Malware Analysis Report

2025-08-05 14:55

Sample ID 250704-v5j37awyfw
Target JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052
SHA256 4dae9f99e0707d4e175ea846b23f32ef5cb63d055fc8ee30b35099783f0cc869
Tags
discovery upx spyware stealer
Score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V16)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral7, behavioral8, behavioral15, behavioral16, behavioral25, behavioral27, behavioral9, behavioral13, behavioral22, behavioral23, behavioral1, behavioral3, behavioral11, behavioral18, behavioral20, behavioral30, behavioral17, behavioral28, behavioral24, behavioral26, behavioral4, behavioral5, behavioral12, behavioral14, behavioral31, behavioral2, behavioral6, behavioral10, behavioral19, behavioral21, behavioral29, behavioral32 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score
7/10

SHA256

4dae9f99e0707d4e175ea846b23f32ef5cb63d055fc8ee30b35099783f0cc869

Threat Level: Shows suspicious behavior

The file JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052 was found to show suspicious behavior.

Malicious Activity Summary

discovery upx spyware stealer

Reads user/profile data of web browsers

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Checks installed software on the system

UPX packed file

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Browser Information Discovery

Suspicious use of WriteProcessMemory

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-04 17:34

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral7

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win10v2004-20250502-en

Max time kernel

100s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3292 wrote to memory of 5988 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5988 -ip 5988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5988 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win11-20250619-en

Max time kernel

101s

Max time network

102s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3936 wrote to memory of 4432 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4432 -ip 4432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 468

Network

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win10v2004-20250502-en

Max time kernel

103s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsArray.dll,#1

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1996 wrote to memory of 780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsArray.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsArray.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 780 -ip 780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

memory/780-0-0x0000000074DC0000-0x0000000074DCA000-memory.dmp

memory/780-1-0x0000000074DC0000-0x0000000074DCA000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win11-20250610-en

Max time kernel

40s

Max time network

42s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsArray.dll,#1

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3540 wrote to memory of 5148 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsArray.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsArray.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5148 -ip 5148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5148 -s 448

Network

Files

memory/5148-0-0x0000000074B10000-0x0000000074B1A000-memory.dmp

memory/5148-1-0x0000000074B10000-0x0000000074B1A000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win10v2004-20250502-en

Max time kernel

106s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$R1\$_1_\Uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$R1\$_1_\Uninstall.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$R1\$_1_\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\$R1\$_1_\Uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$R1\$_1_\

Network

Country Destination Domain Proto
US 8.8.8.8:53 service.jzip.com udp
US 13.248.169.48:80 service.jzip.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

C:\Users\Admin\AppData\Local\Temp\nsa8677.tmp\UAC.dll

C:\Users\Admin\AppData\Local\Temp\nsa8677.tmp\registry.dll

memory/5252-15-0x0000000002F90000-0x0000000002FE9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsa8677.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nsa8677.tmp\apphelp.dll

C:\Users\Admin\AppData\Local\Temp\nsa8677.tmp\nsDialogs.dll

C:\Users\Admin\AppData\Local\Temp\nsa8677.tmp\nsExec.dll

Analysis: behavioral27

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win10v2004-20250610-en

Max time kernel

104s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5512 wrote to memory of 2992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2992 -ip 2992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 612

Network

Country Destination Domain Proto
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win10v2004-20250610-en

Max time kernel

102s

Max time network

141s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 6040 wrote to memory of 5244 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5244 -ip 5244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5244 -s 624

Network

Country Destination Domain Proto
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win10v2004-20250619-en

Max time kernel

101s

Max time network

129s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ask_eula.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ask_eula.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.19.248.219:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

C:\Users\Admin\AppData\Local\Temp\TCDB2D4.tmp\iso690.xsl

Analysis: behavioral22

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win11-20250619-en

Max time kernel

100s

Max time network

104s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisXML.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1784 wrote to memory of 3112 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisXML.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisXML.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3112 -ip 3112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 484

Network

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win10v2004-20250619-en

Max time kernel

103s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4232 wrote to memory of 4292 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4292 -ip 4292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 612

Network

Country Destination Domain Proto
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win10v2004-20250619-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\jZip\log.log C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping4372_1545489470\manifest.fingerprint C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping4372_1899285486\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping4372_1899285486\protocols.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping4372_1899285486\manifest.fingerprint C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping4372_714680192\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping4372_714680192\nav_config.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping4372_1939796052\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping4372_1545489470\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping4372_714680192\manifest.fingerprint C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping4372_1939796052\office_endpoints_list.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping4372_1939796052\smart_switch_list.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping4372_1939796052\manifest.fingerprint C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133961240759783336" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3008489981-1977616533-741913813-1000\{4BE35DB8-7136-4B75-9055-2D27D42E35F1} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3008489981-1977616533-741913813-1000\{A4090A59-FFFB-4D99-8BCB-FBEE3FBEDDC4} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe\IsHostApp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1560 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1560 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1560 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1560 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 4232 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 4232 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 4664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 4664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 2520 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 1768 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 1768 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 1768 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 1768 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4372 wrote to memory of 1768 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.jzip.com/terms_of_use.php

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.jzip.com/terms_of_use.php

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2ec,0x7ffb5704f208,0x7ffb5704f214,0x7ffb5704f220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2220,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=2216 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1856,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=2328 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2592,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=2744 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3472,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3492,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=3596 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4136,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=4260 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4296,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=4312 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4576,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=4652 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5348,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=3556 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5496,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=5220 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=5652,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=5668 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=5672,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=5840 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4268,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=5684 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3568,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=3632 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5512,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=5472 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5512,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=5472 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6264,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=6260 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6408,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=6420 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=6440,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=6372 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6436,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=6388 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --always-read-main-dll --field-trial-handle=6788,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=6816 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6708,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=6596 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7156,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=7296 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7464,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=7452 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7556,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=7544 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7700,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=7716 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=5488,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=5304 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8048,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=8072 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8040,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=8036 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4556,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=4508 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4532,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=4512 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4520,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=5648 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5320,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=5444 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5576,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=6184 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7652,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=4508 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6732,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=6120 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6184,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=4376 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2912,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=6004 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.secondofferdelivery.com udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 www.jzip.com udp
US 8.8.8.8:53 www.jzip.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.178.14:443 clients2.google.com tcp
US 76.223.54.146:80 www.jzip.com tcp
US 76.223.54.146:80 www.jzip.com tcp
US 150.171.28.11:80 edge.microsoft.com tcp
US 150.171.27.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 www.jzip.com udp
US 8.8.8.8:53 www.jzip.com udp
US 8.8.8.8:53 copilot.microsoft.com udp
US 8.8.8.8:53 copilot.microsoft.com udp
GB 2.18.27.92:443 copilot.microsoft.com tcp
US 13.248.169.48:443 www.jzip.com tcp
US 13.248.169.48:443 www.jzip.com tcp
GB 2.18.27.92:443 copilot.microsoft.com tcp
US 150.171.27.11:443 edge.microsoft.com tcp
US 13.248.169.48:443 www.jzip.com tcp
US 150.171.27.11:443 edge.microsoft.com tcp
GB 2.18.27.92:443 copilot.microsoft.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 216.58.201.97:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com udp
US 8.8.8.8:53 msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com udp
GB 2.20.12.82:443 msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com tcp
US 13.248.169.48:443 www.jzip.com tcp
GB 2.18.27.82:443 www.bing.com tcp
US 13.248.169.48:443 www.jzip.com tcp
US 8.8.8.8:53 www.godaddy.com udp
US 8.8.8.8:53 www.godaddy.com udp
GB 184.26.44.14:443 www.godaddy.com tcp
US 150.171.27.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 150.171.27.11:443 edge.microsoft.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 edgeassetservice.azureedge.net udp
US 8.8.8.8:53 edgeassetservice.azureedge.net udp
US 13.107.246.64:443 edgeassetservice.azureedge.net tcp
US 8.8.8.8:53 img6.wsimg.com udp
US 8.8.8.8:53 img6.wsimg.com udp
GB 2.18.27.70:443 img6.wsimg.com tcp
GB 2.18.27.70:443 img6.wsimg.com tcp
GB 2.18.27.70:443 img6.wsimg.com tcp
GB 2.18.27.70:443 img6.wsimg.com tcp
GB 2.18.27.70:443 img6.wsimg.com tcp
GB 2.18.27.70:443 img6.wsimg.com tcp
GB 2.18.27.70:443 img6.wsimg.com tcp
GB 184.26.44.14:443 www.godaddy.com tcp
US 8.8.8.8:53 img1.wsimg.com udp
US 8.8.8.8:53 img1.wsimg.com udp
US 8.8.8.8:53 gui.godaddy.com udp
US 8.8.8.8:53 gui.godaddy.com udp
US 150.171.27.11:443 edge.microsoft.com tcp
US 150.171.27.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 csp.godaddy.com udp
US 8.8.8.8:53 csp.godaddy.com udp
GB 23.200.208.14:443 csp.godaddy.com tcp
GB 23.200.208.14:443 csp.godaddy.com tcp
GB 2.18.27.82:443 img1.wsimg.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 edge-consumer-static.azureedge.net udp
US 8.8.8.8:53 edge-consumer-static.azureedge.net udp
US 13.107.246.64:443 edge-consumer-static.azureedge.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
US 8.8.8.8:53 static.edge.microsoftapp.net udp
US 8.8.8.8:53 static.edge.microsoftapp.net udp
US 13.107.246.64:443 static.edge.microsoftapp.net tcp
US 8.8.8.8:53 edge-mobile-static.azureedge.net udp
US 8.8.8.8:53 edge-mobile-static.azureedge.net udp
US 8.8.8.8:53 edge-cloud-resource-static.azureedge.net udp
US 8.8.8.8:53 edge-cloud-resource-static.azureedge.net udp
US 13.107.246.64:443 edge-cloud-resource-static.azureedge.net tcp
US 13.107.246.64:443 edge-cloud-resource-static.azureedge.net tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
GB 2.20.12.74:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
GB 2.18.27.76:443 www.bing.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
GB 2.18.27.82:443 www.bing.com udp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
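Most of the rows in the table above are the Edge instance the installer launched talking to its own back ends (bing, edge.microsoft.com, azureedge, clients2.google.com, c.pki.goog). The rows worth a second look are the ones that do not fit that pattern, and one detail is easy to miss when reading by hand: www.secondofferdelivery.com is resolved over DNS but no TCP or QUIC flow to it appears anywhere in the table. The following script is an added example, not part of the report or of the sandbox's tooling; it parses a constructed subset of the rows above in the table's own "Country Destination Domain Proto" layout, separates DNS lookups (udp/53) from actual flows, drops domains under an assumed browser-noise suffix list, and reports which remaining domains were resolved but never contacted. The suffix list is the author's assumption, not something the report states.

```python
"""Triage the Network table of a sandbox report: split DNS lookups from
flows, drop browser background traffic, list the rest.

Added example. The rows are a constructed subset of the report's table;
the browser-noise suffix list is an assumption of this example."""
from collections import defaultdict

# Constructed subset of the report's rows, header included, in the
# table's own "Country Destination Domain Proto" layout.  The mDNS row
# has no domain column, exactly as in the report.
NETWORK_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 www.secondofferdelivery.com udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 www.jzip.com udp
US 76.223.54.146:80 www.jzip.com tcp
US 13.248.169.48:443 www.jzip.com tcp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.178.14:443 clients2.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 www.godaddy.com udp
GB 184.26.44.14:443 www.godaddy.com tcp
US 8.8.8.8:53 img6.wsimg.com udp
GB 2.18.27.70:443 img6.wsimg.com tcp
GB 2.18.27.82:443 img1.wsimg.com udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
"""

# Assumption of this example: suffixes the launched Edge instance talks
# to on its own.  Tune per environment; it is not from the report.
BROWSER_NOISE_SUFFIXES = (
    ".bing.com", ".bing.net", ".microsoft.com", ".azureedge.net",
    ".microsoftapp.net", ".google.com", ".googleusercontent.com",
    ".pki.goog",
)


def parse_rows(text):
    """Yield (dst_ip, dst_port, domain, proto); domain is None when the
    row has no domain column (multicast, unresolved)."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Country":      # header row
            continue
        if len(parts) == 4:
            _, dst, domain, proto = parts
        elif len(parts) == 3:
            _, dst, proto = parts
            domain = None
        else:
            continue
        if ":" not in dst:
            continue
        ip, _, port = dst.rpartition(":")
        yield ip, int(port), domain, proto


def is_dns_lookup(port, proto):
    return port == 53 and proto == "udp"


def summarize(text):
    """Domains seen in DNS lookups, and the set of real flows
    (ip, port, proto) made to each domain.  udp/443 is QUIC, kept as a
    flow, not a lookup."""
    resolved = set()
    flows = defaultdict(set)
    for ip, port, domain, proto in parse_rows(text):
        if domain is None:
            continue
        if is_dns_lookup(port, proto):
            resolved.add(domain)
        else:
            flows[domain].add((ip, port, proto))
    return resolved, flows


def is_browser_noise(domain):
    return domain.endswith(BROWSER_NOISE_SUFFIXES)


def triage(text):
    """Return (domains outside the noise list, domains resolved but
    never contacted), both sorted."""
    resolved, flows = summarize(text)
    seen = resolved | set(flows)
    interesting = sorted(d for d in seen if not is_browser_noise(d))
    resolved_only = sorted(d for d in resolved if d not in flows)
    return interesting, resolved_only


if __name__ == "__main__":
    interesting, resolved_only = triage(NETWORK_ROWS)
    print("outside browser noise:", ", ".join(interesting))
    print("resolved, never contacted:", ", ".join(resolved_only))
```

On the subset above this leaves www.jzip.com, www.godaddy.com and the two wsimg.com hosts as the only domains outside the noise list that actually carried traffic, and www.secondofferdelivery.com as resolved with no flow. A resolved-but-uncontacted name is still worth recording as an indicator: the lookup happened, whatever the reason the connection did not follow.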

Files

C:\Users\Admin\AppData\Local\Temp\nsi5AD3.tmp\registry.dll

MD5 2b7007ed0262ca02ef69d8990815cbeb
SHA1 2eabe4f755213666dbbbde024a5235ddde02b47f
SHA256 0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d
SHA512 aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

C:\Users\Admin\AppData\Local\Temp\nsi5AD3.tmp\System.dll

MD5 bf712f32249029466fa86756f5546950
SHA1 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA256 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
SHA512 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

C:\Users\Admin\AppData\Local\Temp\nsi5AD3.tmp\UserInfo.dll

MD5 c7ce0e47c83525983fd2c4c9566b4aad
SHA1 38b7ad7bb32ffae35540fce373b8a671878dc54e
SHA256 6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae
SHA512 ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

C:\Users\Admin\AppData\Local\Temp\nsi5AD3.tmp\UAC.dll

MD5 a88baad3461d2e9928a15753b1d93fd7
SHA1 bb826e35264968bbc3b981d8430ac55df1e6d4a6
SHA256 c5ab2926c268257122d0342739e73573d7eeda34c861bc7a68a02cbc69bd41af
SHA512 5edcf46680716930da7fd1a41b8b0426f057cf4becefb3ee84798ec8b449726afb822fb626c4942036a1ae3bb937184d1f71d0e45075abb5bf167f5d833df43a

C:\Users\Admin\AppData\Local\Temp\nsi5AD3.tmp\apphelp.dll

MD5 fe83bf8c380b208bd7738ac0d5645962
SHA1 fd83745c0f286d9b2b43316ac9ee1d14459b47f9
SHA256 3f6b1e16842b9ac03cf2aa285ce812d1c526f610854b7e110ac1b4625d55ecf6
SHA512 217df4fdf9e9e3c4b525d00c7c680fc77c63a52817c53b59e5f786eda68b766a8068e44c04c74dc8e695711051d59097c4c2b35e9f1eace38a5cec4e7530b2d3

C:\Users\Admin\AppData\Local\Temp\nsi5AD3.tmp\soffer.dll

MD5 0d1d780cd2d8445c4718d23e8f2551cd
SHA1 348618b28381aa43b1696ae26325a02e27c51c60
SHA256 3c4307e83e3264571a5e5e80e01da4d7bce98f0c9e36564b10ff21edbc613330
SHA512 02776fbbd10556d4152660440059eb29358103e1ae71df289ef0ef11f66d9bef4053813553a4fea71af427ae866e5c6222693b3e5295be9592827b073f592e34

memory/1560-43-0x0000000003AA0000-0x0000000003AA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsi5AD3.tmp\nsDialogs.dll

MD5 4ccc4a742d4423f2f0ed744fd9c81f63
SHA1 704f00a1acc327fd879cf75fc90d0b8f927c36bc
SHA256 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6
SHA512 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

memory/1560-57-0x0000000070710000-0x000000007071A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsi5AD3.tmp\nsArray.dll

MD5 7fc4723bb0a4118e5f91047021d1aacd
SHA1 092a321a21d802045105ecc8cd3c9d7d2c6da923
SHA256 8f9bfeebfa3b070b116de61a63271b6c25af0dbb4bbfb4ae73e334d1f8517efd
SHA512 1fe86533987ff1c4d446b231dc1ff2c3bbce224ae91b73ffead539f08740bfb06d2f40f1aedf0571106dc4e12eec27aa32018c2bf5361b7488c07b4d90800f02

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 2c331f389c779c8c38854c792db3bdaf
SHA1 9dbc270547d3316ff08f06d22b30251faf040341
SHA256 521142680d67ffc710d6dc921740415e840768dc0fcdb1a72b80e6d55b6355db
SHA512 8a590ee501dc40bfb757de9c314be7d65d3117c8245094bf7d92bd469b11f9fb34261d5f9c3a96001fdb79a673467dfd79db3b07b3f52187d58b352dd3a21576

memory/1560-77-0x0000000074B74000-0x0000000074B75000-memory.dmp

memory/1560-76-0x0000000006510000-0x0000000006511000-memory.dmp

memory/1560-75-0x0000000003AA0000-0x0000000003AA1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 62ab7df48d65aac643c8dabc18f8b69f
SHA1 c0ed260877d646f9a64ef26c1122e606166f40f6
SHA256 b87c8c27cd8fbb4e11088eed3d335d3f65282991fdae3c70eb78cd02a0470bf2
SHA512 418a00a918b187c6cf9e2840f3e4460f162342848122d604dbea638d430781e5e675d68cc1b26c66f79cb3cb4f065bddd06ee94ed35eeebc4b0b827678c1c719

\??\pipe\crashpad_4372_ISVAFUFBFXUQIQGW

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5fb054048f628a551c1adcaef6ec5d93
SHA1 bdf84a4416f46ed81e1a4d31cc9917b4c21af69c
SHA256 5156895eeda79398fe85b04a67fda39f91ce62ca01ba4c19c1ed3a8fabaeff1d
SHA512 b0c330f2901c119355f73d608da14b3f1281204f4c4b34a164e4ec1a3013fe2d019eae87ca01f0a8311b6a95a1b3b12d9371f26bb504b2071235153ff8a2a9fa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d1568f489cbb1428c8aeed605dad7405
SHA1 5d847bbbb87c7569b89673e1c389b512f1e948d1
SHA256 158d2342005ff1f3899cb5b55a034923f148de3a55f2d83170f21d3078ca8f9e
SHA512 4749e72e7c3b6e47191e01985eecd61ba7aad90b4c3be30a4b057707eb58f5401aa53394995b8bd55d01639ef04a7241a4a478a25ab29cbda3dcd750164d4a74

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f65eb9d3800883a184057024da35ce70
SHA1 c8f62f9de9a00c010df72535c0be1ee1cbc963bc
SHA256 eb7f025c3dac330dab8f1723093b26c63a8e700c362583cca75420b3d0f3ca77
SHA512 3b6b77bd5f7b20f076f7450b3bb8a6e523778e079ce791c7106c6a970eeae6c22423dc5f38087dfa992cc054a85087c910c41e0aad0f85a6e48160345b2afe42

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

MD5 164a788f50529fc93a6077e50675c617
SHA1 c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48
SHA256 b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17
SHA512 ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

memory/1560-136-0x0000000070710000-0x000000007071A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

MD5 62f10b05737a20a980bd9be1d6d199b3
SHA1 186d6b4bab65f9a8a9dfecb88a96a26edc6ea80c
SHA256 435682481663e5e2790b1287f3400fd106b3bb26fd9c9aa86ae282bfc53197b6
SHA512 9835a8f8039ff270303166ef56dc718812fdfead8c226239cce7e3e3a2ee739aee65f4c7e7c28a4a2545793beadccfc432b0d95cf1c41b2c88ad2bbb29d63fa9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

MD5 6386f623de3759a5f6073b3dedac4d78
SHA1 a26d4ccc7a32c1c5350abdaaf50f11fb57f74262
SHA256 9a1470e2247d23ed519612cc4d09a7dc46fda8f557a9686eeb62d4892fc52642
SHA512 98ac4eda36e160ab4b13906b62671b5a677136e3be4321e2ad5b04d911a408f2086b62e8742a8fa91eeaf114d715157b9072300a6a84f2605ff2d4928e9a61bc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Temp\scoped_dir4372_506894646\d510010e-43b2-4d30-b1c1-39b5270944b9.tmp

MD5 b384b2c8acf11d0ca778ea05a710bc01
SHA1 4d3e01b65ed401b19e9d05e2218eeb01a0a65972
SHA256 0a6b11a5b642bf6c1938189707e109a1f48eb02018cfb146f09e74a753567d1b
SHA512 272dd92a3efbf6cefe4b13127e09a9bd6455f5fc4913e7477c6712e4c3fd67efe87bd0d5bf1ec6b1e65f8d3aa0ac99d5bcf88d8a44d3f3116527253a01dde3be

C:\Users\Admin\AppData\Local\Temp\63837f6d-c2b0-4841-85bc-01626ed3ab27.tmp

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\Temp\e3707c48-d3cc-47ff-93a5-e21c390cef30.tmp

MD5 78e47dda17341bed7be45dccfd89ac87
SHA1 1afde30e46997452d11e4a2adbbf35cce7a1404f
SHA256 67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550
SHA512 9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

MD5 06d55006c2dec078a94558b85ae01aef
SHA1 6a9b33e794b38153f67d433b30ac2a7cf66761e6
SHA256 088bb586f79dd99c5311d14e1560bbe0bb56225a1b4432727d2183341c762bcd
SHA512 ec190652af9c213ccbb823e69c21d769c64e3b9bae27bea97503c352163bf70f93c67cebbf327bfc73bfd632c9a3ae57283b6e4019af04750fe18a2410a68e60

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Ad Blocking\blocklist

MD5 2ca8d39c3bc99de17bed5a0fe47679b6
SHA1 a9d29377d4d7f316746f898e3cae2c6fd2d1bdc2
SHA256 1553a198ae11d60e77f8fff26d5ea7cdc1c266d81b11186fd06e0ed4e975ec90
SHA512 490d655f3c1f39cc318e83b5a296a043fdbe8718a364b84cb7a8ed9bdccf2f49023e378f1b02ea50f4cd8e5ed7efc50222b5a8393f9842a592ab0de4e69599aa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js

MD5 3d20584f7f6c8eac79e17cca4207fb79
SHA1 3c16dcc27ae52431c8cdd92fbaab0341524d3092
SHA256 0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643
SHA512 315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

C:\Users\Admin\AppData\Local\Temp\nsi5AD3.tmp\banner.bmp

MD5 6b2026ed4da8d06fc782c5df14bcf4b6
SHA1 a9d4cc4b5cd36e756a30f07d61c6674d453c8bdc
SHA256 d25f7dd93e67f584a1757a72c975b19fedf7542035ad9afb8cb3c5b9f72f2284
SHA512 89d13e0bf6dd5a933194e7fa195f79e6e5d1f8256fde88588ca888dfe62371a89bbd06a20a9fd5f1cd5caad5f39c08b1d99642a91134163037972459c24412f3

C:\Users\Admin\AppData\Local\Temp\nsi5AD3.tmp\ask_eula.rtf

MD5 7bd45e3280288dda6fd602031e2066e8
SHA1 db4d49155de06f6a10ae50c01c612e4d998547bf
SHA256 4346de72fee6dbe8b74218d8d9550395bf7f26634eb026ff6359fa0f855e9a4d
SHA512 a3a40b878d46531127a55550c807e6a17374d5d52bd645ba6b61fc0ae551d348247c4d4969c32e60b7bdad7ce1b3167f3d87b4eab2746ae305f182d4084c09d3

memory/1560-776-0x0000000070710000-0x000000007071A000-memory.dmp

memory/1560-777-0x0000000074B74000-0x0000000074B75000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ec1c63da528c9f59034de145861f95ae
SHA1 1c1d8c9892ad306e0abff24cef033d6011d27a49
SHA256 dfd97b111093333bead46689c65bbaeebabf5446e7e656663c3908edc9f2d200
SHA512 57eef5be14f244dd15eb9dc9918eb681260260282a52f072b5d5a6d5d508e077f2769e8385471d7463a67ba8cc01478d6c1c395c13838c3e9c813656557fe33d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 15c2da45b7e98251eda021af2c45299f
SHA1 1cf53a6e7ac8a36676dc7aee5d4b4d67f25ac583
SHA256 17710187f9bc2731909a200e5d858b8cb3ca3e14b8f3b229f6fc6548fa134b45
SHA512 9b66718364ed9ff240a6063adf3f0bff9d057689650244f8fc5a76c5ed5ceaa6b06665c2f820ce958d7b264265fa940c7b771c738a20afbfdd9b2866f40b0009

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5553ff3adde48492e741458f87f97ece
SHA1 e5a7ace7fb3c77b5841aee755eb17d4893de5996
SHA256 0da7041dbf4cab1efcd4c17ce79b225b66662cd9d6a3e082265677e3294a93ce
SHA512 ec160a496cd07beaa3b7a577dd366e34d11d25fe0c143bebf4a0ade099e0aa2c8fd01b0a2a38b6d6ce66a393434e3cd32ed84627446bf123c6ae0462b2e2dd39

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

memory/1560-842-0x0000000070710000-0x000000007071A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57e54f.TMP

MD5 df94a43e0f5302e1dadf63b127ca3d74
SHA1 15bca9ae219cb7e881b19138b37aa5cad8b95443
SHA256 26f4a212ed3aceb886c64b5550410279d9e2207c9da0deae88451e53817f045b
SHA512 35864145dcb88fff051d44cf5bd27cbf5d4c4846b086f8e7159023e0ad1bf09dc2aebe53abe6706647db4ecb9287937761cdea194a126f1a2a1826a38107f720

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 8c966d91e1e9ad7c5fde3720ce079e10
SHA1 95adc2f1842a414087fa945fab264546e17452ff
SHA256 04f79dbd15a6583cf6855630c73de81c604c520be5d8e720e7b80c5d56901336
SHA512 2e9f8a9948bcf1483445df87ad4ccb92afd105f867affa043e41dfaaf1e70b94570f7eca9f8ec3b21fcbe0c60aad52a0961f836cb3c668eb9b84f09d487166ea

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5806f0.TMP

MD5 41ca082fe76118f58ea34ad24925dd13
SHA1 36c35405fcbb4899c902d63cbc4cac04f64e0115
SHA256 d3ea29756c5fdfe08ac3a00be1c31217a8cdb7357fe3125eef6e4942519b0a4e
SHA512 a7dc8abedfa215669ecb89466f934beacdfb057e4bcbcbddc3ee46e55baf8f04249690a4f107d5d373e01a0b39549da5eec1c25aaf332820611deaec78e8f053

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 2f994c8b37742ed978221eb33d201ec0
SHA1 bd87bae0e56912b07e1cb23f4307fe88d75b1bef
SHA256 4422a1c0df10f515a4929f336cb1998ec4e0dfa87b75a0cac2d9fdf6286b8ff0
SHA512 d842d64566cd38aa92602b379c356477781062344107db14d75ebc49c30b046044dab32e870e74f0d619ef93a22e27da3c2444dfccfdbdb858b64e0de7fabba4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog~RFe586a7d.TMP

MD5 4bc775ac9a0ed46fddcf4b00ccc58114
SHA1 1b5dd1a28f9e5f2565f8ba4343f956234053cc7a
SHA256 101459744c9eb3e5319b983223be34286560fa2c453313b7ab3b69405ae2b2bf
SHA512 57eb4d081cdaa624de938aaba0c6e3b3b9e961d4e2bc9bd5a0c7fc05ed7ea5d2f5e6a48a79fb60b38a64ac93cda8b0307bdfbc839824a99776ad032e273f83db

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

MD5 b81d1f4353d08f9d315e315b673d3afd
SHA1 df87e28821cb0d88325e33e37628c64a22eecfbd
SHA256 b39d6d052c607feef5e95518460837c326391175d72dd0cd6ca28b786a9f8280
SHA512 20ab3a05530a5b6739dc900b8326570866a2caa64feb540bf346c4fe4af1fbadfede58ef690f2206b8e2d39f516ae18b2991eb7a1bb47825bc70c86a1faeeca9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

MD5 f768bcb451a187c18099961c484eef8b
SHA1 99472c2d1918ea56c632734bc5c8a89ae6d2551c
SHA256 d988156066b7fd22de278fbc96759d2caea6552094ffeb2ddd9307806059c5e4
SHA512 a4d78de6bcc1e940c466c41c31ee100235b32fef4cb3e7815a9c62dfae1eb3e4588d2c9e8597152ad7754527643c59ea8b811277ac58e4134a3dbf1507fe97bf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig~RFe586b77.TMP

MD5 904e6e94a1d46374c8630cfd86cc729f
SHA1 e1d9c3f7813878acc6510d48d95b2bf48b2e1a0d
SHA256 8b2e057387e9714efef3580a36459acf56aab53c806cd7d7dbb6e17cef977ef9
SHA512 081e2a26252860ff8d8f7a9d0378ae56f0cc50574d13d2a121afdf74284963747ef874a4d73b1df7774cd8570972f4f513eefe0a0325fd088556d5b1ba946712

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

MD5 209129472dfdd1172a7418b94aa09e29
SHA1 29c1eca9dba0fc8d42319e46b0032f4ce5dc4729
SHA256 55e36e1deb2413c5ea96fe9fe650aafc9e92e152cdd8ab80495273c5506d496a
SHA512 e413c20f7ce852db1e457c79c0ac5005ae59c6aad6791d65f85c4bc187371cb1ccf9c5e9319af92730daafc266c293dad5af965bb1d46376533b2cd217cd418b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5c790c5bc4d7f06fd5a2baaf5fcdb7b6
SHA1 252b3bb518803d6a7f0e80e5d6f327b10ad15d92
SHA256 fc6c8f8448dde36b5c9542ad353c894b13448314bd90bc6ce0a51b6d7b8bff59
SHA512 419b35ad7e80c0df6c8a53164b033599b1b22b1094cae52179d271a2a7b3c1e27733189a262489b23200f1a7fe443c0b5d0282d2bf32603f98c3c99d7a99d573

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

MD5 9983aee7e579d5fcabb2c93894c6270d
SHA1 915330c7c14f64bd8e6cb24d3da4749670391c55
SHA256 de3a004d274d535766e78aa7b59306c71321dc4c2546cd23a8edde14cd843a2a
SHA512 81918c6be4cc15bdb57d18a787df74940a7a319366f4b736379959aa9876213d60d17554c03305360ee4d00de660fdb5da10d4410a6d348f0288ab7c73395ac4

C:\Program Files\chrome_Unpacker_BeginUnzipping4372_1545489470\manifest.json

MD5 af3a9104ca46f35bb5f6123d89c25966
SHA1 1ffb1b0aa9f44bdbc57bdf4b98d26d3be0207ee8
SHA256 81bd82ac27612a58be30a72dd8956b13f883e32ffb54a58076bd6a42b8afaeea
SHA512 6a7a543fa2d1ead3574b4897d2fc714bb218c60a04a70a7e92ecfd2ea59d67028f91b6a2094313f606560087336c619093f1d38d66a3c63a1d1d235ca03d36d1

C:\Program Files\chrome_Unpacker_BeginUnzipping4372_1899285486\manifest.json

MD5 049c307f30407da557545d34db8ced16
SHA1 f10b86ebfe8d30d0dc36210939ca7fa7a819d494
SHA256 c36944790c4a1fa2f2acec5f7809a4d6689ecb7fb3b2f19c831c9adb4e17fc54
SHA512 14f04e768956bdd9634f6a172104f2b630e2eeada2f73b9a249be2ec707f4a47ff60f2f700005ca95addd838db9438ad560e5136a10ed32df1d304d65f445780

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.9\protocols.json

MD5 f9fd82b572ef4ce41a3d1075acc52d22
SHA1 fdded5eef95391be440cc15f84ded0480c0141e3
SHA256 5f21978e992a53ebd9c138cb5391c481def7769e3525c586a8a94f276b3cd8d6
SHA512 17084cc74462310a608355fbeafa8b51f295fb5fd067dfc641e752e69b1ee4ffba0e9eafa263aab67daab780b9b6be370dd3b54dd4ba8426ab499e50ff5c7339

C:\Program Files\chrome_Unpacker_BeginUnzipping4372_714680192\manifest.json

MD5 c3911ceb35539db42e5654bdd60ac956
SHA1 71be0751e5fc583b119730dbceb2c723f2389f6c
SHA256 31952875f8bb2e71f49231c95349945ffc0c1dd975f06309a0d138f002cfd23d
SHA512 d8b2c7c5b7105a6f0c4bc9c79c05b1202bc8deb90e60a037fec59429c04fc688a745ee1a0d06a8311466b4d14e2921dfb4476104432178c01df1e99deb48b331

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\WorkspacesNavigationComponent\1.0.0.5\nav_config.json

MD5 499d9e568b96e759959dc69635470211
SHA1 2462a315342e0c09fd6c5fbd7f1e7ff6914c17e6
SHA256 98252dc9f9e81167e893f2c32f08ee60e9a6c43fadb454400ed3bff3a68fbf0d
SHA512 3a5922697b5356fd29ccf8dcc2e5e0e8c1fd955046a5bacf11b8ac5b7c147625d31ade6ff17be86e79c2c613104b2d2aebb11557399084d422e304f287d8b905

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3adfe78d0da050474d1f0000481220a3
SHA1 3d5111ce22446c4fe96e99f8b1cd8a82845cf299
SHA256 d186ed1cf6e5f8d05c36c46808e4581c48182b5b7734ab9e761631edbd227185
SHA512 70eee6d0f39bda1521842d60f38ecbb1490d9605d4a35dd12a02e480b5c73606c5b904dcbc5ca29715580b6b33b1d44717ddc7f3c852cb66600f6d6894f97ad0

C:\Program Files\chrome_Unpacker_BeginUnzipping4372_1939796052\manifest.json

MD5 a24a1941bbb8d90784f5ef76712002f5
SHA1 5c2b6323c7ed8913b5d0d65a4d21062c96df24eb
SHA256 2a7fe18a087d8e8be847d9569420b6e8907917ff6ca0fa42be15d4e3653c8747
SHA512 fd7dfec3d46b2af0bddb5aaeae79467507e0c29bab814007a39ea61231e76123659f18a453ed3feb25f16652a0c63c33545e2a0d419fafea89f563fca6a07ce2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Data Protection Lists\2.0.0.0\office_endpoints_list.json

MD5 94406cdd51b55c0f006cfea05745effb
SHA1 a15dc50ca0fd54d6f54fbc6e0788f6dcfc876cc9
SHA256 8480f3d58faa017896ba8239f3395e3551325d7a6466497a9a69bf182647b25e
SHA512 d4e621f57454fea7049cffc9cc3adfb0d8016360912e6a580f6fe16677e7dd7aa2ee0671cb3c5092a9435708a817f497c3b2cc7aba237d32dbdaae82f10591c3

Analysis: behavioral3

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win10v2004-20250610-en

Max time kernel

102s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InvokeShellVerb.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3624 wrote to memory of 5740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3624 wrote to memory of 5740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3624 wrote to memory of 5740 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InvokeShellVerb.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InvokeShellVerb.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5740 -ip 5740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A
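
This run, and the ones that follow it, each invoke one of the dropped NSIS plugin DLLs through rundll32 export #1, and they all end the same way: the 64-bit C:\Windows\system32\rundll32.exe spawns C:\Windows\SysWOW64\rundll32.exe with the identical command line, and that child crashes into WerFault. Both steps have a mundane reading. A 64-bit rundll32 cannot load a 32-bit DLL, so it re-launches the 32-bit copy from SysWOW64; the three "wrote to memory of" entries pair that parent with the child it just created, which is the write CreateProcess performs into a new process, not injection into an unrelated one. NSIS plugin exports also expect the installer's stack and variable pointers as arguments, which rundll32 does not supply, so a crash is the expected outcome of calling them this way and says nothing about what the plugin does inside the installer. What is still worth alerting on is rundll32 loading a DLL from a temp plugin directory at all. The script below is an added example, not part of the report or the sandbox: it runs over process-creation records constructed from the Processes and Signatures tables of this run in a Sysmon-like (pid, ppid, image, command line) shape, with the WerFault PID and the parent of the first rundll32 invented, and it flags temp-directory plugin loads, labels the WOW64 hand-off as such, and ties the WerFault to the crashed host. The field names and the plugin-directory pattern are assumptions of this example.

```python
"""Detection over process-creation events for the rundll32 pattern in
the behavioral runs: rundll32 loading a DLL from an NSIS temp plugin
directory, the 64-bit rundll32 handing the DLL to its SysWOW64 copy,
and that copy crashing into WerFault.

Added example. Events are constructed from the report's tables; the
WerFault PID and the root parent PID are invented."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from behavioral3: 3624 -> 5740 -> WerFault (PID 6100 invented;
# PID 1000 stands in for the unknown parent of the first rundll32).
EVENTS = [
    ProcEvent(3624, 1000, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InvokeShellVerb.dll,#1"),
    ProcEvent(5740, 3624, r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InvokeShellVerb.dll,#1"),
    ProcEvent(6100, 5740, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 612"),
    # Control case: a normal rundll32 invocation that must not fire.
    ProcEvent(7000, 1000, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL"),
]

# rundll32 <dll>,<export>; tolerates an optional .exe and quoted DLL path.
RUNDLL32_ARG = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE)
# Assumption: the NSIS plugin directory shows up either as the $PLUGINSDIR
# variable or as its expanded %TEMP%\ns<letter><4 hex>.tmp form.
TEMP_PLUGIN_DIR = re.compile(
    r"\\Temp\\(?:\$PLUGINSDIR|ns[a-z][0-9a-f]{4}\.tmp)\\", re.IGNORECASE)


def rundll32_target(ev):
    """(dll, export) when the event is rundll32 with a DLL argument, else None."""
    if not ev.image.lower().endswith("\\rundll32.exe"):
        return None
    m = RUNDLL32_ARG.search(ev.cmdline)
    return (m.group("dll"), m.group("export")) if m else None


def is_wow64_handoff(child, by_pid):
    """SysWOW64 rundll32 spawned by system32 rundll32 with the same command
    line: the 64-bit host re-launching the 32-bit copy for a 32-bit DLL."""
    parent = by_pid.get(child.ppid)
    return (parent is not None
            and parent.image.lower().endswith("\\system32\\rundll32.exe")
            and child.image.lower().endswith("\\syswow64\\rundll32.exe")
            and parent.cmdline.strip().lower() == child.cmdline.strip().lower())


def detect(events):
    """Return [(pid, reason)] for temp-dir plugin loads, their WOW64
    hand-offs, and WerFault instances reporting on such a host."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        target = rundll32_target(ev)
        if target:
            dll, export = target
            if TEMP_PLUGIN_DIR.search(dll):
                basename = dll.rsplit("\\", 1)[-1]
                kind = "wow64 hand-off of" if is_wow64_handoff(ev, by_pid) else "rundll32 loading"
                findings.append((ev.pid, f"{kind} temp-dir plugin {basename} export {export}"))
        elif ev.image.lower().endswith("\\werfault.exe"):
            crashed = by_pid.get(ev.ppid)
            crashed_target = rundll32_target(crashed) if crashed else None
            if crashed_target and TEMP_PLUGIN_DIR.search(crashed_target[0]):
                findings.append((ev.pid, f"crash of rundll32 pid {crashed.pid} hosting a temp-dir plugin"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect(EVENTS):
        print(pid, reason)
```

Keying the WerFault finding on the parent rather than on the -p argument keeps the logic correct when WerFault is launched through the -pss intermediate seen in the Processes table, where the reporting process is itself a child of the crashed one.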

Analysis: behavioral11

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win10v2004-20250619-en

Max time kernel

103s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3784 wrote to memory of 1832 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3784 wrote to memory of 1832 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3784 wrote to memory of 1832 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1832 -ip 1832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 612

Network

Country Destination Domain Proto
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win11-20250610-en

Max time kernel

101s

Max time network

103s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3696 wrote to memory of 5488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3696 wrote to memory of 5488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3696 wrote to memory of 5488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5488 -ip 5488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5488 -s 548

Network

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win11-20250619-en

Max time kernel

101s

Max time network

105s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1408 wrote to memory of 2964 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1408 wrote to memory of 2964 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1408 wrote to memory of 2964 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2964 -ip 2964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 468

Network

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win11-20250610-en

Max time kernel

30s

Max time network

141s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1504 wrote to memory of 1588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1504 wrote to memory of 1588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1504 wrote to memory of 1588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1588 -ip 1588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 532

Network

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win10v2004-20250610-en

Max time kernel

101s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4496 wrote to memory of 5424 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4496 wrote to memory of 5424 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4496 wrote to memory of 5424 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5424 -ip 5424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5424 -s 636

Network

Country Destination Domain Proto
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win11-20250610-en

Max time kernel

101s

Max time network

109s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3768 wrote to memory of 5568 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3768 wrote to memory of 5568 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3768 wrote to memory of 5568 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5568 -ip 5568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5568 -s 460

Network

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win11-20250619-en

Max time kernel

107s

Max time network

114s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5500 wrote to memory of 2156 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5500 wrote to memory of 2156 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5500 wrote to memory of 2156 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2156 -ip 2156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 468

Network

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win11-20250619-en

Max time kernel

101s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$R1\$_1_\Uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$R1\$_1_\Uninstall.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$R1\$_1_\Uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\$R1\$_1_\Uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$R1\$_1_\

Network

Country Destination Domain Proto
US 8.8.8.8:53 service.jzip.com udp
US 13.248.169.48:80 service.jzip.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 a7c8756c56e5a841b91da9d02e769f36
SHA1 2ac01ffff9f107f67c701c11a3c89506765689ce
SHA256 63aca71fc4d483663571e7fd733747a9c7afc527aba7cf3b7ccbbe8292aafb69
SHA512 45e224f1c64aa70af39e59f8e2a5ad500d4bf1f9fa9156b0a6626b7737a43237c84562519a5694fe6db3b9696457ab2774fe9bc8bde5fba85fa9612eede969fd

C:\Users\Admin\AppData\Local\Temp\nsn81A4.tmp\UAC.dll

MD5 a88baad3461d2e9928a15753b1d93fd7
SHA1 bb826e35264968bbc3b981d8430ac55df1e6d4a6
SHA256 c5ab2926c268257122d0342739e73573d7eeda34c861bc7a68a02cbc69bd41af
SHA512 5edcf46680716930da7fd1a41b8b0426f057cf4becefb3ee84798ec8b449726afb822fb626c4942036a1ae3bb937184d1f71d0e45075abb5bf167f5d833df43a

C:\Users\Admin\AppData\Local\Temp\nsn81A4.tmp\registry.dll

MD5 2b7007ed0262ca02ef69d8990815cbeb
SHA1 2eabe4f755213666dbbbde024a5235ddde02b47f
SHA256 0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d
SHA512 aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

C:\Users\Admin\AppData\Local\Temp\nsn81A4.tmp\System.dll

MD5 bf712f32249029466fa86756f5546950
SHA1 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA256 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
SHA512 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

memory/236-15-0x0000000003160000-0x00000000031B9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsn81A4.tmp\apphelp.dll

MD5 fe83bf8c380b208bd7738ac0d5645962
SHA1 fd83745c0f286d9b2b43316ac9ee1d14459b47f9
SHA256 3f6b1e16842b9ac03cf2aa285ce812d1c526f610854b7e110ac1b4625d55ecf6
SHA512 217df4fdf9e9e3c4b525d00c7c680fc77c63a52817c53b59e5f786eda68b766a8068e44c04c74dc8e695711051d59097c4c2b35e9f1eace38a5cec4e7530b2d3

C:\Users\Admin\AppData\Local\Temp\nsn81A4.tmp\nsDialogs.dll

MD5 4ccc4a742d4423f2f0ed744fd9c81f63
SHA1 704f00a1acc327fd879cf75fc90d0b8f927c36bc
SHA256 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6
SHA512 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

C:\Users\Admin\AppData\Local\Temp\nsn81A4.tmp\nsExec.dll

MD5 132e6153717a7f9710dcea4536f364cd
SHA1 e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
SHA256 d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
SHA512 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Analysis: behavioral4

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win11-20250619-en

Max time kernel

101s

Max time network

106s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InvokeShellVerb.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3944 wrote to memory of 3268 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3944 wrote to memory of 3268 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3944 wrote to memory of 3268 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InvokeShellVerb.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InvokeShellVerb.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3268 -ip 3268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 460

Network

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win10v2004-20250502-en

Max time kernel

104s

Max time network

141s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MoreInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4120 wrote to memory of 3864 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4120 wrote to memory of 3864 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4120 wrote to memory of 3864 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MoreInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MoreInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3864 -ip 3864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 604

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win11-20250619-en

Max time kernel

101s

Max time network

104s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4792 wrote to memory of 5488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4792 wrote to memory of 5488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4792 wrote to memory of 5488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5488 -ip 5488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5488 -s 480

Network

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win11-20250619-en

Max time kernel

102s

Max time network

129s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ask_eula.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ask_eula.rtf" /o ""

Network

Country Destination Domain Proto
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
GB 2.19.248.199:443 metadata.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 142.250.180.3:80 c.pki.goog tcp

Files

memory/3856-0-0x00007FFE5F950000-0x00007FFE5F960000-memory.dmp

memory/3856-2-0x00007FFE5F950000-0x00007FFE5F960000-memory.dmp

memory/3856-1-0x00007FFE9F964000-0x00007FFE9F965000-memory.dmp

memory/3856-3-0x00007FFE5F950000-0x00007FFE5F960000-memory.dmp

memory/3856-4-0x00007FFE9F8C0000-0x00007FFE9FAC9000-memory.dmp

memory/3856-5-0x00007FFE5F950000-0x00007FFE5F960000-memory.dmp

memory/3856-6-0x00007FFE9F8C0000-0x00007FFE9FAC9000-memory.dmp

memory/3856-7-0x00007FFE9F8C0000-0x00007FFE9FAC9000-memory.dmp

memory/3856-9-0x00007FFE9F8C0000-0x00007FFE9FAC9000-memory.dmp

memory/3856-10-0x00007FFE9F8C0000-0x00007FFE9FAC9000-memory.dmp

memory/3856-8-0x00007FFE5F950000-0x00007FFE5F960000-memory.dmp

memory/3856-11-0x00007FFE5D730000-0x00007FFE5D740000-memory.dmp

memory/3856-12-0x00007FFE5D730000-0x00007FFE5D740000-memory.dmp

memory/3856-27-0x00007FFE9F8C0000-0x00007FFE9FAC9000-memory.dmp

memory/3856-28-0x00007FFE9F964000-0x00007FFE9F965000-memory.dmp

memory/3856-29-0x00007FFE9F8C0000-0x00007FFE9FAC9000-memory.dmp

memory/3856-30-0x00007FFE9F8C0000-0x00007FFE9FAC9000-memory.dmp

memory/3856-31-0x00007FFE9F8C0000-0x00007FFE9FAC9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCDA089.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

memory/3856-529-0x00007FFE5F950000-0x00007FFE5F960000-memory.dmp

memory/3856-533-0x00007FFE9F8C0000-0x00007FFE9FAC9000-memory.dmp

memory/3856-532-0x00007FFE9F8C0000-0x00007FFE9FAC9000-memory.dmp

memory/3856-531-0x00007FFE5F950000-0x00007FFE5F960000-memory.dmp

memory/3856-530-0x00007FFE5F950000-0x00007FFE5F960000-memory.dmp

memory/3856-528-0x00007FFE5F950000-0x00007FFE5F960000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win10v2004-20250619-en

Max time kernel

103s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2612 wrote to memory of 4444 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2612 wrote to memory of 4444 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2612 wrote to memory of 4444 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4444 -ip 4444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win11-20250610-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\jZip\log.log C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\128.png C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\zh_TW\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_834322335\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_1520333538\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_1070143267\edge_autofill_global_block_list.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_1070143267\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\offscreendocument_main.js C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\lo\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\gl\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\nl\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\ca\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\zh_CN\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\cy\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\ta\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\sv\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\zu\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_metadata\verified_contents.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\service_worker_bin_prod.js C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\ko\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\lt\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\tr\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\id\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\pl\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\ro\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\km\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\page_embed_script.js C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\sl\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\th\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\ar\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\en_CA\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\manifest.fingerprint C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_1520333538\deny_etld1_domains.list C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_1070143267\autofill_bypass_cache_forms.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\offscreendocument.html C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\fr_CA\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\pa\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\da\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\ur\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\zh_HK\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\es\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\bn\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\kk\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\en_GB\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\kn\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_1070143267\v1FieldTypes.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_1070143267\manifest.fingerprint C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Windows\SystemTemp C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\ms\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\gu\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\hr\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\be\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\fr\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\te\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\en\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\msedge_url_fetcher_684_1428626375\GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_93_1_0.crx C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\hi\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\mn\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_834322335\LICENSE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_1070143267\regex_patterns.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_606528645\manifest.fingerprint C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_615991802\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\uk\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\fi\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\az\messages.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133961240805321819" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe\IsHostApp C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2340264150-4060318110-2688614100-1000\{E1E76B72-44D1-4D3E-B530-B35F2F18D3F5} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2340264150-4060318110-2688614100-1000\{D5A0CF24-8597-44F9-9FB1-A1F204383393} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5728 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5728 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 684 wrote to memory of 1076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 684 wrote to memory of 5220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 684 wrote to memory of 4820 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 684 wrote to memory of 5608 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.jzip.com/terms_of_use.php

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.jzip.com/terms_of_use.php

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x36c,0x7ffd5845f208,0x7ffd5845f214,0x7ffd5845f220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1760,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=2136 /prefetch:11

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2484,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=2500 /prefetch:13

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2100,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=2096 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3392,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=3456 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3400,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=3460 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4172,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=5036,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=5024 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4680,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=3460 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=5204,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=3624 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=5140,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=5008 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=5560,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=5548 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5708,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=5732 /prefetch:14

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5600,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=5704 /prefetch:12

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6180,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=6240 /prefetch:14

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6188,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=6264 /prefetch:14

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6976,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=6992 /prefetch:14

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6928,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=7052 /prefetch:14

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6928,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=7052 /prefetch:14

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7208,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=7220 /prefetch:14

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe

cookie_exporter.exe --cookie-json=1140

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7204,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=7472 /prefetch:14

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7484,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=6128 /prefetch:14

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7036,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=7116 /prefetch:14

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7064,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=7364 /prefetch:14

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7108,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=7468 /prefetch:14

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6232,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=7364 /prefetch:14

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6260,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=6748 /prefetch:14

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7184,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=7188 /prefetch:14

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6968,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=7640 /prefetch:14

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7644,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=7260 /prefetch:14

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=7256,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=7468 /prefetch:10

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6044,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=6244 /prefetch:14

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.secondofferdelivery.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 www.jzip.com udp
US 8.8.8.8:53 www.jzip.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 13.248.169.48:80 www.jzip.com tcp
US 150.171.27.11:80 edge.microsoft.com tcp
US 13.248.169.48:80 www.jzip.com tcp
US 8.8.8.8:53 www.jzip.com udp
US 8.8.8.8:53 www.jzip.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 copilot.microsoft.com udp
US 8.8.8.8:53 copilot.microsoft.com udp
US 150.171.28.11:443 edge.microsoft.com tcp
US 13.107.246.64:443 api.edgeoffer.microsoft.com tcp
GB 2.18.27.68:443 copilot.microsoft.com tcp
US 13.248.169.48:443 www.jzip.com tcp
US 13.248.169.48:443 www.jzip.com tcp
US 13.107.246.64:443 api.edgeoffer.microsoft.com tcp
GB 2.18.27.68:443 copilot.microsoft.com tcp
US 150.171.28.11:443 edge.microsoft.com tcp
US 13.248.169.48:443 www.jzip.com tcp
US 13.248.169.48:443 www.jzip.com tcp
US 8.8.8.8:53 www.godaddy.com udp
US 8.8.8.8:53 www.godaddy.com udp
GB 184.26.44.14:443 www.godaddy.com tcp
US 8.8.8.8:53 img6.wsimg.com udp
US 8.8.8.8:53 img6.wsimg.com udp
GB 2.18.27.70:443 img6.wsimg.com tcp
GB 2.18.27.70:443 img6.wsimg.com tcp
GB 2.18.27.70:443 img6.wsimg.com tcp
GB 2.18.27.70:443 img6.wsimg.com tcp
GB 184.26.44.14:443 www.godaddy.com tcp
US 8.8.8.8:53 gui.godaddy.com udp
US 8.8.8.8:53 gui.godaddy.com udp
US 8.8.8.8:53 img1.wsimg.com udp
US 8.8.8.8:53 img1.wsimg.com udp
US 8.8.8.8:53 csp.godaddy.com udp
US 8.8.8.8:53 csp.godaddy.com udp
GB 23.200.208.14:443 csp.godaddy.com tcp
GB 23.200.208.14:443 csp.godaddy.com tcp
GB 2.18.27.82:443 www.bing.com tcp
US 150.171.28.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 update.googleapis.com udp
US 8.8.8.8:53 update.googleapis.com udp
GB 216.58.201.99:443 update.googleapis.com tcp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 clients2.googleusercontent.com udp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 216.58.201.97:443 clients2.googleusercontent.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 edgeassetservice.azureedge.net udp
US 8.8.8.8:53 edgeassetservice.azureedge.net udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 150.171.28.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 edgeassetservice.azureedge.net udp
US 8.8.8.8:53 edgeassetservice.azureedge.net udp
US 13.107.246.64:443 edgeassetservice.azureedge.net tcp
GB 184.26.44.14:443 gui.godaddy.com tcp
GB 23.200.208.14:443 csp.godaddy.com tcp
US 8.8.8.8:53 edge-consumer-static.azureedge.net udp
US 8.8.8.8:53 edge-consumer-static.azureedge.net udp
US 13.107.246.64:443 edge-consumer-static.azureedge.net tcp
US 8.8.8.8:53 static.edge.microsoftapp.net udp
US 8.8.8.8:53 static.edge.microsoftapp.net udp
US 13.107.246.64:443 static.edge.microsoftapp.net tcp
US 150.171.28.11:443 edge.microsoft.com tcp
GB 2.20.12.95:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
GB 2.18.27.82:443 www.bing.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
GB 2.18.27.76:443 www.bing.com udp

Files

C:\Users\Admin\AppData\Local\Temp\nsf92FA.tmp\registry.dll

MD5 2b7007ed0262ca02ef69d8990815cbeb
SHA1 2eabe4f755213666dbbbde024a5235ddde02b47f
SHA256 0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d
SHA512 aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

C:\Users\Admin\AppData\Local\Temp\nsf92FA.tmp\System.dll

MD5 bf712f32249029466fa86756f5546950
SHA1 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA256 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
SHA512 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

C:\Users\Admin\AppData\Local\Temp\nsf92FA.tmp\UserInfo.dll

MD5 c7ce0e47c83525983fd2c4c9566b4aad
SHA1 38b7ad7bb32ffae35540fce373b8a671878dc54e
SHA256 6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae
SHA512 ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

C:\Users\Admin\AppData\Local\Temp\nsf92FA.tmp\UAC.dll

MD5 a88baad3461d2e9928a15753b1d93fd7
SHA1 bb826e35264968bbc3b981d8430ac55df1e6d4a6
SHA256 c5ab2926c268257122d0342739e73573d7eeda34c861bc7a68a02cbc69bd41af
SHA512 5edcf46680716930da7fd1a41b8b0426f057cf4becefb3ee84798ec8b449726afb822fb626c4942036a1ae3bb937184d1f71d0e45075abb5bf167f5d833df43a

C:\Users\Admin\AppData\Local\Temp\nsf92FA.tmp\apphelp.dll

MD5 fe83bf8c380b208bd7738ac0d5645962
SHA1 fd83745c0f286d9b2b43316ac9ee1d14459b47f9
SHA256 3f6b1e16842b9ac03cf2aa285ce812d1c526f610854b7e110ac1b4625d55ecf6
SHA512 217df4fdf9e9e3c4b525d00c7c680fc77c63a52817c53b59e5f786eda68b766a8068e44c04c74dc8e695711051d59097c4c2b35e9f1eace38a5cec4e7530b2d3

C:\Users\Admin\AppData\Local\Temp\nsf92FA.tmp\soffer.dll

MD5 0d1d780cd2d8445c4718d23e8f2551cd
SHA1 348618b28381aa43b1696ae26325a02e27c51c60
SHA256 3c4307e83e3264571a5e5e80e01da4d7bce98f0c9e36564b10ff21edbc613330
SHA512 02776fbbd10556d4152660440059eb29358103e1ae71df289ef0ef11f66d9bef4053813553a4fea71af427ae866e5c6222693b3e5295be9592827b073f592e34

memory/5728-40-0x00000000033B0000-0x00000000033B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsf92FA.tmp\nsDialogs.dll

MD5 4ccc4a742d4423f2f0ed744fd9c81f63
SHA1 704f00a1acc327fd879cf75fc90d0b8f927c36bc
SHA256 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6
SHA512 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

C:\Users\Admin\AppData\Local\Temp\nsf92FA.tmp\nsArray.dll

MD5 7fc4723bb0a4118e5f91047021d1aacd
SHA1 092a321a21d802045105ecc8cd3c9d7d2c6da923
SHA256 8f9bfeebfa3b070b116de61a63271b6c25af0dbb4bbfb4ae73e334d1f8517efd
SHA512 1fe86533987ff1c4d446b231dc1ff2c3bbce224ae91b73ffead539f08740bfb06d2f40f1aedf0571106dc4e12eec27aa32018c2bf5361b7488c07b4d90800f02

memory/5728-57-0x000000006FFB0000-0x000000006FFBA000-memory.dmp

memory/5728-71-0x0000000074124000-0x0000000074125000-memory.dmp

memory/5728-70-0x0000000006140000-0x0000000006141000-memory.dmp

memory/5728-69-0x00000000033B0000-0x00000000033B1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ca4ddba46b5afeff8344675515c9f343
SHA1 f52cd12cb0b80c47d2208355151364b451e10478
SHA256 eac2b723fe0a123ab0560772cdb1d16d7410a8312b6f8a9257f2564e372e9039
SHA512 58efe5c67bc7bbe1f4d6d1669149b37a6c792cc77ea6db8632785ba97dc74a550cb90017c1e4947742e844f981e47e1f6e3c35b12215d64119af1890a912c7db

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0a40cba33c068849a0319b807a59601c
SHA1 1997a675e36dc63380eff92e71b5639847b1da5e
SHA256 ea865b10b30786c6016a7efc41df7302e6154f46b90d68fb661cf3223daffedc
SHA512 9b28750aab20cff89c29df07f37f47430708be9fda1d02d23898d53959c86a836b2cf8d6325c2e42a89f68cd48bcd946f8beac2fa46aa95c2fa115907b7ebdff

\??\pipe\crashpad_684_OQXAHPZMNYZMARTJ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d9907e3cff5ea47c2b9c7ab5bf0031c2
SHA1 840fe0665da66dc44e8244c25fc7151ea9192e9e
SHA256 4f8b505f8522eb29921f8abd0bc71631623c24d25c7570d444ecb7bdb2a0195d
SHA512 88d27898ab9c643c76366cd8989bfd5e6524bc5e6993dca519a6dd9dd4dfbddc95e53e38ee8dbed3fb6f72191389209cbe97a27033a4a5979f8f7ce9d164a2d1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

MD5 06d55006c2dec078a94558b85ae01aef
SHA1 6a9b33e794b38153f67d433b30ac2a7cf66761e6
SHA256 088bb586f79dd99c5311d14e1560bbe0bb56225a1b4432727d2183341c762bcd
SHA512 ec190652af9c213ccbb823e69c21d769c64e3b9bae27bea97503c352163bf70f93c67cebbf327bfc73bfd632c9a3ae57283b6e4019af04750fe18a2410a68e60

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

MD5 8388c1db41613ef6b8258d4da459f0c0
SHA1 1b2fa184151b23f3df436033ff0dcb8e73b75773
SHA256 61e60c450be8e29a9cebc6b209b841b461685369e622786f560584efff489145
SHA512 ca8d040cdce94d5935bb4c083968b21a7213aa2cf60775830ebd149d5ca1772df47bf2fadbf98c12a214ca0cd3aa94fd3c4d0963dd2d7e0230714cf19d345df9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 13d6188cf2a79e6f4bb95a56520ab6a1
SHA1 2121af3508e95b398cb8ace7999be965ce7f308c
SHA256 64a343ff7135b1ed4a1697eabd134dcb0fa6ea3c4cc860525a24252698f1eb1e
SHA512 51275703c0151ee53f7623c1b8b28792ab241568a141db90a3415f0b372b8454addc0266d23e03e6e1a29b7bf33001ddffe2487789a9718977934ef641a0a298

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.0a6b11a5b642bf6c1938189707e109a1f48eb02018cfb146f09e74a753567d1b

MD5 b384b2c8acf11d0ca778ea05a710bc01
SHA1 4d3e01b65ed401b19e9d05e2218eeb01a0a65972
SHA256 0a6b11a5b642bf6c1938189707e109a1f48eb02018cfb146f09e74a753567d1b
SHA512 272dd92a3efbf6cefe4b13127e09a9bd6455f5fc4913e7477c6712e4c3fd67efe87bd0d5bf1ec6b1e65f8d3aa0ac99d5bcf88d8a44d3f3116527253a01dde3be

memory/5728-671-0x0000000074124000-0x0000000074125000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c6c14deeeaabb818d1b924df6e8b3b13
SHA1 b32aebb1c49ccfcc08ec6bf9c513007fe6f47850
SHA256 aaef9e432b058bceaa21ef2c7f9a7c55752d8ec79e551b7f18a1266b8faf520e
SHA512 4492027dd9339b6dd73f453c7cdc895b94910e725d8bca68a787599a914a0e8c10ddb63c95fd4a00fda18899995a650738d86c9522029b9ab761c2d061490de6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

MD5 20d4b8fa017a12a108c87f540836e250
SHA1 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 f46d1312c4dfd2c5c9cbaa39d3f528fd
SHA1 39bb0b85700a0b747e65768b16deb9d994d132db
SHA256 340ac72d6ef6f56304bbb5330bc046835c972cde40aa879f82b6fdf4730de30e
SHA512 9bfde123862fa700a0e33a8d462abe9fd4e5aef3c153714e3171f870cc278de4e867a1ce953d3960d77427b01e6a6fd3d43074062600ab69cff7974f5cc0a9d7

C:\Users\Admin\AppData\Local\Temp\nsf92FA.tmp\banner.bmp

MD5 6b2026ed4da8d06fc782c5df14bcf4b6
SHA1 a9d4cc4b5cd36e756a30f07d61c6674d453c8bdc
SHA256 d25f7dd93e67f584a1757a72c975b19fedf7542035ad9afb8cb3c5b9f72f2284
SHA512 89d13e0bf6dd5a933194e7fa195f79e6e5d1f8256fde88588ca888dfe62371a89bbd06a20a9fd5f1cd5caad5f39c08b1d99642a91134163037972459c24412f3

C:\Users\Admin\AppData\Local\Temp\nsf92FA.tmp\ask_eula.rtf

MD5 7bd45e3280288dda6fd602031e2066e8
SHA1 db4d49155de06f6a10ae50c01c612e4d998547bf
SHA256 4346de72fee6dbe8b74218d8d9550395bf7f26634eb026ff6359fa0f855e9a4d
SHA512 a3a40b878d46531127a55550c807e6a17374d5d52bd645ba6b61fc0ae551d348247c4d4969c32e60b7bdad7ce1b3167f3d87b4eab2746ae305f182d4084c09d3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 9da5a69cdadaba9068377221165a5ca9
SHA1 f9a7544d85c1ce425cbb8d7ca42574d52f5af424
SHA256 995ffa89c73950649648d793fec84aea01ec5929b17727f42b4b1a45e4c5c72b
SHA512 b29748ac880a3c6fe9c4ce0551e3b7baadf28a435aa3bf7af56e7b57f4338a46c3e615c270f69a5c2c18feba604fcd407f7c3e1297063a8544cae8157fce36b1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe581690.TMP

MD5 5ad8e9e12ba2f5d1d4f9e3335afde846
SHA1 e90f3f71a5cc317e8ac15206e9998174482ade5a
SHA256 05d50f4f79290b3991b2e18ac8e7b82fbb0af340e68f21654450e349722aa52f
SHA512 1c88e02905188cec919fdca8b3415f5b97e0fdaa29a52c3d5d433f7266fd7e1efb6063291da013680af80fd09f983a6340272afc461c3dc60e231d616972f1ae

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 fb0dda38f2d78f2722dcd4db2cf8a3ff
SHA1 356c5dbd84eab204009a4d892789282e09a5ba26
SHA256 4ce692113c7d00d4ae0838c557c6f85cecd1654681b1cf716e1a0a78424382c2
SHA512 91013d5e2afa69c8a92a241334272c2b5bcd9c6ccf4503fa37cebc073731dea1c542c7ae046e3f38e67be9ffe864618f3b6999893dde580d8c795f5687c28697

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe581cca.TMP

MD5 8de69417a670c9f49e99196835ca71d0
SHA1 943cce2b2d0c892f9568a40b7e03a26c89bf4d46
SHA256 e070f591dc808142a46d093974060a09754a29e918c64abe9ab084cc9c2ca314
SHA512 c3fa2c0092a898e0de878879056ad016bf9949f938d388cd0c1bcddfadae8cdd8350f4e18c4bae1268324637028126ff89e831255513552516dd53803b7841e5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 b7188055e02d141f9c45a086eac7bb7d
SHA1 27444122edf9ef642ef5bdcf0c8890aecc0566c3
SHA256 a563edff52075fef6d972b90c1e1c2518df667508f03079bdba3aa0e21a8cc58
SHA512 9873035d2e55cc60247f11d377f6c83e65298cd9d088fa731009f1927282efb61630c6f035ddc495d143409d557a32106d2dfd564ca7b271550971a8291cb900

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

MD5 eb87ca16416c4a54c4338c079eca6aa5
SHA1 518fdb11a9bfbff0fc0f7cf121b9b5a8e989bbea
SHA256 d6239e1b4656ec7b31c8a014e8b32a04536e655566b088a1bc58cb1e330870e9
SHA512 876609b0c973de7f7074b2047981466443a43daea2924b8641e9eeb9aa4cd1fb054c333a89eccf092b9b4275d74369c69d402871136ee62fbf5a2a4f887d0263

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_834322335\LICENSE

MD5 ee002cb9e51bb8dfa89640a406a1090a
SHA1 49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2
SHA256 3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b
SHA512 d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_834322335\manifest.json

MD5 e0909520982fc48e47a6451443b11741
SHA1 0e46425274933c153ebf5a03f25e693267a8cea2
SHA256 2e9e6138305d702f3c9b89d6e9dc4931b548c69bb86db64e585fa2e37b8ef654
SHA512 3fdf504cb0bf39a807fa15a8ec31a6efd8083888692935ec31d70b4ef6eef89b8527c6a75a46bf7ae3efeeaa507ac3c7cccda5246a2f073ac603a7ffa10d20a8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f9874ea24271c2c87dd1e8207c2e7179
SHA1 9df3033aa31e90b50f89761a51a32a86146bcf80
SHA256 fc09c71515fb9d78f18270ab1764a56dbd10ef0929a70e60d3798ee556a38806
SHA512 889c0da31066bb24dcf7ad1486f4bde85222efce599013843e803f0410dc3e4dd211273bfded13c6f1feb139f7efeabb6e47dc54dbeb223a147fa33670cec1b4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

MD5 6cfad45ef108b53395e869f72a7e2638
SHA1 2bf5ebcf1bf8fc754656c94dad96fdbba2ce75a8
SHA256 f244950786d5e9c5816e4cc291be8a1e47b9a9689600e54aa5b998b6ea28547d
SHA512 69f81961e66fb7d48fe3bca397d9d3483823d36282fc09b1770aa885c0c21e7095fa28b64fd57d4d2cdc55ba3d0b81a2518ef343717bb6a672e46930f6ea4489

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_1520333538\manifest.json

MD5 8177721150435a9b333475e2b8a6e691
SHA1 8aa8981617e8f3d8967a0a4a2d20315317eba293
SHA256 8a4800ed5f63b9371a024c501ee2b031af94539e32e6753214e6d99c625c018c
SHA512 540c4c52030c6a4e1efcfab5eb59760c696bb3e3f1b8f93c97a6368639a911ba3d395190fc0798d99f3c63e25b6dcf2ded482bbda34d36ddd874dd20c2cfdf74

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_1070143267\manifest.json

MD5 390af74c5ae643320cad0cef4fa8fee1
SHA1 22ce727f9bcff9a914eb1d58ba8384de6fbda7e1
SHA256 1148c28e540b9b96237b35170a547a13165d6c7c039b8fff9e4b2cd774b92f5a
SHA512 deaeeeffdddea1a9047e97d82e3bb701fb865adcd77ef9e985bb0ec5e4057155e7b83cad4f9f3dd256edf89f19d1075349cea5005dffff8420da4d0646be413a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.1.24\edge_autofill_global_block_list.json

MD5 adb5f6058f82680a26d6ed02b44e5a21
SHA1 6197ee74e40c742e184357dcb6dfcc7e32818cae
SHA256 7655c9afb5f2ea39b18e302498b34009ca02b72451f82a6d4e7fb4d8d954f050
SHA512 742dd8f6eaf1bd5f24b37e90d7a3dce7bd0a8edf399c2dec25cd92d2bd6e1d663ebab3c68234812f0144061d4f22f0c2c43de890f60e24d93133bbfe23a6d1c5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.1.24\autofill_bypass_cache_forms.json

MD5 9357a694006d8bec3d0f8c9607b76ff8
SHA1 6335ce691999ec10de742cd07d074eb648631259
SHA256 b6c37df977f149c5a444c72ea4469ce666c7975d34c6e2e0d9d8ec416f57dd44
SHA512 87c2d0192f3a78b13a691cda14da507f260d13331b792eb973869bd6dbd0f207faa48f68882be691641b46c06ed12ee8b9728a3b596df67a1f9a4831b4369a44

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.1.24\v1FieldTypes.json

MD5 c1a0d30e5eebef19db1b7e68fc79d2be
SHA1 de4ccb9e7ea5850363d0e7124c01da766425039c
SHA256 f3232a4e83ffc6ee2447aba5a49b8fd7ba13bcfd82fa09ae744c44996f7fcdd1
SHA512 f0eafae0260783ea3e85fe34cc0f145db7f402949a2ae809d37578e49baf767ad408bf2e79e2275d04891cd1977e8a018d6eeb5b95e839083f3722a960ccb57a

C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_606528645\manifest.json

MD5 b4d869dd7052d78d29b3e439565f1600
SHA1 caa2cfa31729f4348a02514eba0235e72b88ce5a
SHA256 0f8ee89c4a420bda691d058cdd96c874c2edeec84145c81c957e98d05e351d3c
SHA512 1fda3488df8c43ad413b2e69a5e2292322fe837f7b27b88302b4e591e7e13fdceacb0af9b8bb92ca7c0d2b39abffc776c6cc35d18abb86ce91f55c719b43480e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.3.11\data.txt

MD5 1bee2c36cebf096d8a559d5c4eeacff7
SHA1 c695eda67f31d729dfc336b8a471ad6346a39031
SHA256 5e4014e267eec120e673cfbc407e4340c234a7898319b35a304ed6ea343a7999
SHA512 ba520d383be95d8b15140b7e38e4e7ac03077bbbb8ee5326ac4162be9403bc9f0576e53840fc22cd9c4038f19f60bdeb7b4e8e0125da6ed80670238de812b4b5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 438d8abc00e24955beeae5c4888df413
SHA1 d7a768d9906ccba9f3ad5ac3696c408bdb3a3093
SHA256 59cedf6d3c9a8723be0b2809db5199bf92c540be0b6bee43f5b704d70d11805f
SHA512 be9e7e4546402e0c1779a519d5f67231adac4c3903634383e209d5ebcbe00203d7d60dece8206c2ef4903f4025fda07cacbc73c030432bb76262ab8d0f8b0aa9

Analysis: behavioral6

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win11-20250610-en

Max time kernel

40s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MoreInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3596 wrote to memory of 2748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3596 wrote to memory of 2748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3596 wrote to memory of 2748 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MoreInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MoreInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2748 -ip 2748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 452

Network

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win11-20250610-en

Max time kernel

102s

Max time network

114s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2412 wrote to memory of 3652 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2412 wrote to memory of 3652 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2412 wrote to memory of 3652 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3652 -ip 3652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 532

Network

Country Destination Domain Proto
US 52.111.229.48:443 tcp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win10v2004-20250502-en

Max time kernel

103s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5568 wrote to memory of 4236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5568 wrote to memory of 4236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5568 wrote to memory of 4236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4236 -ip 4236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win10v2004-20250610-en

Max time kernel

103s

Max time network

141s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisXML.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5732 wrote to memory of 3012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5732 wrote to memory of 3012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5732 wrote to memory of 3012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisXML.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisXML.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3012 -ip 3012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win10v2004-20250610-en

Max time kernel

105s

Max time network

139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 6020 wrote to memory of 6120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 6020 wrote to memory of 6120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 6020 wrote to memory of 6120 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6120 -ip 6120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6120 -s 624

Network

Country Destination Domain Proto
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2025-07-04 17:34

Reported

2025-07-04 17:36

Platform

win11-20250619-en

Max time kernel

103s

Max time network

104s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5768 wrote to memory of 5948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5768 wrote to memory of 5948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5768 wrote to memory of 5948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5948 -ip 5948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 544

Network

Files

N/A