Malware Analysis Report

2025-01-03 03:03

Sample ID 240616-p196xstepc
Target b396dea6220017002fb9c76c37e16e89_JaffaCakes118
SHA256 0b2fd472b037d9464ea4d6ba10d6f9fc0cd30b01dbcc1e514d824371b372b343
Tags
pony evasion persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0b2fd472b037d9464ea4d6ba10d6f9fc0cd30b01dbcc1e514d824371b372b343

Threat Level: Known bad

The file b396dea6220017002fb9c76c37e16e89_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

pony evasion persistence rat spyware stealer

Pony family

Modifies visiblity of hidden/system files in Explorer

Modifies WinLogon for persistence

Pony,Fareit

Modifies Installed Components in the registry

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 12:48

Signatures

Pony family

pony

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 12:48

Reported

2024-06-16 12:51

Platform

win7-20240220-en

Max time kernel

105s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

Pony,Fareit

rat spyware stealer pony

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2064 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 2064 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 2064 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 2064 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 2064 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe
PID 2064 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe
PID 2064 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe
PID 2064 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe
PID 2064 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe
PID 2064 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe
PID 2560 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2560 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2560 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2560 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2544 wrote to memory of 1192 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2544 wrote to memory of 1192 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2544 wrote to memory of 1192 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2544 wrote to memory of 1192 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2544 wrote to memory of 1192 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2544 wrote to memory of 1192 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1192 wrote to memory of 1020 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 1020 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 1020 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 1020 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 756 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 756 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 756 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 756 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 1444 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 1444 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 1444 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 1444 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 1980 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 1980 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 1980 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 1980 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 3032 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 3032 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 3032 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 3032 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 2968 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 2968 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 2968 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 2968 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 1952 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 1952 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 1952 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 1952 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 2472 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 2472 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 2472 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 2472 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 2304 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 2304 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 2304 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 2304 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 2328 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 2328 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 2328 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 2328 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 540 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 540 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 540 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1192 wrote to memory of 540 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

Network

N/A

Files

memory/2064-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

C:\Windows\Parameters.ini

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2064-17-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2064-19-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2560-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2560-20-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2560-24-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2560-28-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2064-27-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2560-31-0x0000000000400000-0x000000000043E000-memory.dmp

\Windows\system\explorer.exe

MD5 65f5d22c8d0b4dbbd5e169e7f751475e
SHA1 8e4383a63896024ceb4341203d7b785d59c3b1d6
SHA256 330620be1b76c6cc2e8c0d547c500a58726b4f042e10f195cf4a07cb43dcc74b
SHA512 a5b9d53839cbde1cb73957b55000a0bcd10d584180417b053378eedf1552835cd6e50315bba073d118e6588c07542ce1f7c738e414eed1126ed024cfb3a465bb

memory/2544-42-0x0000000000400000-0x00000000005D3000-memory.dmp

C:\Windows\Parameters.ini

MD5 6687785d6a31cdf9a5f80acb3abc459b
SHA1 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

memory/2560-50-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2544-61-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2544-71-0x0000000000400000-0x00000000005D3000-memory.dmp

\Windows\system\spoolsv.exe

MD5 e7ef585af92330553aff220f8935136e
SHA1 a1971a043fd75e22348e7c86dc9e918dd3c7e7df
SHA256 bc032528be3b90992403394fdf1e913ba995ffad4de8c6fe62e119c276197992
SHA512 dbf609460736276597bdad2ca87f7e1db4926dcc67891f136a36ac3379b49f820d952cc5110b3767e71aa27b1f2a65dc3bde1d8a6febdce6cf7187f65606b1dd

memory/1192-2615-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1020-2616-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1980-2619-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3032-2620-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1444-2618-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/756-2617-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2968-2621-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2304-3140-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1952-3133-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2472-3139-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1640-3145-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1696-3143-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1264-3157-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2980-3144-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1128-3156-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2848-3155-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2332-3154-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1344-3153-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2132-3152-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/540-3142-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2632-3148-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2328-3141-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/884-3630-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2592-3636-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2772-3642-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3044-3641-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/852-3640-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2388-3639-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1868-3638-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1544-3637-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2432-3635-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4928-5772-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4920-5784-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5596-5807-0x0000000000400000-0x000000000043E000-memory.dmp

memory/6556-5821-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4928-5835-0x0000000000400000-0x000000000043E000-memory.dmp

memory/6968-5834-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5608-5797-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 12:48

Reported

2024-06-16 12:51

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

Pony,Fareit

rat spyware stealer pony

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1376 set thread context of 2400 N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe
PID 4588 set thread context of 4556 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4244 set thread context of 1888 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4156 set thread context of 2288 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4552 set thread context of 5052 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2396 set thread context of 4716 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4760 set thread context of 1872 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3460 set thread context of 3388 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4236 set thread context of 4580 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1052 set thread context of 4008 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4112 set thread context of 2964 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3708 set thread context of 3648 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4320 set thread context of 2084 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2976 set thread context of 2196 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1532 set thread context of 3536 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3032 set thread context of 2900 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2412 set thread context of 2952 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1376 set thread context of 8 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4708 set thread context of 2808 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3296 set thread context of 4764 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3364 set thread context of 1400 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4620 set thread context of 1200 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4036 set thread context of 1048 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2576 set thread context of 3704 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2104 set thread context of 3084 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2712 set thread context of 3712 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2948 set thread context of 392 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1436 set thread context of 1404 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2640 set thread context of 4172 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 856 set thread context of 4924 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4448 set thread context of 980 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4528 set thread context of 4952 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4704 set thread context of 1980 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1160 set thread context of 4456 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2460 set thread context of 4472 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1484 set thread context of 4192 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2520 set thread context of 468 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2736 set thread context of 1776 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3284 set thread context of 3788 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2344 set thread context of 4748 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4316 set thread context of 2740 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 812 set thread context of 748 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2588 set thread context of 2764 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1012 set thread context of 4748 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5032 set thread context of 4796 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2388 set thread context of 1932 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3184 set thread context of 528 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3660 set thread context of 2360 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2428 set thread context of 4588 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3344 set thread context of 3968 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2824 set thread context of 548 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1512 set thread context of 4940 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1764 set thread context of 2924 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3992 set thread context of 324 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1376 wrote to memory of 184 N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 1376 wrote to memory of 184 N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 1376 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe
PID 1376 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe
PID 1376 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe
PID 1376 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe
PID 1376 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe
PID 2400 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2400 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2400 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 4588 wrote to memory of 4556 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4588 wrote to memory of 4556 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4588 wrote to memory of 4556 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4588 wrote to memory of 4556 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4588 wrote to memory of 4556 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4556 wrote to memory of 4244 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 4244 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 4244 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 4156 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 4156 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 4156 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 4552 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 4552 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 4552 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 2396 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 2396 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 2396 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 4760 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 4760 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 4760 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 3460 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 3460 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 3460 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 4236 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 4236 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 4236 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 1052 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 1052 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 1052 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 4112 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 4112 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 4112 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 4320 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 4320 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 4320 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 3708 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 3708 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 3708 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 2976 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 2976 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 2976 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 1532 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 1532 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 1532 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 3032 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 3032 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 3032 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 2412 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 2412 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 2412 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 1376 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 1376 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 1376 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4556 wrote to memory of 4708 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b396dea6220017002fb9c76c37e16e89_JaffaCakes118.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

Network

Files

memory/1376-0-0x0000000002370000-0x0000000002371000-memory.dmp

C:\Windows\Parameters.ini

MD5 6687785d6a31cdf9a5f80acb3abc459b
SHA1 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

memory/1376-21-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1376-23-0x0000000002370000-0x0000000002371000-memory.dmp

memory/2400-24-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2400-26-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1376-27-0x0000000000400000-0x00000000005D3000-memory.dmp

C:\Windows\System\explorer.exe

MD5 69c0a4c2864860b168372ad858e8016f
SHA1 d29fae24c81c4fca60a35e019424be605cba3419
SHA256 7140c6671b2b394445c6279277d53837e16634619abe55657949b9c35ca10ad1
SHA512 5cbf1cea895f66bc4034c68263c2f943ee2f4583aea58ed0d28e101b8b73f4592d1fe956f53f9590abefee744d4dcedfbf260655a2278f7878f224dd7f0a9313

memory/2400-69-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2400-67-0x0000000000440000-0x0000000000509000-memory.dmp

memory/4588-80-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4556-84-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4588-85-0x0000000000400000-0x00000000005D3000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 3a05df73fc3af46a392fe0223e435406
SHA1 73ecf4a7b9aced8fdfbbac37357cf0b7d9b7e8b2
SHA256 bedba05fb3d0546723cf4a7cac3f69311599483beee60a3b9b6d2697bad53ae5
SHA512 aa32e466420953f7035b0c51b367af6c91cdb6224b8b9580e67f8fd513f3de9605dd04e81624d432114c739ae149c6f74a32a86ab6c03a3f3ab6667e339dbf6b

memory/4556-1149-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4244-1160-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4552-1162-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4156-1161-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2396-1163-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4236-1286-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3708-1290-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4320-1289-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1052-1287-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3460-1285-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4760-1284-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4112-1288-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2976-1436-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3032-1438-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1532-1437-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2412-1554-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1376-1555-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4708-1676-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3296-1677-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4620-1830-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3364-1829-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4244-1982-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1888-1981-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2712-1980-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2104-1979-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2576-1978-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4036-1977-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2288-1991-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2948-1990-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4156-1992-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1872-2032-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4716-2022-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5052-2013-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3388-2046-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4580-2056-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3648-2080-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2084-2089-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2196-2099-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3536-2108-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2900-2118-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2952-2131-0x0000000000400000-0x000000000043E000-memory.dmp

memory/8-2139-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1888-2143-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2808-2151-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4764-2158-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1400-2166-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1400-2171-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1200-2178-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1200-2181-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1048-2325-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3084-2549-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3084-2546-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3712-2664-0x0000000000400000-0x000000000043E000-memory.dmp

memory/392-2743-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1404-2750-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3712-2803-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4172-2820-0x0000000000400000-0x000000000043E000-memory.dmp

memory/980-2915-0x0000000000400000-0x000000000043E000-memory.dmp

memory/980-2911-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4952-3156-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1980-3825-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4456-3836-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4472-3845-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4192-3858-0x0000000000400000-0x000000000043E000-memory.dmp

memory/468-3922-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1980-3971-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1776-4014-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3788-4011-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4748-4024-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3788-4132-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2740-4159-0x0000000000400000-0x000000000043E000-memory.dmp

memory/748-4218-0x0000000000400000-0x000000000043E000-memory.dmp

memory/748-4321-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2764-4419-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4748-4426-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1932-4442-0x0000000000400000-0x000000000043E000-memory.dmp

memory/528-4454-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4748-4581-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4588-4600-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4588-4727-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3968-4746-0x0000000000400000-0x000000000043E000-memory.dmp

memory/548-4756-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4940-4877-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2924-4901-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2924-4926-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4940-5033-0x0000000000400000-0x000000000043E000-memory.dmp

memory/324-5060-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2908-5132-0x0000000000400000-0x000000000043E000-memory.dmp

memory/324-5166-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1664-5264-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1664-5328-0x0000000000400000-0x000000000043E000-memory.dmp