Analysis Overview
SHA256
aa8ca4e5cd049edce4fa86fcfd4883419b01cb52914fcf7b253e39dfd6871bac
Threat Level: Known bad
The file JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711 was found to be: Known bad.
Malicious Activity Summary
Gootloader family
GootLoader
Drops file in Drivers directory
Adds Run key to start application
Checks installed software on the system
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Command and Scripting Interpreter: JavaScript
Suspicious use of WriteProcessMemory
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-18 03:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2025-05-18 03:21
Reported
2025-05-18 03:24
Platform
win10v2004-20250502-en
Max time kernel
103s
Max time network
135s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1072 wrote to memory of 1564 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1072 wrote to memory of 1564 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1072 wrote to memory of 1564 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ADVPACK.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ADVPACK.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1564 -ip 1564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 628
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2025-05-18 03:21
Reported
2025-05-18 03:24
Platform
win10v2004-20250502-en
Max time kernel
105s
Max time network
135s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\W95INF16.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2025-05-18 03:21
Reported
2025-05-18 03:24
Platform
win10v2004-20250502-en
Max time kernel
103s
Max time network
139s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2804 wrote to memory of 2984 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2804 wrote to memory of 2984 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2804 wrote to memory of 2984 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fngrprnt.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fngrprnt.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2984 -ip 2984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 616
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2025-05-18 03:21
Reported
2025-05-18 03:24
Platform
win10v2004-20250502-en
Max time kernel
103s
Max time network
139s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.CHIPEmptyVolumeCache | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AA36298-AF5F-42fc-9957-417E01141D52}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.HIPPhotoExplorer.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.HIPPhotoExplorer.1\CLSID\ = "{D0A03AD0-F49C-4e01-9C1D-CA3B7B73B08E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.MsnPubSend | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\ = "MsnPubSend Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\Implemented Categories\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A4C28B76-DFB6-4797-8E91-BDA23E8ED7FC}\ = "PIOrganize" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.CHIPEmptyVolumeCache\CLSID\ = "{6AA36298-AF5F-42fc-9957-417E01141D52}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.CHIPEmptyVolumeCache\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AA36298-AF5F-42fc-9957-417E01141D52}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A03AD0-F49C-4e01-9C1D-CA3B7B73B08E}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.MsnPubSend.1\ = "MsnPubSend Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AA36298-AF5F-42fc-9957-417E01141D52}\TypeLib\ = "{729BB3D4-7ECB-4A21-BCAC-BB0A52B44838}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.MsnPubSend.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.CHIPEmptyVolumeCache.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.HIPPhotoExplorer\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.MsnPubSend\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\piorg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AA36298-AF5F-42fc-9957-417E01141D52}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\piorg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\ProgID\ = "PIOrganize.MsnPubSend.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.CHIPEmptyVolumeCache.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A03AD0-F49C-4e01-9C1D-CA3B7B73B08E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A03AD0-F49C-4e01-9C1D-CA3B7B73B08E}\ = "HIPPhotoExplorer Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\PIOrganize.DLL | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.HIPPhotoExplorer.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A03AD0-F49C-4e01-9C1D-CA3B7B73B08E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\piorg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A03AD0-F49C-4e01-9C1D-CA3B7B73B08E}\ProgID\ = "PIOrganize.HIPPhotoExplorer.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\VersionIndependentProgID\ = "PIOrganize.MsnPubSend" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\TypeLib\ = "{729BB3D4-7ECB-4A21-BCAC-BB0A52B44838}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.CHIPEmptyVolumeCache\CurVer\ = "PIOrganize.CHIPEmptyVolumeCache.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AA36298-AF5F-42fc-9957-417E01141D52}\ProgID\ = "PIOrganize.CHIPEmptyVolumeCache.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.MsnPubSend\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\Implemented Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AA36298-AF5F-42fc-9957-417E01141D52}\AppID = "{A4C28B76-DFB6-4797-8E91-BDA23E8ED7FC}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A4C28B76-DFB6-4797-8E91-BDA23E8ED7FC} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AA36298-AF5F-42fc-9957-417E01141D52}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.MsnPubSend\CLSID\ = "{D1E5FD88-3953-4780-8F30-3FA2EC573425}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.CHIPEmptyVolumeCache\ = "CHIPEmptyVolumeCache Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.CHIPEmptyVolumeCache\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AA36298-AF5F-42fc-9957-417E01141D52} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AA36298-AF5F-42fc-9957-417E01141D52}\ = "CHIPEmptyVolumeCache Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A03AD0-F49C-4e01-9C1D-CA3B7B73B08E}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.MsnPubSend.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\InprocServer32\ThreadingModel = "Both" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\PIOrganize.DLL\AppID = "{A4C28B76-DFB6-4797-8E91-BDA23E8ED7FC}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AA36298-AF5F-42fc-9957-417E01141D52}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.HIPPhotoExplorer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.HIPPhotoExplorer\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A03AD0-F49C-4e01-9C1D-CA3B7B73B08E}\AppID = "{A4C28B76-DFB6-4797-8E91-BDA23E8ED7FC}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A03AD0-F49C-4e01-9C1D-CA3B7B73B08E}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\AppID = "{A4C28B76-DFB6-4797-8E91-BDA23E8ED7FC}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AA36298-AF5F-42fc-9957-417E01141D52}\VersionIndependentProgID\ = "PIOrganize.CHIPEmptyVolumeCache" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.HIPPhotoExplorer.1\ = "HIPPhotoExplorer Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A03AD0-F49C-4e01-9C1D-CA3B7B73B08E}\VersionIndependentProgID\ = "PIOrganize.HIPPhotoExplorer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A03AD0-F49C-4e01-9C1D-CA3B7B73B08E}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5752 wrote to memory of 1292 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 5752 wrote to memory of 1292 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 5752 wrote to memory of 1292 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\piorg.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\piorg.dll
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2025-05-18 03:21
Reported
2025-05-18 03:24
Platform
win10v2004-20250502-en
Max time kernel
104s
Max time network
135s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\pisynctw.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\pisynctw.exe
"C:\Users\Admin\AppData\Local\Temp\pisynctw.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2025-05-18 03:21
Reported
2025-05-18 03:24
Platform
win10v2004-20250502-en
Max time kernel
105s
Max time network
137s
Command Line
Signatures
GootLoader
Gootloader family
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\slides~1.js
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2025-05-18 03:21
Reported
2025-05-18 03:24
Platform
win10v2004-20250502-en
Max time kernel
104s
Max time network
138s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\startup.js
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2025-05-18 03:21
Reported
2025-05-18 03:24
Platform
win10v2004-20250502-en
Max time kernel
105s
Max time network
136s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ECA5543-A97A-40AE-B3BE-ED4B64D16EC2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ECA5543-A97A-40AE-B3BE-ED4B64D16EC2}\ = "Groups Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Album.1\ = "Album Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Album\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0148B96-026F-471F-AF6B-20A0BA3A1088}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C6BDF752-9B6B-4573-B002-DCDB7109310E}\ProgID\ = "DavClient.Group.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.DavFile.1\ = "DavFile Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Album\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{11A7B5E7-96C9-4AC1-A95A-AA62C842D290} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1501E8BC-8A59-47BB-B766-4FAFD565EA3C}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Group\CLSID\ = "{C6BDF752-9B6B-4573-B002-DCDB7109310E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{177287F4-E250-4FDA-BFDB-699AB6143915}\ProgID\ = "DavClient.Album.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Albums | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Albums\ = "Albums Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6978E816-524F-4533-923B-AAC2B37FAE98}\AppID = "{41C4463C-DE46-43BE-8958-BE4AAD04FD5B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5603F3E2-FF51-4877-899E-78F1FD1848E3} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5603F3E2-FF51-4877-899E-78F1FD1848E3}\VersionIndependentProgID\ = "DavClient.DavUserObject" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Group\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Groups.1\ = "Groups Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6978E816-524F-4533-923B-AAC2B37FAE98}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Album.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{177287F4-E250-4FDA-BFDB-699AB6143915}\VersionIndependentProgID\ = "DavClient.Album" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Albums\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{177287F4-E250-4FDA-BFDB-699AB6143915} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.DavFiles\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1501E8BC-8A59-47BB-B766-4FAFD565EA3C}\ProgID\ = "DavClient.DavFiles.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Groups | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.DavFiles\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C6BDF752-9B6B-4573-B002-DCDB7109310E}\VersionIndependentProgID\ = "DavClient.Group" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6978E816-524F-4533-923B-AAC2B37FAE98}\ProgID\ = "DavClient.DavFile.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6978E816-524F-4533-923B-AAC2B37FAE98}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Album | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{177287F4-E250-4FDA-BFDB-699AB6143915}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.DavFiles | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0148B96-026F-471F-AF6B-20A0BA3A1088} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.DavUserObject.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.DavFiles\CLSID\ = "{1501E8BC-8A59-47BB-B766-4FAFD565EA3C}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1501E8BC-8A59-47BB-B766-4FAFD565EA3C}\TypeLib\ = "{11A7B5E7-96C9-4AC1-A95A-AA62C842D290}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ECA5543-A97A-40AE-B3BE-ED4B64D16EC2}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6978E816-524F-4533-923B-AAC2B37FAE98} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{177287F4-E250-4FDA-BFDB-699AB6143915}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pidav.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ECA5543-A97A-40AE-B3BE-ED4B64D16EC2}\VersionIndependentProgID\ = "DavClient.Groups" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6978E816-524F-4533-923B-AAC2B37FAE98}\ = "DavFile Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5603F3E2-FF51-4877-899E-78F1FD1848E3}\TypeLib\ = "{11A7B5E7-96C9-4AC1-A95A-AA62C842D290}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{11A7B5E7-96C9-4AC1-A95A-AA62C842D290}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1501E8BC-8A59-47BB-B766-4FAFD565EA3C}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Group.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.DavFile\CurVer\ = "DavClient.DavFile.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6978E816-524F-4533-923B-AAC2B37FAE98}\VersionIndependentProgID\ = "DavClient.DavFile" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.DavUserObject\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{11A7B5E7-96C9-4AC1-A95A-AA62C842D290}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1501E8BC-8A59-47BB-B766-4FAFD565EA3C}\VersionIndependentProgID\ = "DavClient.DavFiles" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ECA5543-A97A-40AE-B3BE-ED4B64D16EC2}\ProgID\ = "DavClient.Groups.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Group\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6978E816-524F-4533-923B-AAC2B37FAE98}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0148B96-026F-471F-AF6B-20A0BA3A1088}\TypeLib\ = "{11A7B5E7-96C9-4AC1-A95A-AA62C842D290}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\DavClient.DLL\AppID = "{41C4463C-DE46-43BE-8958-BE4AAD04FD5B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Groups.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Groups\ = "Groups Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Group.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.DavFile.1\CLSID\ = "{6978E816-524F-4533-923B-AAC2B37FAE98}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Albums\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0148B96-026F-471F-AF6B-20A0BA3A1088}\ = "Albums Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.DavFiles\ = "DavFiles Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2344 wrote to memory of 5432 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2344 wrote to memory of 5432 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2344 wrote to memory of 5432 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\pidav.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\pidav.dll
Network
| Country | Destination | Domain | Proto |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2025-05-18 03:21
Reported
2025-05-18 03:24
Platform
win10v2004-20250502-en
Max time kernel
105s
Max time network
138s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\piorgres.dll,#1
Network
| Country | Destination | Domain | Proto |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2025-05-18 03:21
Reported
2025-05-18 03:24
Platform
win10v2004-20250502-en
Max time kernel
101s
Max time network
141s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24E8083A-CDD4-49b7-9E6D-CE56B117A55D}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36EAB66A-5E45-4f1c-AEFA-AF37F3FF298B}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CBCE923-870F-4f00-8097-4E61687B4469}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9CCC0206-10E9-4DA7-8533-9DB7FA0369E6}\9.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C08420-CCC6-4092-A75C-9E55D5176B26}\MiscStatus\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CBCE923-870F-4f00-8097-4E61687B4469}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\piview.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24E8083A-CDD4-49b7-9E6D-CE56B117A55D}\ProgID\ = "PIView.PIViewer.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36EAB66A-5E45-4f1c-AEFA-AF37F3FF298B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{779A8AE0-4741-4187-89A3-DB876F25B704}\ = "IPISimpleViewerControl" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C08420-CCC6-4092-A75C-9E55D5176B26}\TypeLib\ = "{9CCC0206-10E9-4da7-8533-9DB7FA0369E6}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36EAB66A-5E45-4f1c-AEFA-AF37F3FF298B}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CBCE923-870F-4f00-8097-4E61687B4469}\ProgID\ = "PIView.PISimpleViewer.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C08420-CCC6-4092-A75C-9E55D5176B26}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PIThumbnailer\CLSID\ = "{36EAB66A-5E45-4f1c-AEFA-AF37F3FF298B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PISimpleViewerControl.1\ = "PISimpleViewerControl Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PISimpleViewerControl.1\CLSID\ = "{C7C08420-CCC6-4092-A75C-9E55D5176B26}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PISimpleViewerControl\CurVer\ = "PIView.PISimpleViewerControl.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F25C9CD-F862-4354-8650-5051209EB26F}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PIThumbnailer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24E8083A-CDD4-49b7-9E6D-CE56B117A55D}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F25C9CD-F862-4354-8650-5051209EB26F}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CBCE923-870F-4f00-8097-4E61687B4469}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PISimpleViewerControl | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C08420-CCC6-4092-A75C-9E55D5176B26}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PIPlaylist.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F25C9CD-F862-4354-8650-5051209EB26F}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PISimpleViewer\CLSID\ = "{8CBCE923-870F-4f00-8097-4E61687B4469}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C08420-CCC6-4092-A75C-9E55D5176B26}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C08420-CCC6-4092-A75C-9E55D5176B26} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PISimpleViewerControl.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PISimpleViewer\CurVer\ = "PIView.PISimpleViewer.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36EAB66A-5E45-4f1c-AEFA-AF37F3FF298B}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24E8083A-CDD4-49b7-9E6D-CE56B117A55D}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{779A8AE0-4741-4187-89A3-DB876F25B704}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C08420-CCC6-4092-A75C-9E55D5176B26}\ProgID\ = "PIView.PISimpleViewerControl.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C08420-CCC6-4092-A75C-9E55D5176B26}\AppID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F25C9CD-F862-4354-8650-5051209EB26F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36EAB66A-5E45-4f1c-AEFA-AF37F3FF298B}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24E8083A-CDD4-49b7-9E6D-CE56B117A55D}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\piview.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36EAB66A-5E45-4f1c-AEFA-AF37F3FF298B}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CBCE923-870F-4f00-8097-4E61687B4469} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PIThumbnailer\CurVer\ = "PIView.PIThumbnailer.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PISimpleViewer.1\ = "PISimpleViewer Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CBCE923-870F-4f00-8097-4E61687B4469}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PIViewer\ = "PIViewer Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{779A8AE0-4741-4187-89A3-DB876F25B704}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C08420-CCC6-4092-A75C-9E55D5176B26}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C08420-CCC6-4092-A75C-9E55D5176B26}\MiscStatus | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F25C9CD-F862-4354-8650-5051209EB26F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\piview.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PIThumbnailer.1\CLSID\ = "{36EAB66A-5E45-4f1c-AEFA-AF37F3FF298B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PISimpleViewer.1\CLSID\ = "{8CBCE923-870F-4f00-8097-4E61687B4469}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CBCE923-870F-4f00-8097-4E61687B4469}\ = "PISimpleViewer Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CBCE923-870F-4f00-8097-4E61687B4469}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C08420-CCC6-4092-A75C-9E55D5176B26}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PISimpleViewerControl\CLSID\ = "{C7C08420-CCC6-4092-A75C-9E55D5176B26}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PIPlaylist\CLSID\ = "{8F25C9CD-F862-4354-8650-5051209EB26F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PIThumbnailer.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24E8083A-CDD4-49b7-9E6D-CE56B117A55D}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24E8083A-CDD4-49b7-9E6D-CE56B117A55D}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{779A8AE0-4741-4187-89A3-DB876F25B704}\ = "IPISimpleViewerControl" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PISimpleViewerControl.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PIPlaylist\ = "PIPlaylist Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24E8083A-CDD4-49b7-9E6D-CE56B117A55D}\ = "PIViewer Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C08420-CCC6-4092-A75C-9E55D5176B26}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 716 wrote to memory of 2172 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 716 wrote to memory of 2172 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 716 wrote to memory of 2172 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\piview.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\piview.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2025-05-18 03:21
Reported
2025-05-18 03:24
Platform
win10v2004-20250502-en
Max time kernel
103s
Max time network
137s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3140 wrote to memory of 5472 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3140 wrote to memory of 5472 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3140 wrote to memory of 5472 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\unicows.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\unicows.dll,#1
Network
| Country | Destination | Domain | Proto |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-18 03:21
Reported
2025-05-18 03:24
Platform
win10v2004-20250502-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\drivers\es-ES\mircmirc.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\SystemWFPLWFS10.0.19041.1.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\SystemWFPLWFS.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\mircmirc.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\it-IT\SystemWFPLWFS10.0.19041.1.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\es-ES\OperatingWindows10.0.19041.1.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\OperatingWindows10.0.19041.1.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\de-DE\SystemWFPLWFS.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mIRCmirc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\mIRCmirc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\F12\de-DE\F12ScriptInternet.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fr-FR\Systmeconnect10.0.19041.1.160101.0800.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\fr\resourcesMicrosoft10.0.19041.1.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\SysWOW64\MUI\0407\mscoreesmirc.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netnvm64.inf_amd64_35bbbe80dec15683\nvm62x64Networking.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbushdaudbus10.0.19041.1081.160101.0800.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\en\AppVOperating.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\SysWOW64\Speech\Common\de-DE\sapisapi.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_x86_c62e9f8067f98247\I386\OperatingWindows.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\SysWOW64\Speech\SpeechUX\en-US\SapiWindows.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\SysWOW64\ru-RU\WindowsSystem.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\SysWOW64\sr-Latn-RS\OperatingMicrosoft.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\memory.inf_amd64_9af3a8a63d4cb5f9\Windowspnpmem10.0.19041.1.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\microsoft_bluetooth_hfp.inf_amd64_9effd93a75bc489e\WindowsOperating.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\SysWOW64\el-GR\XamlWindows.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netwsw00.inf_amd64_24d55504ae3587aa\LinkNETwsw0017642.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\setup\MSDTCSTPCMMIGR.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\WindowsOperating10.0.19041.1.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\SysWOW64\oobe\SetupCleanupTaskWindows.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\SysWOW64\ja\resourcesresources.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RCX3E80.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\net7500-x64-n650f.inf_amd64_cc87c915f33d1c27\Ethernetlan7500x64n650f.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\SysWOW64\oobe\it-IT\SetupCleanupTaskMicrosoft.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\SysWOW64\migration\es-ES\mircmIRC.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\OperatingWindows.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\SysWOW64\Speech\Common\en-US\Windowssapi.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sr-Latn-RS\mircmIRC.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\vdrvroot.inf_amd64_5dbe5e81fafe4636\Operatingvdrvroot13291.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\ws3cap.inf_amd64_6cf8ea2249844b50\OperatingWindows10.0.19041.1.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Dism\WindowsPowerShell.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\pspluginwkrdefaulthelp.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en\resourcesSystem.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\SysWOW64\Dism\fr-FR\dexploitationSystme10.0.19041.1.160101.0800.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ro-RO\SystemQuickAssist.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\athw8x.inf_amd64_55014eff4ceefbdf\NetworkAdapter.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MUI\0407\FrameworkMicrosoft.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\SysWOW64\IME\IMEKR\DICTS\WindowsSystem.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\iscsi.inf_amd64_c089962740ea1f84\WindowsSystem.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Dism\it\PowerShellWindows.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\cht4vx64.inf_amd64_b03448ba0b72ec47\Controllercht4vbd.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\it\MicrosoftWindows10.0.19041.1.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\fr\resourcesAppVClientPowerShell.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\SysWOW64\Speech\SpeechUX\it-IT\SistemaMicrosoft.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oobe\de-DE\WindowsBetriebssystem.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\SysWOW64\sv-SE\XamlSyncRes.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Dism\fr\SystmeWindows.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\InstallShield\mIRCmirc.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\en\Systemresources.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dism\en-US\mircmirc.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\virtdisk.inf_amd64_9a7f42b85c7def50\bttfltOperating.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\SysWOW64\Speech\SpeechUX\es-ES\operativoSistema.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\SysWOW64\MUI\0409\mscoreesWindows.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\MicrosoftWindows.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dism\en-US\SetupPlatformProviderOperating.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\ialpss2i_gpio2_skl.inf_amd64_b68199ad84607c21\SerialDriver.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\volmgr.inf_amd64_b98e2b928f71a2b1\SystemWindows.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\61883.inf_amd64_789f35bee584a939\SystemWindows10.0.19041.1.160101.0800.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\SysWOW64\es\WindowsSistema.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\SysWOW64\Speech\Common\sapiWindows.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\usb.inf_amd64_683fd853c8b8a4db\OperatingWindows.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_c62e9f8067f98247\Amd64\WindowsPS5UI.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dism\fr-FR\dexploitationSystme10.0.19041.1.160101.0800.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\de\MicrosoftMicrosoft10.0.19041.1.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\SysWOW64\Dism\en-US\SetupPlatformProviderOperating.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\AdobeHunspellPluginAdobeHunspellPlugin.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\en-US\OperatingWindows.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\ReaderManager.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\qrcodepmpdatamatrixpmp.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\SystemSystem.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\ja-JP\SystemOperating.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\RCX6052.tmp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewerPhotoAcq.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\TipResTipTsf.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\de-DE\BetriebssystemWindows.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\uk-UA\Internetieinstal.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\msadc\Systemmsadce.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\MicrosoftOperating.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\EBWebView\x86\ClientEmbedded.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\ado\ja-JP\msader15Operating.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\de-DE\iexploreInternet.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\CreateAdobe.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\DynamicStudio.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\en-US\WindowsWindows.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateUpdate.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ja-JP\Internetiexplore.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\widevinecdmadapterComponents.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\BHO\IEToEdgeietoedgestub132.0.2957.140.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\it-IT\operativompasdesc.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\EBWebView\x86\WebViewMicrosoft132.0.2957.140.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\uk-UA\Internetieinstal.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\TableTextService\WindowsWindows10.0.19041.1.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\LinkLibrary.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\libGLESv2wnspushclient.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\sqloledbWindows10.0.19041.1.160101.0800.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\PowerShellMicrosoft.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\WindowsTabTip32.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\TipResTipTsf.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\BHO\ietoedgebhoietoedgebho64.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\Microsoftvstoee.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\fr-FR\mpasdescSystme.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Program Files (x86)\Windows Media Player\en-US\wmplayerWMPNSSUI.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\es-ES\mpasdescoperativo4.18.1907.16384.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\es-ES\mpasdescoperativo4.18.1907.16384.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\uk-UA\WindowsMicrosoft.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\de-DE\Microsoftmpasdesc.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\fr-FR\InternetIEXPLORE.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\es-ES\Internetieinstal.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Installer\InstallerMicrosoft.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Installer\InstallerMicrosoft.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\ja-JP\setupwmOperating12.0.19041.1.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\DesignEngine.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\de-DE\msdaremrWindows.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows NT\TableTextService\WindowsWindows10.0.19041.1.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Program Files (x86)\Windows Photo Viewer\en-US\OperatingWindows.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\uk-UA\EppManifestmpasdesc4.18.1907.16384.160101.0800.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\TabTip32System.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAiod.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\msedgeproxymsedgeproxy.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\resourcesUIAutomationClientsideProviders.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\uk-UA\WindowsWAB32res.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\BHO\ietoedgestubietoedgebho.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\msadc\es-ES\Systemmsdaprsr10.0.19041.1.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\resourcesresources10.0.19041.1.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagementMicrosoft.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\MicrosoftmshwLatin.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\VisualStudio7.10.2346.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Program Files (x86)\Windows Media Player\ja-JP\setupwmOperating12.0.19041.1.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\it-IT\Sistemaoperativo.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\WinSxS\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_es-es_76fa6c1a5ef15070\operativomemdiag10.0.19041.1.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..ngc-tasks.resources_31bf3856ad364e35_10.0.19041.1_de-de_7bba1588ca7cc4c9\NgcTasksMicrosoft.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\msil_microsoft.powershell.commands.management_31bf3856ad364e35_10.0.19041.1_none_fcfa075fee21fc1f\WindowsSystem.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-ole-automation_31bf3856ad364e35_10.0.19041.264_none_9ae1cb705a5b8b5e\OLEAUT32Windows.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..gementwmi.resources_31bf3856ad364e35_10.0.19041.1_es-es_2f63b728e887d212\STORAGEWMISystem.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_wwf-system.workflow.componentmodel_31bf3856ad364e35_10.0.19041.1_none_41d526fcad732f45\SystemSystem.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..ngerprintcredential_31bf3856ad364e35_10.0.19041.1_none_518abbfab883365f\WindowsOperating.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-naturallanguage6-mls6_31bf3856ad364e35_10.0.19041.1_none_0b90bf36f1da43c7\MicrosoftMLS6.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Windows\apppatch\fr-FR\dexploitationdexploitation.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\wow64_microsoft-windows-i..l-keyboard-00010444_31bf3856ad364e35_10.0.19041.1_none_4bfa5a9429ac9352\kbdtt102Microsoft10.0.19041.1.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..mentation.resources_31bf3856ad364e35_11.0.19041.1_fr-fr_a4b6064456d99eae\wininetInternet.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-p..structureexecutable_31bf3856ad364e35_10.0.19041.1_none_adf98e02f565c8fe\SystemOperating.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\wow64_microsoft-windows-themeui_31bf3856ad364e35_10.0.19041.1_none_45444e48ef3f71b1\MicrosoftOperating.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_presentationbuildtasks_31bf3856ad364e35_4.0.15805.0_none_d34a6f7ba236f5b1\FrameworkPresentationBuildTasks.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-rasplap_31bf3856ad364e35_10.0.19041.867_none_f01b2255d690daa4\WindowsMicrosoft.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\wow64_microsoft-windows-i..pbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_3598413c5a348b00\InformationServices.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-m..tenanceui.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b25ad5b5e308bb79\WindowsOperating.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ScreenClipping\WindowsSystem.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-dpapi-keys_31bf3856ad364e35_10.0.19041.1_none_33c3e07f6cce5a52\dpapimigMicrosoft10.0.19041.1.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Speech.resources\v4.0_4.0.0.0_it_31bf3856ad364e35\Speechresources.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-ie-setup.resources_31bf3856ad364e35_11.0.19041.1_fr-fr_dd930683cd93912c\Internetinseng.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\msil_srpuxsnapin.resources_31bf3856ad364e35_10.0.19041.1_de-de_aa10d96c525615f4\SrpUxSnapInresources.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-oleaccrc.resources_31bf3856ad364e35_10.0.19041.1_es-es_b6152b81960ebc0b\SystemOLEACCRC.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting.Resources\2.0.0.0_de_b77a5c561934e089\Frameworkresources.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-d..show-core.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_33ba3aa19a7751f6\MicrosoftSystem.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_system.componentmod..mposition.resources_b77a5c561934e089_4.0.15805.0_es-es_15cec99082ddb40a\SystemMicrosoft.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-m..ice-winrt.resources_31bf3856ad364e35_10.0.19041.1_en-us_c7adf605f08d0f3a\ManagementMicrosoft10.0.19041.1.160101.0800.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_usbcciddriver.inf.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_14683ba967cda790\MicrosoftSystme.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ic1a2041b#\7710ed46e965bbb56a0558fbff9916f3\EsentWindows.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-p..ng-oleprn.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_97a642635d1f8594\oleprnoleprn.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.OracleClient.resources\v4.0_4.0.0.0_de_b77a5c561934e089\SystemSystem.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-t..nvservice.resources_31bf3856ad364e35_10.0.19041.1_es-es_ccaeaf8ba3acc8d6\SistemaMicrosoft.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\wow64_microsoft-windows-wer-sdktools_31bf3856ad364e35_10.0.19041.1_none_0067ac1cb4a6c8bc\DbgModelSystem10.0.19041.1.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-o..tend-apis.resources_31bf3856ad364e35_10.0.19041.1_es-es_55a09501fcb42814\WindowsSistema.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-msf-providers_31bf3856ad364e35_10.0.19041.1_none_56318e5c7ea2ae30\SynchronizationSynchronization.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\wow64_microsoft-windows-d..omerfeedbackmanager_31bf3856ad364e35_10.0.19041.844_none_c47fb20821633815\Systemimecfmps10.0.19041.844.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..icsclient-scheduled_31bf3856ad364e35_10.0.19041.1_none_baa4e03a66bc0eae\Microsoftsdiagschd.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\msil_uiautomationclients..providers.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_5e0415d3956ba66c\FrameworkUIAutomationClientsideProviders.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-quickassist.resources_31bf3856ad364e35_10.0.19041.1_zh-cn_17c4f3dd4fef22c6\WindowsQuickAssist10.0.19041.1.160101.0800.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-charmap_31bf3856ad364e35_10.0.19041.1_none_a84acae243b8ad63\Microsoftcharmap.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\msil_multipoint-wms.dash..addintabs.resources_31bf3856ad364e35_10.0.19041.1_es-es_f6932ba2fb323f2a\resourcesWindows.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\diagnostics\system\Power\fr-FR\WindowsMicrosoft.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft.powershel..er.events.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_95e58db0b0215011\PSDSCFileDownloadManagerEventsdexploitation.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_system.net.websockets_b03f5f7f11d50a3a_4.0.15805.0_none_d53ac54f87ada30d\FrameworkMicrosoft.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\de\MicrosoftPresentationFramework.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-t..ctiveuser.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5636904c996fb1a0\WindowsSystem10.0.19041.1.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\AddInUtil.resources\v4.0_4.0.0.0_es_b77a5c561934e089\resourcesresources.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\wow64_microsoft-onecoreuap-deviceaccess_31bf3856ad364e35_10.0.19041.746_none_d665b070f8fb6cac\WindowsDeviceAccess.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-usbperf.resources_31bf3856ad364e35_10.0.19041.1_it-it_1c566b3d8a3314b4\operativoWindows.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-ie-setup.resources_31bf3856ad364e35_11.0.19041.1_de-de_921f5da7ebbc7d60\ExplorerInternet11.00.19041.1.160101.0800.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-cttunesvr.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_a8776209b1045f20\CtTuneSvrOperating.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_system.servicemodel.activities.resources_31bf3856ad364e35_4.0.15805.0_fr-fr_8eeaaaa95649ea19\ServiceModelActivities.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.DurableInstancing.resources\v4.0_4.0.0.0_fr_31bf3856ad364e35\FrameworkDurableInstancing.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\wow64_microsoft-windows-directx-ddisplay_31bf3856ad364e35_10.0.19041.1_none_f0f00523b877918c\DDisplayWindows.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\wow64_microsoft-windows-directui.resources_31bf3856ad364e35_10.0.19041.1_tr-tr_bc9b72f5f08b2431\WindowsMicrosoft.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_networking-mpssvc-admin.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_25b17136f36d1d7e\SystemAuthFWWizFwk.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\wow64_microsoft-windows-wlangpclient.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_c658feb5f06faa9f\wlgpclntSystem.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..xperience.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_8415e2f2102f59fc\WindowsWindows.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Tpm.Resources\v4.0_10.0.0.0_fr_31bf3856ad364e35\dexploitationresources10.0.19041.1.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_afb9e74560b9f815\winlogonOperating.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_dual_amdsata.inf_31bf3856ad364e35_10.0.19041.1_none_e0b7b1076af0e5b4\Storageamdxata.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-riched32_31bf3856ad364e35_10.0.19041.1_none_52f1c15a21f92b4b\WindowsSystem5.31.23.1231.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-mystify_31bf3856ad364e35_10.0.19041.1_none_a602a895febacb78\SystemOperating10.0.19041.1.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-telephony-phoneom_31bf3856ad364e35_10.0.19041.746_none_c751b51b9cfc017c\SystemPhoneOm10.0.19041.746.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4200 wrote to memory of 6008 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe |
| PID 4200 wrote to memory of 6008 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe |
| PID 4200 wrote to memory of 6008 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | windowsupdate.microsoft.com | udp |
| US | 20.72.235.82:80 | windowsupdate.microsoft.com | tcp |
| US | 8.8.8.8:53 | fe2.update.microsoft.com | udp |
| US | 4.154.131.224:80 | fe2.update.microsoft.com | tcp |
| US | 8.8.8.8:53 | counterslocal.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | counterslocal.com | udp |
| US | 8.8.8.8:53 | counterslocal.com | udp |
| US | 8.8.8.8:53 | counterslocal.com | udp |
| US | 8.8.8.8:53 | counterslocal.com | udp |
| US | 8.8.8.8:53 | counterslocal.com | udp |
| US | 8.8.8.8:53 | counterslocal.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | counterslocal.com | udp |
| US | 8.8.8.8:53 | counterslocal.com | udp |
| US | 8.8.8.8:53 | counterslocal.com | udp |
| US | 8.8.8.8:53 | counterslocal.com | udp |
| US | 8.8.8.8:53 | counterslocal.com | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | counterslocal.com | udp |
| US | 8.8.8.8:53 | counterslocal.com | udp |
| US | 8.8.8.8:53 | counterslocal.com | udp |
| US | 8.8.8.8:53 | counterslocal.com | udp |
| US | 8.8.8.8:53 | counterslocal.com | udp |
| US | 8.8.8.8:53 | counterslocal.com | udp |
| US | 8.8.8.8:53 | counterslocal.com | udp |
| US | 8.8.8.8:53 | counterslocal.com | udp |
| US | 8.8.8.8:53 | counterslocal.com | udp |
| US | 8.8.8.8:53 | counterslocal.com | udp |
| US | 8.8.8.8:53 | counterslocal.com | udp |
| US | 8.8.8.8:53 | counterslocal.com | udp |
| US | 8.8.8.8:53 | counterslocal.com | udp |
| US | 8.8.8.8:53 | counterslocal.com | udp |
| US | 8.8.8.8:53 | counterslocal.com | udp |
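Added triage example, not part of the sandbox report: the Network table mixes the sample's own traffic with what a clean Windows 10 image does on its own (Windows Update, the Bing/Edge start page, Google certificate fetches), and the one domain left after removing that noise, counterslocal.com, shows repeated DNS queries to 8.8.8.8 and never a TCP connection, which is what a domain that does not resolve (or resolves to nothing reachable) looks like from inside a retry loop. The Python script below parses rows in the report's own "| Country | Destination | Domain | Proto |" layout, builds a per-domain profile, and reports the non-background domains with their DNS and TCP counts. The embedded rows are copied from the tables of the main-sample run above and of the msnphoto.scr run (behavioral6) below; the background-domain allowlist is the example's own assumption.

```python
from collections import defaultdict

# Rows copied from the Network tables of this report: the first set from the
# main-sample run, the second from the msnphoto.scr run (behavioral6).
SAMPLE_ROWS = r"""
| US | 8.8.8.8:53 | windowsupdate.microsoft.com | udp |
| US | 20.72.235.82:80 | windowsupdate.microsoft.com | tcp |
| US | 8.8.8.8:53 | counterslocal.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | counterslocal.com | udp |
| US | 8.8.8.8:53 | counterslocal.com | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
"""
SCR_ROWS = r"""
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
"""

# Assumed allowlist (this example's, not the report's): registrable domains that a
# clean Windows 10 sandbox image contacts by itself during a few minutes of uptime.
BACKGROUND_DOMAINS = ("microsoft.com", "windowsupdate.com", "bing.com", "bing.net",
                      "pki.goog", "msftconnecttest.com")


def parse_network(text):
    """Turn pipe-table rows into {country, ip, port, domain, proto} records."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4 and cells[3] in ("udp", "tcp"):
            country, dest, domain, proto = cells
            ip, port = dest.rsplit(":", 1)
            rows.append({"country": country, "ip": ip, "port": int(port),
                         "domain": domain, "proto": proto})
    return rows


def is_background(domain):
    """Exact or subdomain match against the allowlist (no bare suffix matching)."""
    return any(domain == d or domain.endswith("." + d) for d in BACKGROUND_DOMAINS)


def profile(rows):
    """Per-domain counts of DNS lookups and TCP connections, plus the peers contacted."""
    per = defaultdict(lambda: {"dns": 0, "tcp": 0, "peers": set()})
    for r in rows:
        p = per[r["domain"]]
        if r["proto"] == "udp" and r["port"] == 53:
            p["dns"] += 1
        elif r["proto"] == "tcp":
            p["tcp"] += 1
            p["peers"].add(f'{r["ip"]}:{r["port"]}')
    return per


def candidates(rows):
    """Non-background domains, busiest first, with a verdict on whether contact succeeded."""
    out = []
    for domain, p in profile(rows).items():
        if is_background(domain):
            continue
        verdict = "resolved and connected" if p["tcp"] else "DNS only: unresolved, sinkholed or unreachable"
        out.append({"domain": domain, "dns": p["dns"], "tcp": p["tcp"],
                    "peers": sorted(p["peers"]), "verdict": verdict})
    return sorted(out, key=lambda c: -c["dns"])


if __name__ == "__main__":
    for label, text in (("main sample", SAMPLE_ROWS), ("msnphoto.scr", SCR_ROWS)):
        found = candidates(parse_network(text))
        print(f"{label}: {len(found)} non-background domain(s)")
        for c in found:
            print(f'  {c["domain"]}: dns={c["dns"]} tcp={c["tcp"]} peers={c["peers"]} -> {c["verdict"]}')
```

For the msnphoto.scr run the filter leaves nothing, which matches that detonation's signature list (only the language-discovery key open); for the main sample it leaves counterslocal.com alone. A DNS-only profile is a domain to block and watch, not proof of command-and-control: the sandbox log shows only queries, so it cannot distinguish NXDOMAIN from a resolver that answered with nothing usable.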
Files
C:\Program Files (x86)\Windows Photo Viewer\es-ES\WindowsSistema10.0.19041.1.exe
| MD5 | 067352f5a9f5905b21b82b18e9fa2711 |
| SHA1 | e416dba2a5f752caa42a572ef847271d700debd9 |
| SHA256 | aa8ca4e5cd049edce4fa86fcfd4883419b01cb52914fcf7b253e39dfd6871bac |
| SHA512 | 7026c615950fd8ea9a68d4fe7ac78529f5a18e9ac54c93a199b355526447e6186ba0c2d7eb8f6f7bd78d3e8eb49003854fc2d6b724b6aaddf5029bd4ebf5cfc5 |
Analysis: behavioral6
Detonation Overview
Submitted
2025-05-18 03:21
Reported
2025-05-18 03:24
Platform
win10v2004-20250502-en
Max time kernel
104s
Max time network
136s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\msnphoto.scr | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\msnphoto.scr
"C:\Users\Admin\AppData\Local\Temp\msnphoto.scr" /S
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2025-05-18 03:21
Reported
2025-05-18 03:24
Platform
win10v2004-20250502-en
Max time kernel
103s
Max time network
142s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5856 wrote to memory of 2908 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5856 wrote to memory of 2908 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5856 wrote to memory of 2908 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\pisync.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\pisync.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2908 -ip 2908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 756
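Added triage example, not part of the original report: runs behavioral4, 7, 8 and 12 all show the same launch pattern with a different DLL name each time (pisync.dll, W95INF32.dll, msvcr71.dll, pibase.dll), always loaded by rundll32 from the user's Temp directory through ordinal export #1, always with the 64-bit rundll32 writing into a SysWOW64 rundll32 it started, and in behavioral7 and behavioral12 with WerFault attaching to that child. The script below encodes those three checks over the Processes and WriteProcessMemory entries of this run. It assumes, as a known Windows behaviour the report does not itself state, that the system32 to SysWOW64 rundll32 handoff is the normal re-launch a 64-bit rundll32 performs when handed a 32-bit DLL, and that a WerFault invocation with -p <pid> on that child means the DLL faulted before finishing. The rules and thresholds are this editor's, not the sandbox vendor's signatures; the input is copied from this run.

```python
"""Flag the loader pattern in a sandbox report's Processes / WriteProcessMemory
data: rundll32 loading a DLL from a user-writable directory by ordinal, a
64-bit rundll32 re-launching itself under SysWOW64 (32-bit DLL), and WerFault
attaching to that child (the payload crashed before finishing).

Added example (not part of the original report). Input is copied from the
behavioral12 run; the rules are this editor's, not the sandbox's signatures.
"""
import re

# Constructed sample: the Processes entries of behavioral12 as
# (image path, command line) pairs, in launch order.
PROCESSES = [
    (r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\pisync.dll,#1"),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\pisync.dll,#1"),
    (r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2908 -ip 2908"),
    (r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 756"),
]

# Constructed sample: the three identical WriteProcessMemory rows of behavioral12
# as (description, source image, target image).
WPM_EVENTS = [
    ("PID 5856 wrote to memory of 2908",
     r"C:\Windows\system32\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe"),
] * 3

# Directories an unprivileged user can write to (lower-case, backslash-delimited).
# A DLL that rundll32 loads from one of these is worth a look whatever its name.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")

RUNDLL_ARG = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>.+?\.dll),(?P<export>#?\w+)", re.I)
WPM_DESC = re.compile(r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)")
WER_PID = re.compile(r"-p\s+(?P<pid>\d+)")  # '-p 2908', not '-pss' or '-ip'


def rundll32_findings(processes):
    """One finding per rundll32 launch: which DLL, which export, from where, which bitness."""
    findings = []
    for image, cmdline in processes:
        m = RUNDLL_ARG.search(cmdline)
        if not m:
            continue
        dll, export = m.group("dll"), m.group("export")
        findings.append({
            "image": image,
            "dll": dll,
            "export": export,
            "ordinal_export": export.startswith("#"),
            "user_writable_dir": any(d in dll.lower() for d in USER_WRITABLE),
            "wow64": "\\syswow64\\" in image.lower(),
        })
    return findings


def wow64_reexec(wpm_events):
    """(parent, child) PID pairs where system32\\rundll32 wrote into a SysWOW64\\rundll32."""
    pairs = set()
    for desc, src_image, dst_image in wpm_events:
        m = WPM_DESC.search(desc)
        if (m and src_image.lower().endswith("\\system32\\rundll32.exe")
                and dst_image.lower().endswith("\\syswow64\\rundll32.exe")):
            pairs.add((int(m.group("src")), int(m.group("dst"))))
    return pairs


def crashed_pids(processes):
    """PIDs that WerFault was invoked for; a crash means the payload may not have run."""
    pids = set()
    for image, cmdline in processes:
        if image.lower().endswith("\\werfault.exe"):
            m = WER_PID.search(cmdline)
            if m:
                pids.add(int(m.group("pid")))
    return pids


def triage(processes, wpm_events):
    """Combine the three checks into a small verdict dict for this run."""
    findings = rundll32_findings(processes)
    reexec = wow64_reexec(wpm_events)
    crashes = crashed_pids(processes)
    suspicious = [f for f in findings if f["user_writable_dir"] and f["ordinal_export"]]
    child_crashed = any(child in crashes for _, child in reexec)
    return {
        "suspicious_rundll32": len(suspicious),
        "wow64_reexec": sorted(reexec),
        "child_crashed": child_crashed,
        # Only meaningful when the loader was seen; a crashed child is an incomplete run.
        "payload_may_have_run": bool(suspicious) and not child_crashed,
    }


if __name__ == "__main__":
    for f in rundll32_findings(PROCESSES):
        print(f)
    print(triage(PROCESSES, WPM_EVENTS))
```

The practical caveat for this report: in the two runs where WerFault attached to the SysWOW64 child, the DLL faulted before it finished, so the absence of file drops and the benign-looking network table in those runs reflect a crashed loader, not a clean one. Runs behavioral4 and behavioral8 have the same loader without a crash and should be read first.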
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2025-05-18 03:21
Reported
2025-05-18 03:24
Platform
win10v2004-20250502-en
Max time kernel
104s
Max time network
140s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1192 wrote to memory of 5844 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1192 wrote to memory of 5844 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1192 wrote to memory of 5844 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\W95INF32.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\W95INF32.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2025-05-18 03:21
Reported
2025-05-18 03:24
Platform
win10v2004-20250502-en
Max time kernel
102s
Max time network
142s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4644 wrote to memory of 4384 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4644 wrote to memory of 4384 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4644 wrote to memory of 4384 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr71.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr71.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4384 -ip 4384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 600
Network
| Country | Destination | Domain | Proto |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2025-05-18 03:21
Reported
2025-05-18 03:24
Platform
win10v2004-20250502-en
Max time kernel
103s
Max time network
128s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5112 wrote to memory of 2580 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5112 wrote to memory of 2580 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5112 wrote to memory of 2580 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\pibase.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\pibase.dll,#1
Network
| Country | Destination | Domain | Proto |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |