Malware Analysis Report

2025-05-28 17:23

Sample ID 250518-dwswascr4t
Target JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711
SHA256 aa8ca4e5cd049edce4fa86fcfd4883419b01cb52914fcf7b253e39dfd6871bac
Tags
discovery gootloader execution loader persistence
score
10/10

Analysis Overview

score
10/10

SHA256

aa8ca4e5cd049edce4fa86fcfd4883419b01cb52914fcf7b253e39dfd6871bac

Threat Level: Known bad

The file JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711 was found to be: Known bad.

Malicious Activity Summary

discovery gootloader execution loader persistence

Gootloader family

GootLoader

Drops file in Drivers directory

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Command and Scripting Interpreter: JavaScript

Suspicious use of WriteProcessMemory

Checks processor information in registry

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V16)

Analysis: static1

Detonation Overview

Reported

2025-05-18 03:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-18 03:21

Reported

2025-05-18 03:24

Platform

win10v2004-20250502-en

Max time kernel

103s

Max time network

135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ADVPACK.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1072 wrote to memory of 1564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1072 wrote to memory of 1564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1072 wrote to memory of 1564 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ADVPACK.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ADVPACK.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1564 -ip 1564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 628

Network

Country Destination Domain Proto
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2025-05-18 03:21

Reported

2025-05-18 03:24

Platform

win10v2004-20250502-en

Max time kernel

105s

Max time network

135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\W95INF16.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\W95INF16.dll,#1

Network

Country Destination Domain Proto
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2025-05-18 03:21

Reported

2025-05-18 03:24

Platform

win10v2004-20250502-en

Max time kernel

103s

Max time network

139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\fngrprnt.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2804 wrote to memory of 2984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2804 wrote to memory of 2984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2804 wrote to memory of 2984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\fngrprnt.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\fngrprnt.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2984 -ip 2984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 616

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2025-05-18 03:21

Reported

2025-05-18 03:24

Platform

win10v2004-20250502-en

Max time kernel

103s

Max time network

139s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\piorg.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.CHIPEmptyVolumeCache C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AA36298-AF5F-42fc-9957-417E01141D52}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.HIPPhotoExplorer.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.HIPPhotoExplorer.1\CLSID\ = "{D0A03AD0-F49C-4e01-9C1D-CA3B7B73B08E}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.MsnPubSend C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\ = "MsnPubSend Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\Implemented Categories\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A4C28B76-DFB6-4797-8E91-BDA23E8ED7FC}\ = "PIOrganize" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.CHIPEmptyVolumeCache\CLSID\ = "{6AA36298-AF5F-42fc-9957-417E01141D52}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.CHIPEmptyVolumeCache\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AA36298-AF5F-42fc-9957-417E01141D52}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A03AD0-F49C-4e01-9C1D-CA3B7B73B08E}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.MsnPubSend.1\ = "MsnPubSend Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AA36298-AF5F-42fc-9957-417E01141D52}\TypeLib\ = "{729BB3D4-7ECB-4A21-BCAC-BB0A52B44838}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.MsnPubSend.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.CHIPEmptyVolumeCache.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.HIPPhotoExplorer\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.MsnPubSend\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\piorg.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AA36298-AF5F-42fc-9957-417E01141D52}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\piorg.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\ProgID\ = "PIOrganize.MsnPubSend.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.CHIPEmptyVolumeCache.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A03AD0-F49C-4e01-9C1D-CA3B7B73B08E} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A03AD0-F49C-4e01-9C1D-CA3B7B73B08E}\ = "HIPPhotoExplorer Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\PIOrganize.DLL C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.HIPPhotoExplorer.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A03AD0-F49C-4e01-9C1D-CA3B7B73B08E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\piorg.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A03AD0-F49C-4e01-9C1D-CA3B7B73B08E}\ProgID\ = "PIOrganize.HIPPhotoExplorer.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\VersionIndependentProgID\ = "PIOrganize.MsnPubSend" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\TypeLib\ = "{729BB3D4-7ECB-4A21-BCAC-BB0A52B44838}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.CHIPEmptyVolumeCache\CurVer\ = "PIOrganize.CHIPEmptyVolumeCache.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AA36298-AF5F-42fc-9957-417E01141D52}\ProgID\ = "PIOrganize.CHIPEmptyVolumeCache.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.MsnPubSend\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AA36298-AF5F-42fc-9957-417E01141D52}\AppID = "{A4C28B76-DFB6-4797-8E91-BDA23E8ED7FC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A4C28B76-DFB6-4797-8E91-BDA23E8ED7FC} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AA36298-AF5F-42fc-9957-417E01141D52}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.MsnPubSend\CLSID\ = "{D1E5FD88-3953-4780-8F30-3FA2EC573425}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.CHIPEmptyVolumeCache\ = "CHIPEmptyVolumeCache Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.CHIPEmptyVolumeCache\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AA36298-AF5F-42fc-9957-417E01141D52} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AA36298-AF5F-42fc-9957-417E01141D52}\ = "CHIPEmptyVolumeCache Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A03AD0-F49C-4e01-9C1D-CA3B7B73B08E}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.MsnPubSend.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\PIOrganize.DLL\AppID = "{A4C28B76-DFB6-4797-8E91-BDA23E8ED7FC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AA36298-AF5F-42fc-9957-417E01141D52}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.HIPPhotoExplorer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.HIPPhotoExplorer\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A03AD0-F49C-4e01-9C1D-CA3B7B73B08E}\AppID = "{A4C28B76-DFB6-4797-8E91-BDA23E8ED7FC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A03AD0-F49C-4e01-9C1D-CA3B7B73B08E}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E5FD88-3953-4780-8F30-3FA2EC573425}\AppID = "{A4C28B76-DFB6-4797-8E91-BDA23E8ED7FC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AA36298-AF5F-42fc-9957-417E01141D52}\VersionIndependentProgID\ = "PIOrganize.CHIPEmptyVolumeCache" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PIOrganize.HIPPhotoExplorer.1\ = "HIPPhotoExplorer Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A03AD0-F49C-4e01-9C1D-CA3B7B73B08E}\VersionIndependentProgID\ = "PIOrganize.HIPPhotoExplorer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D0A03AD0-F49C-4e01-9C1D-CA3B7B73B08E}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5752 wrote to memory of 1292 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5752 wrote to memory of 1292 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5752 wrote to memory of 1292 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\piorg.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\piorg.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2025-05-18 03:21

Reported

2025-05-18 03:24

Platform

win10v2004-20250502-en

Max time kernel

104s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\pisynctw.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pisynctw.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\pisynctw.exe

"C:\Users\Admin\AppData\Local\Temp\pisynctw.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2025-05-18 03:21

Reported

2025-05-18 03:24

Platform

win10v2004-20250502-en

Max time kernel

105s

Max time network

137s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\slides~1.js

Signatures

GootLoader

loader gootloader

Gootloader family

gootloader

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\slides~1.js

Network

Country Destination Domain Proto
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2025-05-18 03:21

Reported

2025-05-18 03:24

Platform

win10v2004-20250502-en

Max time kernel

104s

Max time network

138s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\startup.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\startup.js

Network

Country Destination Domain Proto
GB 2.18.27.76:443 www.bing.com tcp
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2025-05-18 03:21

Reported

2025-05-18 03:24

Platform

win10v2004-20250502-en

Max time kernel

105s

Max time network

136s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\pidav.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ECA5543-A97A-40AE-B3BE-ED4B64D16EC2} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ECA5543-A97A-40AE-B3BE-ED4B64D16EC2}\ = "Groups Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Album.1\ = "Album Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Album\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0148B96-026F-471F-AF6B-20A0BA3A1088}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C6BDF752-9B6B-4573-B002-DCDB7109310E}\ProgID\ = "DavClient.Group.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.DavFile.1\ = "DavFile Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Album\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{11A7B5E7-96C9-4AC1-A95A-AA62C842D290} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1501E8BC-8A59-47BB-B766-4FAFD565EA3C}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Group\CLSID\ = "{C6BDF752-9B6B-4573-B002-DCDB7109310E}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{177287F4-E250-4FDA-BFDB-699AB6143915}\ProgID\ = "DavClient.Album.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Albums C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Albums\ = "Albums Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6978E816-524F-4533-923B-AAC2B37FAE98}\AppID = "{41C4463C-DE46-43BE-8958-BE4AAD04FD5B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5603F3E2-FF51-4877-899E-78F1FD1848E3} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5603F3E2-FF51-4877-899E-78F1FD1848E3}\VersionIndependentProgID\ = "DavClient.DavUserObject" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Group\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Groups.1\ = "Groups Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6978E816-524F-4533-923B-AAC2B37FAE98}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Album.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{177287F4-E250-4FDA-BFDB-699AB6143915}\VersionIndependentProgID\ = "DavClient.Album" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Albums\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{177287F4-E250-4FDA-BFDB-699AB6143915} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.DavFiles\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1501E8BC-8A59-47BB-B766-4FAFD565EA3C}\ProgID\ = "DavClient.DavFiles.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Groups C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.DavFiles\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C6BDF752-9B6B-4573-B002-DCDB7109310E}\VersionIndependentProgID\ = "DavClient.Group" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6978E816-524F-4533-923B-AAC2B37FAE98}\ProgID\ = "DavClient.DavFile.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6978E816-524F-4533-923B-AAC2B37FAE98}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Album C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{177287F4-E250-4FDA-BFDB-699AB6143915}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.DavFiles C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0148B96-026F-471F-AF6B-20A0BA3A1088} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.DavUserObject.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.DavFiles\CLSID\ = "{1501E8BC-8A59-47BB-B766-4FAFD565EA3C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1501E8BC-8A59-47BB-B766-4FAFD565EA3C}\TypeLib\ = "{11A7B5E7-96C9-4AC1-A95A-AA62C842D290}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ECA5543-A97A-40AE-B3BE-ED4B64D16EC2}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6978E816-524F-4533-923B-AAC2B37FAE98} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{177287F4-E250-4FDA-BFDB-699AB6143915}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pidav.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ECA5543-A97A-40AE-B3BE-ED4B64D16EC2}\VersionIndependentProgID\ = "DavClient.Groups" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6978E816-524F-4533-923B-AAC2B37FAE98}\ = "DavFile Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5603F3E2-FF51-4877-899E-78F1FD1848E3}\TypeLib\ = "{11A7B5E7-96C9-4AC1-A95A-AA62C842D290}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{11A7B5E7-96C9-4AC1-A95A-AA62C842D290}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1501E8BC-8A59-47BB-B766-4FAFD565EA3C}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Group.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.DavFile\CurVer\ = "DavClient.DavFile.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6978E816-524F-4533-923B-AAC2B37FAE98}\VersionIndependentProgID\ = "DavClient.DavFile" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.DavUserObject\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{11A7B5E7-96C9-4AC1-A95A-AA62C842D290}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1501E8BC-8A59-47BB-B766-4FAFD565EA3C}\VersionIndependentProgID\ = "DavClient.DavFiles" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ECA5543-A97A-40AE-B3BE-ED4B64D16EC2}\ProgID\ = "DavClient.Groups.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Group\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6978E816-524F-4533-923B-AAC2B37FAE98}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0148B96-026F-471F-AF6B-20A0BA3A1088}\TypeLib\ = "{11A7B5E7-96C9-4AC1-A95A-AA62C842D290}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\DavClient.DLL\AppID = "{41C4463C-DE46-43BE-8958-BE4AAD04FD5B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Groups.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Groups\ = "Groups Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Group.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.DavFile.1\CLSID\ = "{6978E816-524F-4533-923B-AAC2B37FAE98}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.Albums\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0148B96-026F-471F-AF6B-20A0BA3A1088}\ = "Albums Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DavClient.DavFiles\ = "DavFiles Class" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2344 wrote to memory of 5432 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2344 wrote to memory of 5432 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2344 wrote to memory of 5432 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\pidav.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\pidav.dll

Network

Country Destination Domain Proto
GB 2.18.27.82:443 www.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2025-05-18 03:21

Reported

2025-05-18 03:24

Platform

win10v2004-20250502-en

Max time kernel

105s

Max time network

138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\piorgres.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\piorgres.dll,#1

Network

Country Destination Domain Proto
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2025-05-18 03:21

Reported

2025-05-18 03:24

Platform

win10v2004-20250502-en

Max time kernel

101s

Max time network

141s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\piview.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24E8083A-CDD4-49b7-9E6D-CE56B117A55D}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36EAB66A-5E45-4f1c-AEFA-AF37F3FF298B}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CBCE923-870F-4f00-8097-4E61687B4469}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9CCC0206-10E9-4DA7-8533-9DB7FA0369E6}\9.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C08420-CCC6-4092-A75C-9E55D5176B26}\MiscStatus\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CBCE923-870F-4f00-8097-4E61687B4469}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\piview.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24E8083A-CDD4-49b7-9E6D-CE56B117A55D}\ProgID\ = "PIView.PIViewer.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36EAB66A-5E45-4f1c-AEFA-AF37F3FF298B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{779A8AE0-4741-4187-89A3-DB876F25B704}\ = "IPISimpleViewerControl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C08420-CCC6-4092-A75C-9E55D5176B26}\TypeLib\ = "{9CCC0206-10E9-4da7-8533-9DB7FA0369E6}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36EAB66A-5E45-4f1c-AEFA-AF37F3FF298B}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CBCE923-870F-4f00-8097-4E61687B4469}\ProgID\ = "PIView.PISimpleViewer.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C08420-CCC6-4092-A75C-9E55D5176B26}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PIThumbnailer\CLSID\ = "{36EAB66A-5E45-4f1c-AEFA-AF37F3FF298B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PISimpleViewerControl.1\ = "PISimpleViewerControl Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PISimpleViewerControl.1\CLSID\ = "{C7C08420-CCC6-4092-A75C-9E55D5176B26}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PISimpleViewerControl\CurVer\ = "PIView.PISimpleViewerControl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F25C9CD-F862-4354-8650-5051209EB26F}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PIThumbnailer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24E8083A-CDD4-49b7-9E6D-CE56B117A55D}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F25C9CD-F862-4354-8650-5051209EB26F}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CBCE923-870F-4f00-8097-4E61687B4469}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PISimpleViewerControl C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C08420-CCC6-4092-A75C-9E55D5176B26}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PIPlaylist.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F25C9CD-F862-4354-8650-5051209EB26F}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PISimpleViewer\CLSID\ = "{8CBCE923-870F-4f00-8097-4E61687B4469}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C08420-CCC6-4092-A75C-9E55D5176B26}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C08420-CCC6-4092-A75C-9E55D5176B26} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PISimpleViewerControl.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PISimpleViewer\CurVer\ = "PIView.PISimpleViewer.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36EAB66A-5E45-4f1c-AEFA-AF37F3FF298B}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24E8083A-CDD4-49b7-9E6D-CE56B117A55D}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{779A8AE0-4741-4187-89A3-DB876F25B704}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C08420-CCC6-4092-A75C-9E55D5176B26}\ProgID\ = "PIView.PISimpleViewerControl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C08420-CCC6-4092-A75C-9E55D5176B26}\AppID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F25C9CD-F862-4354-8650-5051209EB26F} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36EAB66A-5E45-4f1c-AEFA-AF37F3FF298B}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24E8083A-CDD4-49b7-9E6D-CE56B117A55D}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\piview.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36EAB66A-5E45-4f1c-AEFA-AF37F3FF298B}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CBCE923-870F-4f00-8097-4E61687B4469} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PIThumbnailer\CurVer\ = "PIView.PIThumbnailer.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PISimpleViewer.1\ = "PISimpleViewer Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CBCE923-870F-4f00-8097-4E61687B4469}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PIViewer\ = "PIViewer Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{779A8AE0-4741-4187-89A3-DB876F25B704}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C08420-CCC6-4092-A75C-9E55D5176B26}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C08420-CCC6-4092-A75C-9E55D5176B26}\MiscStatus C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F25C9CD-F862-4354-8650-5051209EB26F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\piview.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PIThumbnailer.1\CLSID\ = "{36EAB66A-5E45-4f1c-AEFA-AF37F3FF298B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PISimpleViewer.1\CLSID\ = "{8CBCE923-870F-4f00-8097-4E61687B4469}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CBCE923-870F-4f00-8097-4E61687B4469}\ = "PISimpleViewer Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8CBCE923-870F-4f00-8097-4E61687B4469}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C08420-CCC6-4092-A75C-9E55D5176B26}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PISimpleViewerControl\CLSID\ = "{C7C08420-CCC6-4092-A75C-9E55D5176B26}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PIPlaylist\CLSID\ = "{8F25C9CD-F862-4354-8650-5051209EB26F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PIThumbnailer.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24E8083A-CDD4-49b7-9E6D-CE56B117A55D}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24E8083A-CDD4-49b7-9E6D-CE56B117A55D}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{779A8AE0-4741-4187-89A3-DB876F25B704}\ = "IPISimpleViewerControl" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PISimpleViewerControl.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PIView.PIPlaylist\ = "PIPlaylist Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24E8083A-CDD4-49b7-9E6D-CE56B117A55D}\ = "PIViewer Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C7C08420-CCC6-4092-A75C-9E55D5176B26}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 716 wrote to memory of 2172 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 716 wrote to memory of 2172 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 716 wrote to memory of 2172 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\piview.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\piview.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2025-05-18 03:21

Reported

2025-05-18 03:24

Platform

win10v2004-20250502-en

Max time kernel

103s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\unicows.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3140 wrote to memory of 5472 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3140 wrote to memory of 5472 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3140 wrote to memory of 5472 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\unicows.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\unicows.dll,#1

Network

Country Destination Domain Proto
GB 2.18.27.76:443 www.bing.com tcp
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-18 03:21

Reported

2025-05-18 03:24

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\es-ES\mircmirc.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\SystemWFPLWFS10.0.19041.1.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\SystemWFPLWFS.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\mircmirc.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\SystemWFPLWFS10.0.19041.1.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\OperatingWindows10.0.19041.1.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\OperatingWindows10.0.19041.1.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\SystemWFPLWFS.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mIRCmirc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\mIRCmirc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\F12\de-DE\F12ScriptInternet.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\Systmeconnect10.0.19041.1.160101.0800.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\SysWOW64\wbem\fr\resourcesMicrosoft10.0.19041.1.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\SysWOW64\MUI\0407\mscoreesmirc.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netnvm64.inf_amd64_35bbbe80dec15683\nvm62x64Networking.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbushdaudbus10.0.19041.1081.160101.0800.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\en\AppVOperating.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\SysWOW64\Speech\Common\de-DE\sapisapi.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_x86_c62e9f8067f98247\I386\OperatingWindows.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\SysWOW64\Speech\SpeechUX\en-US\SapiWindows.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\SysWOW64\ru-RU\WindowsSystem.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\SysWOW64\sr-Latn-RS\OperatingMicrosoft.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\memory.inf_amd64_9af3a8a63d4cb5f9\Windowspnpmem10.0.19041.1.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\microsoft_bluetooth_hfp.inf_amd64_9effd93a75bc489e\WindowsOperating.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\SysWOW64\el-GR\XamlWindows.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netwsw00.inf_amd64_24d55504ae3587aa\LinkNETwsw0017642.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Windows\SysWOW64\setup\MSDTCSTPCMMIGR.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\WindowsOperating10.0.19041.1.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\SysWOW64\oobe\SetupCleanupTaskWindows.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\SysWOW64\ja\resourcesresources.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Windows\SysWOW64\RCX3E80.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\net7500-x64-n650f.inf_amd64_cc87c915f33d1c27\Ethernetlan7500x64n650f.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\SysWOW64\oobe\it-IT\SetupCleanupTaskMicrosoft.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\SysWOW64\migration\es-ES\mircmIRC.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\OperatingWindows.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\SysWOW64\Speech\Common\en-US\Windowssapi.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Windows\SysWOW64\sr-Latn-RS\mircmIRC.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\vdrvroot.inf_amd64_5dbe5e81fafe4636\Operatingvdrvroot13291.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ws3cap.inf_amd64_6cf8ea2249844b50\OperatingWindows10.0.19041.1.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Dism\WindowsPowerShell.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\pspluginwkrdefaulthelp.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en\resourcesSystem.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\SysWOW64\Dism\fr-FR\dexploitationSystme10.0.19041.1.160101.0800.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Windows\SysWOW64\ro-RO\SystemQuickAssist.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\athw8x.inf_amd64_55014eff4ceefbdf\NetworkAdapter.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Windows\SysWOW64\MUI\0407\FrameworkMicrosoft.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\SysWOW64\IME\IMEKR\DICTS\WindowsSystem.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\iscsi.inf_amd64_c089962740ea1f84\WindowsSystem.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Dism\it\PowerShellWindows.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\cht4vx64.inf_amd64_b03448ba0b72ec47\Controllercht4vbd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\it\MicrosoftWindows10.0.19041.1.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\fr\resourcesAppVClientPowerShell.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\SysWOW64\Speech\SpeechUX\it-IT\SistemaMicrosoft.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Windows\SysWOW64\oobe\de-DE\WindowsBetriebssystem.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\SysWOW64\sv-SE\XamlSyncRes.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Dism\fr\SystmeWindows.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallShield\mIRCmirc.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\en\Systemresources.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Windows\SysWOW64\Dism\en-US\mircmirc.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\virtdisk.inf_amd64_9a7f42b85c7def50\bttfltOperating.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\SysWOW64\Speech\SpeechUX\es-ES\operativoSistema.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\SysWOW64\MUI\0409\mscoreesWindows.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\MicrosoftWindows.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Windows\SysWOW64\Dism\en-US\SetupPlatformProviderOperating.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ialpss2i_gpio2_skl.inf_amd64_b68199ad84607c21\SerialDriver.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\volmgr.inf_amd64_b98e2b928f71a2b1\SystemWindows.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\61883.inf_amd64_789f35bee584a939\SystemWindows10.0.19041.1.160101.0800.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\SysWOW64\es\WindowsSistema.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\SysWOW64\Speech\Common\sapiWindows.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\usb.inf_amd64_683fd853c8b8a4db\OperatingWindows.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_c62e9f8067f98247\Amd64\WindowsPS5UI.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Windows\SysWOW64\Dism\fr-FR\dexploitationSystme10.0.19041.1.160101.0800.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\de\MicrosoftMicrosoft10.0.19041.1.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\SysWOW64\Dism\en-US\SetupPlatformProviderOperating.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\AdobeHunspellPluginAdobeHunspellPlugin.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\en-US\OperatingWindows.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\ReaderManager.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\qrcodepmpdatamatrixpmp.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\SystemSystem.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Program Files (x86)\Common Files\System\ja-JP\SystemOperating.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\RCX6052.tmp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoViewerPhotoAcq.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\TipResTipTsf.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\de-DE\BetriebssystemWindows.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Program Files (x86)\Internet Explorer\uk-UA\Internetieinstal.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Program Files (x86)\Common Files\System\msadc\Systemmsadce.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\MicrosoftOperating.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\EBWebView\x86\ClientEmbedded.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Program Files (x86)\Common Files\System\ado\ja-JP\msader15Operating.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Program Files (x86)\Internet Explorer\de-DE\iexploreInternet.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\CreateAdobe.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\DynamicStudio.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\en-US\WindowsWindows.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateUpdate.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ja-JP\Internetiexplore.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\widevinecdmadapterComponents.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\BHO\IEToEdgeietoedgestub132.0.2957.140.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Program Files (x86)\Windows Defender\it-IT\operativompasdesc.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\EBWebView\x86\WebViewMicrosoft132.0.2957.140.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\uk-UA\Internetieinstal.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\WindowsWindows10.0.19041.1.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\LinkLibrary.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\libGLESv2wnspushclient.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\sqloledbWindows10.0.19041.1.160101.0800.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\PowerShellMicrosoft.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\WindowsTabTip32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\TipResTipTsf.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\BHO\ietoedgebhoietoedgebho64.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\Microsoftvstoee.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\fr-FR\mpasdescSystme.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Program Files (x86)\Windows Media Player\en-US\wmplayerWMPNSSUI.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Program Files (x86)\Windows Defender\es-ES\mpasdescoperativo4.18.1907.16384.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\es-ES\mpasdescoperativo4.18.1907.16384.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\uk-UA\WindowsMicrosoft.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\de-DE\Microsoftmpasdesc.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\fr-FR\InternetIEXPLORE.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\es-ES\Internetieinstal.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Installer\InstallerMicrosoft.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Installer\InstallerMicrosoft.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\ja-JP\setupwmOperating12.0.19041.1.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\DesignEngine.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\msadc\de-DE\msdaremrWindows.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\WindowsWindows10.0.19041.1.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\en-US\OperatingWindows.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Program Files (x86)\Windows Defender\uk-UA\EppManifestmpasdesc4.18.1907.16384.160101.0800.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\TabTip32System.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAiod.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\msedgeproxymsedgeproxy.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\resourcesUIAutomationClientsideProviders.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\uk-UA\WindowsWAB32res.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\BHO\ietoedgestubietoedgebho.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Program Files (x86)\Common Files\System\msadc\es-ES\Systemmsdaprsr10.0.19041.1.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\resourcesresources10.0.19041.1.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagementMicrosoft.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\MicrosoftmshwLatin.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\VisualStudio7.10.2346.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Program Files (x86)\Windows Media Player\ja-JP\setupwmOperating12.0.19041.1.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Program Files (x86)\Common Files\System\it-IT\Sistemaoperativo.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_es-es_76fa6c1a5ef15070\operativomemdiag10.0.19041.1.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..ngc-tasks.resources_31bf3856ad364e35_10.0.19041.1_de-de_7bba1588ca7cc4c9\NgcTasksMicrosoft.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\msil_microsoft.powershell.commands.management_31bf3856ad364e35_10.0.19041.1_none_fcfa075fee21fc1f\WindowsSystem.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-ole-automation_31bf3856ad364e35_10.0.19041.264_none_9ae1cb705a5b8b5e\OLEAUT32Windows.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..gementwmi.resources_31bf3856ad364e35_10.0.19041.1_es-es_2f63b728e887d212\STORAGEWMISystem.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_wwf-system.workflow.componentmodel_31bf3856ad364e35_10.0.19041.1_none_41d526fcad732f45\SystemSystem.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..ngerprintcredential_31bf3856ad364e35_10.0.19041.1_none_518abbfab883365f\WindowsOperating.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-naturallanguage6-mls6_31bf3856ad364e35_10.0.19041.1_none_0b90bf36f1da43c7\MicrosoftMLS6.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Windows\apppatch\fr-FR\dexploitationdexploitation.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-i..l-keyboard-00010444_31bf3856ad364e35_10.0.19041.1_none_4bfa5a9429ac9352\kbdtt102Microsoft10.0.19041.1.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..mentation.resources_31bf3856ad364e35_11.0.19041.1_fr-fr_a4b6064456d99eae\wininetInternet.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p..structureexecutable_31bf3856ad364e35_10.0.19041.1_none_adf98e02f565c8fe\SystemOperating.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-themeui_31bf3856ad364e35_10.0.19041.1_none_45444e48ef3f71b1\MicrosoftOperating.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_presentationbuildtasks_31bf3856ad364e35_4.0.15805.0_none_d34a6f7ba236f5b1\FrameworkPresentationBuildTasks.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-rasplap_31bf3856ad364e35_10.0.19041.867_none_f01b2255d690daa4\WindowsMicrosoft.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-i..pbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_3598413c5a348b00\InformationServices.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..tenanceui.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b25ad5b5e308bb79\WindowsOperating.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ScreenClipping\WindowsSystem.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-dpapi-keys_31bf3856ad364e35_10.0.19041.1_none_33c3e07f6cce5a52\dpapimigMicrosoft10.0.19041.1.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Speech.resources\v4.0_4.0.0.0_it_31bf3856ad364e35\Speechresources.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-ie-setup.resources_31bf3856ad364e35_11.0.19041.1_fr-fr_dd930683cd93912c\Internetinseng.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\msil_srpuxsnapin.resources_31bf3856ad364e35_10.0.19041.1_de-de_aa10d96c525615f4\SrpUxSnapInresources.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-oleaccrc.resources_31bf3856ad364e35_10.0.19041.1_es-es_b6152b81960ebc0b\SystemOLEACCRC.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting.Resources\2.0.0.0_de_b77a5c561934e089\Frameworkresources.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..show-core.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_33ba3aa19a7751f6\MicrosoftSystem.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_system.componentmod..mposition.resources_b77a5c561934e089_4.0.15805.0_es-es_15cec99082ddb40a\SystemMicrosoft.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..ice-winrt.resources_31bf3856ad364e35_10.0.19041.1_en-us_c7adf605f08d0f3a\ManagementMicrosoft10.0.19041.1.160101.0800.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_usbcciddriver.inf.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_14683ba967cda790\MicrosoftSystme.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ic1a2041b#\7710ed46e965bbb56a0558fbff9916f3\EsentWindows.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p..ng-oleprn.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_97a642635d1f8594\oleprnoleprn.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.OracleClient.resources\v4.0_4.0.0.0_de_b77a5c561934e089\SystemSystem.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..nvservice.resources_31bf3856ad364e35_10.0.19041.1_es-es_ccaeaf8ba3acc8d6\SistemaMicrosoft.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-wer-sdktools_31bf3856ad364e35_10.0.19041.1_none_0067ac1cb4a6c8bc\DbgModelSystem10.0.19041.1.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-o..tend-apis.resources_31bf3856ad364e35_10.0.19041.1_es-es_55a09501fcb42814\WindowsSistema.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-msf-providers_31bf3856ad364e35_10.0.19041.1_none_56318e5c7ea2ae30\SynchronizationSynchronization.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..omerfeedbackmanager_31bf3856ad364e35_10.0.19041.844_none_c47fb20821633815\Systemimecfmps10.0.19041.844.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..icsclient-scheduled_31bf3856ad364e35_10.0.19041.1_none_baa4e03a66bc0eae\Microsoftsdiagschd.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\msil_uiautomationclients..providers.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_5e0415d3956ba66c\FrameworkUIAutomationClientsideProviders.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-quickassist.resources_31bf3856ad364e35_10.0.19041.1_zh-cn_17c4f3dd4fef22c6\WindowsQuickAssist10.0.19041.1.160101.0800.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-charmap_31bf3856ad364e35_10.0.19041.1_none_a84acae243b8ad63\Microsoftcharmap.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\msil_multipoint-wms.dash..addintabs.resources_31bf3856ad364e35_10.0.19041.1_es-es_f6932ba2fb323f2a\resourcesWindows.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\diagnostics\system\Power\fr-FR\WindowsMicrosoft.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft.powershel..er.events.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_95e58db0b0215011\PSDSCFileDownloadManagerEventsdexploitation.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_system.net.websockets_b03f5f7f11d50a3a_4.0.15805.0_none_d53ac54f87ada30d\FrameworkMicrosoft.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\de\MicrosoftPresentationFramework.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..ctiveuser.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5636904c996fb1a0\WindowsSystem10.0.19041.1.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\AddInUtil.resources\v4.0_4.0.0.0_es_b77a5c561934e089\resourcesresources.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-onecoreuap-deviceaccess_31bf3856ad364e35_10.0.19041.746_none_d665b070f8fb6cac\WindowsDeviceAccess.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-usbperf.resources_31bf3856ad364e35_10.0.19041.1_it-it_1c566b3d8a3314b4\operativoWindows.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-ie-setup.resources_31bf3856ad364e35_11.0.19041.1_de-de_921f5da7ebbc7d60\ExplorerInternet11.00.19041.1.160101.0800.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-cttunesvr.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_a8776209b1045f20\CtTuneSvrOperating.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_system.servicemodel.activities.resources_31bf3856ad364e35_4.0.15805.0_fr-fr_8eeaaaa95649ea19\ServiceModelActivities.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.DurableInstancing.resources\v4.0_4.0.0.0_fr_31bf3856ad364e35\FrameworkDurableInstancing.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-directx-ddisplay_31bf3856ad364e35_10.0.19041.1_none_f0f00523b877918c\DDisplayWindows.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-directui.resources_31bf3856ad364e35_10.0.19041.1_tr-tr_bc9b72f5f08b2431\WindowsMicrosoft.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_networking-mpssvc-admin.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_25b17136f36d1d7e\SystemAuthFWWizFwk.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-wlangpclient.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_c658feb5f06faa9f\wlgpclntSystem.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..xperience.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_8415e2f2102f59fc\WindowsWindows.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Tpm.Resources\v4.0_10.0.0.0_fr_31bf3856ad364e35\dexploitationresources10.0.19041.1.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_afb9e74560b9f815\winlogonOperating.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_dual_amdsata.inf_31bf3856ad364e35_10.0.19041.1_none_e0b7b1076af0e5b4\Storageamdxata.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-riched32_31bf3856ad364e35_10.0.19041.1_none_52f1c15a21f92b4b\WindowsSystem5.31.23.1231.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-mystify_31bf3856ad364e35_10.0.19041.1_none_a602a895febacb78\SystemOperating10.0.19041.1.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-telephony-phoneom_31bf3856ad364e35_10.0.19041.746_none_c751b51b9cfc017c\SystemPhoneOm10.0.19041.746.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
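The two tables above show the sample, running from the user's Temp directory, writing executables into Program Files (x86) and C:\Windows, including the WinSxS component store. The dropped names are concatenations of fragments such as Windows, System, Microsoft and Operating, or localized equivalents (Betriebssystem, Sistema operativo, Système d'exploitation), sometimes with a version string like 10.0.19041.1, so filename-based detection is weak. The Files section of this detonation records that the copy under Program Files (x86) carries the same MD5 and SHA256 as the submitted sample, which turns the written paths into a hash-hunt list. The Python below is an added example, not part of the report or the sandbox's tooling: it parses rows in the layout these tables use, flags writes into protected roots by an image running from a user's temp directory, and returns the unique executable paths to hash-check. The sample rows are copied from the tables above, plus one constructed control row; the regex assumes the writer image path contains no spaces, which holds for every row on this page.

```python
"""Triage of file-write rows in the report's layout (added example, not the report's tooling)."""
import re
from collections import Counter

# Row layout used by the drop tables: <description> <written path> <writer image> <target>
# Assumption: the writer image path contains no spaces (true for every row on this page);
# the written path may contain spaces, so it is matched lazily.
ROW_RE = re.compile(
    r"^(?P<desc>File created|File opened for modification)\s+"
    r"(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<writer>[A-Za-z]:\\\S+)\s+"
    r"(?P<target>\S+)$"
)

# Roots a process running out of a user's temp directory has no business writing into.
PROTECTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".sys")

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe"

# Rows copied from the two tables above, plus one constructed control row at the end.
SAMPLE_ROWS = [
    f"{desc} {path} {DROPPER} N/A"
    for desc, path in (
        ("File created", r"C:\Program Files (x86)\Common Files\System\ja-JP\SystemOperating.exe"),
        ("File opened for modification", r"C:\Program Files (x86)\Common Files\System\RCX6052.tmp"),
        ("File created", r"C:\Program Files (x86)\Windows NT\TableTextService\WindowsWindows10.0.19041.1.exe"),
        ("File opened for modification", r"C:\Program Files (x86)\Windows NT\TableTextService\WindowsWindows10.0.19041.1.exe"),
        ("File created", r"C:\Windows\WinSxS\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_es-es_76fa6c1a5ef15070\operativomemdiag10.0.19041.1.exe"),
        ("File opened for modification", r"C:\Windows\apppatch\fr-FR\dexploitationdexploitation.exe"),
        ("File created", r"C:\Windows\diagnostics\system\Power\fr-FR\WindowsMicrosoft.exe"),
    )
] + [
    # Constructed control row (not from the report): a system binary writing into the user's own temp.
    r"File created C:\Users\Admin\AppData\Local\Temp\report.txt C:\Windows\System32\notepad.exe N/A",
]


def parse_row(line):
    """Split one table row into its four columns; raise on anything else."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised row layout: {line!r}")
    return m.groupdict()


def protected_root(path):
    """Return the protected root a path lives under, or None."""
    low = path.lower()
    return next((root for root in PROTECTED_ROOTS if low.startswith(root)), None)


def triage(rows):
    """Flag writes into a protected root made by an image running from a user's temp directory."""
    flagged = []
    for line in rows:
        ev = parse_row(line)
        root = protected_root(ev["path"])
        if root is None or not USER_TEMP.match(ev["writer"]):
            continue
        ev["root"] = root
        ev["executable"] = ev["path"].lower().endswith(EXEC_EXT)
        flagged.append(ev)
    return flagged


def hunt_paths(flagged):
    """Unique executable paths to hash on a live host; a SHA256 equal to the sample's confirms a dropped copy."""
    return sorted({ev["path"] for ev in flagged if ev["executable"]})


def roots_hit(flagged):
    """How many flagged writes landed under each protected root."""
    return Counter(ev["root"] for ev in flagged)


if __name__ == "__main__":
    hits = triage(SAMPLE_ROWS)
    print(f"{len(hits)} suspicious writes, roots: {dict(roots_hit(hits))}")
    for path in hunt_paths(hits):
        print("hash-check:", path)
```

On the sample rows every write by the dropper is flagged (the .tmp staging file included), the control row is not, and the hunt list collapses the create/modify pair for the same path into one entry. On a live host, hashing each listed path and comparing against the report's SHA256 is the cheap confirmation; the temp file and the non-executable rows still matter for timeline reconstruction.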

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_067352f5a9f5905b21b82b18e9fa2711.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 windowsupdate.microsoft.com udp
US 20.72.235.82:80 windowsupdate.microsoft.com tcp
US 8.8.8.8:53 fe2.update.microsoft.com udp
US 4.154.131.224:80 fe2.update.microsoft.com tcp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 2.18.27.76:443 www.bing.com tcp
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 counterslocal.com udp
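Two things in this table are easy to miss when reading it row by row. First, for the udp rows the Destination column is the resolver (8.8.8.8:53), not the domain, so a domain that appears only in udp rows was looked up but never connected to; counterslocal.com is queried repeatedly and never followed by a tcp row, which is what an NXDOMAIN, sinkholed or blocked lookup looks like. Second, the bing and pki.goog traffic also appears in detonations on this page that run unrelated files (behavioral6, behavioral12, behavioral4), so it is the VM's background, not the sample's. The Python below is an added example, not part of the report or the sandbox's tooling: it parses rows in this table's layout, separates lookups from connections per domain, and subtracts a baseline taken from behavioral6. The row excerpt is copied from the table above (the full table repeats the counterslocal.com lookup many more times); the baseline set is my reading of behavioral6's table.

```python
"""Per-domain summary of a sandbox network table (added example, not the report's tooling)."""
import re
from collections import defaultdict

# Row layout: <country> <destination ip:port> <domain> <proto>
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?P<domain>\S+)\s+(?P<proto>tcp|udp)$"
)

# Excerpt of the behavioral8 table above; the full table repeats the counterslocal.com lookup many more times.
NETWORK_ROWS = """\
US 8.8.8.8:53 windowsupdate.microsoft.com udp
US 20.72.235.82:80 windowsupdate.microsoft.com tcp
US 8.8.8.8:53 fe2.update.microsoft.com udp
US 4.154.131.224:80 fe2.update.microsoft.com tcp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 2.18.27.76:443 www.bing.com tcp
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 counterslocal.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp
""".splitlines()

# Domains seen in behavioral6, which detonates an unrelated file on the same image: VM background traffic.
BASELINE_DOMAINS = {"g.bing.com", "www.bing.com", "tse1.mm.bing.net", "c.pki.goog"}


def parse_rows(rows):
    """Split each table row into its columns; raise on anything that is not a row."""
    out = []
    for line in rows:
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row layout: {line!r}")
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        out.append(rec)
    return out


def summarize(rows):
    """Count DNS lookups and real connections per domain.

    For udp/53 rows the destination column is the resolver, not the domain, so those
    rows count as lookups; every other row counts as a connection to the listed peer.
    """
    per = defaultdict(lambda: {"dns_queries": 0, "connections": 0, "peers": set()})
    for r in parse_rows(rows):
        entry = per[r["domain"]]
        if r["proto"] == "udp" and r["port"] == 53:
            entry["dns_queries"] += 1
        else:
            entry["connections"] += 1
            entry["peers"].add(f"{r['ip']}:{r['port']}")
    return dict(per)


def queried_never_connected(summary):
    """Looked up but never reached: NXDOMAIN, sinkholed or blocked. Candidate C2, not a confirmed one."""
    return sorted(d for d, s in summary.items() if s["dns_queries"] and not s["connections"])


def connected_never_queried(summary):
    """Reached without a visible lookup: cached answer, CNAME of another query, or resolved before capture."""
    return sorted(d for d, s in summary.items() if s["connections"] and not s["dns_queries"])


def not_in_baseline(summary, baseline=BASELINE_DOMAINS):
    """Domains this detonation touched that a detonation of an unrelated file on the same image did not."""
    return sorted(set(summary) - set(baseline))


if __name__ == "__main__":
    s = summarize(NETWORK_ROWS)
    print("queried, never connected:", queried_never_connected(s))
    print("new versus baseline:", not_in_baseline(s))
```

The repeated lookups with no connection are the interesting part: the sample kept asking for counterslocal.com and never got anywhere, so the domain is worth a passive-DNS and sinkhole check rather than being written off as noise. The baseline subtraction still leaves the two windowsupdate hosts, which a second clean detonation would be needed to attribute either way.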

Files

C:\Program Files (x86)\Windows Photo Viewer\es-ES\WindowsSistema10.0.19041.1.exe

MD5 067352f5a9f5905b21b82b18e9fa2711
SHA1 e416dba2a5f752caa42a572ef847271d700debd9
SHA256 aa8ca4e5cd049edce4fa86fcfd4883419b01cb52914fcf7b253e39dfd6871bac
SHA512 7026c615950fd8ea9a68d4fe7ac78529f5a18e9ac54c93a199b355526447e6186ba0c2d7eb8f6f7bd78d3e8eb49003854fc2d6b724b6aaddf5029bd4ebf5cfc5

Analysis: behavioral6

Detonation Overview

Submitted

2025-05-18 03:21

Reported

2025-05-18 03:24

Platform

win10v2004-20250502-en

Max time kernel

104s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\msnphoto.scr" /S

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\msnphoto.scr N/A

Processes

C:\Users\Admin\AppData\Local\Temp\msnphoto.scr

"C:\Users\Admin\AppData\Local\Temp\msnphoto.scr" /S

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 2.18.27.76:443 www.bing.com tcp
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2025-05-18 03:21

Reported

2025-05-18 03:24

Platform

win10v2004-20250502-en

Max time kernel

103s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\pisync.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5856 wrote to memory of 2908 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5856 wrote to memory of 2908 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5856 wrote to memory of 2908 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\pisync.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\pisync.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2908 -ip 2908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 756

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2025-05-18 03:21

Reported

2025-05-18 03:24

Platform

win10v2004-20250502-en

Max time kernel

104s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\W95INF32.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1192 wrote to memory of 5844 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1192 wrote to memory of 5844 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1192 wrote to memory of 5844 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\W95INF32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\W95INF32.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2025-05-18 03:21

Reported

2025-05-18 03:24

Platform

win10v2004-20250502-en

Max time kernel

102s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr71.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4644 wrote to memory of 4384 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4644 wrote to memory of 4384 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4644 wrote to memory of 4384 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr71.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr71.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4384 -ip 4384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 600

Network

Country Destination Domain Proto
GB 2.18.27.82:443 www.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2025-05-18 03:21

Reported

2025-05-18 03:24

Platform

win10v2004-20250502-en

Max time kernel

103s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\pibase.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5112 wrote to memory of 2580 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5112 wrote to memory of 2580 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5112 wrote to memory of 2580 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\pibase.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\pibase.dll,#1

Network

Country Destination Domain Proto
GB 2.18.27.82:443 www.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp

Files

N/A