Malware Analysis Report

2025-06-16 05:39

Sample ID 250523-sy7jssxmx9
Target JaffaCakes118_080d2a293751e6d785a73a11664845d0
SHA256 eb83ad2266873e7f557a2b3d521a1593ec21a59bb05e8f3bcc240901a6a5f8db
Tags
pony mofksys defense_evasion discovery persistence rat spyware stealer worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eb83ad2266873e7f557a2b3d521a1593ec21a59bb05e8f3bcc240901a6a5f8db

Threat Level: Known bad

The file JaffaCakes118_080d2a293751e6d785a73a11664845d0 was found to be: Known bad.

Malicious Activity Summary

pony mofksys defense_evasion discovery persistence rat spyware stealer worm

Pony family

Mofksys

Modifies visibility of hidden/system files in Explorer

Pony,Fareit

Mofksys family

Detects Mofksys worm

Modifies WinLogon for persistence

Boot or Logon Autostart Execution: Active Setup

Drops startup file

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-23 15:33

Signatures

Pony family

pony

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-23 15:33

Reported

2025-05-23 15:35

Platform

win10v2004-20250502-en

Max time kernel

87s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe"

Signatures

Detects Mofksys worm

Description Indicator Process Target
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visibility of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

Mofksys

worm mofksys

Mofksys family

mofksys

Pony family

pony

Pony,Fareit

rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 428 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe C:\Windows\splwow64.exe
PID 428 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe
PID 2928 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe \??\c:\windows\system\explorer.exe
PID 2164 wrote to memory of 5624 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 5624 wrote to memory of 4716 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5624 wrote to memory of 3576 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3220 wrote to memory of 1876 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\explorer.exe
PID 5624 wrote to memory of 1652 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5624 wrote to memory of 2324 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5624 wrote to memory of 5688 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5624 wrote to memory of 2208 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5624 wrote to memory of 4144 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5624 wrote to memory of 6044 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5624 wrote to memory of 804 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5624 wrote to memory of 5792 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5624 wrote to memory of 3584 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5624 wrote to memory of 5084 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5624 wrote to memory of 4940 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5624 wrote to memory of 2136 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5624 wrote to memory of 5756 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5624 wrote to memory of 5940 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe RO

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 2.16.153.211:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
FR 216.58.213.67:80 c.pki.goog tcp

Files

memory/428-0-0x00000000008A0000-0x00000000008A1000-memory.dmp

C:\Windows\Parameters.ini

MD5 6687785d6a31cdf9a5f80acb3abc459b
SHA1 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

memory/428-37-0x00000000008A0000-0x00000000008A1000-memory.dmp

memory/428-36-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2928-39-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2928-40-0x0000000000400000-0x000000000043E000-memory.dmp

memory/428-43-0x0000000000400000-0x00000000005D3000-memory.dmp

C:\Windows\System\explorer.exe

MD5 fa8ebae8ceb1a2ab30f1b826732eb66b
SHA1 70414648df62af74f7fc55bb766c0f8d671bca92
SHA256 9323dd5e71850e80081990ca56768e510243f604427b786b0d4c6b028dabab06
SHA512 edf44a902872f3e8e327ed44707b6f8046a41f29e3583e19acbdb2f2304845fba057690738f13fc585ed0d6bba070a244681f3fa96075e9163a9ba4fdb0151e4

memory/2928-89-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2928-87-0x0000000000440000-0x0000000000509000-memory.dmp

memory/2164-90-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/5624-95-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2164-96-0x0000000000400000-0x00000000005D3000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 01dc5f7f450b51623bd3d1b69ed534fb
SHA1 ed5cbb838c4a27a97ec8c3b3a245a3a1f0b63ff8
SHA256 cddbf44049c95c3ee56494569285565d4edf2684f8e15e0b5f36cc57b6c30742
SHA512 af566cfe74b54db36756a5cf6040c8621e6d5e7e4e0a626ebabd79d02d00ebff2998578ca61f1e6f0321164efd521d4f0b1971aab9c6471d73b724ab2f617fec

memory/5624-455-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4716-505-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3576-673-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1876-674-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1652-750-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2324-950-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/5688-951-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2208-1012-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4144-1075-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/6044-1131-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/804-1132-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/5792-1201-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/3584-1202-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/5084-1283-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4940-1335-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2136-1468-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/5776-1485-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4716-1486-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/5756-1488-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4736-1555-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3576-1562-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1876-1586-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/5104-1588-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5940-1581-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/1652-1597-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/5412-1594-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5776-1646-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4752-1658-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/2324-1719-0x0000000000400000-0x00000000005D3000-memory.dmp

memory/4924-1742-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4924-1738-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5156-1810-0x0000000000400000-0x000000000043E000-memory.dmp

memory/636-1831-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2472-1900-0x0000000000400000-0x000000000043E000-memory.dmp

memory/636-1971-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3424-2054-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3160-2066-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1720-2163-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5068-2179-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5068-2189-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3424-2217-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3236-2406-0x0000000000400000-0x000000000043E000-memory.dmp

memory/932-2545-0x0000000000400000-0x000000000043E000-memory.dmp

memory/932-2619-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1688-2645-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1688-2758-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2496-2911-0x0000000000400000-0x000000000043E000-memory.dmp

memory/896-3144-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5888-3155-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5888-3295-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4540-3312-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4052-3324-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4540-3371-0x0000000000400000-0x000000000043E000-memory.dmp

memory/464-3362-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4640-3725-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3356-3908-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4720-3981-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4872-3992-0x0000000000400000-0x000000000043E000-memory.dmp

memory/544-4069-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5624-4068-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5476-4083-0x0000000000400000-0x000000000043E000-memory.dmp

memory/116-4092-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3612-4155-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2452-4330-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2232-4345-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4360-4438-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5884-4503-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5008-4520-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5564-4545-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1824-4547-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2624-4561-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3624-4579-0x0000000000400000-0x000000000043E000-memory.dmp

memory/6124-4571-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1084-4598-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5460-4600-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1856-4617-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4548-4644-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4268-4646-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2140-4749-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3100-4758-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2436-4765-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1756-4777-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1756-4773-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2696-4834-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-23 15:33

Reported

2025-05-23 15:35

Platform

win11-20250502-en

Max time kernel

80s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe"

Signatures

Detects Mofksys worm

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visibility of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

Mofksys

worm mofksys

Mofksys family

mofksys

Pony family

pony

Pony,Fareit

rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\Parameters.ini C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\explorer.exe N/A
File opened for modification C:\Windows\Parameters.ini \??\c:\windows\system\spoolsv.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\system\spoolsv.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1664 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe C:\Windows\splwow64.exe
PID 1664 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe C:\Windows\splwow64.exe
PID 1664 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe
PID 1664 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe
PID 1664 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe
PID 1664 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe
PID 1664 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe
PID 4764 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe \??\c:\windows\system\explorer.exe
PID 4764 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe \??\c:\windows\system\explorer.exe
PID 4764 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe \??\c:\windows\system\explorer.exe
PID 3132 wrote to memory of 3508 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3132 wrote to memory of 3508 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3132 wrote to memory of 3508 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3132 wrote to memory of 3508 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3132 wrote to memory of 3508 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3508 wrote to memory of 3100 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 3100 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 3100 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 1208 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 1208 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 1208 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4292 wrote to memory of 1404 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\explorer.exe
PID 4292 wrote to memory of 1404 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\explorer.exe
PID 4292 wrote to memory of 1404 N/A C:\Windows\system32\cmd.exe \??\c:\windows\system\explorer.exe
PID 3508 wrote to memory of 3748 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 3748 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 3748 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 964 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 964 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 964 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 5748 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 5748 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 5748 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 4988 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 4988 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 4988 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 1204 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 1204 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 1204 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 4860 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 4860 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 4860 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 4976 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 4976 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 4976 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 5756 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 5756 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 5756 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 3060 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 3060 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 3060 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 2560 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 2560 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 2560 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 1016 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 1016 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 1016 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 1480 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 1480 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 1480 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 3920 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 3920 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 3920 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3508 wrote to memory of 1364 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_080d2a293751e6d785a73a11664845d0.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe RO

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

"c:\windows\system\explorer.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

"c:\windows\system\spoolsv.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

Network

Files

C:\Windows\Parameters.ini

MD5 6687785d6a31cdf9a5f80acb3abc459b
SHA1 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

C:\Windows\System\explorer.exe

MD5 102fbdf641a72cc626b916f73a127ab3
SHA1 dea883fa3f1f70f0eee9cd00b95db68a155b3b2b
SHA256 d63cd4a77b5e2b4e1a31be59b95ea97fc005d053f25029ea05c7bf8f109e2558
SHA512 21915a419f06f1f90412cefed270a14cdb16d42448c43385844368f5d8e3267ce60d043aeda30703f8fdec3168785a73fe0fec147be99b3677176803e4ab1fce

C:\Windows\System\spoolsv.exe

MD5 04b1a8a4de5d0015236fb38845e8fc54
SHA1 62b73632a827773ce08b6bb12212dab5f92b1d65
SHA256 01f89236e2eb49c644941b941ca4ed32f3b8a6c352a46a4b169be686d6b1d9c7
SHA512 65a65eb611dc62fe9f698afa35517209bb8c88b996481c487617ebf49178ccb37226548d51c9f0f762ef0fe5cbc038abb528196dcf63acb82248ef84181c97d1

C:\Windows\Parameters.ini

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
