exe  (5)
  4604 spoolsv.exe -> 4788 spoolsv.exe  (5)
  752 spoolsv.exe -> 4648 spoolsv.exe  (5)
  1412 spoolsv.exe -> 1824 spoolsv.exe  (5)
  4368 spoolsv.exe -> 2932 spoolsv.exe  (5)
  1788 spoolsv.exe -> 1888 spoolsv.exe  (5)
  3152 spoolsv.exe -> 1220 spoolsv.exe  (5)
  3748 spoolsv.exe -> 3512 spoolsv.exe  (5)
  184 spoolsv.exe -> 4004 spoolsv.exe  (1, list truncated)
Note: five writes into a same-image child followed by SetThreadContext (table above) is the hollowing pattern. The three writes into a different-image child (4164 -> 3680, 2764 -> 3884) have no SetThreadContext after them and are consistent with plain creation of the next stage rather than injection. splwow64.exe is the Windows print-driver host for 32-bit processes; here it appears only as a child process and as the target of two writes, not as a dropped file, so treat it as a side effect of the 32-bit sample touching the printing APIs rather than as an implant unless further evidence says otherwise.
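The two injection tables above are easier to reason about as (parent, child) pairs. The following added example (mine, not Triage's and not the malware's) parses rows in the report's own sentence format, flags the parent/child pairs that show the self-hollowing sequence, and checks the process-tree image paths against where Windows installs binaries of that name. The rows and paths are copied from this report (the first four injection pairs, repeated rows kept); the expected-location table, the regular expression and the "write plus thread-context plus same image" rule are my assumptions.

```python
"""Structural checks over rows copied from this report's process tables.

Added example: parsing and rules are mine, not Triage's. Two checks:
1. hollowing_candidates: pair "wrote to memory" and "set thread context"
   rows per (parent, child) and report children running the parent's own
   image. A fresh copy of yourself that receives WriteProcessMemory followed
   by SetThreadContext is the sequence a process-hollowing loader produces.
2. masquerading: a well-known Windows binary name running from a directory
   where Windows never installs it (c:\\windows\\system is the legacy 16-bit
   folder, not System32). The location table is an assumption that only
   covers the names in this report.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

SAMPLE = "a8bf771808e89aa6084c5091a6ce9b2f_JaffaCakes118.exe"

# Rows copied from the report's WriteProcessMemory and SetThreadContext tables
# for the first four parent/child pairs (repeated rows kept as repeated).
REPORT_ROWS: List[str] = (
    [f"PID 3600 wrote to memory of 2896 3600 {SAMPLE} splwow64.exe"] * 2
    + [f"PID 3600 wrote to memory of 4164 3600 {SAMPLE} {SAMPLE}"] * 5
    + [f"PID 3600 set thread context of 4164 3600 {SAMPLE} {SAMPLE}"]
    + [f"PID 4164 wrote to memory of 3680 4164 {SAMPLE} explorer.exe"] * 3
    + ["PID 3680 wrote to memory of 4948 3680 explorer.exe explorer.exe"] * 5
    + ["PID 3680 set thread context of 4948 3680 explorer.exe explorer.exe"]
    + ["PID 1428 wrote to memory of 2764 1428 spoolsv.exe spoolsv.exe"] * 5
    + ["PID 1428 set thread context of 2764 1428 spoolsv.exe spoolsv.exe"]
)

# Image paths from the report's process tree; \??\ is the NT-path prefix the sandbox records.
REPORT_IMAGES: List[str] = [
    r"C:\Users\Admin\AppData\Local\Temp\a8bf771808e89aa6084c5091a6ce9b2f_JaffaCakes118.exe",
    r"C:\Windows\splwow64.exe",
    r"\??\c:\windows\system\explorer.exe",
    r"\??\c:\windows\system\spoolsv.exe",
]

# Where a 64-bit Windows install keeps these binaries (assumption, lower-case, no trailing slash).
EXPECTED_DIRS: Dict[str, set] = {
    "explorer.exe": {"c:\\windows", "c:\\windows\\syswow64"},
    "spoolsv.exe": {"c:\\windows\\system32"},
    "svchost.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
    "splwow64.exe": {"c:\\windows"},
}


def parse_rows(rows: List[str]) -> List[dict]:
    """Parse Triage-style rows; rows that do not match the pattern are skipped."""
    out = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            out.append(m.groupdict())
    return out


def hollowing_candidates(rows: List[str]) -> List[Tuple[int, int, str]]:
    """(parent_pid, child_pid, image) for pairs with at least one memory write,
    at least one thread-context set, and the same image name on both sides."""
    stats = defaultdict(lambda: {"writes": 0, "ctx": 0, "same_image": False})
    for r in parse_rows(rows):
        key = (int(r["src"]), int(r["dst"]), r["dst_img"])
        s = stats[key]
        if r["action"].startswith("wrote"):
            s["writes"] += 1
        else:
            s["ctx"] += 1
        s["same_image"] = r["src_img"].lower() == r["dst_img"].lower()
    return sorted(k for k, s in stats.items() if s["writes"] and s["ctx"] and s["same_image"])


def masquerading(paths: List[str]) -> List[str]:
    """Paths whose file name is a known Windows binary but whose directory is not one Windows uses for it."""
    hits = []
    for p in paths:
        norm = p.lower()
        if norm.startswith("\\??\\"):
            norm = norm[4:]
        directory, _, base = norm.rpartition("\\")
        if base in EXPECTED_DIRS and directory not in EXPECTED_DIRS[base]:
            hits.append(p)
    return hits


if __name__ == "__main__":
    for parent, child, image in hollowing_candidates(REPORT_ROWS):
        print(f"hollowing pattern: {parent} -> {child} ({image})")
    for p in masquerading(REPORT_IMAGES):
        print(f"masquerading path: {p}")
```

On the rows above this flags exactly the three same-image pairs (1428 -> 2764, 3600 -> 4164, 3680 -> 4948) and leaves the splwow64.exe writes and the cross-image spawns alone, which is the distinction the note under the WriteProcessMemory table makes by hand. The masquerading check keys on the file name, so it also catches the c:\windows\system\svchost.exe RunOnce value if you feed it the registry data as well.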
Processes

Read as: [depth] image path | cmd: command line, followed by the signatures attributed to that process. Each unquoted-command-line entry (c:\windows\system\spoolsv.exe SE, c:\windows\system\explorer.exe) is a parent that creates a copy of itself and, per the SetThreadContext and WriteProcessMemory tables above, hollows the quoted-command-line child directly beneath it; the hooking and process-enumeration activity is attributed to those children. All level-5 spoolsv.exe entries are children of the level-4 explorer.exe.

[1] C:\Users\Admin\AppData\Local\Temp\a8bf771808e89aa6084c5091a6ce9b2f_JaffaCakes118.exe | cmd: "C:\Users\Admin\AppData\Local\Temp\a8bf771808e89aa6084c5091a6ce9b2f_JaffaCakes118.exe"
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\splwow64.exe | cmd: C:\Windows\splwow64.exe 12288
  [2] C:\Users\Admin\AppData\Local\Temp\a8bf771808e89aa6084c5091a6ce9b2f_JaffaCakes118.exe | cmd: "C:\Users\Admin\AppData\Local\Temp\a8bf771808e89aa6084c5091a6ce9b2f_JaffaCakes118.exe"
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
      [4] \??\c:\windows\system\explorer.exe | cmd: "c:\windows\system\explorer.exe"
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Adds Run key to start application
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
            - Suspicious use of WriteProcessMemory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
            [7] \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe | cmd: "c:\windows\system\explorer.exe"
                  - Executes dropped EXE
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
            - Suspicious use of WriteProcessMemory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
            - Suspicious use of WriteProcessMemory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
            - Suspicious use of WriteProcessMemory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
            - Suspicious use of WriteProcessMemory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
            - Suspicious use of WriteProcessMemory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
            - Suspicious use of WriteProcessMemory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
            - Suspicious use of WriteProcessMemory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
            - Suspicious use of WriteProcessMemory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe | cmd: "c:\windows\system\explorer.exe"
                  - Executes dropped EXE
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe | cmd: "c:\windows\system\explorer.exe"
                  - Executes dropped EXE
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe | cmd: "c:\windows\system\explorer.exe"
                  - Executes dropped EXE
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
            [7] \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe | cmd: "c:\windows\system\explorer.exe"
                  - Executes dropped EXE
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
              - Suspicious use of SetWindowsHookEx
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe | cmd: "c:\windows\system\explorer.exe"
                  - Executes dropped EXE
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe | cmd: "c:\windows\system\explorer.exe"
                  - Executes dropped EXE
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe
                - Executes dropped EXE
                - Drops file in Windows directory
              [8] \??\c:\windows\system\explorer.exe | cmd: "c:\windows\system\explorer.exe"
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe
                - Executes dropped EXE
                - Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe
                - Executes dropped EXE
                - Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe
                - Executes dropped EXE
                - Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe
                - Executes dropped EXE
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
            [7] \??\c:\windows\system\explorer.exe | cmd: c:\windows\system\explorer.exe
                - Executes dropped EXE
                - Drops file in Windows directory
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
          [6] \??\c:\windows\system\spoolsv.exe | cmd: "c:\windows\system\spoolsv.exe"
        [5] \??\c:\windows\system\spoolsv.exe | cmd: c:\windows\system\spoolsv.exe SE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"6⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵
Network

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Downloads

- C:\Windows\Parameters.ini
  Filesize: 74B
  MD5: 6687785d6a31cdf9a5f80acb3abc459b
  SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
  SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
  SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

- C:\Windows\Parameters.ini
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

- C:\Windows\System\explorer.exe
  Filesize: 2.2MB
  MD5: ab4f0641148bbd93577ec894ea0353e6
  SHA1: 3691a0be78bf580bd4b0b7571504bcec8eaedab8
  SHA256: ed962b9adddb35e09ed3a89b343b426e960fe5de38b1baedcd8110affde2b67d
  SHA512: a9741f4312a0eed4ed8ac510f67bb71a38a7dc84971409c0f79f931c619e5ec9a8e89d4f3591df94fa14aa44a3eb8f3fdd96bd2fadece1cac2e35410ab9ae932