Malware Analysis Report

2025-01-03 03:02

Sample ID 240616-n9zk4swgjp
Target b36bc8419cfc68cbf557932211090e50_JaffaCakes118
SHA256 0cac737acd71e8c5985d0ebf279071a359a969eab1a21865ec097417302f332f
Tags
pony evasion persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0cac737acd71e8c5985d0ebf279071a359a969eab1a21865ec097417302f332f

Threat Level: Known bad

The file b36bc8419cfc68cbf557932211090e50_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

pony evasion persistence rat spyware stealer

Modifies visiblity of hidden/system files in Explorer

Modifies WinLogon for persistence

Pony,Fareit

Pony family

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Drops startup file

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 12:06

Signatures

Pony family

pony

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 12:06

Reported

2024-06-16 12:09

Platform

win7-20240221-en

Max time kernel

147s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

Pony,Fareit

rat spyware stealer pony

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 2008 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 2008 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 2008 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 2008 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe
PID 2008 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe
PID 2008 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe
PID 2008 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe
PID 2008 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe
PID 2008 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe
PID 2388 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2388 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2388 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2388 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2752 wrote to memory of 320 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2752 wrote to memory of 320 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2752 wrote to memory of 320 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2752 wrote to memory of 320 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2752 wrote to memory of 320 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2752 wrote to memory of 320 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 320 wrote to memory of 1452 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 1452 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 1452 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 1452 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 1916 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 1916 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 1916 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 1916 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 2648 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 2648 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 2648 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 2648 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 2848 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 2848 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 2848 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 2848 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 2004 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 2004 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 2004 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 2004 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 1600 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 1600 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 1600 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 1600 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 2676 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 2676 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 2676 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 2676 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 1008 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 1008 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 1008 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 1008 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 1920 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 1920 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 1920 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 1920 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 2968 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 2968 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 2968 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 2968 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 696 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 696 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 696 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 320 wrote to memory of 696 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

Network

N/A

Files

memory/2008-0-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Windows\Parameters.ini

MD5 6687785d6a31cdf9a5f80acb3abc459b
SHA1 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

memory/2008-17-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2008-19-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2008-28-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2388-29-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2388-27-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2388-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2388-20-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\system\explorer.exe

MD5 52677d1fbfc8821d99773349d555afee
SHA1 6efb379042d59d676042454ae1ce674abe4ba90c
SHA256 527538f440dabefb8f61360a8ce989b40fdc2a2c8b357c0ffe5dccd24efa56f2
SHA512 473a1aa3e8a8343ee61e9cfaa54f342ab6cb7869a6be384578fa389096003fbda0fac83540f609303b0ccdb44ad2aa3e09a50cd9ceea90dbe6260222e88f4192

memory/2752-42-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2388-49-0x0000000000440000-0x000000000051F000-memory.dmp

memory/2388-51-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2752-62-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2752-71-0x0000000000400000-0x00000000005D3000-memory.dmp

\Windows\system\spoolsv.exe

MD5 5b0150441730eb2714b4e4964ec2b785
SHA1 5413891357085a27bbe8e5eb4de4660581ccf524
SHA256 a48680c7de8f955db472f77a808d4793c482c01f66e802d134f17d007d694b90
SHA512 4261cee921c3bcf475c7aa717e8d32f9616a2290b148032e8fe3298c802b635c017ce06f4b0ae6c70afdb8c0a82a78f8cbfc21a0340ece2db82645c0e409719c

C:\Windows\Parameters.ini

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/320-1761-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1452-1762-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1600-2213-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2676-2214-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2004-2212-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2848-2211-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2648-2210-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1916-2209-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1008-2739-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2512-2760-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1276-2761-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1320-2759-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2516-2757-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2472-2756-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2548-2755-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2888-2754-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1020-2753-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/696-2752-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2968-2751-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1920-2750-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2084-2758-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2508-3194-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2860-3193-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1844-3192-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1688-3191-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3000-3190-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1764-3189-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1628-3188-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2352-3187-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2144-3181-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2556-3186-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4224-4559-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 12:06

Reported

2024-06-16 12:09

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

Pony,Fareit

rat spyware stealer pony

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1076 set thread context of 1484 N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe
PID 2100 set thread context of 860 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4176 set thread context of 5628 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2008 set thread context of 6068 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4872 set thread context of 6136 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 784 set thread context of 5336 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2756 set thread context of 5996 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4688 set thread context of 6072 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3732 set thread context of 4480 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3192 set thread context of 5704 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4328 set thread context of 5952 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4360 set thread context of 6028 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2700 set thread context of 3180 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2668 set thread context of 5332 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 764 set thread context of 4116 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3684 set thread context of 5956 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3056 set thread context of 4348 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1232 set thread context of 5196 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2360 set thread context of 5540 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3992 set thread context of 1172 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4564 set thread context of 5920 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2868 set thread context of 2844 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3672 set thread context of 2020 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4980 set thread context of 5320 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 604 set thread context of 2824 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2892 set thread context of 816 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4932 set thread context of 6120 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1448 set thread context of 676 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1124 set thread context of 1644 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5172 set thread context of 4256 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5520 set thread context of 5292 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5752 set thread context of 2124 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 5968 set thread context of 3152 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5872 set thread context of 5528 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5464 set thread context of 5700 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 5384 set thread context of 3804 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5788 set thread context of 4000 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 5356 set thread context of 392 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5616 set thread context of 440 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 5148 set thread context of 4888 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5680 set thread context of 1084 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1636 set thread context of 4080 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5768 set thread context of 1600 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3704 set thread context of 5776 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4948 set thread context of 5740 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 5732 set thread context of 1820 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1632 set thread context of 5260 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3392 set thread context of 4700 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1776 set thread context of 3156 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3496 set thread context of 4748 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2520 set thread context of 1352 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2392 set thread context of 5468 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4512 set thread context of 5316 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 6048 set thread context of 436 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4008 set thread context of 2780 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1076 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 1076 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 1076 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe
PID 1076 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe
PID 1076 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe
PID 1076 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe
PID 1076 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe
PID 1484 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 1484 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 1484 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2100 wrote to memory of 860 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2100 wrote to memory of 860 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2100 wrote to memory of 860 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2100 wrote to memory of 860 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2100 wrote to memory of 860 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 860 wrote to memory of 4176 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 4176 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 4176 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 2008 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 2008 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 2008 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 4872 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 4872 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 4872 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 784 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 784 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 784 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 2756 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 2756 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 2756 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 4688 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 4688 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 4688 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 3732 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 3732 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 3732 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 3192 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 3192 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 3192 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 4328 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 4328 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 4328 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 4360 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 4360 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 4360 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 2700 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 2700 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 2700 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 2668 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 2668 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 2668 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 764 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 764 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 764 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 3684 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 3684 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 3684 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 3056 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 3056 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 3056 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 1232 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 1232 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 1232 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 860 wrote to memory of 2360 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=4024 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b36bc8419cfc68cbf557932211090e50_JaffaCakes118.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

Network

Files

memory/1076-0-0x0000000002470000-0x0000000002471000-memory.dmp

C:\Windows\Parameters.ini

MD5 6687785d6a31cdf9a5f80acb3abc459b
SHA1 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

memory/1076-21-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1076-23-0x0000000002470000-0x0000000002471000-memory.dmp

memory/1484-24-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1484-25-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1076-27-0x0000000000400000-0x00000000005D3000-memory.dmp

C:\Windows\System\explorer.exe

MD5 d137ccd2d90459edb5d7f7475ba4fbb8
SHA1 9bd9cde4f6d2aaa39b1acd724df1fa61e742dd2d
SHA256 ca8fcf9d7c31b9c020cf133c612b8468d34f1ebafed460b9c1e6b75467d6836e
SHA512 330ae46b24539a5871988bc7583b16f218384cdc840443b0ec465b4b681538a3e08aa964b65ca2effa3fbd8c07d3883c4df6d9e3f8aaf3eaafefaf22b336eccb

memory/1484-79-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1484-58-0x0000000000440000-0x0000000000509000-memory.dmp

memory/2100-85-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/860-89-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2100-90-0x0000000000400000-0x00000000005D3000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 475ee97816dc576a20aa18155bf984f0
SHA1 12193d2b7c0a9a6c32f17b740336b85dd86b2a2c
SHA256 fe50a35539832cfdb139bb61ce39c6f2c01c7708d42a0916ad453d5f88b9e919
SHA512 6d3aaac136b245ad636c001506ce68be08d2e77cd7f5855c669a9edbed4cf424254d201b833dbb655bcbf8b7f1bea33be0bfce00d40c33a64457938d0ba17c0f

C:\Windows\Parameters.ini

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/860-809-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4176-810-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4872-1007-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/784-1008-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2008-1006-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2756-1184-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3732-1186-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4688-1185-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3192-1312-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4328-1313-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4360-1486-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2668-1488-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2700-1487-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/764-1657-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3684-1658-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3056-1659-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3992-1788-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2360-1787-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1232-1786-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4564-1885-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/5628-1886-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4176-1887-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/6068-1951-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2868-1954-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2008-1950-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/6136-1964-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3672-1962-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4872-1966-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/5628-2026-0x0000000000400000-0x000000000043E000-memory.dmp

memory/784-2029-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/5336-2034-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5996-2143-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4480-2161-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4480-2164-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5336-2283-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5704-2326-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5952-2335-0x0000000000400000-0x000000000043E000-memory.dmp

memory/6028-2349-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3180-2358-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5704-2517-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4116-2548-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5956-2559-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4348-2570-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4116-2718-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1172-2748-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5920-2758-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2844-2841-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2844-2845-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5540-2892-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5320-2913-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2824-3004-0x0000000000400000-0x000000000043E000-memory.dmp

memory/816-3024-0x0000000000400000-0x000000000043E000-memory.dmp

memory/6120-3034-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5320-3088-0x0000000000400000-0x000000000043E000-memory.dmp

memory/676-3127-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1644-3199-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4256-3285-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5292-3348-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5292-3351-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4256-3418-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2124-3434-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3152-3473-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3152-3576-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5528-3591-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5700-3600-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5528-3723-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3804-3800-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4000-3874-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3804-3922-0x0000000000400000-0x000000000043E000-memory.dmp

memory/392-3961-0x0000000000400000-0x000000000043E000-memory.dmp

memory/440-3971-0x0000000000400000-0x000000000043E000-memory.dmp

memory/440-3974-0x0000000000400000-0x000000000043E000-memory.dmp

memory/392-4101-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4888-4174-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1084-4308-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4080-4444-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4080-4546-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1600-4567-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5776-4631-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5740-4649-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1820-4738-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5260-4800-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4700-4810-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5260-4943-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3156-5034-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4748-5048-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1352-5055-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5316-5130-0x0000000000400000-0x000000000043E000-memory.dmp

memory/436-5219-0x0000000000400000-0x000000000043E000-memory.dmp

memory/436-5313-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2780-5413-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1216-5426-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1904-5433-0x0000000000400000-0x000000000043E000-memory.dmp