Malware Analysis Report

2025-01-03 04:04

Sample ID 240616-sm5aasyale
Target b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118
SHA256 2383a522e4b2f33f7384a58aeb4abaaeaa677f9f44f92ef34b71c2ba3ceed3d5
Tags
pony evasion persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2383a522e4b2f33f7384a58aeb4abaaeaa677f9f44f92ef34b71c2ba3ceed3d5

Threat Level: Known bad

The file b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

pony evasion persistence rat spyware stealer

Modifies WinLogon for persistence

Pony family

Pony,Fareit

Modifies visiblity of hidden/system files in Explorer

Modifies Installed Components in the registry

Loads dropped DLL

Drops startup file

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 15:15

Signatures

Pony family

pony

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 15:15

Reported

2024-06-16 15:18

Platform

win7-20240611-en

Max time kernel

124s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

Pony,Fareit

rat spyware stealer pony

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1992 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 1992 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 1992 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 1992 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 1992 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe
PID 1992 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe
PID 1992 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe
PID 1992 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe
PID 1992 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe
PID 1992 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe
PID 2064 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2064 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2064 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2064 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2476 wrote to memory of 1556 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2476 wrote to memory of 1556 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2476 wrote to memory of 1556 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2476 wrote to memory of 1556 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2476 wrote to memory of 1556 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2476 wrote to memory of 1556 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1556 wrote to memory of 2384 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 2384 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 2384 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 2384 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 2844 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 2844 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 2844 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 2844 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 948 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 948 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 948 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 948 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 752 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 752 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 752 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 752 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 2176 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 2176 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 2176 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 2176 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 2128 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 2128 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 2128 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 2128 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 2500 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 2500 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 2500 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 2500 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 576 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 576 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 576 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 576 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 2232 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 2232 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 2232 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 2232 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 1380 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 1380 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 1380 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 1380 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 1452 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 1452 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 1452 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1556 wrote to memory of 1452 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

Network

N/A

Files

memory/1992-0-0x0000000000400000-0x00000000005D3000-memory.dmp

C:\Windows\Parameters.ini

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1992-17-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2064-19-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2064-23-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2064-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2064-26-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1992-28-0x0000000000400000-0x00000000005D3000-memory.dmp

\Windows\system\explorer.exe

MD5 87e0b09b5825a78abd638d04bf851283
SHA1 0489a20939a37b746c96cead30094d7c8f8de7e8
SHA256 3499393bde57bedd185b97e05e63c7312b101fb4e146bfd2b778d6fde9e3d1fd
SHA512 18f2add488ba5f4e49d6ff58f38331c747627695d3d5f62302002e2cd8e6ab89381ab81ebe6de154bcf1760eb3d7324e94bbcfc16fa0e9bde5e992134ea70878

memory/2476-41-0x0000000000400000-0x00000000005D3000-memory.dmp

C:\Windows\Parameters.ini

MD5 6687785d6a31cdf9a5f80acb3abc459b
SHA1 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

memory/2064-48-0x0000000000440000-0x000000000051F000-memory.dmp

memory/2064-50-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2476-61-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2476-70-0x0000000000400000-0x00000000005D3000-memory.dmp

\Windows\system\spoolsv.exe

MD5 45bae99c16b516254d3fc98cdaf0721a
SHA1 0eda52f4038f27782904ee18fb61c166322c38d3
SHA256 b66fe2de6deea7fbe37698199001d27acf46312db61a8322eb48c92202eceaee
SHA512 2a07789f65b93826bbaf87d9643a532b1ee024d5b9664c0b9e0c69cc78b080e735e30e6f7e09a3b46d06ed8232e0e0cbfbced3aa2c44bc7a3059e47d990ac978

memory/1556-1127-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2844-1129-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/948-1130-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2384-1128-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2176-1375-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2500-1377-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2128-1376-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/752-1374-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1816-1592-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1452-1591-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1380-1590-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2232-1589-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/576-1588-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2592-1610-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1524-1599-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1736-1593-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2872-1755-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1880-1757-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1776-1758-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1612-1756-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1864-1966-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2792-1970-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2096-1973-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1644-1972-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1020-1971-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1628-1969-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2740-1968-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2204-1967-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2776-2105-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2632-2103-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2908-2104-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3028-2446-0x0000000000400000-0x000000000043E000-memory.dmp

memory/772-2458-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2516-2471-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3028-2524-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2972-2508-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3760-2570-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3080-2612-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3652-2691-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1108-2737-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3732-2836-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3584-2936-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3724-3011-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3240-2997-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3332-2956-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3996-2868-0x0000000000400000-0x000000000043E000-memory.dmp

memory/944-2878-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3664-2833-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3232-2811-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2544-2789-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1048-2769-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4044-2715-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3404-2681-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3644-2678-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3216-2657-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3172-2647-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3308-2636-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4032-2598-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4024-2587-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1508-3107-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\System32\spool\drivers\x64\3\mxdwdui.BUD

MD5 bd72dcf1083b6e22ccbfa0e8e27fb1e0
SHA1 3fd23d4f14da768da7b8364d74c54932d704e74e
SHA256 90f44f69950a796ab46ff09181585ac9dabf21271f16ebb9ea385c957e5955c1
SHA512 72360ab4078ad5e0152324f9a856b3396e2d0247f7f95ac8a5a53a25126ac3cff567cc523849e28d92a99730ee8ffb30366f09c428258f93a5cca6d0c5905562

memory/4040-3175-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 15:15

Reported

2024-06-16 15:18

Platform

win10v2004-20240226-en

Max time kernel

116s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

Pony,Fareit

rat spyware stealer pony

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1496 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 1496 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe C:\Windows\splwow64.exe
PID 1496 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe
PID 1496 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe
PID 1496 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe
PID 1496 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe
PID 1496 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe
PID 2972 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2972 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2972 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe \??\c:\windows\system\explorer.exe
PID 2328 wrote to memory of 2920 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2328 wrote to memory of 2920 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2328 wrote to memory of 2920 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2328 wrote to memory of 2920 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2328 wrote to memory of 2920 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2920 wrote to memory of 2808 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 2808 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 2808 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 4164 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 4164 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 4164 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 4628 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 4628 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 4628 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 4508 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 4508 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 4508 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 4488 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 4488 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 4488 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 3300 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 3300 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 3300 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 2988 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 2988 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 2988 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 4692 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 4692 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 4692 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 1064 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 1064 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 1064 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 1920 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 1920 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 1920 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 1484 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 1484 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 1484 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 4472 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 4472 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 4472 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2808 wrote to memory of 2852 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2808 wrote to memory of 2852 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2808 wrote to memory of 2852 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2808 wrote to memory of 2852 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2808 wrote to memory of 2852 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 1712 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 1712 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 1712 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2852 wrote to memory of 2304 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe
PID 2852 wrote to memory of 2304 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe
PID 2852 wrote to memory of 2304 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe
PID 4164 wrote to memory of 2644 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4164 wrote to memory of 2644 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b42d768f225763c211ca24f06ce4c1f0_JaffaCakes118.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
DE 142.250.185.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 74.185.250.142.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

memory/1496-0-0x00000000008D0000-0x00000000008D1000-memory.dmp

memory/1496-1-0x0000000000400000-0x00000000005D3000-memory.dmp

C:\Windows\Parameters.ini

MD5 6687785d6a31cdf9a5f80acb3abc459b
SHA1 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

memory/1496-17-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1496-19-0x00000000008D0000-0x00000000008D1000-memory.dmp

memory/1496-20-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2972-21-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2972-22-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1496-26-0x0000000000400000-0x00000000005D3000-memory.dmp

C:\Windows\System\explorer.exe

MD5 f23e002645aea714d4a5f661c43eda7f
SHA1 087f2de258d56bf13f077932cf6b9a3dd6a998c4
SHA256 a41a84c11e6f0b28eb5eefcb9fea45b09d4e86956793ae2b0067d4bb4c18e9c0
SHA512 491227cc3603ff558a0e78e66ae515b3ebd85fdb53076f8afaa3f431a07c8c2bdfbde1b897a5084f39fb5a753783c49d8d0514da65bc0deb785d4c0a4526ad10

memory/2972-59-0x0000000000440000-0x0000000000509000-memory.dmp

memory/2972-60-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2328-61-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2920-67-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2328-68-0x0000000000400000-0x00000000005D3000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 c2420bfdac9afffb80dcc18611cd6a33
SHA1 04188b3612218e480dec3f3cbade537a9cf62d5d
SHA256 312cff3863efc3e42a264301b72a1902ad514309e06b4711576a9ece476abef4
SHA512 da54279fce7f5eae5abdad2d7b776e6057cf1250932c8958ba54acb319f8c57ff5cda89068f1ebbb887793202bd70faf9a2ccc6750530b94d97dc4efae7f3f25

memory/2920-195-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2808-265-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4164-404-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4628-475-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4508-536-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4488-596-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3300-667-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2988-737-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2808-865-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4692-884-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1064-885-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2852-886-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2644-970-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4164-973-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2644-972-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1920-961-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2852-1044-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4628-1128-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4120-1249-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1856-1262-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1484-1259-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4508-1264-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4488-1360-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4472-1363-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2200-1364-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1856-1391-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4908-1501-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4908-1670-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2736-1736-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2736-1849-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2456-1932-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2456-2087-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2592-2167-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3452-2178-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3452-2182-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2772-2319-0x0000000000400000-0x000000000043E000-memory.dmp

memory/336-2328-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4976-2391-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1236-2508-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2772-2502-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1236-2511-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2208-2521-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1096-2530-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4372-2545-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4904-2553-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4892-2559-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4892-2563-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4644-2571-0x0000000000400000-0x000000000043E000-memory.dmp