Analysis Overview
SHA256
3f7987960e18db7d87c0f4b6fdbb2a097de3d27db72dfa9413a312d13b74b44e
Threat Level: Known bad
The file JaffaCakes118_e8338610a7c11e612b6c87a6f6f6e7e3 was found to be: Known bad.
Malicious Activity Summary
Modifies firewall policy service
Blackshades family
Blackshades payload
Blackshades
Downloads MZ/PE file
Boot or Logon Autostart Execution: Active Setup
Adds policy Run key to start application
Loads dropped DLL
Drops startup file
Executes dropped EXE
Event Triggered Execution: Component Object Model Hijacking
Checks installed software on the system
Installs/modifies Browser Helper Object
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
System policy modification
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-11 16:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-11 16:28
Reported
2025-02-11 16:30
Platform
win7-20241023-en
Max time kernel
148s
Max time network
133s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\JService.exe = "C:\\Users\\Admin\\AppData\\Roaming\\JService.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\csrss.exe = "C:\\Program Files (x86)\\csrss.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Program Files (x86)\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\JService = "C:\\Users\\Admin\\AppData\\Roaming\\JService.exe" | C:\Program Files (x86)\csrss.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7BCBE08-4BBD-BCDE-A8D3-413FDB6BEDB4} | C:\Program Files (x86)\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7BCBE08-4BBD-BCDE-A8D3-413FDB6BEDB4}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\JService.exe" | C:\Program Files (x86)\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{C7BCBE08-4BBD-BCDE-A8D3-413FDB6BEDB4} | C:\Program Files (x86)\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Active Setup\Installed Components\{C7BCBE08-4BBD-BCDE-A8D3-413FDB6BEDB4}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\JService.exe" | C:\Program Files (x86)\csrss.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_e8338610a7c11e612b6c87a6f6f6e7e3.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8338610a7c11e612b6c87a6f6f6e7e3.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_e8338610a7c11e612b6c87a6f6f6e7e3.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8338610a7c11e612b6c87a6f6f6e7e3.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\csrss.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JService = "C:\\Users\\Admin\\AppData\\Roaming\\JService.exe" | C:\Program Files (x86)\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\JService = "C:\\Users\\Admin\\AppData\\Roaming\\JService.exe" | C:\Program Files (x86)\csrss.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2372 set thread context of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8338610a7c11e612b6c87a6f6f6e7e3.exe | C:\Program Files (x86)\csrss.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\csrss.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8338610a7c11e612b6c87a6f6f6e7e3.exe | N/A |
| File opened for modification | C:\Program Files (x86)\csrss.exe | C:\Program Files (x86)\csrss.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8338610a7c11e612b6c87a6f6f6e7e3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8338610a7c11e612b6c87a6f6f6e7e3.exe | N/A |
| Token: 1 | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: 31 | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: 32 | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: 33 | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: 34 | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: 35 | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\csrss.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\csrss.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8338610a7c11e612b6c87a6f6f6e7e3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8338610a7c11e612b6c87a6f6f6e7e3.exe"
C:\Program Files (x86)\csrss.exe
"C:\Program Files (x86)\csrss.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Program Files (x86)\csrss.exe" /t REG_SZ /d "C:\Program Files (x86)\csrss.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\JService.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JService.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Program Files (x86)\csrss.exe" /t REG_SZ /d "C:\Program Files (x86)\csrss.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\JService.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JService.exe:*:Enabled:Windows Messanger" /f
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1160
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | vulnerable.no-ip.org | udp |
| US | 8.8.8.8:53 | spark.ws | udp |
| DE | 91.195.240.12:80 | spark.ws | tcp |
| US | 8.8.8.8:53 | croxxy.no-ip.biz | udp |
| US | 8.8.8.8:53 | rat.spark.ws | udp |
| DE | 91.195.240.12:1027 | rat.spark.ws | tcp |
| DE | 91.195.240.12:1027 | rat.spark.ws | tcp |
| DE | 91.195.240.12:1027 | rat.spark.ws | tcp |
Files
memory/2372-0-0x0000000074531000-0x0000000074532000-memory.dmp
memory/2372-1-0x0000000074530000-0x0000000074ADB000-memory.dmp
memory/2372-2-0x0000000074530000-0x0000000074ADB000-memory.dmp
\Users\Admin\AppData\Local\Temp\Driver.dll
| MD5 | fe88dec034be793a63e4ea33897b04b0 |
| SHA1 | becda875d9176eff61d944afe54419ce7fd44b12 |
| SHA256 | 1ae5160ee114ca02b663cede327d53198ff569ebb39e98a7bec4f82018b5596c |
| SHA512 | f8b2becf48f9de83a98ca2dbba7c19a09235930e7108b96d9a1d2c144301fafec130473f30b9d88bc594f3103537d4c473c6d4ca3e12b5bb09f24dd59a99bd77 |
C:\Program Files (x86)\csrss.exe
| MD5 | 3fe1b20df8c327735516389105e75d78 |
| SHA1 | 66c5cb0dad53cc0adf1ecd102af79436e5a0d498 |
| SHA256 | 380f52de0a79fc5dc88cdf4c5de3aee2ecd340d20e8a58971661753b52544923 |
| SHA512 | 18eb8bf53acbe8b44ca50819ec5fa13368f8a7f44e57329e5e8569949df575db22c13dfcae4c2c84173af1ceba1eab9c11a25e26f37d1d2e0b55ad756c01c32c |
memory/1272-25-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1272-21-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1272-20-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1272-19-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1272-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1272-40-0x00000000754A8000-0x00000000754A9000-memory.dmp
memory/1272-43-0x0000000075490000-0x00000000755A0000-memory.dmp
memory/1272-42-0x0000000075490000-0x00000000755A0000-memory.dmp
memory/1272-41-0x0000000075490000-0x00000000755A0000-memory.dmp
memory/2372-44-0x0000000074530000-0x0000000074ADB000-memory.dmp
memory/2372-45-0x0000000074530000-0x0000000074ADB000-memory.dmp
memory/1272-46-0x0000000075490000-0x00000000755A0000-memory.dmp
memory/1272-47-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1272-48-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1272-50-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1272-51-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1272-52-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1272-53-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1272-55-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1272-56-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1272-58-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1272-59-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1272-60-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1272-62-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1272-63-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1272-64-0x0000000000400000-0x0000000000470000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-11 16:28
Reported
2025-02-11 16:30
Platform
win10v2004-20250207-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\JService.exe = "C:\\Users\\Admin\\AppData\\Roaming\\JService.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\csrss.exe = "C:\\Program Files (x86)\\csrss.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\JService = "C:\\Users\\Admin\\AppData\\Roaming\\JService.exe" | C:\Program Files (x86)\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Program Files (x86)\csrss.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7BCBE08-4BBD-BCDE-A8D3-413FDB6BEDB4} | C:\Program Files (x86)\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{C7BCBE08-4BBD-BCDE-A8D3-413FDB6BEDB4}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\JService.exe" | C:\Program Files (x86)\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7BCBE08-4BBD-BCDE-A8D3-413FDB6BEDB4}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\JService.exe" | C:\Program Files (x86)\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{C7BCBE08-4BBD-BCDE-A8D3-413FDB6BEDB4} | C:\Program Files (x86)\csrss.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_e8338610a7c11e612b6c87a6f6f6e7e3.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8338610a7c11e612b6c87a6f6f6e7e3.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_e8338610a7c11e612b6c87a6f6f6e7e3.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8338610a7c11e612b6c87a6f6f6e7e3.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8338610a7c11e612b6c87a6f6f6e7e3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8338610a7c11e612b6c87a6f6f6e7e3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8338610a7c11e612b6c87a6f6f6e7e3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8338610a7c11e612b6c87a6f6f6e7e3.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JService = "C:\\Users\\Admin\\AppData\\Roaming\\JService.exe" | C:\Program Files (x86)\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JService = "C:\\Users\\Admin\\AppData\\Roaming\\JService.exe" | C:\Program Files (x86)\csrss.exe | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4384 set thread context of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8338610a7c11e612b6c87a6f6f6e7e3.exe | C:\Program Files (x86)\csrss.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\132.0.2957.140.manifest | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\VisualElements\LogoDev.png | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Mu\Content | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\icudtl.dat | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\as.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\edge_game_assist\EdgeGameAssist.msix | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\3672_13383765003399223_3672.pma | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\EdgeWebView.dat | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ar.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ga.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\BHO\ie_to_edge_bho_64.dll | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Trust Protection Lists\Sigma\Fingerprinting | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\ka.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\bfbb137d-47fa-4061-b3a3-f6baad07b509.tmp | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\elevation_service.exe | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Extensions\external_extensions.json | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\sr.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\AdSelectionAttestationsPreloaded\ad-selection-attestations.dat | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files\MsEdgeCrashpad\settings.dat | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\de.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Edge.dat | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\ffmpeg.dll | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedge.exe | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msvcp140.dll | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\VisualElements\SmallLogo.png | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Sigma\Social | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\VisualElements\SmallLogoCanary.png | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\bs.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\identity_proxy\win11\identity_helper.Sparse.Dev.msix | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files\MsEdgeCrashpad\throttle_store.dat | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\eventlog_provider.dll | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ca.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ne.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\EBWebView\x64\EmbeddedBrowserWebView.dll | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\vi.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\oneds.dll | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\el.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ta.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Trust Protection Lists\Mu\Advertising | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\ca.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\identity_proxy\win10\identity_helper.Sparse.Dev.msix | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\MEIPreload\preloaded_data.pb | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\stable.identity_helper.exe.manifest | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\EBWebView\x86\EmbeddedBrowserWebView.dll | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\mspdf.dll | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Sigma\Other | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Mu\Fingerprinting | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\is.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\BHO\ie_to_edge_stub.exe | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\8fc58ff7-913d-4959-a824-aa3e1c9f15ac.tmp | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedge.dll.sig | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\PdfPreview\PdfPreviewHandler.dll | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\lv.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\mt.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\icudtl.dat | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\notification_helper.exe | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Mu\TransparentAdvertisers | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\km.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Trust Protection Lists\Mu\Fingerprinting | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\it.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\sr-Latn-RS.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\identity_proxy\win10\identity_helper.Sparse.Canary.msix | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8338610a7c11e612b6c87a6f6f6e7e3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\system32\wwahost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\system32\wwahost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\AppUserModelId = "MSEdge" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.html | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.xml\OpenWithProgids | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ = "{2397ECFE-3237-400F-AE51-62B25B3F15B5}" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\msedge.exe,0" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\EnablePreviewHandler = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1FCBE96C-1697-43AF-9140-2897C7C69767}\LocalService = "MicrosoftEdgeElevationService" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ = "Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.xht | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheVersion = "1" | C:\Windows\system32\wwahost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\AppID = "{6d2b5079-2f0b-48dd-ab7f-97cec514d30b}" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationDescription = "Browse the web" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.htm | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationName = "Microsoft Edge" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\EdpDomStorage\office.com | C:\Windows\system32\wwahost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FCBE96C-1697-43AF-9140-2897C7C69767}\AppID = "{1FCBE96C-1697-43AF-9140-2897C7C69767}" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\AppUserModelId = "MSEdge" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\DefaultIcon | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.svg | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\DisplayName = "PDF Preview Handler" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas\ProgrammaticAccessOnly | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\open\command | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.html\OpenWithProgids | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DOMStorage\office.com | C:\Windows\system32\wwahost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\Application | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSEdgePDF | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.svg\OpenWithProgIds\MSEdgeHTM | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\notification_helper.exe\"" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open\command | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --single-argument %1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\Version = "1.0" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\notification_click_helper.exe\"" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.mht\OpenWithProgids | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\ = "PDF Preview Handler" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\runas | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\notification_helper.exe" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\ = "IEToEdgeBHO Class" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\ = "PDF Preview Handler" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\shell\runas\ProgrammaticAccessOnly | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationDescription = "Browse the web" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.pdf | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\OpenWithProgIds\MSEdgeMHT | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheVersion = "1" | C:\Windows\system32\wwahost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Content | C:\Windows\system32\wwahost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\Version = "1.0" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --single-argument %1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\open\command | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\system32\wwahost.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32 | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\csrss.exe | N/A |
| N/A | N/A | C:\Windows\system32\wwahost.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8338610a7c11e612b6c87a6f6f6e7e3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8338610a7c11e612b6c87a6f6f6e7e3.exe"
C:\Program Files (x86)\csrss.exe
"C:\Program Files (x86)\csrss.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Program Files (x86)\csrss.exe" /t REG_SZ /d "C:\Program Files (x86)\csrss.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\JService.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JService.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Program Files (x86)\csrss.exe" /t REG_SZ /d "C:\Program Files (x86)\csrss.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\JService.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\JService.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1824
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7N0I2RDJDRDMtOTY3Mi00Q0MzLUFEODQtRkEyNDI2MEYzREJEfSIgdXNlcmlkPSJ7MEUzREY0NjMtNkQ0My00MzI4LTg4MDYtRDNFOUQxRjM3NERCfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NjE4N0E4Q0MtOUE2Qy00M0NCLTkyQzYtM0Q1NURDNDQ1QzhBfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDcxNzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTY4MDM3MTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjQ1NzMzOTMwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\MicrosoftEdge_X64_132.0.2957.140.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff61edda818,0x7ff61edda824,0x7ff61edda830
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff61edda818,0x7ff61edda824,0x7ff61edda830
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff75a6fa818,0x7ff75a6fa824,0x7ff75a6fa830
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff75a6fa818,0x7ff75a6fa824,0x7ff75a6fa830
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff75a6fa818,0x7ff75a6fa824,0x7ff75a6fa830
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
"C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | vulnerable.no-ip.org | udp |
| US | 8.8.8.8:53 | spark.ws | udp |
| DE | 91.195.240.12:80 | spark.ws | tcp |
| US | 8.8.8.8:53 | croxxy.no-ip.biz | udp |
| US | 8.8.8.8:53 | rat.spark.ws | udp |
| DE | 91.195.240.12:1027 | rat.spark.ws | tcp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 172.169.87.222:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | vulnerable.no-ip.org | udp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| GB | 2.20.12.74:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | croxxy.no-ip.biz | udp |
| DE | 91.195.240.12:1027 | rat.spark.ws | tcp |
| US | 8.8.8.8:53 | vulnerable.no-ip.org | udp |
| US | 8.8.8.8:53 | croxxy.no-ip.biz | udp |
| DE | 91.195.240.12:1027 | rat.spark.ws | tcp |
| US | 8.8.8.8:53 | www.office.com | udp |
| US | 8.8.8.8:53 | nav.smartscreen.microsoft.com | udp |
| US | 13.107.6.156:443 | www.office.com | tcp |
| US | 8.8.8.8:53 | res.cdn.office.net | udp |
| GB | 2.20.12.91:443 | res.cdn.office.net | tcp |
| GB | 2.20.12.91:443 | res.cdn.office.net | tcp |
| GB | 2.20.12.91:443 | res.cdn.office.net | tcp |
| GB | 2.20.12.91:443 | res.cdn.office.net | tcp |
| GB | 2.20.12.91:443 | res.cdn.office.net | tcp |
| GB | 2.20.12.91:443 | res.cdn.office.net | tcp |
| GB | 51.11.108.188:443 | nav.smartscreen.microsoft.com | tcp |
| GB | 51.11.108.188:443 | nav.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | data-edge.smartscreen.microsoft.com | udp |
| GB | 172.165.61.93:443 | data-edge.smartscreen.microsoft.com | tcp |
| GB | 172.165.61.93:443 | data-edge.smartscreen.microsoft.com | tcp |
| GB | 172.165.61.93:443 | data-edge.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | vulnerable.no-ip.org | udp |
Files
memory/4384-0-0x0000000074262000-0x0000000074263000-memory.dmp
memory/4384-1-0x0000000074260000-0x0000000074811000-memory.dmp
memory/4384-2-0x0000000074260000-0x0000000074811000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Driver.dll
| MD5 | fe88dec034be793a63e4ea33897b04b0 |
| SHA1 | becda875d9176eff61d944afe54419ce7fd44b12 |
| SHA256 | 1ae5160ee114ca02b663cede327d53198ff569ebb39e98a7bec4f82018b5596c |
| SHA512 | f8b2becf48f9de83a98ca2dbba7c19a09235930e7108b96d9a1d2c144301fafec130473f30b9d88bc594f3103537d4c473c6d4ca3e12b5bb09f24dd59a99bd77 |
C:\Program Files (x86)\csrss.exe
| MD5 | 3fe1b20df8c327735516389105e75d78 |
| SHA1 | 66c5cb0dad53cc0adf1ecd102af79436e5a0d498 |
| SHA256 | 380f52de0a79fc5dc88cdf4c5de3aee2ecd340d20e8a58971661753b52544923 |
| SHA512 | 18eb8bf53acbe8b44ca50819ec5fa13368f8a7f44e57329e5e8569949df575db22c13dfcae4c2c84173af1ceba1eab9c11a25e26f37d1d2e0b55ad756c01c32c |
memory/2396-16-0x0000000000400000-0x0000000000470000-memory.dmp
memory/2396-20-0x0000000000400000-0x0000000000470000-memory.dmp
memory/2396-27-0x0000000000400000-0x0000000000470000-memory.dmp
memory/4384-32-0x0000000074262000-0x0000000074263000-memory.dmp
memory/4384-33-0x0000000074260000-0x0000000074811000-memory.dmp
memory/4384-40-0x0000000074260000-0x0000000074811000-memory.dmp
memory/2396-41-0x0000000000400000-0x0000000000470000-memory.dmp
memory/2396-45-0x0000000000400000-0x0000000000470000-memory.dmp
memory/2396-49-0x0000000000400000-0x0000000000470000-memory.dmp
memory/2396-52-0x0000000000400000-0x0000000000470000-memory.dmp
memory/2396-56-0x0000000000400000-0x0000000000470000-memory.dmp
memory/2396-60-0x0000000000400000-0x0000000000470000-memory.dmp
memory/2396-63-0x0000000000400000-0x0000000000470000-memory.dmp
memory/2396-66-0x0000000000400000-0x0000000000470000-memory.dmp
memory/2396-70-0x0000000000400000-0x0000000000470000-memory.dmp
memory/2396-73-0x0000000000400000-0x0000000000470000-memory.dmp
memory/2396-76-0x0000000000400000-0x0000000000470000-memory.dmp
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7EFBB83C-455C-4A52-8289-8B7C0E626843}\EDGEMITMP_61270.tmp\setup.exe
| MD5 | b4c8ad75087b8634d4f04dc6f92da9aa |
| SHA1 | 7efaa2472521c79d58c4ef18a258cc573704fb5d |
| SHA256 | 522a25568bb503cf8b44807661f31f0921dee91d37691bf399868733205690bf |
| SHA512 | 5094505b33a848badcffd6b3b93aad9ad73f391e201dee052376c4f8573ba351f0b8c102131216088ffb38d0ed7b5fe70ba95c3ac2c33a50c993584fe7c435e3 |
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
| MD5 | 3646786aea064c0845f5bb1b8e976985 |
| SHA1 | a31ba2d2192898d4c0a01511395bdf87b0e53873 |
| SHA256 | a129a6de7b90500483226192b260eaca1ee116a007771d421aa3eee38af48d6f |
| SHA512 | 145f8abf2ecffd8ecc3745dbd9ab2e360826fa46d6f21dbebece7802b9b5980f4ab19e2dfd180ce0cfb84366f3ac5c87cd1b74a085e1a0dd620b6c097900e0f4 |
\??\PIPE\wkssvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Program Files\msedge_installer.log
| MD5 | 227edfc7dbbcc0757ca51072bd4976e4 |
| SHA1 | cbef8144fd19f74b5d2e22cfe32852adbfcb657a |
| SHA256 | 1e005e8e643d8f08ae6521881f3dbbf29f5ac96ca414ce06dde8e509ddceb11e |
| SHA512 | 4e034dda752e49f4818e9719d3e0460a89a1cbb3959adca25bf6502ea4680dbaacea66af013ce170131927312582bdb89c1d15fb733fc3c9bd36322ae59efe61 |
C:\Program Files\msedge_installer.log
| MD5 | c907133ede56a587837b5396fd0dafdd |
| SHA1 | ea33e46b2ea4c8808c19303f3c1d78b4d52bc8c8 |
| SHA256 | 6856bf14c696e450a701b3ec9ed34efe7d2b82c90a1d0c1ffbd9cdc37862ad0b |
| SHA512 | 3241816460e7836157f51c652a6253f572bcab8a444eb01a779360ae7daab631836b1971bd53e71b4ef75c7645d270a250eda6bec8f5c1a305914d2e62246188 |
C:\Program Files\msedge_installer.log
| MD5 | 1f4c8aca447dc608e80f936c6b4f7058 |
| SHA1 | 9b4c72b5bd5dc2bbc219326072526ce257342f94 |
| SHA256 | acce90ed5691638d631c9072aab1b85cd9c13a06c501db90ebb112e57ccb088c |
| SHA512 | 6d9487ad28bf50124cb7101e0275a8f4a13a83fd173666fcfae45bd3a02f9420e6152ed44f9d7cbc998ade763931d8c440371ee654c105a43f70b9d712d35600 |
memory/2396-138-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1312-141-0x0000021552350000-0x000002155235E000-memory.dmp
memory/1312-142-0x000002156C860000-0x000002156C86A000-memory.dmp
memory/1312-143-0x000002156C870000-0x000002156C878000-memory.dmp
memory/1312-144-0x000002156CC00000-0x000002156CE49000-memory.dmp
memory/2396-177-0x0000000000400000-0x0000000000470000-memory.dmp
memory/2396-316-0x0000000000400000-0x0000000000470000-memory.dmp