Malware Analysis Report

2025-01-03 03:04

Sample ID 240616-phacksxapr
Target b378b396b7441e2fa676132e873cdbc0_JaffaCakes118
SHA256 21421261763772484070252e1783723bebbc3f05ddf63cfaf16a9c3c3edd2b4f
Tags
pony evasion persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

21421261763772484070252e1783723bebbc3f05ddf63cfaf16a9c3c3edd2b4f

Threat Level: Known bad

The file b378b396b7441e2fa676132e873cdbc0_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

pony evasion persistence rat spyware stealer

Pony family

Pony,Fareit

Modifies WinLogon for persistence

Modifies visiblity of hidden/system files in Explorer

Modifies Installed Components in the registry

Drops startup file

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 12:19

Signatures

Pony family

pony

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 12:19

Reported

2024-06-16 12:21

Platform

win7-20240508-en

Max time kernel

143s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

Pony,Fareit

rat spyware stealer pony

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1640 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 1640 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 1640 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 1640 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 1640 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe
PID 1640 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe
PID 1640 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe
PID 1640 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe
PID 1640 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe
PID 1640 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe
PID 2536 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2536 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2536 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2536 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2988 wrote to memory of 1860 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2988 wrote to memory of 1860 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2988 wrote to memory of 1860 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2988 wrote to memory of 1860 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2988 wrote to memory of 1860 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2988 wrote to memory of 1860 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1860 wrote to memory of 280 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 280 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 280 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 280 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 1704 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 1704 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 1704 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 1704 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 536 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 536 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 536 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 536 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 2348 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 2348 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 2348 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 2348 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 3052 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 3052 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 3052 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 3052 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 2076 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 2076 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 2076 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 2076 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 2748 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 2748 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 2748 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 2748 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 2812 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 2812 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 2812 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 2812 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 2548 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 2548 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 2548 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 2548 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 2472 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 2472 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 2472 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 2472 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 2460 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 2460 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 2460 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1860 wrote to memory of 2460 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

Network

N/A

Files

memory/1640-0-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Windows\Parameters.ini

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1640-17-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1640-19-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2536-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2536-20-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2536-29-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2536-24-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1640-28-0x0000000000400000-0x00000000005D3000-memory.dmp

\Windows\system\explorer.exe

MD5 98980d2ebf49de405a6c5b3923d067ee
SHA1 5f6f1c7ff1f69f045561f2138c843856738acd0e
SHA256 daf9495e45eddd00ea235c3dbae99c044eb9cec726a89cb3fc10c38e03ed2a28
SHA512 0dc658c9a57f28f9418c67555c9be170e6016c44d955e1dcd04ba4431edf7f837cd22e377d9508f2172db15966d11290cc3d3f58f1715a57b78f35d0fe9ceeff

memory/2988-42-0x0000000000400000-0x00000000005D3000-memory.dmp

C:\Windows\Parameters.ini

MD5 6687785d6a31cdf9a5f80acb3abc459b
SHA1 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

memory/2536-49-0x0000000000440000-0x000000000051F000-memory.dmp

memory/2536-51-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2988-62-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2988-71-0x0000000000400000-0x00000000005D3000-memory.dmp

\Windows\system\spoolsv.exe

MD5 b88d7923008711edb4aa4d2b73e1405f
SHA1 b5b26414af0f36743548687950cc979d9ffff1d0
SHA256 e3465e401782042e87096b0d687af7ab04b3e007e405b2e5443f69984d10fddc
SHA512 5214ce8c27e4bcbc8bdd079b3a823cacfd2dfb342fd98359af0c6bc65a894c5f2eed0fd5eab2160d94f39412b0d7031d8e2e3a4e2e88258444236d0d6fdf2a5f

memory/1860-2251-0x0000000000400000-0x000000000043E000-memory.dmp

memory/280-2256-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2348-2259-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/536-2258-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1704-2257-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3052-2260-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2076-2694-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2472-2703-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2748-2695-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2548-2702-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1928-2709-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2776-2708-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1636-2707-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/828-2706-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2304-2705-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2460-2704-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2812-2698-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2972-3094-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/380-3105-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2692-3104-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/904-3103-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/400-3102-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2700-3101-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3000-3100-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1632-3099-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2532-3098-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2640-3097-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2252-3096-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1832-3095-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3020-3093-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2504-3092-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4536-5030-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4904-5059-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5064-5090-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4524-5102-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5380-5147-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5988-5228-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5180-5226-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 12:19

Reported

2024-06-16 12:21

Platform

win10v2004-20240611-en

Max time kernel

144s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

Pony,Fareit

rat spyware stealer pony

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3224 set thread context of 1348 N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe
PID 4228 set thread context of 3504 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3480 set thread context of 4180 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3948 set thread context of 1428 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4668 set thread context of 5212 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3244 set thread context of 5272 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2536 set thread context of 5352 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3376 set thread context of 5420 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3880 set thread context of 5484 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 716 set thread context of 5568 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3120 set thread context of 5852 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4000 set thread context of 6044 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3196 set thread context of 5192 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3544 set thread context of 4036 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3704 set thread context of 5296 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4352 set thread context of 5380 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1592 set thread context of 872 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 608 set thread context of 1632 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1924 set thread context of 5028 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1852 set thread context of 3472 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4680 set thread context of 3264 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2108 set thread context of 5236 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3564 set thread context of 5244 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3924 set thread context of 5616 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4532 set thread context of 5808 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3568 set thread context of 1692 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2412 set thread context of 5732 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4720 set thread context of 5180 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4808 set thread context of 5364 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1932 set thread context of 5392 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4756 set thread context of 1756 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1952 set thread context of 5940 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4684 set thread context of 6116 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 396 set thread context of 6076 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3404 set thread context of 888 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 5152 set thread context of 4164 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5968 set thread context of 5608 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4128 set thread context of 552 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5840 set thread context of 5824 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5796 set thread context of 3848 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 5460 set thread context of 5724 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5644 set thread context of 4156 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 5132 set thread context of 5072 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3152 set thread context of 2680 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 5700 set thread context of 5960 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1432 set thread context of 5928 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 5232 set thread context of 4384 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5060 set thread context of 640 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3592 set thread context of 4728 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4580 set thread context of 6048 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 6088 set thread context of 2080 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5488 set thread context of 4028 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3068 set thread context of 1228 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3224 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 3224 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 3224 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe
PID 3224 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe
PID 3224 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe
PID 3224 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe
PID 3224 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe
PID 1348 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 1348 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 1348 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 4228 wrote to memory of 3504 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4228 wrote to memory of 3504 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4228 wrote to memory of 3504 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4228 wrote to memory of 3504 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4228 wrote to memory of 3504 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3504 wrote to memory of 3480 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 3480 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 3480 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 3948 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 3948 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 3948 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 4668 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 4668 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 4668 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 3244 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 3244 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 3244 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 2536 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 2536 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 2536 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 3376 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 3376 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 3376 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 3880 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 3880 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 3880 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 716 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 716 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 716 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 3120 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 3120 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 3120 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 4000 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 4000 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 4000 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 3196 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 3196 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 3196 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 3544 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 3544 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 3544 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 3704 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 3704 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 3704 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 4352 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 4352 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 4352 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 1592 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 1592 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 1592 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 608 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 608 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 608 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3504 wrote to memory of 1924 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4404,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=1036 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b378b396b7441e2fa676132e873cdbc0_JaffaCakes118.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

memory/3224-0-0x0000000002240000-0x0000000002241000-memory.dmp

C:\Windows\Parameters.ini

MD5 6687785d6a31cdf9a5f80acb3abc459b
SHA1 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

memory/3224-41-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3224-43-0x0000000002240000-0x0000000002241000-memory.dmp

memory/1348-44-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1348-46-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3224-47-0x0000000000400000-0x00000000005D3000-memory.dmp

C:\Windows\System\explorer.exe

MD5 be5ff639421203a4c206476fcd0f7bab
SHA1 92e1af2334b769488b9f1c71a09de086edb4fc15
SHA256 0ad78e45def8e41493a221224ae7f1858a56749097d3068926e452a012d871c8
SHA512 658ab858795a8c7cbbe4f67fcb86dd1f9bd57195c14c32b6c7e0a7e29c3d1f5013b7b2eec7cabe1ad3af3c7bc85cebe4c78b898dd742bf3f5642836d26d44231

memory/1348-74-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4228-80-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3504-84-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4228-85-0x0000000000400000-0x00000000005D3000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 7b1d698c42e89a380dedb11e5141dd32
SHA1 52f1d607bd76311e6cf573ecff5cb6ab3c69b0e1
SHA256 24418e1aca07dd880fc57ee5f235b3f2c51a4f7b99f13325e3613ac1b1ed62c5
SHA512 0a25f314fa449117fa3cb02b0f4eb2ffdbd83b43728cc19c8e370171ec343a15d1385b44a4fc21d3d48c7f4fc3fcde8c23a4bb25ca8bac0907730f2b601832fb

C:\Windows\Parameters.ini

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3504-989-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3480-990-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4668-1157-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3244-1158-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3948-1156-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2536-1303-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3376-1304-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3880-1305-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3120-1507-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4000-1508-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/716-1506-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3196-1711-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3704-1713-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3544-1712-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4352-1922-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/608-1924-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1592-1923-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1924-2088-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4680-2090-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1852-2089-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3480-2183-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4180-2182-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3924-2181-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3564-2180-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2108-2179-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4532-2188-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1428-2205-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1428-2193-0x0000000000440000-0x0000000000509000-memory.dmp

memory/3948-2192-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4668-2279-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3568-2280-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/5212-2277-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5272-2291-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5352-2298-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5352-2303-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5420-2312-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5484-2321-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5568-2332-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4180-2400-0x0000000000400000-0x000000000043E000-memory.dmp

memory/6044-2429-0x0000000000400000-0x000000000043E000-memory.dmp

memory/6044-2434-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5192-2502-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4036-2516-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5296-2526-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5380-2535-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5380-2539-0x0000000000400000-0x000000000043E000-memory.dmp

memory/872-2550-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5852-2623-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1632-2630-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3472-2737-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3264-2746-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5236-2756-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5244-2775-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1632-2869-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5616-2920-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5808-2929-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1692-2940-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5616-3095-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5364-3113-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5392-3121-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1756-3131-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1756-3135-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5940-3201-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5364-3276-0x0000000000400000-0x000000000043E000-memory.dmp

memory/6116-3418-0x0000000000400000-0x000000000043E000-memory.dmp

memory/6076-3570-0x0000000000400000-0x000000000043E000-memory.dmp

memory/6076-3698-0x0000000000400000-0x000000000043E000-memory.dmp

memory/888-3959-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4164-3997-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4164-4144-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5608-4281-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5608-4283-0x0000000000400000-0x000000000043E000-memory.dmp

memory/552-4288-0x0000000000400000-0x000000000043E000-memory.dmp

memory/552-4403-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3848-4500-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5724-4706-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4156-4771-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5072-4942-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2680-4954-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5960-4961-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4384-4975-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5928-4984-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4384-4982-0x0000000000400000-0x000000000043E000-memory.dmp

memory/640-5051-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4728-5063-0x0000000000400000-0x000000000043E000-memory.dmp

memory/6048-5074-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2080-5082-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4028-5166-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4028-5289-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1228-5306-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1152-5431-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3896-5516-0x0000000000400000-0x000000000043E000-memory.dmp

memory/6072-5528-0x0000000000400000-0x000000000043E000-memory.dmp

memory/536-5534-0x0000000000400000-0x000000000043E000-memory.dmp

memory/536-5537-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1152-5565-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4988-5659-0x0000000000400000-0x000000000043E000-memory.dmp