Analysis Overview
SHA256
4dae9f99e0707d4e175ea846b23f32ef5cb63d055fc8ee30b35099783f0cc869
Threat Level: Shows suspicious behavior
The file JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Loads dropped DLL
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Checks installed software on the system
UPX packed file
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Browser Information Discovery
Suspicious use of WriteProcessMemory
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-04 17:34
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral7
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win10v2004-20250502-en
Max time kernel
100s
Max time network
137s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3292 wrote to memory of 5988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3292 wrote to memory of 5988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3292 wrote to memory of 5988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5988 -ip 5988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5988 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win11-20250619-en
Max time kernel
101s
Max time network
102s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3936 wrote to memory of 4432 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3936 wrote to memory of 4432 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3936 wrote to memory of 4432 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4432 -ip 4432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 468
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win10v2004-20250502-en
Max time kernel
103s
Max time network
140s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1996 wrote to memory of 780 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1996 wrote to memory of 780 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1996 wrote to memory of 780 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsArray.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsArray.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 780 -ip 780
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/780-0-0x0000000074DC0000-0x0000000074DCA000-memory.dmp
memory/780-1-0x0000000074DC0000-0x0000000074DCA000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win11-20250610-en
Max time kernel
40s
Max time network
42s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3540 wrote to memory of 5148 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3540 wrote to memory of 5148 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3540 wrote to memory of 5148 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsArray.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsArray.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5148 -ip 5148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5148 -s 448
Network
Files
memory/5148-0-0x0000000074B10000-0x0000000074B1A000-memory.dmp
memory/5148-1-0x0000000074B10000-0x0000000074B1A000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win10v2004-20250502-en
Max time kernel
106s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$R1\$_1_\Uninstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3796 wrote to memory of 5252 | N/A | C:\Users\Admin\AppData\Local\Temp\$R1\$_1_\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 3796 wrote to memory of 5252 | N/A | C:\Users\Admin\AppData\Local\Temp\$R1\$_1_\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 3796 wrote to memory of 5252 | N/A | C:\Users\Admin\AppData\Local\Temp\$R1\$_1_\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\$R1\$_1_\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\$R1\$_1_\Uninstall.exe"
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$R1\$_1_\
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | service.jzip.com | udp |
| US | 13.248.169.48:80 | service.jzip.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
| MD5 | a7c8756c56e5a841b91da9d02e769f36 |
| SHA1 | 2ac01ffff9f107f67c701c11a3c89506765689ce |
| SHA256 | 63aca71fc4d483663571e7fd733747a9c7afc527aba7cf3b7ccbbe8292aafb69 |
| SHA512 | 45e224f1c64aa70af39e59f8e2a5ad500d4bf1f9fa9156b0a6626b7737a43237c84562519a5694fe6db3b9696457ab2774fe9bc8bde5fba85fa9612eede969fd |
C:\Users\Admin\AppData\Local\Temp\nsa8677.tmp\UAC.dll
| MD5 | a88baad3461d2e9928a15753b1d93fd7 |
| SHA1 | bb826e35264968bbc3b981d8430ac55df1e6d4a6 |
| SHA256 | c5ab2926c268257122d0342739e73573d7eeda34c861bc7a68a02cbc69bd41af |
| SHA512 | 5edcf46680716930da7fd1a41b8b0426f057cf4becefb3ee84798ec8b449726afb822fb626c4942036a1ae3bb937184d1f71d0e45075abb5bf167f5d833df43a |
C:\Users\Admin\AppData\Local\Temp\nsa8677.tmp\registry.dll
| MD5 | 2b7007ed0262ca02ef69d8990815cbeb |
| SHA1 | 2eabe4f755213666dbbbde024a5235ddde02b47f |
| SHA256 | 0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d |
| SHA512 | aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca |
memory/5252-15-0x0000000002F90000-0x0000000002FE9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsa8677.tmp\System.dll
| MD5 | bf712f32249029466fa86756f5546950 |
| SHA1 | 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e |
| SHA256 | 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af |
| SHA512 | 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4 |
C:\Users\Admin\AppData\Local\Temp\nsa8677.tmp\apphelp.dll
| MD5 | fe83bf8c380b208bd7738ac0d5645962 |
| SHA1 | fd83745c0f286d9b2b43316ac9ee1d14459b47f9 |
| SHA256 | 3f6b1e16842b9ac03cf2aa285ce812d1c526f610854b7e110ac1b4625d55ecf6 |
| SHA512 | 217df4fdf9e9e3c4b525d00c7c680fc77c63a52817c53b59e5f786eda68b766a8068e44c04c74dc8e695711051d59097c4c2b35e9f1eace38a5cec4e7530b2d3 |
C:\Users\Admin\AppData\Local\Temp\nsa8677.tmp\nsDialogs.dll
| MD5 | 4ccc4a742d4423f2f0ed744fd9c81f63 |
| SHA1 | 704f00a1acc327fd879cf75fc90d0b8f927c36bc |
| SHA256 | 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6 |
| SHA512 | 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb |
C:\Users\Admin\AppData\Local\Temp\nsa8677.tmp\nsExec.dll
| MD5 | 132e6153717a7f9710dcea4536f364cd |
| SHA1 | e39bc82c7602e6dd0797115c2bd12e872a5fb2ab |
| SHA256 | d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2 |
| SHA512 | 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1 |
Analysis: behavioral27
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win10v2004-20250610-en
Max time kernel
104s
Max time network
136s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5512 wrote to memory of 2992 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5512 wrote to memory of 2992 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5512 wrote to memory of 2992 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2992 -ip 2992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 612
Network
| Country | Destination | Domain | Proto |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win10v2004-20250610-en
Max time kernel
102s
Max time network
141s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 6040 wrote to memory of 5244 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 6040 wrote to memory of 5244 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 6040 wrote to memory of 5244 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5244 -ip 5244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5244 -s 624
Network
| Country | Destination | Domain | Proto |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win10v2004-20250619-en
Max time kernel
101s
Max time network
129s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ask_eula.rtf" /o ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| GB | 2.19.248.219:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/2156-0-0x00007FFF95A50000-0x00007FFF95A60000-memory.dmp
memory/2156-1-0x00007FFF95A50000-0x00007FFF95A60000-memory.dmp
memory/2156-2-0x00007FFF95A50000-0x00007FFF95A60000-memory.dmp
memory/2156-3-0x00007FFFD5A6D000-0x00007FFFD5A6E000-memory.dmp
memory/2156-4-0x00007FFF95A50000-0x00007FFF95A60000-memory.dmp
memory/2156-5-0x00007FFF95A50000-0x00007FFF95A60000-memory.dmp
memory/2156-10-0x00007FFFD59D0000-0x00007FFFD5BC5000-memory.dmp
memory/2156-11-0x00007FFFD59D0000-0x00007FFFD5BC5000-memory.dmp
memory/2156-12-0x00007FFFD59D0000-0x00007FFFD5BC5000-memory.dmp
memory/2156-8-0x00007FFFD59D0000-0x00007FFFD5BC5000-memory.dmp
memory/2156-13-0x00007FFF93600000-0x00007FFF93610000-memory.dmp
memory/2156-9-0x00007FFFD59D0000-0x00007FFFD5BC5000-memory.dmp
memory/2156-15-0x00007FFF93600000-0x00007FFF93610000-memory.dmp
memory/2156-14-0x00007FFFD59D0000-0x00007FFFD5BC5000-memory.dmp
memory/2156-7-0x00007FFFD59D0000-0x00007FFFD5BC5000-memory.dmp
memory/2156-6-0x00007FFFD59D0000-0x00007FFFD5BC5000-memory.dmp
memory/2156-27-0x00007FFFD59D0000-0x00007FFFD5BC5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | 29c5c6caf7da06dddae15e8c23328cb0 |
| SHA1 | d6ac7f7ddc065b75f2de1d4f5f4c493517b385c6 |
| SHA256 | 843c4ca46240008e68ade5549ae2bcd27318106fafed9bb08c400c0e37a4f40c |
| SHA512 | db3a8346437aa7f876063bbf784fd4a60ab496c1b1863ca216d64a3460f94831f1d3096818ffe75bde016570e3fe4858260b0da0d27d401b737534db59259107 |
C:\Users\Admin\AppData\Local\Temp\TCDB2D4.tmp\iso690.xsl
| MD5 | ff0e07eff1333cdf9fc2523d323dd654 |
| SHA1 | 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4 |
| SHA256 | 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5 |
| SHA512 | b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d |
memory/2156-464-0x00007FFF95A50000-0x00007FFF95A60000-memory.dmp
memory/2156-467-0x00007FFF95A50000-0x00007FFF95A60000-memory.dmp
memory/2156-466-0x00007FFF95A50000-0x00007FFF95A60000-memory.dmp
memory/2156-465-0x00007FFF95A50000-0x00007FFF95A60000-memory.dmp
memory/2156-468-0x00007FFFD59D0000-0x00007FFFD5BC5000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win11-20250619-en
Max time kernel
100s
Max time network
104s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1784 wrote to memory of 3112 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1784 wrote to memory of 3112 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1784 wrote to memory of 3112 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisXML.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisXML.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3112 -ip 3112
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 484
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win10v2004-20250619-en
Max time kernel
103s
Max time network
142s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4232 wrote to memory of 4292 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4232 wrote to memory of 4292 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4232 wrote to memory of 4292 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4292 -ip 4292
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 612
Network
| Country | Destination | Domain | Proto |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win10v2004-20250619-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\jZip\log.log | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4372_1545489470\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4372_1899285486\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4372_1899285486\protocols.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4372_1899285486\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4372_714680192\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4372_714680192\nav_config.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4372_1939796052\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4372_1545489470\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4372_714680192\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4372_1939796052\office_endpoints_list.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4372_1939796052\smart_switch_list.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4372_1939796052\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133961240759783336" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3008489981-1977616533-741913813-1000\{4BE35DB8-7136-4B75-9055-2D27D42E35F1} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3008489981-1977616533-741913813-1000\{A4090A59-FFFB-4D99-8BCB-FBEE3FBEDDC4} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe\IsHostApp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.jzip.com/terms_of_use.php
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.jzip.com/terms_of_use.php
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2ec,0x7ffb5704f208,0x7ffb5704f214,0x7ffb5704f220
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2220,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=2216 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1856,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=2328 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2592,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=2744 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3472,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3492,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=3596 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4136,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=4260 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4296,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=4312 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4576,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=4652 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5348,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=3556 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5496,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=5220 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=5652,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=5668 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=5672,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=5840 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4268,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=5684 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3568,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=3632 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5512,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=5472 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5512,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=5472 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6264,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=6260 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6408,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=6420 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=6440,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=6372 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6436,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=6388 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --always-read-main-dll --field-trial-handle=6788,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=6816 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6708,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=6596 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7156,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=7296 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7464,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=7452 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7556,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=7544 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7700,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=7716 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=5488,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=5304 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8048,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=8072 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8040,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=8036 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4556,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=4508 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4532,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=4512 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4520,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=5648 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5320,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=5444 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5576,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=6184 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7652,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=4508 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6732,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=6120 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6184,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=4376 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2912,i,17920321810247698959,12887799310507602370,262144 --variations-seed-version --mojo-platform-channel-handle=6004 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.secondofferdelivery.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | www.jzip.com | udp |
| US | 8.8.8.8:53 | www.jzip.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.178.14:443 | clients2.google.com | tcp |
| US | 76.223.54.146:80 | www.jzip.com | tcp |
| US | 76.223.54.146:80 | www.jzip.com | tcp |
| US | 150.171.28.11:80 | edge.microsoft.com | tcp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.jzip.com | udp |
| US | 8.8.8.8:53 | www.jzip.com | udp |
| US | 8.8.8.8:53 | copilot.microsoft.com | udp |
| US | 8.8.8.8:53 | copilot.microsoft.com | udp |
| GB | 2.18.27.92:443 | copilot.microsoft.com | tcp |
| US | 13.248.169.48:443 | www.jzip.com | tcp |
| US | 13.248.169.48:443 | www.jzip.com | tcp |
| GB | 2.18.27.92:443 | copilot.microsoft.com | tcp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| US | 13.248.169.48:443 | www.jzip.com | tcp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| GB | 2.18.27.92:443 | copilot.microsoft.com | tcp |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| GB | 216.58.201.97:443 | clients2.googleusercontent.com | tcp |
| US | 8.8.8.8:53 | msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 8.8.8.8:53 | msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com | udp |
| GB | 2.20.12.82:443 | msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 13.248.169.48:443 | www.jzip.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 13.248.169.48:443 | www.jzip.com | tcp |
| US | 8.8.8.8:53 | www.godaddy.com | udp |
| US | 8.8.8.8:53 | www.godaddy.com | udp |
| GB | 184.26.44.14:443 | www.godaddy.com | tcp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | edgeassetservice.azureedge.net | udp |
| US | 8.8.8.8:53 | edgeassetservice.azureedge.net | udp |
| US | 13.107.246.64:443 | edgeassetservice.azureedge.net | tcp |
| US | 8.8.8.8:53 | img6.wsimg.com | udp |
| US | 8.8.8.8:53 | img6.wsimg.com | udp |
| GB | 2.18.27.70:443 | img6.wsimg.com | tcp |
| GB | 2.18.27.70:443 | img6.wsimg.com | tcp |
| GB | 2.18.27.70:443 | img6.wsimg.com | tcp |
| GB | 2.18.27.70:443 | img6.wsimg.com | tcp |
| GB | 2.18.27.70:443 | img6.wsimg.com | tcp |
| GB | 2.18.27.70:443 | img6.wsimg.com | tcp |
| GB | 2.18.27.70:443 | img6.wsimg.com | tcp |
| GB | 184.26.44.14:443 | www.godaddy.com | tcp |
| US | 8.8.8.8:53 | img1.wsimg.com | udp |
| US | 8.8.8.8:53 | img1.wsimg.com | udp |
| US | 8.8.8.8:53 | gui.godaddy.com | udp |
| US | 8.8.8.8:53 | gui.godaddy.com | udp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | csp.godaddy.com | udp |
| US | 8.8.8.8:53 | csp.godaddy.com | udp |
| GB | 23.200.208.14:443 | csp.godaddy.com | tcp |
| GB | 23.200.208.14:443 | csp.godaddy.com | tcp |
| GB | 2.18.27.82:443 | img1.wsimg.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | edge-consumer-static.azureedge.net | udp |
| US | 8.8.8.8:53 | edge-consumer-static.azureedge.net | udp |
| US | 13.107.246.64:443 | edge-consumer-static.azureedge.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | static.edge.microsoftapp.net | udp |
| US | 8.8.8.8:53 | static.edge.microsoftapp.net | udp |
| US | 13.107.246.64:443 | static.edge.microsoftapp.net | tcp |
| US | 8.8.8.8:53 | edge-mobile-static.azureedge.net | udp |
| US | 8.8.8.8:53 | edge-mobile-static.azureedge.net | udp |
| US | 8.8.8.8:53 | edge-cloud-resource-static.azureedge.net | udp |
| US | 8.8.8.8:53 | edge-cloud-resource-static.azureedge.net | udp |
| US | 13.107.246.64:443 | edge-cloud-resource-static.azureedge.net | tcp |
| US | 13.107.246.64:443 | edge-cloud-resource-static.azureedge.net | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| GB | 2.20.12.74:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| GB | 2.18.27.76:443 | www.bing.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| GB | 2.18.27.82:443 | www.bing.com | udp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsi5AD3.tmp\registry.dll
| MD5 | 2b7007ed0262ca02ef69d8990815cbeb |
| SHA1 | 2eabe4f755213666dbbbde024a5235ddde02b47f |
| SHA256 | 0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d |
| SHA512 | aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca |
C:\Users\Admin\AppData\Local\Temp\nsi5AD3.tmp\System.dll
| MD5 | bf712f32249029466fa86756f5546950 |
| SHA1 | 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e |
| SHA256 | 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af |
| SHA512 | 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4 |
C:\Users\Admin\AppData\Local\Temp\nsi5AD3.tmp\UserInfo.dll
| MD5 | c7ce0e47c83525983fd2c4c9566b4aad |
| SHA1 | 38b7ad7bb32ffae35540fce373b8a671878dc54e |
| SHA256 | 6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae |
| SHA512 | ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e |
C:\Users\Admin\AppData\Local\Temp\nsi5AD3.tmp\UAC.dll
| MD5 | a88baad3461d2e9928a15753b1d93fd7 |
| SHA1 | bb826e35264968bbc3b981d8430ac55df1e6d4a6 |
| SHA256 | c5ab2926c268257122d0342739e73573d7eeda34c861bc7a68a02cbc69bd41af |
| SHA512 | 5edcf46680716930da7fd1a41b8b0426f057cf4becefb3ee84798ec8b449726afb822fb626c4942036a1ae3bb937184d1f71d0e45075abb5bf167f5d833df43a |
C:\Users\Admin\AppData\Local\Temp\nsi5AD3.tmp\apphelp.dll
| MD5 | fe83bf8c380b208bd7738ac0d5645962 |
| SHA1 | fd83745c0f286d9b2b43316ac9ee1d14459b47f9 |
| SHA256 | 3f6b1e16842b9ac03cf2aa285ce812d1c526f610854b7e110ac1b4625d55ecf6 |
| SHA512 | 217df4fdf9e9e3c4b525d00c7c680fc77c63a52817c53b59e5f786eda68b766a8068e44c04c74dc8e695711051d59097c4c2b35e9f1eace38a5cec4e7530b2d3 |
C:\Users\Admin\AppData\Local\Temp\nsi5AD3.tmp\soffer.dll
| MD5 | 0d1d780cd2d8445c4718d23e8f2551cd |
| SHA1 | 348618b28381aa43b1696ae26325a02e27c51c60 |
| SHA256 | 3c4307e83e3264571a5e5e80e01da4d7bce98f0c9e36564b10ff21edbc613330 |
| SHA512 | 02776fbbd10556d4152660440059eb29358103e1ae71df289ef0ef11f66d9bef4053813553a4fea71af427ae866e5c6222693b3e5295be9592827b073f592e34 |
memory/1560-43-0x0000000003AA0000-0x0000000003AA1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsi5AD3.tmp\nsDialogs.dll
| MD5 | 4ccc4a742d4423f2f0ed744fd9c81f63 |
| SHA1 | 704f00a1acc327fd879cf75fc90d0b8f927c36bc |
| SHA256 | 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6 |
| SHA512 | 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb |
memory/1560-57-0x0000000070710000-0x000000007071A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsi5AD3.tmp\nsArray.dll
| MD5 | 7fc4723bb0a4118e5f91047021d1aacd |
| SHA1 | 092a321a21d802045105ecc8cd3c9d7d2c6da923 |
| SHA256 | 8f9bfeebfa3b070b116de61a63271b6c25af0dbb4bbfb4ae73e334d1f8517efd |
| SHA512 | 1fe86533987ff1c4d446b231dc1ff2c3bbce224ae91b73ffead539f08740bfb06d2f40f1aedf0571106dc4e12eec27aa32018c2bf5361b7488c07b4d90800f02 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 2c331f389c779c8c38854c792db3bdaf |
| SHA1 | 9dbc270547d3316ff08f06d22b30251faf040341 |
| SHA256 | 521142680d67ffc710d6dc921740415e840768dc0fcdb1a72b80e6d55b6355db |
| SHA512 | 8a590ee501dc40bfb757de9c314be7d65d3117c8245094bf7d92bd469b11f9fb34261d5f9c3a96001fdb79a673467dfd79db3b07b3f52187d58b352dd3a21576 |
memory/1560-77-0x0000000074B74000-0x0000000074B75000-memory.dmp
memory/1560-76-0x0000000006510000-0x0000000006511000-memory.dmp
memory/1560-75-0x0000000003AA0000-0x0000000003AA1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 62ab7df48d65aac643c8dabc18f8b69f |
| SHA1 | c0ed260877d646f9a64ef26c1122e606166f40f6 |
| SHA256 | b87c8c27cd8fbb4e11088eed3d335d3f65282991fdae3c70eb78cd02a0470bf2 |
| SHA512 | 418a00a918b187c6cf9e2840f3e4460f162342848122d604dbea638d430781e5e675d68cc1b26c66f79cb3cb4f065bddd06ee94ed35eeebc4b0b827678c1c719 |
\??\pipe\crashpad_4372_ISVAFUFBFXUQIQGW
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 5fb054048f628a551c1adcaef6ec5d93 |
| SHA1 | bdf84a4416f46ed81e1a4d31cc9917b4c21af69c |
| SHA256 | 5156895eeda79398fe85b04a67fda39f91ce62ca01ba4c19c1ed3a8fabaeff1d |
| SHA512 | b0c330f2901c119355f73d608da14b3f1281204f4c4b34a164e4ec1a3013fe2d019eae87ca01f0a8311b6a95a1b3b12d9371f26bb504b2071235153ff8a2a9fa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | d1568f489cbb1428c8aeed605dad7405 |
| SHA1 | 5d847bbbb87c7569b89673e1c389b512f1e948d1 |
| SHA256 | 158d2342005ff1f3899cb5b55a034923f148de3a55f2d83170f21d3078ca8f9e |
| SHA512 | 4749e72e7c3b6e47191e01985eecd61ba7aad90b4c3be30a4b057707eb58f5401aa53394995b8bd55d01639ef04a7241a4a478a25ab29cbda3dcd750164d4a74 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | f65eb9d3800883a184057024da35ce70 |
| SHA1 | c8f62f9de9a00c010df72535c0be1ee1cbc963bc |
| SHA256 | eb7f025c3dac330dab8f1723093b26c63a8e700c362583cca75420b3d0f3ca77 |
| SHA512 | 3b6b77bd5f7b20f076f7450b3bb8a6e523778e079ce791c7106c6a970eeae6c22423dc5f38087dfa992cc054a85087c910c41e0aad0f85a6e48160345b2afe42 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
| MD5 | 164a788f50529fc93a6077e50675c617 |
| SHA1 | c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48 |
| SHA256 | b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17 |
| SHA512 | ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4 |
memory/1560-136-0x0000000070710000-0x000000007071A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
| MD5 | 62f10b05737a20a980bd9be1d6d199b3 |
| SHA1 | 186d6b4bab65f9a8a9dfecb88a96a26edc6ea80c |
| SHA256 | 435682481663e5e2790b1287f3400fd106b3bb26fd9c9aa86ae282bfc53197b6 |
| SHA512 | 9835a8f8039ff270303166ef56dc718812fdfead8c226239cce7e3e3a2ee739aee65f4c7e7c28a4a2545793beadccfc432b0d95cf1c41b2c88ad2bbb29d63fa9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log
| MD5 | 6386f623de3759a5f6073b3dedac4d78 |
| SHA1 | a26d4ccc7a32c1c5350abdaaf50f11fb57f74262 |
| SHA256 | 9a1470e2247d23ed519612cc4d09a7dc46fda8f557a9686eeb62d4892fc52642 |
| SHA512 | 98ac4eda36e160ab4b13906b62671b5a677136e3be4321e2ad5b04d911a408f2086b62e8742a8fa91eeaf114d715157b9072300a6a84f2605ff2d4928e9a61bc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Temp\scoped_dir4372_506894646\d510010e-43b2-4d30-b1c1-39b5270944b9.tmp
| MD5 | b384b2c8acf11d0ca778ea05a710bc01 |
| SHA1 | 4d3e01b65ed401b19e9d05e2218eeb01a0a65972 |
| SHA256 | 0a6b11a5b642bf6c1938189707e109a1f48eb02018cfb146f09e74a753567d1b |
| SHA512 | 272dd92a3efbf6cefe4b13127e09a9bd6455f5fc4913e7477c6712e4c3fd67efe87bd0d5bf1ec6b1e65f8d3aa0ac99d5bcf88d8a44d3f3116527253a01dde3be |
C:\Users\Admin\AppData\Local\Temp\63837f6d-c2b0-4841-85bc-01626ed3ab27.tmp
| MD5 | 5058f1af8388633f609cadb75a75dc9d |
| SHA1 | 3a52ce780950d4d969792a2559cd519d7ee8c727 |
| SHA256 | cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8 |
| SHA512 | 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21 |
C:\Users\Admin\AppData\Local\Temp\e3707c48-d3cc-47ff-93a5-e21c390cef30.tmp
| MD5 | 78e47dda17341bed7be45dccfd89ac87 |
| SHA1 | 1afde30e46997452d11e4a2adbbf35cce7a1404f |
| SHA256 | 67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550 |
| SHA512 | 9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps
| MD5 | 06d55006c2dec078a94558b85ae01aef |
| SHA1 | 6a9b33e794b38153f67d433b30ac2a7cf66761e6 |
| SHA256 | 088bb586f79dd99c5311d14e1560bbe0bb56225a1b4432727d2183341c762bcd |
| SHA512 | ec190652af9c213ccbb823e69c21d769c64e3b9bae27bea97503c352163bf70f93c67cebbf327bfc73bfd632c9a3ae57283b6e4019af04750fe18a2410a68e60 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Ad Blocking\blocklist
| MD5 | 2ca8d39c3bc99de17bed5a0fe47679b6 |
| SHA1 | a9d29377d4d7f316746f898e3cae2c6fd2d1bdc2 |
| SHA256 | 1553a198ae11d60e77f8fff26d5ea7cdc1c266d81b11186fd06e0ed4e975ec90 |
| SHA512 | 490d655f3c1f39cc318e83b5a296a043fdbe8718a364b84cb7a8ed9bdccf2f49023e378f1b02ea50f4cd8e5ed7efc50222b5a8393f9842a592ab0de4e69599aa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js
| MD5 | 3d20584f7f6c8eac79e17cca4207fb79 |
| SHA1 | 3c16dcc27ae52431c8cdd92fbaab0341524d3092 |
| SHA256 | 0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643 |
| SHA512 | 315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59 |
C:\Users\Admin\AppData\Local\Temp\nsi5AD3.tmp\banner.bmp
| MD5 | 6b2026ed4da8d06fc782c5df14bcf4b6 |
| SHA1 | a9d4cc4b5cd36e756a30f07d61c6674d453c8bdc |
| SHA256 | d25f7dd93e67f584a1757a72c975b19fedf7542035ad9afb8cb3c5b9f72f2284 |
| SHA512 | 89d13e0bf6dd5a933194e7fa195f79e6e5d1f8256fde88588ca888dfe62371a89bbd06a20a9fd5f1cd5caad5f39c08b1d99642a91134163037972459c24412f3 |
C:\Users\Admin\AppData\Local\Temp\nsi5AD3.tmp\ask_eula.rtf
| MD5 | 7bd45e3280288dda6fd602031e2066e8 |
| SHA1 | db4d49155de06f6a10ae50c01c612e4d998547bf |
| SHA256 | 4346de72fee6dbe8b74218d8d9550395bf7f26634eb026ff6359fa0f855e9a4d |
| SHA512 | a3a40b878d46531127a55550c807e6a17374d5d52bd645ba6b61fc0ae551d348247c4d4969c32e60b7bdad7ce1b3167f3d87b4eab2746ae305f182d4084c09d3 |
memory/1560-776-0x0000000070710000-0x000000007071A000-memory.dmp
memory/1560-777-0x0000000074B74000-0x0000000074B75000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | ec1c63da528c9f59034de145861f95ae |
| SHA1 | 1c1d8c9892ad306e0abff24cef033d6011d27a49 |
| SHA256 | dfd97b111093333bead46689c65bbaeebabf5446e7e656663c3908edc9f2d200 |
| SHA512 | 57eef5be14f244dd15eb9dc9918eb681260260282a52f072b5d5a6d5d508e077f2769e8385471d7463a67ba8cc01478d6c1c395c13838c3e9c813656557fe33d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 15c2da45b7e98251eda021af2c45299f |
| SHA1 | 1cf53a6e7ac8a36676dc7aee5d4b4d67f25ac583 |
| SHA256 | 17710187f9bc2731909a200e5d858b8cb3ca3e14b8f3b229f6fc6548fa134b45 |
| SHA512 | 9b66718364ed9ff240a6063adf3f0bff9d057689650244f8fc5a76c5ed5ceaa6b06665c2f820ce958d7b264265fa940c7b771c738a20afbfdd9b2866f40b0009 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 5553ff3adde48492e741458f87f97ece |
| SHA1 | e5a7ace7fb3c77b5841aee755eb17d4893de5996 |
| SHA256 | 0da7041dbf4cab1efcd4c17ce79b225b66662cd9d6a3e082265677e3294a93ce |
| SHA512 | ec160a496cd07beaa3b7a577dd366e34d11d25fe0c143bebf4a0ade099e0aa2c8fd01b0a2a38b6d6ce66a393434e3cd32ed84627446bf123c6ae0462b2e2dd39 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
memory/1560-842-0x0000000070710000-0x000000007071A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57e54f.TMP
| MD5 | df94a43e0f5302e1dadf63b127ca3d74 |
| SHA1 | 15bca9ae219cb7e881b19138b37aa5cad8b95443 |
| SHA256 | 26f4a212ed3aceb886c64b5550410279d9e2207c9da0deae88451e53817f045b |
| SHA512 | 35864145dcb88fff051d44cf5bd27cbf5d4c4846b086f8e7159023e0ad1bf09dc2aebe53abe6706647db4ecb9287937761cdea194a126f1a2a1826a38107f720 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | 8c966d91e1e9ad7c5fde3720ce079e10 |
| SHA1 | 95adc2f1842a414087fa945fab264546e17452ff |
| SHA256 | 04f79dbd15a6583cf6855630c73de81c604c520be5d8e720e7b80c5d56901336 |
| SHA512 | 2e9f8a9948bcf1483445df87ad4ccb92afd105f867affa043e41dfaaf1e70b94570f7eca9f8ec3b21fcbe0c60aad52a0961f836cb3c668eb9b84f09d487166ea |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5806f0.TMP
| MD5 | 41ca082fe76118f58ea34ad24925dd13 |
| SHA1 | 36c35405fcbb4899c902d63cbc4cac04f64e0115 |
| SHA256 | d3ea29756c5fdfe08ac3a00be1c31217a8cdb7357fe3125eef6e4942519b0a4e |
| SHA512 | a7dc8abedfa215669ecb89466f934beacdfb057e4bcbcbddc3ee46e55baf8f04249690a4f107d5d373e01a0b39549da5eec1c25aaf332820611deaec78e8f053 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 2f994c8b37742ed978221eb33d201ec0 |
| SHA1 | bd87bae0e56912b07e1cb23f4307fe88d75b1bef |
| SHA256 | 4422a1c0df10f515a4929f336cb1998ec4e0dfa87b75a0cac2d9fdf6286b8ff0 |
| SHA512 | d842d64566cd38aa92602b379c356477781062344107db14d75ebc49c30b046044dab32e870e74f0d619ef93a22e27da3c2444dfccfdbdb858b64e0de7fabba4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog~RFe586a7d.TMP
| MD5 | 4bc775ac9a0ed46fddcf4b00ccc58114 |
| SHA1 | 1b5dd1a28f9e5f2565f8ba4343f956234053cc7a |
| SHA256 | 101459744c9eb3e5319b983223be34286560fa2c453313b7ab3b69405ae2b2bf |
| SHA512 | 57eb4d081cdaa624de938aaba0c6e3b3b9e961d4e2bc9bd5a0c7fc05ed7ea5d2f5e6a48a79fb60b38a64ac93cda8b0307bdfbc839824a99776ad032e273f83db |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog
| MD5 | b81d1f4353d08f9d315e315b673d3afd |
| SHA1 | df87e28821cb0d88325e33e37628c64a22eecfbd |
| SHA256 | b39d6d052c607feef5e95518460837c326391175d72dd0cd6ca28b786a9f8280 |
| SHA512 | 20ab3a05530a5b6739dc900b8326570866a2caa64feb540bf346c4fe4af1fbadfede58ef690f2206b8e2d39f516ae18b2991eb7a1bb47825bc70c86a1faeeca9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig
| MD5 | f768bcb451a187c18099961c484eef8b |
| SHA1 | 99472c2d1918ea56c632734bc5c8a89ae6d2551c |
| SHA256 | d988156066b7fd22de278fbc96759d2caea6552094ffeb2ddd9307806059c5e4 |
| SHA512 | a4d78de6bcc1e940c466c41c31ee100235b32fef4cb3e7815a9c62dfae1eb3e4588d2c9e8597152ad7754527643c59ea8b811277ac58e4134a3dbf1507fe97bf |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig~RFe586b77.TMP
| MD5 | 904e6e94a1d46374c8630cfd86cc729f |
| SHA1 | e1d9c3f7813878acc6510d48d95b2bf48b2e1a0d |
| SHA256 | 8b2e057387e9714efef3580a36459acf56aab53c806cd7d7dbb6e17cef977ef9 |
| SHA512 | 081e2a26252860ff8d8f7a9d0378ae56f0cc50574d13d2a121afdf74284963747ef874a4d73b1df7774cd8570972f4f513eefe0a0325fd088556d5b1ba946712 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog
| MD5 | 209129472dfdd1172a7418b94aa09e29 |
| SHA1 | 29c1eca9dba0fc8d42319e46b0032f4ce5dc4729 |
| SHA256 | 55e36e1deb2413c5ea96fe9fe650aafc9e92e152cdd8ab80495273c5506d496a |
| SHA512 | e413c20f7ce852db1e457c79c0ac5005ae59c6aad6791d65f85c4bc187371cb1ccf9c5e9319af92730daafc266c293dad5af965bb1d46376533b2cd217cd418b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 5c790c5bc4d7f06fd5a2baaf5fcdb7b6 |
| SHA1 | 252b3bb518803d6a7f0e80e5d6f327b10ad15d92 |
| SHA256 | fc6c8f8448dde36b5c9542ad353c894b13448314bd90bc6ce0a51b6d7b8bff59 |
| SHA512 | 419b35ad7e80c0df6c8a53164b033599b1b22b1094cae52179d271a2a7b3c1e27733189a262489b23200f1a7fe443c0b5d0282d2bf32603f98c3c99d7a99d573 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
| MD5 | 9983aee7e579d5fcabb2c93894c6270d |
| SHA1 | 915330c7c14f64bd8e6cb24d3da4749670391c55 |
| SHA256 | de3a004d274d535766e78aa7b59306c71321dc4c2546cd23a8edde14cd843a2a |
| SHA512 | 81918c6be4cc15bdb57d18a787df74940a7a319366f4b736379959aa9876213d60d17554c03305360ee4d00de660fdb5da10d4410a6d348f0288ab7c73395ac4 |
C:\Program Files\chrome_Unpacker_BeginUnzipping4372_1545489470\manifest.json
| MD5 | af3a9104ca46f35bb5f6123d89c25966 |
| SHA1 | 1ffb1b0aa9f44bdbc57bdf4b98d26d3be0207ee8 |
| SHA256 | 81bd82ac27612a58be30a72dd8956b13f883e32ffb54a58076bd6a42b8afaeea |
| SHA512 | 6a7a543fa2d1ead3574b4897d2fc714bb218c60a04a70a7e92ecfd2ea59d67028f91b6a2094313f606560087336c619093f1d38d66a3c63a1d1d235ca03d36d1 |
C:\Program Files\chrome_Unpacker_BeginUnzipping4372_1899285486\manifest.json
| MD5 | 049c307f30407da557545d34db8ced16 |
| SHA1 | f10b86ebfe8d30d0dc36210939ca7fa7a819d494 |
| SHA256 | c36944790c4a1fa2f2acec5f7809a4d6689ecb7fb3b2f19c831c9adb4e17fc54 |
| SHA512 | 14f04e768956bdd9634f6a172104f2b630e2eeada2f73b9a249be2ec707f4a47ff60f2f700005ca95addd838db9438ad560e5136a10ed32df1d304d65f445780 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.9\protocols.json
| MD5 | f9fd82b572ef4ce41a3d1075acc52d22 |
| SHA1 | fdded5eef95391be440cc15f84ded0480c0141e3 |
| SHA256 | 5f21978e992a53ebd9c138cb5391c481def7769e3525c586a8a94f276b3cd8d6 |
| SHA512 | 17084cc74462310a608355fbeafa8b51f295fb5fd067dfc641e752e69b1ee4ffba0e9eafa263aab67daab780b9b6be370dd3b54dd4ba8426ab499e50ff5c7339 |
C:\Program Files\chrome_Unpacker_BeginUnzipping4372_714680192\manifest.json
| MD5 | c3911ceb35539db42e5654bdd60ac956 |
| SHA1 | 71be0751e5fc583b119730dbceb2c723f2389f6c |
| SHA256 | 31952875f8bb2e71f49231c95349945ffc0c1dd975f06309a0d138f002cfd23d |
| SHA512 | d8b2c7c5b7105a6f0c4bc9c79c05b1202bc8deb90e60a037fec59429c04fc688a745ee1a0d06a8311466b4d14e2921dfb4476104432178c01df1e99deb48b331 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\WorkspacesNavigationComponent\1.0.0.5\nav_config.json
| MD5 | 499d9e568b96e759959dc69635470211 |
| SHA1 | 2462a315342e0c09fd6c5fbd7f1e7ff6914c17e6 |
| SHA256 | 98252dc9f9e81167e893f2c32f08ee60e9a6c43fadb454400ed3bff3a68fbf0d |
| SHA512 | 3a5922697b5356fd29ccf8dcc2e5e0e8c1fd955046a5bacf11b8ac5b7c147625d31ade6ff17be86e79c2c613104b2d2aebb11557399084d422e304f287d8b905 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 3adfe78d0da050474d1f0000481220a3 |
| SHA1 | 3d5111ce22446c4fe96e99f8b1cd8a82845cf299 |
| SHA256 | d186ed1cf6e5f8d05c36c46808e4581c48182b5b7734ab9e761631edbd227185 |
| SHA512 | 70eee6d0f39bda1521842d60f38ecbb1490d9605d4a35dd12a02e480b5c73606c5b904dcbc5ca29715580b6b33b1d44717ddc7f3c852cb66600f6d6894f97ad0 |
C:\Program Files\chrome_Unpacker_BeginUnzipping4372_1939796052\manifest.json
| MD5 | a24a1941bbb8d90784f5ef76712002f5 |
| SHA1 | 5c2b6323c7ed8913b5d0d65a4d21062c96df24eb |
| SHA256 | 2a7fe18a087d8e8be847d9569420b6e8907917ff6ca0fa42be15d4e3653c8747 |
| SHA512 | fd7dfec3d46b2af0bddb5aaeae79467507e0c29bab814007a39ea61231e76123659f18a453ed3feb25f16652a0c63c33545e2a0d419fafea89f563fca6a07ce2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Data Protection Lists\2.0.0.0\office_endpoints_list.json
| MD5 | 94406cdd51b55c0f006cfea05745effb |
| SHA1 | a15dc50ca0fd54d6f54fbc6e0788f6dcfc876cc9 |
| SHA256 | 8480f3d58faa017896ba8239f3395e3551325d7a6466497a9a69bf182647b25e |
| SHA512 | d4e621f57454fea7049cffc9cc3adfb0d8016360912e6a580f6fe16677e7dd7aa2ee0671cb3c5092a9435708a817f497c3b2cc7aba237d32dbdaae82f10591c3 |
Analysis: behavioral3
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win10v2004-20250610-en
Max time kernel
102s
Max time network
127s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3624 wrote to memory of 5740 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3624 wrote to memory of 5740 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3624 wrote to memory of 5740 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InvokeShellVerb.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InvokeShellVerb.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5740 -ip 5740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win10v2004-20250619-en
Max time kernel
103s
Max time network
140s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3784 wrote to memory of 1832 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3784 wrote to memory of 1832 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3784 wrote to memory of 1832 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1832 -ip 1832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 612
Network
| Country | Destination | Domain | Proto |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win11-20250610-en
Max time kernel
101s
Max time network
103s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3696 wrote to memory of 5488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3696 wrote to memory of 5488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3696 wrote to memory of 5488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5488 -ip 5488
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5488 -s 548
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win11-20250619-en
Max time kernel
101s
Max time network
105s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1408 wrote to memory of 2964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1408 wrote to memory of 2964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1408 wrote to memory of 2964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2964 -ip 2964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 468
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win11-20250610-en
Max time kernel
30s
Max time network
141s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1504 wrote to memory of 1588 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1504 wrote to memory of 1588 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1504 wrote to memory of 1588 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1588 -ip 1588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 532
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win10v2004-20250610-en
Max time kernel
101s
Max time network
140s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4496 wrote to memory of 5424 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4496 wrote to memory of 5424 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4496 wrote to memory of 5424 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5424 -ip 5424
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5424 -s 636
Network
| Country | Destination | Domain | Proto |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win11-20250610-en
Max time kernel
101s
Max time network
109s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3768 wrote to memory of 5568 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3768 wrote to memory of 5568 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3768 wrote to memory of 5568 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5568 -ip 5568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5568 -s 460
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win11-20250619-en
Max time kernel
107s
Max time network
114s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5500 wrote to memory of 2156 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5500 wrote to memory of 2156 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5500 wrote to memory of 2156 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\registry.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2156 -ip 2156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 468
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win11-20250619-en
Max time kernel
101s
Max time network
104s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$R1\$_1_\Uninstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 6092 wrote to memory of 236 | N/A | C:\Users\Admin\AppData\Local\Temp\$R1\$_1_\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 6092 wrote to memory of 236 | N/A | C:\Users\Admin\AppData\Local\Temp\$R1\$_1_\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 6092 wrote to memory of 236 | N/A | C:\Users\Admin\AppData\Local\Temp\$R1\$_1_\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\$R1\$_1_\Uninstall.exe
"C:\Users\Admin\AppData\Local\Temp\$R1\$_1_\Uninstall.exe"
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$R1\$_1_\
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | service.jzip.com | udp |
| US | 13.248.169.48:80 | service.jzip.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
| MD5 | a7c8756c56e5a841b91da9d02e769f36 |
| SHA1 | 2ac01ffff9f107f67c701c11a3c89506765689ce |
| SHA256 | 63aca71fc4d483663571e7fd733747a9c7afc527aba7cf3b7ccbbe8292aafb69 |
| SHA512 | 45e224f1c64aa70af39e59f8e2a5ad500d4bf1f9fa9156b0a6626b7737a43237c84562519a5694fe6db3b9696457ab2774fe9bc8bde5fba85fa9612eede969fd |
C:\Users\Admin\AppData\Local\Temp\nsn81A4.tmp\UAC.dll
| MD5 | a88baad3461d2e9928a15753b1d93fd7 |
| SHA1 | bb826e35264968bbc3b981d8430ac55df1e6d4a6 |
| SHA256 | c5ab2926c268257122d0342739e73573d7eeda34c861bc7a68a02cbc69bd41af |
| SHA512 | 5edcf46680716930da7fd1a41b8b0426f057cf4becefb3ee84798ec8b449726afb822fb626c4942036a1ae3bb937184d1f71d0e45075abb5bf167f5d833df43a |
C:\Users\Admin\AppData\Local\Temp\nsn81A4.tmp\registry.dll
| MD5 | 2b7007ed0262ca02ef69d8990815cbeb |
| SHA1 | 2eabe4f755213666dbbbde024a5235ddde02b47f |
| SHA256 | 0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d |
| SHA512 | aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca |
C:\Users\Admin\AppData\Local\Temp\nsn81A4.tmp\System.dll
| MD5 | bf712f32249029466fa86756f5546950 |
| SHA1 | 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e |
| SHA256 | 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af |
| SHA512 | 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4 |
memory/236-15-0x0000000003160000-0x00000000031B9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsn81A4.tmp\apphelp.dll
| MD5 | fe83bf8c380b208bd7738ac0d5645962 |
| SHA1 | fd83745c0f286d9b2b43316ac9ee1d14459b47f9 |
| SHA256 | 3f6b1e16842b9ac03cf2aa285ce812d1c526f610854b7e110ac1b4625d55ecf6 |
| SHA512 | 217df4fdf9e9e3c4b525d00c7c680fc77c63a52817c53b59e5f786eda68b766a8068e44c04c74dc8e695711051d59097c4c2b35e9f1eace38a5cec4e7530b2d3 |
C:\Users\Admin\AppData\Local\Temp\nsn81A4.tmp\nsDialogs.dll
| MD5 | 4ccc4a742d4423f2f0ed744fd9c81f63 |
| SHA1 | 704f00a1acc327fd879cf75fc90d0b8f927c36bc |
| SHA256 | 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6 |
| SHA512 | 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb |
C:\Users\Admin\AppData\Local\Temp\nsn81A4.tmp\nsExec.dll
| MD5 | 132e6153717a7f9710dcea4536f364cd |
| SHA1 | e39bc82c7602e6dd0797115c2bd12e872a5fb2ab |
| SHA256 | d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2 |
| SHA512 | 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1 |
Analysis: behavioral4
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win11-20250619-en
Max time kernel
101s
Max time network
106s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3944 wrote to memory of 3268 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3944 wrote to memory of 3268 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3944 wrote to memory of 3268 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InvokeShellVerb.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InvokeShellVerb.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3268 -ip 3268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 460
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win10v2004-20250502-en
Max time kernel
104s
Max time network
141s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4120 wrote to memory of 3864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4120 wrote to memory of 3864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4120 wrote to memory of 3864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MoreInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MoreInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3864 -ip 3864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 604
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win11-20250619-en
Max time kernel
101s
Max time network
104s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4792 wrote to memory of 5488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4792 wrote to memory of 5488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4792 wrote to memory of 5488 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5488 -ip 5488
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5488 -s 480
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win11-20250619-en
Max time kernel
102s
Max time network
129s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ask_eula.rtf" /o ""
Network
| Country | Destination | Domain | Proto |
| FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp |
| GB | 2.19.248.199:443 | metadata.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.19.252.143:443 | binaries.templates.cdn.office.net | tcp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/3856-0-0x00007FFE5F950000-0x00007FFE5F960000-memory.dmp
memory/3856-2-0x00007FFE5F950000-0x00007FFE5F960000-memory.dmp
memory/3856-1-0x00007FFE9F964000-0x00007FFE9F965000-memory.dmp
memory/3856-3-0x00007FFE5F950000-0x00007FFE5F960000-memory.dmp
memory/3856-4-0x00007FFE9F8C0000-0x00007FFE9FAC9000-memory.dmp
memory/3856-5-0x00007FFE5F950000-0x00007FFE5F960000-memory.dmp
memory/3856-6-0x00007FFE9F8C0000-0x00007FFE9FAC9000-memory.dmp
memory/3856-7-0x00007FFE9F8C0000-0x00007FFE9FAC9000-memory.dmp
memory/3856-9-0x00007FFE9F8C0000-0x00007FFE9FAC9000-memory.dmp
memory/3856-10-0x00007FFE9F8C0000-0x00007FFE9FAC9000-memory.dmp
memory/3856-8-0x00007FFE5F950000-0x00007FFE5F960000-memory.dmp
memory/3856-11-0x00007FFE5D730000-0x00007FFE5D740000-memory.dmp
memory/3856-12-0x00007FFE5D730000-0x00007FFE5D740000-memory.dmp
memory/3856-27-0x00007FFE9F8C0000-0x00007FFE9FAC9000-memory.dmp
memory/3856-28-0x00007FFE9F964000-0x00007FFE9F965000-memory.dmp
memory/3856-29-0x00007FFE9F8C0000-0x00007FFE9FAC9000-memory.dmp
memory/3856-30-0x00007FFE9F8C0000-0x00007FFE9FAC9000-memory.dmp
memory/3856-31-0x00007FFE9F8C0000-0x00007FFE9FAC9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TCDA089.tmp\sist02.xsl
| MD5 | f883b260a8d67082ea895c14bf56dd56 |
| SHA1 | 7954565c1f243d46ad3b1e2f1baf3281451fc14b |
| SHA256 | ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353 |
| SHA512 | d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e |
memory/3856-529-0x00007FFE5F950000-0x00007FFE5F960000-memory.dmp
memory/3856-533-0x00007FFE9F8C0000-0x00007FFE9FAC9000-memory.dmp
memory/3856-532-0x00007FFE9F8C0000-0x00007FFE9FAC9000-memory.dmp
memory/3856-531-0x00007FFE5F950000-0x00007FFE5F960000-memory.dmp
memory/3856-530-0x00007FFE5F950000-0x00007FFE5F960000-memory.dmp
memory/3856-528-0x00007FFE5F950000-0x00007FFE5F960000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win10v2004-20250619-en
Max time kernel
103s
Max time network
136s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2612 wrote to memory of 4444 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2612 wrote to memory of 4444 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2612 wrote to memory of 4444 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4444 -ip 4444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 636
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win11-20250610-en
Max time kernel
150s
Max time network
147s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\jZip\log.log | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\128.png | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\zh_TW\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_834322335\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_1520333538\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_1070143267\edge_autofill_global_block_list.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_1070143267\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\offscreendocument_main.js | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\lo\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\gl\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\nl\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\ca\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\zh_CN\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\cy\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\ta\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\sv\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\zu\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_metadata\verified_contents.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\service_worker_bin_prod.js | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\ko\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\lt\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\tr\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\id\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\pl\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\ro\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\km\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\page_embed_script.js | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\sl\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\th\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\ar\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\en_CA\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_1520333538\deny_etld1_domains.list | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_1070143267\autofill_bypass_cache_forms.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\offscreendocument.html | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\fr_CA\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\pa\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\da\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\ur\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\zh_HK\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\es\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\bn\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\kk\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\en_GB\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\kn\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_1070143267\v1FieldTypes.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_1070143267\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Windows\SystemTemp | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\ms\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\gu\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\hr\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\be\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\fr\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\te\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\en\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\msedge_url_fetcher_684_1428626375\GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_93_1_0.crx | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\hi\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\mn\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_834322335\LICENSE | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_1070143267\regex_patterns.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_606528645\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_615991802\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\uk\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\fi\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_764584570\_locales\az\messages.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133961240805321819" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe\IsHostApp | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2340264150-4060318110-2688614100-1000\{E1E76B72-44D1-4D3E-B530-B35F2F18D3F5} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2340264150-4060318110-2688614100-1000\{D5A0CF24-8597-44F9-9FB1-A1F204383393} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c70bab0ffbbf03ae6d4f95c7454a052.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.jzip.com/terms_of_use.php
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.jzip.com/terms_of_use.php
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x36c,0x7ffd5845f208,0x7ffd5845f214,0x7ffd5845f220
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1760,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=2136 /prefetch:11
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2484,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=2500 /prefetch:13
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2100,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=2096 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3392,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=3456 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3400,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=3460 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4172,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=5036,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=5024 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4680,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=3460 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=5204,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=3624 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=5140,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=5008 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=5560,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=5548 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5708,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=5732 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5600,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=5704 /prefetch:12
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6180,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=6240 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6188,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=6264 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6976,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=6992 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6928,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=7052 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6928,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=7052 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7208,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=7220 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
cookie_exporter.exe --cookie-json=1140
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7204,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=7472 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7484,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=6128 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7036,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=7116 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7064,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=7364 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7108,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=7468 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6232,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=7364 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6260,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=6748 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7184,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=7188 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6968,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=7640 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7644,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=7260 /prefetch:14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=7256,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=7468 /prefetch:10
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6044,i,13545320579499916001,1731640873491073682,262144 --variations-seed-version --mojo-platform-channel-handle=6244 /prefetch:14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.secondofferdelivery.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | www.jzip.com | udp |
| US | 8.8.8.8:53 | www.jzip.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 13.248.169.48:80 | www.jzip.com | tcp |
| US | 150.171.27.11:80 | edge.microsoft.com | tcp |
| US | 13.248.169.48:80 | www.jzip.com | tcp |
| US | 8.8.8.8:53 | www.jzip.com | udp |
| US | 8.8.8.8:53 | www.jzip.com | udp |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| US | 8.8.8.8:53 | copilot.microsoft.com | udp |
| US | 8.8.8.8:53 | copilot.microsoft.com | udp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| US | 13.107.246.64:443 | api.edgeoffer.microsoft.com | tcp |
| GB | 2.18.27.68:443 | copilot.microsoft.com | tcp |
| US | 13.248.169.48:443 | www.jzip.com | tcp |
| US | 13.248.169.48:443 | www.jzip.com | tcp |
| US | 13.107.246.64:443 | api.edgeoffer.microsoft.com | tcp |
| GB | 2.18.27.68:443 | copilot.microsoft.com | tcp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| US | 13.248.169.48:443 | www.jzip.com | tcp |
| US | 13.248.169.48:443 | www.jzip.com | tcp |
| US | 8.8.8.8:53 | www.godaddy.com | udp |
| US | 8.8.8.8:53 | www.godaddy.com | udp |
| GB | 184.26.44.14:443 | www.godaddy.com | tcp |
| US | 8.8.8.8:53 | img6.wsimg.com | udp |
| US | 8.8.8.8:53 | img6.wsimg.com | udp |
| GB | 2.18.27.70:443 | img6.wsimg.com | tcp |
| GB | 2.18.27.70:443 | img6.wsimg.com | tcp |
| GB | 2.18.27.70:443 | img6.wsimg.com | tcp |
| GB | 2.18.27.70:443 | img6.wsimg.com | tcp |
| GB | 184.26.44.14:443 | www.godaddy.com | tcp |
| US | 8.8.8.8:53 | gui.godaddy.com | udp |
| US | 8.8.8.8:53 | gui.godaddy.com | udp |
| US | 8.8.8.8:53 | img1.wsimg.com | udp |
| US | 8.8.8.8:53 | img1.wsimg.com | udp |
| US | 8.8.8.8:53 | csp.godaddy.com | udp |
| US | 8.8.8.8:53 | csp.godaddy.com | udp |
| GB | 23.200.208.14:443 | csp.godaddy.com | tcp |
| GB | 23.200.208.14:443 | csp.godaddy.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | update.googleapis.com | udp |
| US | 8.8.8.8:53 | update.googleapis.com | udp |
| GB | 216.58.201.99:443 | update.googleapis.com | tcp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| GB | 216.58.201.97:443 | clients2.googleusercontent.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | edgeassetservice.azureedge.net | udp |
| US | 8.8.8.8:53 | edgeassetservice.azureedge.net | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | edgeassetservice.azureedge.net | udp |
| US | 8.8.8.8:53 | edgeassetservice.azureedge.net | udp |
| US | 13.107.246.64:443 | edgeassetservice.azureedge.net | tcp |
| GB | 184.26.44.14:443 | gui.godaddy.com | tcp |
| GB | 23.200.208.14:443 | csp.godaddy.com | tcp |
| US | 8.8.8.8:53 | edge-consumer-static.azureedge.net | udp |
| US | 8.8.8.8:53 | edge-consumer-static.azureedge.net | udp |
| US | 13.107.246.64:443 | edge-consumer-static.azureedge.net | tcp |
| US | 8.8.8.8:53 | static.edge.microsoftapp.net | udp |
| US | 8.8.8.8:53 | static.edge.microsoftapp.net | udp |
| US | 13.107.246.64:443 | static.edge.microsoftapp.net | tcp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| GB | 2.20.12.95:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| GB | 2.18.27.76:443 | www.bing.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsf92FA.tmp\registry.dll
| MD5 | 2b7007ed0262ca02ef69d8990815cbeb |
| SHA1 | 2eabe4f755213666dbbbde024a5235ddde02b47f |
| SHA256 | 0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d |
| SHA512 | aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca |
C:\Users\Admin\AppData\Local\Temp\nsf92FA.tmp\System.dll
| MD5 | bf712f32249029466fa86756f5546950 |
| SHA1 | 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e |
| SHA256 | 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af |
| SHA512 | 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4 |
C:\Users\Admin\AppData\Local\Temp\nsf92FA.tmp\UserInfo.dll
| MD5 | c7ce0e47c83525983fd2c4c9566b4aad |
| SHA1 | 38b7ad7bb32ffae35540fce373b8a671878dc54e |
| SHA256 | 6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae |
| SHA512 | ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e |
C:\Users\Admin\AppData\Local\Temp\nsf92FA.tmp\UAC.dll
| MD5 | a88baad3461d2e9928a15753b1d93fd7 |
| SHA1 | bb826e35264968bbc3b981d8430ac55df1e6d4a6 |
| SHA256 | c5ab2926c268257122d0342739e73573d7eeda34c861bc7a68a02cbc69bd41af |
| SHA512 | 5edcf46680716930da7fd1a41b8b0426f057cf4becefb3ee84798ec8b449726afb822fb626c4942036a1ae3bb937184d1f71d0e45075abb5bf167f5d833df43a |
C:\Users\Admin\AppData\Local\Temp\nsf92FA.tmp\apphelp.dll
| MD5 | fe83bf8c380b208bd7738ac0d5645962 |
| SHA1 | fd83745c0f286d9b2b43316ac9ee1d14459b47f9 |
| SHA256 | 3f6b1e16842b9ac03cf2aa285ce812d1c526f610854b7e110ac1b4625d55ecf6 |
| SHA512 | 217df4fdf9e9e3c4b525d00c7c680fc77c63a52817c53b59e5f786eda68b766a8068e44c04c74dc8e695711051d59097c4c2b35e9f1eace38a5cec4e7530b2d3 |
C:\Users\Admin\AppData\Local\Temp\nsf92FA.tmp\soffer.dll
| MD5 | 0d1d780cd2d8445c4718d23e8f2551cd |
| SHA1 | 348618b28381aa43b1696ae26325a02e27c51c60 |
| SHA256 | 3c4307e83e3264571a5e5e80e01da4d7bce98f0c9e36564b10ff21edbc613330 |
| SHA512 | 02776fbbd10556d4152660440059eb29358103e1ae71df289ef0ef11f66d9bef4053813553a4fea71af427ae866e5c6222693b3e5295be9592827b073f592e34 |
memory/5728-40-0x00000000033B0000-0x00000000033B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsf92FA.tmp\nsDialogs.dll
| MD5 | 4ccc4a742d4423f2f0ed744fd9c81f63 |
| SHA1 | 704f00a1acc327fd879cf75fc90d0b8f927c36bc |
| SHA256 | 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6 |
| SHA512 | 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb |
C:\Users\Admin\AppData\Local\Temp\nsf92FA.tmp\nsArray.dll
| MD5 | 7fc4723bb0a4118e5f91047021d1aacd |
| SHA1 | 092a321a21d802045105ecc8cd3c9d7d2c6da923 |
| SHA256 | 8f9bfeebfa3b070b116de61a63271b6c25af0dbb4bbfb4ae73e334d1f8517efd |
| SHA512 | 1fe86533987ff1c4d446b231dc1ff2c3bbce224ae91b73ffead539f08740bfb06d2f40f1aedf0571106dc4e12eec27aa32018c2bf5361b7488c07b4d90800f02 |
memory/5728-57-0x000000006FFB0000-0x000000006FFBA000-memory.dmp
memory/5728-71-0x0000000074124000-0x0000000074125000-memory.dmp
memory/5728-70-0x0000000006140000-0x0000000006141000-memory.dmp
memory/5728-69-0x00000000033B0000-0x00000000033B1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | ca4ddba46b5afeff8344675515c9f343 |
| SHA1 | f52cd12cb0b80c47d2208355151364b451e10478 |
| SHA256 | eac2b723fe0a123ab0560772cdb1d16d7410a8312b6f8a9257f2564e372e9039 |
| SHA512 | 58efe5c67bc7bbe1f4d6d1669149b37a6c792cc77ea6db8632785ba97dc74a550cb90017c1e4947742e844f981e47e1f6e3c35b12215d64119af1890a912c7db |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 0a40cba33c068849a0319b807a59601c |
| SHA1 | 1997a675e36dc63380eff92e71b5639847b1da5e |
| SHA256 | ea865b10b30786c6016a7efc41df7302e6154f46b90d68fb661cf3223daffedc |
| SHA512 | 9b28750aab20cff89c29df07f37f47430708be9fda1d02d23898d53959c86a836b2cf8d6325c2e42a89f68cd48bcd946f8beac2fa46aa95c2fa115907b7ebdff |
\??\pipe\crashpad_684_OQXAHPZMNYZMARTJ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | d9907e3cff5ea47c2b9c7ab5bf0031c2 |
| SHA1 | 840fe0665da66dc44e8244c25fc7151ea9192e9e |
| SHA256 | 4f8b505f8522eb29921f8abd0bc71631623c24d25c7570d444ecb7bdb2a0195d |
| SHA512 | 88d27898ab9c643c76366cd8989bfd5e6524bc5e6993dca519a6dd9dd4dfbddc95e53e38ee8dbed3fb6f72191389209cbe97a27033a4a5979f8f7ce9d164a2d1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps
| MD5 | 06d55006c2dec078a94558b85ae01aef |
| SHA1 | 6a9b33e794b38153f67d433b30ac2a7cf66761e6 |
| SHA256 | 088bb586f79dd99c5311d14e1560bbe0bb56225a1b4432727d2183341c762bcd |
| SHA512 | ec190652af9c213ccbb823e69c21d769c64e3b9bae27bea97503c352163bf70f93c67cebbf327bfc73bfd632c9a3ae57283b6e4019af04750fe18a2410a68e60 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log
| MD5 | 8388c1db41613ef6b8258d4da459f0c0 |
| SHA1 | 1b2fa184151b23f3df436033ff0dcb8e73b75773 |
| SHA256 | 61e60c450be8e29a9cebc6b209b841b461685369e622786f560584efff489145 |
| SHA512 | ca8d040cdce94d5935bb4c083968b21a7213aa2cf60775830ebd149d5ca1772df47bf2fadbf98c12a214ca0cd3aa94fd3c4d0963dd2d7e0230714cf19d345df9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 13d6188cf2a79e6f4bb95a56520ab6a1 |
| SHA1 | 2121af3508e95b398cb8ace7999be965ce7f308c |
| SHA256 | 64a343ff7135b1ed4a1697eabd134dcb0fa6ea3c4cc860525a24252698f1eb1e |
| SHA512 | 51275703c0151ee53f7623c1b8b28792ab241568a141db90a3415f0b372b8454addc0266d23e03e6e1a29b7bf33001ddffe2487789a9718977934ef641a0a298 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.0a6b11a5b642bf6c1938189707e109a1f48eb02018cfb146f09e74a753567d1b
| MD5 | b384b2c8acf11d0ca778ea05a710bc01 |
| SHA1 | 4d3e01b65ed401b19e9d05e2218eeb01a0a65972 |
| SHA256 | 0a6b11a5b642bf6c1938189707e109a1f48eb02018cfb146f09e74a753567d1b |
| SHA512 | 272dd92a3efbf6cefe4b13127e09a9bd6455f5fc4913e7477c6712e4c3fd67efe87bd0d5bf1ec6b1e65f8d3aa0ac99d5bcf88d8a44d3f3116527253a01dde3be |
memory/5728-671-0x0000000074124000-0x0000000074125000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c6c14deeeaabb818d1b924df6e8b3b13 |
| SHA1 | b32aebb1c49ccfcc08ec6bf9c513007fe6f47850 |
| SHA256 | aaef9e432b058bceaa21ef2c7f9a7c55752d8ec79e551b7f18a1266b8faf520e |
| SHA512 | 4492027dd9339b6dd73f453c7cdc895b94910e725d8bca68a787599a914a0e8c10ddb63c95fd4a00fda18899995a650738d86c9522029b9ab761c2d061490de6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
| MD5 | 20d4b8fa017a12a108c87f540836e250 |
| SHA1 | 1ac617fac131262b6d3ce1f52f5907e31d5f6f00 |
| SHA256 | 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d |
| SHA512 | 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | f46d1312c4dfd2c5c9cbaa39d3f528fd |
| SHA1 | 39bb0b85700a0b747e65768b16deb9d994d132db |
| SHA256 | 340ac72d6ef6f56304bbb5330bc046835c972cde40aa879f82b6fdf4730de30e |
| SHA512 | 9bfde123862fa700a0e33a8d462abe9fd4e5aef3c153714e3171f870cc278de4e867a1ce953d3960d77427b01e6a6fd3d43074062600ab69cff7974f5cc0a9d7 |
C:\Users\Admin\AppData\Local\Temp\nsf92FA.tmp\banner.bmp
| MD5 | 6b2026ed4da8d06fc782c5df14bcf4b6 |
| SHA1 | a9d4cc4b5cd36e756a30f07d61c6674d453c8bdc |
| SHA256 | d25f7dd93e67f584a1757a72c975b19fedf7542035ad9afb8cb3c5b9f72f2284 |
| SHA512 | 89d13e0bf6dd5a933194e7fa195f79e6e5d1f8256fde88588ca888dfe62371a89bbd06a20a9fd5f1cd5caad5f39c08b1d99642a91134163037972459c24412f3 |
C:\Users\Admin\AppData\Local\Temp\nsf92FA.tmp\ask_eula.rtf
| MD5 | 7bd45e3280288dda6fd602031e2066e8 |
| SHA1 | db4d49155de06f6a10ae50c01c612e4d998547bf |
| SHA256 | 4346de72fee6dbe8b74218d8d9550395bf7f26634eb026ff6359fa0f855e9a4d |
| SHA512 | a3a40b878d46531127a55550c807e6a17374d5d52bd645ba6b61fc0ae551d348247c4d4969c32e60b7bdad7ce1b3167f3d87b4eab2746ae305f182d4084c09d3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 9da5a69cdadaba9068377221165a5ca9 |
| SHA1 | f9a7544d85c1ce425cbb8d7ca42574d52f5af424 |
| SHA256 | 995ffa89c73950649648d793fec84aea01ec5929b17727f42b4b1a45e4c5c72b |
| SHA512 | b29748ac880a3c6fe9c4ce0551e3b7baadf28a435aa3bf7af56e7b57f4338a46c3e615c270f69a5c2c18feba604fcd407f7c3e1297063a8544cae8157fce36b1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe581690.TMP
| MD5 | 5ad8e9e12ba2f5d1d4f9e3335afde846 |
| SHA1 | e90f3f71a5cc317e8ac15206e9998174482ade5a |
| SHA256 | 05d50f4f79290b3991b2e18ac8e7b82fbb0af340e68f21654450e349722aa52f |
| SHA512 | 1c88e02905188cec919fdca8b3415f5b97e0fdaa29a52c3d5d433f7266fd7e1efb6063291da013680af80fd09f983a6340272afc461c3dc60e231d616972f1ae |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | fb0dda38f2d78f2722dcd4db2cf8a3ff |
| SHA1 | 356c5dbd84eab204009a4d892789282e09a5ba26 |
| SHA256 | 4ce692113c7d00d4ae0838c557c6f85cecd1654681b1cf716e1a0a78424382c2 |
| SHA512 | 91013d5e2afa69c8a92a241334272c2b5bcd9c6ccf4503fa37cebc073731dea1c542c7ae046e3f38e67be9ffe864618f3b6999893dde580d8c795f5687c28697 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe581cca.TMP
| MD5 | 8de69417a670c9f49e99196835ca71d0 |
| SHA1 | 943cce2b2d0c892f9568a40b7e03a26c89bf4d46 |
| SHA256 | e070f591dc808142a46d093974060a09754a29e918c64abe9ab084cc9c2ca314 |
| SHA512 | c3fa2c0092a898e0de878879056ad016bf9949f938d388cd0c1bcddfadae8cdd8350f4e18c4bae1268324637028126ff89e831255513552516dd53803b7841e5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | b7188055e02d141f9c45a086eac7bb7d |
| SHA1 | 27444122edf9ef642ef5bdcf0c8890aecc0566c3 |
| SHA256 | a563edff52075fef6d972b90c1e1c2518df667508f03079bdba3aa0e21a8cc58 |
| SHA512 | 9873035d2e55cc60247f11d377f6c83e65298cd9d088fa731009f1927282efb61630c6f035ddc495d143409d557a32106d2dfd564ca7b271550971a8291cb900 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog
| MD5 | eb87ca16416c4a54c4338c079eca6aa5 |
| SHA1 | 518fdb11a9bfbff0fc0f7cf121b9b5a8e989bbea |
| SHA256 | d6239e1b4656ec7b31c8a014e8b32a04536e655566b088a1bc58cb1e330870e9 |
| SHA512 | 876609b0c973de7f7074b2047981466443a43daea2924b8641e9eeb9aa4cd1fb054c333a89eccf092b9b4275d74369c69d402871136ee62fbf5a2a4f887d0263 |
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_834322335\LICENSE
| MD5 | ee002cb9e51bb8dfa89640a406a1090a |
| SHA1 | 49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2 |
| SHA256 | 3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b |
| SHA512 | d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c |
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_834322335\manifest.json
| MD5 | e0909520982fc48e47a6451443b11741 |
| SHA1 | 0e46425274933c153ebf5a03f25e693267a8cea2 |
| SHA256 | 2e9e6138305d702f3c9b89d6e9dc4931b548c69bb86db64e585fa2e37b8ef654 |
| SHA512 | 3fdf504cb0bf39a807fa15a8ec31a6efd8083888692935ec31d70b4ef6eef89b8527c6a75a46bf7ae3efeeaa507ac3c7cccda5246a2f073ac603a7ffa10d20a8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | f9874ea24271c2c87dd1e8207c2e7179 |
| SHA1 | 9df3033aa31e90b50f89761a51a32a86146bcf80 |
| SHA256 | fc09c71515fb9d78f18270ab1764a56dbd10ef0929a70e60d3798ee556a38806 |
| SHA512 | 889c0da31066bb24dcf7ad1486f4bde85222efce599013843e803f0410dc3e4dd211273bfded13c6f1feb139f7efeabb6e47dc54dbeb223a147fa33670cec1b4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
| MD5 | 6cfad45ef108b53395e869f72a7e2638 |
| SHA1 | 2bf5ebcf1bf8fc754656c94dad96fdbba2ce75a8 |
| SHA256 | f244950786d5e9c5816e4cc291be8a1e47b9a9689600e54aa5b998b6ea28547d |
| SHA512 | 69f81961e66fb7d48fe3bca397d9d3483823d36282fc09b1770aa885c0c21e7095fa28b64fd57d4d2cdc55ba3d0b81a2518ef343717bb6a672e46930f6ea4489 |
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_1520333538\manifest.json
| MD5 | 8177721150435a9b333475e2b8a6e691 |
| SHA1 | 8aa8981617e8f3d8967a0a4a2d20315317eba293 |
| SHA256 | 8a4800ed5f63b9371a024c501ee2b031af94539e32e6753214e6d99c625c018c |
| SHA512 | 540c4c52030c6a4e1efcfab5eb59760c696bb3e3f1b8f93c97a6368639a911ba3d395190fc0798d99f3c63e25b6dcf2ded482bbda34d36ddd874dd20c2cfdf74 |
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_1070143267\manifest.json
| MD5 | 390af74c5ae643320cad0cef4fa8fee1 |
| SHA1 | 22ce727f9bcff9a914eb1d58ba8384de6fbda7e1 |
| SHA256 | 1148c28e540b9b96237b35170a547a13165d6c7c039b8fff9e4b2cd774b92f5a |
| SHA512 | deaeeeffdddea1a9047e97d82e3bb701fb865adcd77ef9e985bb0ec5e4057155e7b83cad4f9f3dd256edf89f19d1075349cea5005dffff8420da4d0646be413a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.1.24\edge_autofill_global_block_list.json
| MD5 | adb5f6058f82680a26d6ed02b44e5a21 |
| SHA1 | 6197ee74e40c742e184357dcb6dfcc7e32818cae |
| SHA256 | 7655c9afb5f2ea39b18e302498b34009ca02b72451f82a6d4e7fb4d8d954f050 |
| SHA512 | 742dd8f6eaf1bd5f24b37e90d7a3dce7bd0a8edf399c2dec25cd92d2bd6e1d663ebab3c68234812f0144061d4f22f0c2c43de890f60e24d93133bbfe23a6d1c5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.1.24\autofill_bypass_cache_forms.json
| MD5 | 9357a694006d8bec3d0f8c9607b76ff8 |
| SHA1 | 6335ce691999ec10de742cd07d074eb648631259 |
| SHA256 | b6c37df977f149c5a444c72ea4469ce666c7975d34c6e2e0d9d8ec416f57dd44 |
| SHA512 | 87c2d0192f3a78b13a691cda14da507f260d13331b792eb973869bd6dbd0f207faa48f68882be691641b46c06ed12ee8b9728a3b596df67a1f9a4831b4369a44 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.1.24\v1FieldTypes.json
| MD5 | c1a0d30e5eebef19db1b7e68fc79d2be |
| SHA1 | de4ccb9e7ea5850363d0e7124c01da766425039c |
| SHA256 | f3232a4e83ffc6ee2447aba5a49b8fd7ba13bcfd82fa09ae744c44996f7fcdd1 |
| SHA512 | f0eafae0260783ea3e85fe34cc0f145db7f402949a2ae809d37578e49baf767ad408bf2e79e2275d04891cd1977e8a018d6eeb5b95e839083f3722a960ccb57a |
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping684_606528645\manifest.json
| MD5 | b4d869dd7052d78d29b3e439565f1600 |
| SHA1 | caa2cfa31729f4348a02514eba0235e72b88ce5a |
| SHA256 | 0f8ee89c4a420bda691d058cdd96c874c2edeec84145c81c957e98d05e351d3c |
| SHA512 | 1fda3488df8c43ad413b2e69a5e2292322fe837f7b27b88302b4e591e7e13fdceacb0af9b8bb92ca7c0d2b39abffc776c6cc35d18abb86ce91f55c719b43480e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.3.11\data.txt
| MD5 | 1bee2c36cebf096d8a559d5c4eeacff7 |
| SHA1 | c695eda67f31d729dfc336b8a471ad6346a39031 |
| SHA256 | 5e4014e267eec120e673cfbc407e4340c234a7898319b35a304ed6ea343a7999 |
| SHA512 | ba520d383be95d8b15140b7e38e4e7ac03077bbbb8ee5326ac4162be9403bc9f0576e53840fc22cd9c4038f19f60bdeb7b4e8e0125da6ed80670238de812b4b5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 438d8abc00e24955beeae5c4888df413 |
| SHA1 | d7a768d9906ccba9f3ad5ac3696c408bdb3a3093 |
| SHA256 | 59cedf6d3c9a8723be0b2809db5199bf92c540be0b6bee43f5b704d70d11805f |
| SHA512 | be9e7e4546402e0c1779a519d5f67231adac4c3903634383e209d5ebcbe00203d7d60dece8206c2ef4903f4025fda07cacbc73c030432bb76262ab8d0f8b0aa9 |
Analysis: behavioral6
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win11-20250610-en
Max time kernel
40s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3596 wrote to memory of 2748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3596 wrote to memory of 2748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3596 wrote to memory of 2748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MoreInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\MoreInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2748 -ip 2748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 452
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win11-20250610-en
Max time kernel
102s
Max time network
114s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2412 wrote to memory of 3652 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2412 wrote to memory of 3652 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2412 wrote to memory of 3652 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3652 -ip 3652
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 532
Network
| Country | Destination | Domain | Proto |
| US | 52.111.229.48:443 | tcp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win10v2004-20250502-en
Max time kernel
103s
Max time network
148s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5568 wrote to memory of 4236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5568 wrote to memory of 4236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5568 wrote to memory of 4236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4236 -ip 4236
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win10v2004-20250610-en
Max time kernel
103s
Max time network
141s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5732 wrote to memory of 3012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5732 wrote to memory of 3012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5732 wrote to memory of 3012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisXML.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisXML.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3012 -ip 3012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 636
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win10v2004-20250610-en
Max time kernel
105s
Max time network
139s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 6020 wrote to memory of 6120 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 6020 wrote to memory of 6120 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 6020 wrote to memory of 6120 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UAC.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6120 -ip 6120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6120 -s 624
Network
| Country | Destination | Domain | Proto |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2025-07-04 17:34
Reported
2025-07-04 17:36
Platform
win11-20250619-en
Max time kernel
103s
Max time network
104s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5768 wrote to memory of 5948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5768 wrote to memory of 5948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5768 wrote to memory of 5948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5948 -ip 5948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 544