Analysis Overview
SHA256
76c838fd441934a2adc953d69d5e8415b0384e3cd3b2576fdeb0aa4d07148786
Threat Level: Shows suspicious behavior
The file JaffaCakes118_1c767504f104ee50e4b36d570ad425e6 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Checks installed software on the system
Checks whether UAC is enabled
Installs/modifies Browser Helper Object
Drops file in System32 directory
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Enumerates physical storage devices
NSIS installer
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
System policy modification
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-04 18:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral6
Detonation Overview
Submitted
2025-07-04 18:04
Reported
2025-07-04 18:07
Platform
win11-20250610-en
Max time kernel
100s
Max time network
102s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5752 wrote to memory of 4812 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5752 wrote to memory of 4812 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5752 wrote to memory of 4812 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4812 -ip 4812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 448
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2025-07-04 18:04
Reported
2025-07-04 18:07
Platform
win11-20250619-en
Max time kernel
101s
Max time network
102s
Command Line
Signatures
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | user.webedit.co.kr | udp |
| US | 8.8.8.8:53 | log.webedit.co.kr | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2025-07-04 18:04
Reported
2025-07-04 18:07
Platform
win10v2004-20250502-en
Max time kernel
101s
Max time network
137s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\ButtonText = "웹에디트 설정 실행" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll,201" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\HotIcon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll,202" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\ClsidExtension = "{053202B5-4539-4c5a-B531-42C754ABBD41}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\Default Visible = "Yes" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\TypeLib\ = "{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ProgID\ = "webedit_tb.webedit_tbObject.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CurVer\ = "webedit_tb.webedit_tbObject.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\VersionIndependentProgID\ = "webedit_tb.webedit_tbObject" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ = "Iwebedit_tbObject" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\ = "{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CLSID\ = "{053202B5-4539-4c5a-B531-42C754ABBD41}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ = "webedit_tbObject Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ = "Iwebedit_tbObject" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\ = "{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\ = "webedit_tbObject Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\ = "webedit_tbObject Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\CLSID\ = "{053202B5-4539-4c5a-B531-42C754ABBD41}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\ = "webedit_tb 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3712 wrote to memory of 5204 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3712 wrote to memory of 5204 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3712 wrote to memory of 5204 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditastb.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditastb.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/5204-0-0x00000000012B0000-0x000000000135D000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2025-07-04 18:04
Reported
2025-07-04 18:07
Platform
win10v2004-20250610-en
Max time kernel
103s
Max time network
133s
Command Line
Signatures
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9133CA1-662F-4237-80E3-B623C4D6E461} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ = "WebEdit_APIClass Helper" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.application | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ = "WebEdit Web3.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ = "IWebEdit_API" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\CLSID\ = "{C9133CA1-662F-4237-80E3-B623C4D6E461}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditas.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\ = "WebEdit_APIClass Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ = "IWebEdit_API" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.application\sid = "QzkxMzNDQTEtNjYyRi00MjM3LTgwRTMtQjYyM0M0RDZFNDYx" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CLSID\ = "{C9133CA1-662F-4237-80E3-B623C4D6E461}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditas.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\ = "WebEdit_APIClass Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ProgID\ = "WebEdit_BHO.WebEdit_APIClass.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\VersionIndependentProgID\ = "WebEdit_BHO.WebEdit_APIClass" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\ = "WebEdit_APIClass 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CurVer\ = "WebEdit_BHO.WebEdit_APIClass.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1148 wrote to memory of 5308 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1148 wrote to memory of 5308 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1148 wrote to memory of 5308 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditas.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditas.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/5308-0-0x00000000028E0000-0x000000000298D000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2025-07-04 18:04
Reported
2025-07-04 18:07
Platform
win10v2004-20250619-en
Max time kernel
103s
Max time network
136s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 728 wrote to memory of 1528 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 728 wrote to memory of 1528 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 728 wrote to memory of 1528 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditasnad.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditasnad.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2025-07-04 18:04
Reported
2025-07-04 18:07
Platform
win11-20250619-en
Max time kernel
101s
Max time network
103s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3516 wrote to memory of 4600 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3516 wrote to memory of 4600 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3516 wrote to memory of 4600 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditasnad.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditasnad.dll,#1
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2025-07-04 18:04
Reported
2025-07-04 18:07
Platform
win10v2004-20250610-en
Max time kernel
103s
Max time network
141s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\ButtonText = "웹에디트 설정 실행" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll,201" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\HotIcon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll,202" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\ClsidExtension = "{053202B5-4539-4c5a-B531-42C754ABBD41}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\Default Visible = "Yes" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\ = "{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\ = "{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CLSID\ = "{053202B5-4539-4c5a-B531-42C754ABBD41}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CurVer\ = "webedit_tb.webedit_tbObject.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ = "Iwebedit_tbObject" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\ = "webedit_tb 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\ = "webedit_tbObject Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ = "webedit_tbObject Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\TypeLib\ = "{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\ = "webedit_tbObject Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ProgID\ = "webedit_tb.webedit_tbObject.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\CLSID\ = "{053202B5-4539-4c5a-B531-42C754ABBD41}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\VersionIndependentProgID\ = "webedit_tb.webedit_tbObject" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ = "Iwebedit_tbObject" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5736 wrote to memory of 4028 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 5736 wrote to memory of 4028 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 5736 wrote to memory of 4028 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditastb.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditastb.dll
Network
| Country | Destination | Domain | Proto |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/4028-0-0x0000000000790000-0x000000000083D000-memory.dmp
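The regsvr32 rows above are a complete 32-bit COM registration (CLSID, ProgID, TypeLib, InprocServer32) plus the Internet Explorer Extensions entry that wires the toolbar object into the browser. Correlating forty such rows by hand is error-prone, so what follows is an added Python example (mine, not part of the report and not WebEdit's own code) that parses rows in this report's pipe-delimited layout, groups the writes per CLSID, follows each IE Extension's ClsidExtension value (and any Browser Helper Objects key, which is simply named after its CLSID) to the DLL that Internet Explorer will load in-process, and flags DLLs registered from user-writable paths. The sample rows are copied from the table above; the assumption that the report renders backslashes inside quoted values doubled (compare the command line under Processes) is mine and is handled by collapsing them.

```python
"""Correlate a sandbox report's "Modifies registry class" and
"Modifies Internet Explorer settings" rows into one COM-registration
record per CLSID, then follow each IE hook to the DLL it loads."""
import re

# Constructed sample: rows copied from the regsvr32 registration of
# webeditastb.dll above, in the report's own pipe-delimited layout.
SAMPLE_ROWS = r"""
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\ClsidExtension = "{053202B5-4539-4c5a-B531-42C754ABBD41}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ = "webedit_tbObject Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ProgID\ = "webedit_tb.webedit_tbObject.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
"""

ROW_RE = re.compile(r'^\|\s*(?P<op>[^|]+?)\s*\|\s*(?P<ind>[^|]+?)\s*\|\s*(?P<proc>[^|]+?)\s*\|')
CLSID_RE = re.compile(r'\\CLSID\\(\{[0-9A-F-]{36}\})', re.I)
# Locations a standard user can write to; a COM server there is re-writable persistence.
USER_WRITABLE = ('\\users\\', '\\appdata\\', '\\temp\\', '\\programdata\\')


def parse_rows(text):
    """Yield (op, key, value_name, value, process) for every data row.
    Assumption about the report's rendering: backslashes inside quoted
    values are shown doubled, so they are collapsed here."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m or m['op'] == 'Description':
            continue
        op, ind, proc = m['op'], m['ind'], m['proc']
        if not op.startswith('Set value'):
            yield op, ind, None, None, proc        # "Key created": no value
            continue
        path, _, rest = ind.partition(' = ')
        key, _, name = path.rpartition('\\')       # empty name == the key's default value
        yield op, key, name, rest.strip().strip('"').replace('\\\\', '\\'), proc


def com_registrations(rows):
    """One record per CLSID: friendly name, in-proc DLL, ProgID, threading, view."""
    objs = {}
    for op, key, name, value, proc in rows:
        m = CLSID_RE.search(key)
        if not m:
            continue
        clsid = m.group(1).upper()
        rec = objs.setdefault(clsid, {
            'clsid': clsid, 'name': None, 'dll': None, 'progid': None,
            'threading': None, 'writer': proc,
            'view': '32-bit' if '\\wow6432node\\' in key.lower() else '64-bit'})
        if name is None:
            continue
        sub = key[m.end():].lower()                 # subkey below the CLSID
        if sub == '' and name == '':
            rec['name'] = value
        elif sub == '\\inprocserver32' and name == '':
            rec['dll'] = value
        elif sub == '\\inprocserver32' and name.lower() == 'threadingmodel':
            rec['threading'] = value
        elif sub == '\\progid' and name == '':
            rec['progid'] = value
    return objs


def ie_hooks(rows):
    """IE Extensions name their object in ClsidExtension; a Browser Helper
    Objects key is itself named after the CLSID. Returns (kind, hook_key, clsid)."""
    hooks = []
    for op, key, name, value, proc in rows:
        low = key.lower()
        if '\\internet explorer\\extensions\\' in low and name == 'ClsidExtension':
            hook = ('IE Extension', key.rsplit('\\', 1)[1].upper(), value.upper())
        elif '\\browser helper objects\\{' in low:
            clsid = key.rsplit('\\', 1)[1].upper()
            hook = ('BHO', clsid, clsid)
        else:
            continue
        if hook not in hooks:
            hooks.append(hook)
    return hooks


def loads_from_user_path(rec):
    dll = (rec['dll'] or '').lower()
    return any(p in dll for p in USER_WRITABLE)


def summarize(text):
    """Return (registrations, hooks, findings) for rows in the report layout."""
    rows = list(parse_rows(text))
    objs, hooks, findings = com_registrations(rows), ie_hooks(rows), []
    for kind, hook_key, clsid in hooks:
        rec = objs.get(clsid)
        dll = rec['dll'] if rec and rec['dll'] else '<no InprocServer32 in captured rows>'
        flag = ' [DLL in user-writable path]' if rec and loads_from_user_path(rec) else ''
        who = f"{rec['name']}, {rec['view']} view" if rec else 'unregistered'
        findings.append(f'{kind} {hook_key} -> {clsid} ({who}) -> {dll}{flag}')
    return objs, hooks, findings


if __name__ == '__main__':
    for line in summarize(SAMPLE_ROWS)[2]:
        print(line)
```

Run as a script it prints one line per hook. Everything lands in the WOW6432Node (32-bit) view because the writer is SysWOW64\regsvr32.exe, which the 64-bit regsvr32 under Processes spawned for this 32-bit DLL; that is the view a 32-bit iexplore.exe reads its extensions from, so a hunt on a live host must query that view, not only the native one.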
Analysis: behavioral27
Detonation Overview
Submitted
2025-07-04 18:04
Reported
2025-07-04 18:07
Platform
win10v2004-20250610-en
Max time kernel
106s
Max time network
140s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1836 wrote to memory of 2392 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1836 wrote to memory of 2392 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1836 wrote to memory of 2392 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\~nsis\$_4_\webeditasnad.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\~nsis\$_4_\webeditasnad.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2025-07-04 18:04
Reported
2025-07-04 18:07
Platform
win10v2004-20250619-en
Max time kernel
103s
Max time network
134s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\wediasvc.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\wediasvc.exe
"C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\wediasvc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2025-07-04 18:04
Reported
2025-07-04 18:07
Platform
win10v2004-20250619-en
Max time kernel
104s
Max time network
137s
Command Line
Signatures
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | log.webedit.co.kr | udp |
| US | 8.8.8.8:53 | user.webedit.co.kr | udp |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2025-07-04 18:04
Reported
2025-07-04 18:07
Platform
win11-20250502-en
Max time kernel
103s
Max time network
104s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_svc_10_1.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_svc_10_1.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_svc_10_1.exe"
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2025-07-04 18:04
Reported
2025-07-04 18:07
Platform
win11-20250619-en
Max time kernel
98s
Max time network
101s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_svc_10_1.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_svc_10_1.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_svc_10_1.exe"
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2025-07-04 18:04
Reported
2025-07-04 18:07
Platform
win11-20250619-en
Max time kernel
103s
Max time network
104s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5704 wrote to memory of 5608 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5704 wrote to memory of 5608 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5704 wrote to memory of 5608 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\~nsis\$_4_\webeditasnad.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\~nsis\$_4_\webeditasnad.dll,#1
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2025-07-04 18:04
Reported
2025-07-04 18:07
Platform
win11-20250619-en
Max time kernel
102s
Max time network
104s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1340 wrote to memory of 5168 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1340 wrote to memory of 5168 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1340 wrote to memory of 5168 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5168 -ip 5168
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 460
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2025-07-04 18:04
Reported
2025-07-04 18:07
Platform
win11-20250619-en
Max time kernel
103s
Max time network
105s
Command Line
Signatures
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | log.webedit.co.kr | udp |
| US | 8.8.8.8:53 | user.webedit.co.kr | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2025-07-04 18:04
Reported
2025-07-04 18:07
Platform
win10v2004-20250619-en
Max time kernel
100s
Max time network
139s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_svc_10_1.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_svc_10_1.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_svc_10_1.exe"
Network
| Country | Destination | Domain | Proto |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2025-07-04 18:04
Reported
2025-07-04 18:07
Platform
win10v2004-20250502-en
Max time kernel
106s
Max time network
140s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_svc_10_1.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_svc_10_1.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_svc_10_1.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2025-07-04 18:04
Reported
2025-07-04 18:07
Platform
win11-20250610-en
Max time kernel
39s
Max time network
153s
Command Line
Signatures
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9133CA1-662F-4237-80E3-B623C4D6E461} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ = "WebEdit_APIClass Helper" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditas.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ = "WebEdit Web3.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\ = "WebEdit_APIClass Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CurVer\ = "WebEdit_BHO.WebEdit_APIClass.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ProgID\ = "WebEdit_BHO.WebEdit_APIClass.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\ = "WebEdit_APIClass 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.application | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditas.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.application\sid = "QzkxMzNDQTEtNjYyRi00MjM3LTgwRTMtQjYyM0M0RDZFNDYx" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\CLSID\ = "{C9133CA1-662F-4237-80E3-B623C4D6E461}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CLSID\ = "{C9133CA1-662F-4237-80E3-B623C4D6E461}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ = "IWebEdit_API" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ = "IWebEdit_API" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\ = "WebEdit_APIClass Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\VersionIndependentProgID\ = "WebEdit_BHO.WebEdit_APIClass" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2020 wrote to memory of 3432 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2020 wrote to memory of 3432 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2020 wrote to memory of 3432 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditas.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditas.dll
Network
Files
memory/3432-0-0x00000000027B0000-0x000000000285D000-memory.dmp
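One row in the table above stands out from the ordinary COM registration: a string named sid written under HKLM\SOFTWARE\Classes\.application, which is the ClickOnce file-type class and has nothing to do with a BHO. Decoding that value as base64 yields the BHO's own CLSID; that observation is mine, the report does not state it. The following added Python example (not from the report or from WebEdit) performs the decode with strict validation, checks the result against the Browser Helper Objects key written by the same regsvr32 run, and lists the registry locations a responder would query on a live host. The report shows only the WOW6432Node paths; the native-view equivalents in the list are the standard 64-bit counterparts, added by me.

```python
"""Decode the .application sid marker written during the webeditas.dll
registration and tie it to the BHO CLSID the same regsvr32 run registered."""
import base64
import binascii
import re

GUID_RE = re.compile(
    r'^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$', re.I)

# Constructed sample: the two values copied from the behavioral16 rows above.
SID_VALUE = "QzkxMzNDQTEtNjYyRi00MjM3LTgwRTMtQjYyM0M0RDZFNDYx"
BHO_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects\{C9133CA1-662F-4237-80E3-B623C4D6E461}")


def decode_sid(value):
    """Strict base64 decode; returns the text only if it is printable ASCII."""
    try:
        text = base64.b64decode(value, validate=True).decode('ascii')
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text.isprintable() else None


def bho_clsid(bho_key):
    """A BHO key is named after the CLSID it activates; normalise the case."""
    return bho_key.rsplit('\\', 1)[-1].upper()


def sid_matches_bho(sid_value, bho_key):
    """Return (matches, decoded_text); decoded_text is None if not base64."""
    decoded = decode_sid(sid_value)
    if decoded is None or not GUID_RE.match(decoded):
        return False, decoded
    return '{' + decoded.upper() + '}' == bho_clsid(bho_key), decoded


def hunt_locations(bho_key):
    """Registry keys to query on a live host for this BHO, in both views.
    The WOW6432Node entries are the ones the report shows; the native-view
    entries are their standard 64-bit equivalents (assumption: same layout)."""
    clsid = bho_clsid(bho_key)
    bho = r"Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    return [
        r"HKLM\SOFTWARE\WOW6432Node" + "\\" + bho + "\\" + clsid,
        r"HKLM\SOFTWARE" + "\\" + bho + "\\" + clsid,
        r"HKLM\SOFTWARE\Classes\WOW6432Node\CLSID" + "\\" + clsid + r"\InprocServer32",
        r"HKLM\SOFTWARE\Classes\CLSID" + "\\" + clsid + r"\InprocServer32",
        r"HKLM\SOFTWARE\Classes\.application\sid",
    ]


if __name__ == '__main__':
    ok, text = sid_matches_bho(SID_VALUE, BHO_KEY)
    print('sid decodes to', text, '-> names the registered BHO:', ok)
    for loc in hunt_locations(BHO_KEY):
        print('check', loc)
```

The marker is useful in two directions: it is an extra artifact to sweep for after the BHO key itself has been removed, and because it survives under a class key that most BHO-enumeration tools never look at, finding a base64 GUID there is a reasonable hunting signal for this installer family.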
Analysis: behavioral17
Detonation Overview
Submitted
2025-07-04 18:04
Reported
2025-07-04 18:07
Platform
win10v2004-20250610-en
Max time kernel
104s
Max time network
136s
Command Line
Signatures
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9133CA1-662F-4237-80E3-B623C4D6E461} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ = "WebEdit_APIClass Helper" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditas.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditas.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ = "IWebEdit_API" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\ = "WebEdit_APIClass Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\ = "WebEdit_APIClass 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.application | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CLSID\ = "{C9133CA1-662F-4237-80E3-B623C4D6E461}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CurVer\ = "WebEdit_BHO.WebEdit_APIClass.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ProgID\ = "WebEdit_BHO.WebEdit_APIClass.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ = "IWebEdit_API" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\CLSID\ = "{C9133CA1-662F-4237-80E3-B623C4D6E461}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\VersionIndependentProgID\ = "WebEdit_BHO.WebEdit_APIClass" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.application\sid = "QzkxMzNDQTEtNjYyRi00MjM3LTgwRTMtQjYyM0M0RDZFNDYx" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ = "WebEdit Web3.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\ = "WebEdit_APIClass Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1184 wrote to memory of 5200 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1184 wrote to memory of 5200 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1184 wrote to memory of 5200 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditas.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditas.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/5200-0-0x0000000000D90000-0x0000000000E3D000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2025-07-04 18:04
Reported
2025-07-04 18:07
Platform
win11-20250610-en
Max time kernel
104s
Max time network
105s
Command Line
Signatures
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9133CA1-662F-4237-80E3-B623C4D6E461} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ = "WebEdit_APIClass Helper" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditas.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ = "IWebEdit_API" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.application\sid = "QzkxMzNDQTEtNjYyRi00MjM3LTgwRTMtQjYyM0M0RDZFNDYx" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\ = "WebEdit_APIClass Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ = "IWebEdit_API" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ = "WebEdit Web3.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ProgID\ = "WebEdit_BHO.WebEdit_APIClass.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditas.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.application | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\CLSID\ = "{C9133CA1-662F-4237-80E3-B623C4D6E461}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\ = "WebEdit_APIClass Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CLSID\ = "{C9133CA1-662F-4237-80E3-B623C4D6E461}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CurVer\ = "WebEdit_BHO.WebEdit_APIClass.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\VersionIndependentProgID\ = "WebEdit_BHO.WebEdit_APIClass" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\ = "WebEdit_APIClass 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4804 wrote to memory of 4908 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4804 wrote to memory of 4908 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4804 wrote to memory of 4908 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditas.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditas.dll
Network
Files
memory/4908-0-0x0000000000C60000-0x0000000000D0D000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2025-07-04 18:04
Reported
2025-07-04 18:07
Platform
win10v2004-20250619-en
Max time kernel
103s
Max time network
136s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1952 wrote to memory of 1220 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1952 wrote to memory of 1220 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1952 wrote to memory of 1220 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditasnad.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditasnad.dll,#1
Network
| Country | Destination | Domain | Proto |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2025-07-04 18:04
Reported
2025-07-04 18:07
Platform
win11-20250619-en
Max time kernel
101s
Max time network
102s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\ButtonText = "웹에디트 설정 실행" (EUC-KR text, shown mis-decoded as Latin-1 in the raw report; "Run WebEdit settings") | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll,201" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\HotIcon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll,202" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\ClsidExtension = "{053202B5-4539-4c5a-B531-42C754ABBD41}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\Default Visible = "Yes" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ProgID\ = "webedit_tb.webedit_tbObject.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CurVer\ = "webedit_tb.webedit_tbObject.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\ = "webedit_tb 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CLSID\ = "{053202B5-4539-4c5a-B531-42C754ABBD41}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\VersionIndependentProgID\ = "webedit_tb.webedit_tbObject" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\ = "{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\ = "{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\ = "webedit_tbObject Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ = "Iwebedit_tbObject" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\ = "webedit_tbObject Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\TypeLib\ = "{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ = "Iwebedit_tbObject" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\CLSID\ = "{053202B5-4539-4c5a-B531-42C754ABBD41}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ = "webedit_tbObject Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2768 wrote to memory of 5240 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2768 wrote to memory of 5240 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2768 wrote to memory of 5240 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditastb.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditastb.dll
Network
Files
memory/5240-1-0x0000000002180000-0x000000000222D000-memory.dmp
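What the two regsvr32 detonations above actually establish is a pair of COM registration chains that Internet Explorer will follow at start-up: behavioral18 registers `{C9133CA1-662F-4237-80E3-B623C4D6E461}` under `Explorer\Browser Helper Objects`, so IE instantiates that CLSID's `InprocServer32` DLL (`webeditas.dll`) in every browser process; behavioral24 registers an `Internet Explorer\Extensions` button whose `CLSID` is the stock `{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}` ("execute a COM object") and whose `ClsidExtension` names the toolbar CLSID `{053202B5-4539-4c5a-B531-42C754ABBD41}`, backed by `webeditastb.dll`. Two details matter for triage: both DLL paths sit under `%LOCALAPPDATA%\Temp\$PROGRAMFILES\` (the literal `$PROGRAMFILES` is an unexpanded NSIS variable, consistent with the sandbox unpacking the installer payload rather than running the installer), and the odd `Classes\.application\sid` value is simply the BHO CLSID, brace-stripped and base64-encoded. The script below is an added example written for this page, not code from the sandbox vendor or from the WebEdit product: it parses the indicator strings exactly as the report prints them (the `ROWS` list is a subset copied from the tables above), resolves BHO and toolbar-button registrations to their DLLs through `InprocServer32`, flags DLLs that load from user-writable locations, and decodes the `sid` value. The function names and the `USER_WRITABLE` marker list are the editor's own choices.

```python
"""Resolve the COM registration chain recorded in sandbox registry rows.

Added example (editor-written triage helper); not part of the report or of
the WebEdit installer. ROWS is a constructed subset copied verbatim from the
report's registry tables so the script runs offline.
"""
import base64
import re

# Constructed sample: indicator strings from the report, as printed there
# (registry-value backslashes are doubled in the report's rendering).
ROWS = [
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditas.dll"',
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ = "WebEdit Web3.0"',
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ = "WebEdit_APIClass Helper"',
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\.application\sid = "QzkxMzNDQTEtNjYyRi00MjM3LTgwRTMtQjYyM0M0RDZFNDYx"',
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll"',
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\ClsidExtension = "{053202B5-4539-4c5a-B531-42C754ABBD41}"',
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"',
]

CLSID_RE = re.compile(r'\{[0-9A-Fa-f-]{36}\}')

# Editor's assumption: path fragments a standard user can write to. A COM
# server loaded from here can be swapped out without admin rights.
USER_WRITABLE = ('\\appdata\\', '\\users\\public\\', '\\programdata\\', '\\temp\\')


def parse_rows(rows):
    """Return (key, value_name, data) triples with the report's escaping undone."""
    entries = []
    for row in rows:
        lhs, sep, rhs = row.partition(' = "')
        if not sep:
            continue  # 'Key created' rows carry no value; nothing to resolve
        key, _, name = lhs.rpartition('\\')  # name == '' for the (Default) value
        entries.append((key, name, rhs.rstrip('"').replace('\\\\', '\\')))
    return entries


def inproc_servers(entries):
    """Map upper-cased CLSID -> DLL path from InprocServer32 (Default) values."""
    servers = {}
    for key, name, data in entries:
        if name == '' and key.upper().endswith('\\INPROCSERVER32'):
            m = CLSID_RE.search(key)
            if m:
                servers[m.group(0).upper()] = data
    return servers


def resolve_browser_extensions(entries):
    """Return (kind, clsid, dll) for BHO and IE toolbar-button registrations."""
    servers = inproc_servers(entries)
    found = []
    for key, name, data in entries:
        ku = key.upper()
        if name == '' and '\\BROWSER HELPER OBJECTS\\' in ku:
            clsid = CLSID_RE.search(key).group(0).upper()
            found.append(('BHO', clsid, servers.get(clsid)))
        elif name.lower() == 'clsidextension' and '\\INTERNET EXPLORER\\EXTENSIONS\\' in ku:
            clsid = data.upper()
            found.append(('IE toolbar button', clsid, servers.get(clsid)))
    return found


def is_user_writable(path):
    """True if the DLL path contains a user-writable marker (see USER_WRITABLE)."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def decode_sid(entries):
    """Decode the base64 '.application\\sid' value into a braced CLSID, or None."""
    for key, name, data in entries:
        if name == 'sid' and key.upper().endswith('\\.APPLICATION'):
            try:
                text = base64.b64decode(data, validate=True).decode('ascii')
            except (ValueError, UnicodeDecodeError):
                return None
            return '{' + text.upper() + '}'
    return None


def triage(rows):
    """Summarise browser-extension registrations and the decoded sid value."""
    entries = parse_rows(rows)
    findings = [
        {'kind': kind, 'clsid': clsid, 'dll': dll,
         'user_writable': bool(dll and is_user_writable(dll))}
        for kind, clsid, dll in resolve_browser_extensions(entries)
    ]
    return findings, decode_sid(entries)


if __name__ == '__main__':
    results, sid_clsid = triage(ROWS)
    for item in results:
        flag = 'LOADS FROM USER-WRITABLE PATH' if item['user_writable'] else 'ok'
        print(f"{item['kind']:18} {item['clsid']} -> {item['dll']}  [{flag}]")
    print('.application\\sid decodes to', sid_clsid)
```

Run against the full report rather than the subset, the same functions also pick up the ProgID and TypeLib keys as plain `(key, name, data)` entries; only the three resolvers above care about which keys matter. On a live host the equivalent check is to walk the same two keys under `HKLM\SOFTWARE\WOW6432Node` and `HKLM\SOFTWARE`, resolve each CLSID through `HKCR\CLSID\{...}\InprocServer32`, and treat any server outside `Program Files` or `Windows` as a finding.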
Analysis: behavioral26
Detonation Overview
Submitted
2025-07-04 18:04
Reported
2025-07-04 18:07
Platform
win11-20250619-en
Max time kernel
101s
Max time network
103s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\ClsidExtension = "{053202B5-4539-4c5a-B531-42C754ABBD41}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\Default Visible = "Yes" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\ButtonText = "웹에디트 설정 실행" (EUC-KR text, shown mis-decoded as Latin-1 in the raw report; "Run WebEdit settings") | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll,201" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\HotIcon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll,202" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\ = "webedit_tbObject Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ = "Iwebedit_tbObject" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\ = "webedit_tb 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ = "Iwebedit_tbObject" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\CLSID\ = "{053202B5-4539-4c5a-B531-42C754ABBD41}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CLSID\ = "{053202B5-4539-4c5a-B531-42C754ABBD41}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\VersionIndependentProgID\ = "webedit_tb.webedit_tbObject" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ = "webedit_tbObject Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ProgID\ = "webedit_tb.webedit_tbObject.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\ = "{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\ = "webedit_tbObject Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CurVer\ = "webedit_tb.webedit_tbObject.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\TypeLib\ = "{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\ = "{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5940 wrote to memory of 3764 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 5940 wrote to memory of 3764 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 5940 wrote to memory of 3764 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditastb.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditastb.dll
Network
Files
memory/3764-1-0x0000000002BD0000-0x0000000002C7D000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-04 18:04
Reported
2025-07-04 18:07
Platform
win10v2004-20250610-en
Max time kernel
121s
Max time network
135s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wediasvc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wediasvc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wediasvc.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_ | N/A |
| N/A | N/A | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_ | N/A |
| N/A | N/A | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
Loads dropped DLL
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9133CA1-662F-4237-80E3-B623C4D6E461} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ = "WebEdit_APIClass Helper" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\wediasvc.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wediasvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wediasvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_ | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_ | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wediasvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\ButtonText = "웹에디트 설정 실행" (CP949 bytes, rendered as the Latin-1 mojibake "À¥¿¡µðÆ® ¼³Á¤ ½ÇÇà" in the raw report; English: "Run WebEdit settings") | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\HotIcon = "C:\\Program Files (x86)\\WebEdit\\webeditastb.dll,202" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-155457276-1657131288-1088518942-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-155457276-1657131288-1088518942-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\ClsidExtension = "{053202B5-4539-4c5a-B531-42C754ABBD41}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-155457276-1657131288-1088518942-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{C9133CA1-662F-4237-80E3-B623C4D6E461} | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\Icon = "C:\\Program Files (x86)\\WebEdit\\webeditastb.dll,201" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\Default Visible = "Yes" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-155457276-1657131288-1088518942-1000\Software\Microsoft\Internet Explorer\MAO Settings | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-155457276-1657131288-1088518942-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "0" | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-155457276-1657131288-1088518942-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "10000" | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-155457276-1657131288-1088518942-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "1" | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-155457276-1657131288-1088518942-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-155457276-1657131288-1088518942-1000\SOFTWARE\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ = "IWebEdit_API" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32\ = "C:\\Program Files (x86)\\WebEdit\\webeditastb.dll" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\ = "WebEdit_APIClass Class" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\ = "WebEdit_APIClass Class" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\TypeLib | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CurVer | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.application\sid = "QzkxMzNDQTEtNjYyRi00MjM3LTgwRTMtQjYyM0M0RDZFNDYx" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ = "WebEdit Web3.0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ProgID\ = "WebEdit_BHO.WebEdit_APIClass.1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\CLSID | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\ = "WebEdit_APIClass 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CLSID\ = "{053202B5-4539-4c5a-B531-42C754ABBD41}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CurVer\ = "webedit_tb.webedit_tbObject.1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ProgID | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\ = "webedit_tb 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CLSID | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\CLSID\ = "{053202B5-4539-4c5a-B531-42C754ABBD41}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CLSID | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ = "Iwebedit_tbObject" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\CLSID\ = "{C9133CA1-662F-4237-80E3-B623C4D6E461}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\TypeLib | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ProgID | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\WebEdit\\" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\ = "webedit_tbObject Class" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\VersionIndependentProgID\ = "webedit_tb.webedit_tbObject" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\ = "{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32\ = "C:\\Program Files (x86)\\WebEdit\\webeditas.dll" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\0\win32\ = "C:\\Program Files (x86)\\WebEdit\\webeditas.dll" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0\win32\ = "C:\\Program Files (x86)\\WebEdit\\webeditastb.dll" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CurVer\ = "WebEdit_BHO.WebEdit_APIClass.1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\VersionIndependentProgID\ = "WebEdit_BHO.WebEdit_APIClass" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\ = "{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CurVer | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
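The registry tables in this detonation and in the regsvr32 detonation above record the same three-layer registration: an entry under Explorer\Browser Helper Objects (the BHO), an entry under Internet Explorer\Extensions whose CLSID is IE's generic toolbar-button class {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} and whose ClsidExtension names the real COM object, and the CLSID\{...}\InprocServer32 values that say which DLL each object loads. The question a responder actually has is "which files does IE end up loading, and under which names", and that needs the three tables joined. The base64 `sid` value written under Classes\.application is also just the BHO CLSID re-encoded. In the regsvr32 detonation, the "wrote to memory of" rows are the 64-bit regsvr32.exe starting its SysWOW64 counterpart to register a 32-bit DLL; that relaunch is the normal path for a 32-bit in-process server and is not by itself evidence of injection. The script below is an added example for this page, not part of the sandbox's own tooling: it parses rows in the report's "| Description | Indicator | Process | Target |" layout (treating that layout as parseable text is this script's assumption), joins the registrations, and decodes the `sid` value. The input rows are transcribed from the tables above with the installer path shortened to `installer.exe`.

```python
"""Resolve which DLLs Internet Explorer would load from the BHO, toolbar-button
and COM-class registrations recorded in a sandbox report's 'Modifies Internet
Explorer settings' and 'Modifies registry class' tables.

Added example for this page, not part of the sandbox's own tooling. The
'| Description | Indicator | Process | Target |' row layout is taken from the
report tables; treating it as parseable text is an assumption of this script.
"""
import base64
import re
from collections import defaultdict

# Constructed sample input: rows copied from the report tables, with the long
# installer path shortened to 'installer.exe' for readability.
REPORT_ROWS = r"""
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9133CA1-662F-4237-80E3-B623C4D6E461} | installer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ = "WebEdit_APIClass Helper" | installer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" | installer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\ClsidExtension = "{053202B5-4539-4c5a-B531-42C754ABBD41}" | installer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32\ = "C:\\Program Files (x86)\\WebEdit\\webeditastb.dll" | installer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32\ThreadingModel = "Apartment" | installer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32\ = "C:\\Program Files (x86)\\WebEdit\\webeditas.dll" | installer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.application\sid = "QzkxMzNDQTEtNjYyRi00MjM3LTgwRTMtQjYyM0M0RDZFNDYx" | installer.exe | N/A |
"""

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
ROW_RE = re.compile(
    r"^\|\s*(?P<desc>[^|]*?)\s*\|\s*(?P<ind>.*?)\s*\|\s*(?P<proc>[^|]*?)\s*\|\s*(?P<target>[^|]*?)\s*\|$"
)
INPROC_RE = re.compile(r"\\CLSID\\(" + GUID + r")\\InprocServer32\\$", re.I)
EXT_RE = re.compile(r"\\Internet Explorer\\Extensions\\(" + GUID + r")\\([^\\]+)$", re.I)
BHO_RE = re.compile(r"\\Browser Helper Objects\\(" + GUID + r")\\?$", re.I)
SID_RE = re.compile(r"\\Classes\\\.application\\sid$", re.I)

# IE's generic toolbar-button class; the code that runs lives at ClsidExtension.
TOOLBAR_BUTTON_CLSID = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"


def parse_rows(text):
    """Turn report table rows into (description, key, value, process) tuples."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m or m["desc"] == "Description":
            continue
        key, value = m["ind"], None
        if m["desc"].startswith("Set value") and " = " in key:
            key, raw = key.split(" = ", 1)
            # the report doubles backslashes inside quoted string values
            value = raw.strip('"').replace("\\\\", "\\")
        rows.append((m["desc"], key, value, m["proc"]))
    return rows


def resolve_ie_loads(rows):
    """Map each BHO / toolbar registration to the InprocServer32 DLL it loads and
    decode the base64 'sid' value written under Classes\\.application."""
    inproc, ext, bhos, sid = {}, defaultdict(dict), {}, None
    for _desc, key, value, _proc in rows:
        if (m := INPROC_RE.search(key)) and value:
            inproc[m.group(1).upper()] = value
        elif (m := EXT_RE.search(key)) and value is not None:
            ext[m.group(1).upper()][m.group(2)] = value
        elif (m := BHO_RE.search(key)):
            guid = m.group(1).upper()
            bhos[guid] = value or bhos.get(guid)   # default value carries the display name
        elif SID_RE.search(key) and value:
            sid = base64.b64decode(value).decode("ascii", "replace")

    findings = []
    for guid, name in bhos.items():
        findings.append({"kind": "BHO", "guid": guid, "name": name,
                         "clsid": guid, "dll": inproc.get(guid)})
    for guid, vals in ext.items():
        button = vals.get("CLSID", "").upper() == TOOLBAR_BUTTON_CLSID
        target = vals.get("ClsidExtension", "").upper()   # the object IE actually instantiates
        findings.append({"kind": "toolbar button" if button else "IE extension",
                         "guid": guid, "name": vals.get("ButtonText"),
                         "clsid": target, "dll": inproc.get(target)})
    return findings, sid


if __name__ == "__main__":
    found, sid_value = resolve_ie_loads(parse_rows(REPORT_ROWS))
    for f in found:
        print(f"{f['kind']:15} {f['guid']} -> {f['dll']}  ({f['name']})")
    print("Classes\\.application\\sid decodes to:", sid_value)
```

Run against the rows above this yields two loads, the BHO at webeditas.dll and the toolbar button at webeditastb.dll, and shows that the `sid` value is the BHO CLSID without braces. The same parser works on the regsvr32 detonation's tables, where the InprocServer32 path points into the extracted NSIS staging directory under AppData\Local\Temp\$PROGRAMFILES instead of Program Files (x86).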
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\DisableAddonLoadTimePerformanceNotifications = "1" | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe"
C:\Windows\SysWOW64\wediasvc.exe
"C:\Windows\System32\wediasvc.exe" /i
C:\Windows\SysWOW64\wediasvc.exe
"C:\Windows\System32\wediasvc.exe" /start
C:\Windows\SysWOW64\wediasvc.exe
C:\Windows\SysWOW64\wediasvc.exe
C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_
"C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_" /stop
C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_
"C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_" /u
C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe
"C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe" /i
C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe
"C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe" /start
C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe
"C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe"
Network
| Country | Destination | Domain | Proto |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | log.webedit.co.kr | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | log.webedit.co.kr | udp |
| US | 8.8.8.8:53 | default.webedit.co.kr | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | log.webedit.co.kr | udp |
| US | 8.8.8.8:53 | default.webedit.co.kr | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsw8917.tmp\nsProcess.dll
| MD5 | 8f4ac52cb2f7143f29f114add12452ad |
| SHA1 | 29dc25f5d69bf129d608b83821c8ec8ab8c8edb3 |
| SHA256 | b214d73aea95191f7363ad93cdc12b6fbd50a3a54b0aa891b3d45bc4b7b2aa04 |
| SHA512 | 2f9e2c7450557c2b88a12d3a3b4ab999c9f2a4df0d39dcd795b307b89855387bc96fc6d4fb51de8f33de0780e08a3b15fdad43daeaf7373cca71b01d7afdaf0c |
C:\Windows\SysWOW64\wediasvc.exe
| MD5 | 3b028967fc6640218a6aae5849e78750 |
| SHA1 | 304de482ece28e6cf9a2766af335646942e67995 |
| SHA256 | 42c98ad3c8c30a3553444d35e03f1911b1d0e3719ad642a26733d47ab6f031d5 |
| SHA512 | 87084aa97cc74dd883d401bcf43b2a260edfe19cb5950b2e0b04bb6091d277b5fa76abbd50961cffb2f96c2ac929fd3658afeff29f30a16cd06356a9c30bfc9a |
C:\Users\Admin\AppData\Local\Temp\nsw8917.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\~nsis\webeditasnad.dll
| MD5 | 4be0eaa3af20fb4df00ee2d3b2aa23be |
| SHA1 | a9ebc381554d5f8ea259222490c39de185722045 |
| SHA256 | d7c4ebe96ba07d9497522d6cc0458fd2fdb9d818f77218ede1522a2bc2e06613 |
| SHA512 | 53bbfede46fb15c50e72af8c59cc9af4f3cd1910a28a802fb0cba0f8d4cbddf6520e08cef35d15734712da46951987fe69964b9a3b95424fc7158cd981eab5c4 |
memory/2660-22-0x0000000002960000-0x0000000002A0D000-memory.dmp
C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_
| MD5 | d28bfd9699316ce06bfacbcfe2e3a070 |
| SHA1 | eab8e6d4cfa3206e8f6ff4d952b40f892cf61857 |
| SHA256 | b8ee282cb4f46b9e488c9453e068717b6a1fa563cfc311dedfa46de6eee8114b |
| SHA512 | 5a6157e3894a05bc8b9d2499edea82722ec0efc91dcb4f936a81d30c315f719bb1d05f1ea7759b3df4583fede523fa4d38669acbed3506846f5fb8f9e5b15a35 |
C:\Program Files (x86)\WebEdit\webeditas.dll
| MD5 | dbdea5c4344bdf803f9c729b50d34784 |
| SHA1 | ee5d296eb6253e7111ed730130d367ee27b484a3 |
| SHA256 | 57bf22f2b9090f76a290d25fc9f50b348fc164967f780609137f5eb8e32e81d2 |
| SHA512 | a97f4818b28278ec952876ec9aa78d98920d56c44b6d9be5d0f5802fccd6f65f64bf99606f65b9123d1d69a37ba96d3282fad71e38fbb9a499e78e90c5999c36 |
memory/2660-42-0x0000000002CA0000-0x0000000002CBF000-memory.dmp
C:\Program Files (x86)\WebEdit\webeditastb.dll
| MD5 | 01b2ebdce1620b25c427dd6baf53cfcf |
| SHA1 | c2338455badf1334504a18e8d9656b3e8081568f |
| SHA256 | f37eb1a447265cf1ceb3a0ca4a222d882ecef7dc47823a402089964ec59a5a03 |
| SHA512 | c969200594e8333e634805b74bf1ba0e3e87f27967891bf1c71e4703a377f7aed94a24e28806aab3c7dbf771a1bd7e122b160e13da766f76253e3e527e60f9ee |
memory/2660-49-0x0000000002CA0000-0x0000000002CC0000-memory.dmp
C:\Program Files (x86)\WebEdit\Log\webedit_up_20250704.txt
| MD5 | 7c900881083a5c4939178e2a8d3bde0d |
| SHA1 | 33cf6b98a93363d37826fe306d7de612e007eb0b |
| SHA256 | 91c15821b7b82ca02a0b04f9dd9dab53d7a0129171f2d7bd70377e5ac8b1b99c |
| SHA512 | 5ebe6eaa174cd1261b4378ee74d1e35cd0779d4a6cb5bf13de8430fe4c8b37032cd685701986378c5976ad9fb7c1dfa743404dda46c6220b5ab851bbd2b0c69c |
C:\Program Files (x86)\WebEdit\webedit_run.exe
| MD5 | 3ecd8cf00f91b91c963976b9bc63cf76 |
| SHA1 | ab6c0c285f2ed0d58e3528b995bef710af2cd6ca |
| SHA256 | 8f685def2789528b90dcc4d6f011f471df237f5729db1b771f8c04a579824dcb |
| SHA512 | d731e26fa30cc9b6e96746baca19d916db4e589dfc5f10435cd6f10051623e2e39f1e37ea8de193e4ab9e749e83079f9f7927653668a4e28f0bf64dc5a1c0d57 |
memory/2660-55-0x0000000002CE0000-0x0000000002D8D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-07-04 18:04
Reported
2025-07-04 18:07
Platform
win11-20250619-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wediasvc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wediasvc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wediasvc.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_ | N/A |
| N/A | N/A | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_ | N/A |
| N/A | N/A | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
Loads dropped DLL
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9133CA1-662F-4237-80E3-B623C4D6E461} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ = "WebEdit_APIClass Helper" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\wediasvc.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_ | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wediasvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wediasvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wediasvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_ | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\MAO Settings | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "0" | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "1" | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\ButtonText = "웹에디트 설정 실행" (EUC-KR bytes shown as Latin-1 in the raw report; English: "Run WebEdit Settings") | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\HotIcon = "C:\\Program Files (x86)\\WebEdit\\webeditastb.dll,202" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\ClsidExtension = "{053202B5-4539-4c5a-B531-42C754ABBD41}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\Icon = "C:\\Program Files (x86)\\WebEdit\\webeditastb.dll,201" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "10000" | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\SOFTWARE\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\Default Visible = "Yes" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{C9133CA1-662F-4237-80E3-B623C4D6E461} | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\ = "WebEdit_APIClass Class" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000_Classes\WOW6432Node\CLSID\tst_key = "test_ok" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.application | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\CLSID | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CLSID\ = "{053202B5-4539-4c5a-B531-42C754ABBD41}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CurVer\ = "webedit_tb.webedit_tbObject.1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0\win32\ = "C:\\Program Files (x86)\\WebEdit\\webeditastb.dll" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CLSID\ = "{C9133CA1-662F-4237-80E3-B623C4D6E461}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CurVer | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\TypeLib\ = "{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\ = "WebEdit_APIClass Class" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\ = "WebEdit_APIClass 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ProgID | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\VersionIndependentProgID\ = "webedit_tb.webedit_tbObject" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32\ = "C:\\Program Files (x86)\\WebEdit\\webeditastb.dll" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ = "Iwebedit_tbObject" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CurVer\ = "WebEdit_BHO.WebEdit_APIClass.1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ = "WebEdit Web3.0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ProgID\ = "WebEdit_BHO.WebEdit_APIClass.1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\WebEdit\\" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ = "webedit_tbObject Class" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CurVer | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\CLSID | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ProgID\ = "webedit_tb.webedit_tbObject.1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\WebEdit\\" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.application\sid = "QzkxMzNDQTEtNjYyRi00MjM3LTgwRTMtQjYyM0M0RDZFNDYx" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\Programmable | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\ = "webedit_tb 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D} | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\ = "webedit_tbObject Class" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000_Classes\WOW6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\CLSID\ = "{C9133CA1-662F-4237-80E3-B623C4D6E461}" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CLSID | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
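The BHO, IE Extensions and "Modifies registry class" rows above are one COM registration seen through many keys. The Python below is an added example (not part of the sandbox report or of the WebEdit product): it parses a constructed subset of those rows, copied verbatim from the tables, pivots ProgID to CLSID to InprocServer32 DLL and type library, and decodes the base64 written to `Classes\.application\sid`, which is the BHO CLSID without braces. The `row()` helper, the regex names and the summary layout are the example's own; the report does not show an InprocServer32 path for the BHO CLSID, so the summary reports `None` for it rather than guessing.

```python
import base64
import re

# Constructed input: registry rows copied from the behavioral2 tables above (BHO registration,
# IE Extensions toolbar, COM class registration). The installer path is the sample's own.
INSTALLER = r'C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe'


def row(op, indicator, proc=INSTALLER):
    """Build one sandbox table row in the '| op | indicator | process | target |' layout used above."""
    return f'| {op} | {indicator} | {proc} | N/A |'


REPORT_ROWS = [
    row('Key created', r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9133CA1-662F-4237-80E3-B623C4D6E461}'),
    row('Set value (str)', r'\REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\CLSID\ = "{C9133CA1-662F-4237-80E3-B623C4D6E461}"'),
    row('Set value (str)', r'\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}"'),
    row('Set value (str)', r'\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32\ThreadingModel = "Apartment"'),
    row('Set value (str)', r'\REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CLSID\ = "{053202B5-4539-4c5a-B531-42C754ABBD41}"'),
    row('Set value (str)', r'\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32\ = "C:\\Program Files (x86)\\WebEdit\\webeditastb.dll"'),
    row('Set value (str)', r'\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\TypeLib\ = "{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}"'),
    row('Set value (str)', r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\ClsidExtension = "{053202B5-4539-4c5a-B531-42C754ABBD41}"'),
    row('Set value (str)', r'\REGISTRY\MACHINE\SOFTWARE\Classes\.application\sid = "QzkxMzNDQTEtNjYyRi00MjM3LTgwRTMtQjYyM0M0RDZFNDYx"'),
]

ROW_RE = re.compile(r'^\|\s*(?P<op>[^|]*?)\s*\|\s*(?P<ind>[^|]*?)\s*\|\s*(?P<proc>[^|]*?)\s*\|\s*(?P<target>[^|]*?)\s*\|$')
VALUE_RE = re.compile(r'^(?P<path>.*?) = "(?P<value>.*)"$')
GUID = r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
BHO_RE = re.compile(r'\\Browser Helper Objects\\(' + GUID + r')$')
PROGID_RE = re.compile(r'\\Classes\\([^\\{][^\\]*)\\CLSID\\?$')
CLSID_KEY_RE = re.compile(r'\\CLSID\\(' + GUID + r')(?:\\([^\\]*))?(?:\\([^\\]*))?$')
IE_EXT_RE = re.compile(r'\\Internet Explorer\\Extensions\\' + GUID + r'\\ClsidExtension$')
SID_RE = re.compile(r'\\Classes\\\.application\\sid$')


def parse_row(line):
    """Split one table row; for 'Set value' rows separate the key path from the quoted data."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    op, indicator = m.group('op'), m.group('ind')
    path, value = indicator, None
    if op.startswith('Set value'):
        v = VALUE_RE.match(indicator)
        if v:
            path = v.group('path')
            value = v.group('value').replace('\\\\', '\\')  # the report doubles backslashes inside quoted data
    return {'op': op, 'path': path, 'value': value, 'process': m.group('proc')}


def build_com_map(lines):
    """Pivot from raw registry rows to what IE will load: which CLSID is a BHO, which is a toolbar, which DLL backs each."""
    com = {'bho_clsids': set(), 'toolbar_clsids': set(), 'progid_to_clsid': {}, 'clsid_to_dll': {}, 'clsid_to_typelib': {}}
    for line in lines:
        r = parse_row(line)
        if r is None:
            continue
        path, value = r['path'], r['value']
        if (m := BHO_RE.search(path)):
            com['bho_clsids'].add(m.group(1).upper())
        if IE_EXT_RE.search(path) and value:
            com['toolbar_clsids'].add(value.upper())
        if (m := PROGID_RE.search(path)) and value:
            com['progid_to_clsid'][m.group(1)] = value.upper()
        if (m := CLSID_KEY_RE.search(path)) and value is not None:
            clsid, subkey, name = m.group(1).upper(), m.group(2), m.group(3) or ''
            if subkey == 'InprocServer32' and name == '':      # default value = the DLL loaded into the browser
                com['clsid_to_dll'][clsid] = value
            elif subkey == 'TypeLib' and name == '':
                com['clsid_to_typelib'][clsid] = value.upper()
    return com


def decode_application_sid(lines):
    """Return the decoded 'Classes\\.application\\sid' value (stored as base64 in the report), or None."""
    for line in lines:
        r = parse_row(line)
        if r and r['value'] and SID_RE.search(r['path']):
            return base64.b64decode(r['value']).decode('ascii')
    return None


def sid_names_registered_bho(lines):
    """True when the decoded sid is exactly one registered BHO CLSID (braces stripped): the marker and the BHO are one install."""
    decoded = decode_application_sid(lines)
    return decoded is not None and '{' + decoded.upper() + '}' in build_com_map(lines)['bho_clsids']


def summarize(lines):
    """One entry per IE-loaded CLSID: role, ProgID, backing DLL (None when the rows never showed InprocServer32) and type library."""
    com = build_com_map(lines)
    clsid_to_progid = {c: p for p, c in com['progid_to_clsid'].items()}
    out = []
    for clsid in sorted(com['bho_clsids'] | com['toolbar_clsids']):
        role = 'BHO' if clsid in com['bho_clsids'] else 'IE toolbar'
        out.append({'clsid': clsid, 'role': role, 'progid': clsid_to_progid.get(clsid),
                    'dll': com['clsid_to_dll'].get(clsid), 'typelib': com['clsid_to_typelib'].get(clsid)})
    return out


if __name__ == '__main__':
    for entry in summarize(REPORT_ROWS):
        print(entry)
    print('sid decodes to:', decode_application_sid(REPORT_ROWS), '| names the BHO:', sid_names_registered_bho(REPORT_ROWS))
```

Feeding the full tables in place of the constructed subset is a matter of pasting more rows into `REPORT_ROWS`; the same regexes cover the version-independent ProgID keys and the 64-bit (non-WOW6432Node) CLSID paths.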
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\DisableAddonLoadTimePerformanceNotifications = "1" | C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe"
C:\Windows\SysWOW64\wediasvc.exe
"C:\Windows\System32\wediasvc.exe" /i
C:\Windows\SysWOW64\wediasvc.exe
"C:\Windows\System32\wediasvc.exe" /start
C:\Windows\SysWOW64\wediasvc.exe
C:\Windows\SysWOW64\wediasvc.exe
C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_
"C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_" /stop
C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_
"C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_" /u
C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe
"C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe" /i
C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe
"C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe" /start
C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe
"C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | log.webedit.co.kr | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsf86E4.tmp\nsProcess.dll
| MD5 | 8f4ac52cb2f7143f29f114add12452ad |
| SHA1 | 29dc25f5d69bf129d608b83821c8ec8ab8c8edb3 |
| SHA256 | b214d73aea95191f7363ad93cdc12b6fbd50a3a54b0aa891b3d45bc4b7b2aa04 |
| SHA512 | 2f9e2c7450557c2b88a12d3a3b4ab999c9f2a4df0d39dcd795b307b89855387bc96fc6d4fb51de8f33de0780e08a3b15fdad43daeaf7373cca71b01d7afdaf0c |
C:\Windows\SysWOW64\wediasvc.exe
| MD5 | 3b028967fc6640218a6aae5849e78750 |
| SHA1 | 304de482ece28e6cf9a2766af335646942e67995 |
| SHA256 | 42c98ad3c8c30a3553444d35e03f1911b1d0e3719ad642a26733d47ab6f031d5 |
| SHA512 | 87084aa97cc74dd883d401bcf43b2a260edfe19cb5950b2e0b04bb6091d277b5fa76abbd50961cffb2f96c2ac929fd3658afeff29f30a16cd06356a9c30bfc9a |
C:\Users\Admin\AppData\Local\Temp\nsf86E4.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\~nsis\webeditasnad.dll
| MD5 | 4be0eaa3af20fb4df00ee2d3b2aa23be |
| SHA1 | a9ebc381554d5f8ea259222490c39de185722045 |
| SHA256 | d7c4ebe96ba07d9497522d6cc0458fd2fdb9d818f77218ede1522a2bc2e06613 |
| SHA512 | 53bbfede46fb15c50e72af8c59cc9af4f3cd1910a28a802fb0cba0f8d4cbddf6520e08cef35d15734712da46951987fe69964b9a3b95424fc7158cd981eab5c4 |
memory/3016-22-0x0000000002A10000-0x0000000002ABD000-memory.dmp
C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_
| MD5 | d28bfd9699316ce06bfacbcfe2e3a070 |
| SHA1 | eab8e6d4cfa3206e8f6ff4d952b40f892cf61857 |
| SHA256 | b8ee282cb4f46b9e488c9453e068717b6a1fa563cfc311dedfa46de6eee8114b |
| SHA512 | 5a6157e3894a05bc8b9d2499edea82722ec0efc91dcb4f936a81d30c315f719bb1d05f1ea7759b3df4583fede523fa4d38669acbed3506846f5fb8f9e5b15a35 |
C:\Program Files (x86)\WebEdit\webeditas.dll
| MD5 | dbdea5c4344bdf803f9c729b50d34784 |
| SHA1 | ee5d296eb6253e7111ed730130d367ee27b484a3 |
| SHA256 | 57bf22f2b9090f76a290d25fc9f50b348fc164967f780609137f5eb8e32e81d2 |
| SHA512 | a97f4818b28278ec952876ec9aa78d98920d56c44b6d9be5d0f5802fccd6f65f64bf99606f65b9123d1d69a37ba96d3282fad71e38fbb9a499e78e90c5999c36 |
memory/3016-42-0x0000000002D90000-0x0000000002DAF000-memory.dmp
C:\Program Files (x86)\WebEdit\webeditastb.dll
| MD5 | 01b2ebdce1620b25c427dd6baf53cfcf |
| SHA1 | c2338455badf1334504a18e8d9656b3e8081568f |
| SHA256 | f37eb1a447265cf1ceb3a0ca4a222d882ecef7dc47823a402089964ec59a5a03 |
| SHA512 | c969200594e8333e634805b74bf1ba0e3e87f27967891bf1c71e4703a377f7aed94a24e28806aab3c7dbf771a1bd7e122b160e13da766f76253e3e527e60f9ee |
memory/3016-49-0x0000000002D90000-0x0000000002DB0000-memory.dmp
memory/3016-55-0x0000000002DD0000-0x0000000002E7D000-memory.dmp
C:\Program Files (x86)\WebEdit\Log\webedit_up_20250704.txt
| MD5 | 27a428ef3fcd33267392baf89d329f29 |
| SHA1 | 753d6e79c85a4aa463eb4bdda169d86cd5767e12 |
| SHA256 | 51c2a66910c20f29639bf8b3974fcbed6d02f755ea0b3c21b9d247e5905d647a |
| SHA512 | 68805e1d2934856bcbcaa68ac7026ce71f32cf50d9b467d279c2c6b27075acf90666da6be58774a265b50931d7ee64da72788048f1e1ff38fd4d172f968bbb91 |
C:\Program Files (x86)\WebEdit\webedit_run.exe
Analysis: behavioral7
Detonation Overview
Submitted
2025-07-04 18:04
Reported
2025-07-04 18:07
Platform
win10v2004-20250502-en
Max time kernel
103s
Max time network
145s
Command Line
Signatures
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | log.webedit.co.kr | udp |
| US | 8.8.8.8:53 | user.webedit.co.kr | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2025-07-04 18:04
Reported
2025-07-04 18:07
Platform
win11-20250610-en
Max time kernel
103s
Max time network
106s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5552 wrote to memory of 3728 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5552 wrote to memory of 3728 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5552 wrote to memory of 3728 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditasnad.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditasnad.dll,#1
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2025-07-04 18:04
Reported
2025-07-04 18:07
Platform
win11-20250610-en
Max time kernel
101s
Max time network
104s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\wediasvc.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\wediasvc.exe
"C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\wediasvc.exe"
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2025-07-04 18:04
Reported
2025-07-04 18:07
Platform
win10v2004-20250610-en
Max time kernel
102s
Max time network
141s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2120 wrote to memory of 3480 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2120 wrote to memory of 3480 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2120 wrote to memory of 3480 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3480 -ip 3480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 612
Network
| Country | Destination | Domain | Proto |
| GB | 2.18.27.76:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2025-07-04 18:04
Reported
2025-07-04 18:07
Platform
win10v2004-20250610-en
Max time kernel
103s
Max time network
140s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1132 wrote to memory of 928 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1132 wrote to memory of 928 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1132 wrote to memory of 928 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 928 -ip 928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 600
Network
| Country | Destination | Domain | Proto |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |