Malware Analysis Report

2025-08-05 14:55

Sample ID: 250704-wn4xpsxny9
Target: JaffaCakes118_1c767504f104ee50e4b36d570ad425e6
SHA256: 76c838fd441934a2adc953d69d5e8415b0384e3cd3b2576fdeb0aa4d07148786
Tags: discovery defense_evasion trojan adware spyware stealer installer
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V16)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral6, behavioral10, behavioral23, behavioral15, behavioral19, behavioral22, behavioral25, behavioral27, behavioral29, behavioral9, behavioral12, behavioral14, behavioral28, behavioral4, behavioral8, behavioral11, behavioral13, behavioral16, behavioral17, behavioral18, behavioral21, behavioral24, behavioral26, behavioral1, behavioral2, behavioral7, behavioral20, behavioral30, behavioral3, behavioral5 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 7/10

SHA256: 76c838fd441934a2adc953d69d5e8415b0384e3cd3b2576fdeb0aa4d07148786

Threat Level: Shows suspicious behavior

The file JaffaCakes118_1c767504f104ee50e4b36d570ad425e6 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery defense_evasion trojan adware spyware stealer installer

Loads dropped DLL

Executes dropped EXE

Checks installed software on the system

Checks whether UAC is enabled

Installs/modifies Browser Helper Object

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Enumerates physical storage devices

NSIS installer

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-07-04 18:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral6

Detonation Overview

Submitted: 2025-07-04 18:04
Reported: 2025-07-04 18:07
Platform: win11-20250610-en
Max time kernel: 100s
Max time network: 102s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5752 wrote to memory of 4812 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5752 wrote to memory of 4812 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5752 wrote to memory of 4812 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4812 -ip 4812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 448

Network

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted: 2025-07-04 18:04
Reported: 2025-07-04 18:07
Platform: win11-20250619-en
Max time kernel: 101s
Max time network: 102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe"

Signatures

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe

"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 user.webedit.co.kr udp
US 8.8.8.8:53 log.webedit.co.kr udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted: 2025-07-04 18:04
Reported: 2025-07-04 18:07
Platform: win10v2004-20250502-en
Max time kernel: 101s
Max time network: 137s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditastb.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\ButtonText = "À¥¿¡µðÆ® ¼³Á¤ ½ÇÇà" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll,201" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\HotIcon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll,202" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\ClsidExtension = "{053202B5-4539-4c5a-B531-42C754ABBD41}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\Default Visible = "Yes" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\TypeLib\ = "{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ProgID\ = "webedit_tb.webedit_tbObject.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CurVer\ = "webedit_tb.webedit_tbObject.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\VersionIndependentProgID\ = "webedit_tb.webedit_tbObject" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ = "Iwebedit_tbObject" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\ = "{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CLSID\ = "{053202B5-4539-4c5a-B531-42C754ABBD41}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ = "webedit_tbObject Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ = "Iwebedit_tbObject" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\ = "{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\ = "webedit_tbObject Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\ = "webedit_tbObject Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\CLSID\ = "{053202B5-4539-4c5a-B531-42C754ABBD41}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\ = "webedit_tb 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3712 wrote to memory of 5204 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3712 wrote to memory of 5204 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3712 wrote to memory of 5204 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditastb.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditastb.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

memory/5204-0-0x00000000012B0000-0x000000000135D000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted: 2025-07-04 18:04
Reported: 2025-07-04 18:07
Platform: win10v2004-20250610-en
Max time kernel: 103s
Max time network: 133s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditas.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9133CA1-662F-4237-80E3-B623C4D6E461} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ = "WebEdit_APIClass Helper" C:\Windows\SysWOW64\regsvr32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.application C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ = "WebEdit Web3.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ = "IWebEdit_API" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\CLSID\ = "{C9133CA1-662F-4237-80E3-B623C4D6E461}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditas.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\ = "WebEdit_APIClass Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ = "IWebEdit_API" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.application\sid = "QzkxMzNDQTEtNjYyRi00MjM3LTgwRTMtQjYyM0M0RDZFNDYx" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CLSID\ = "{C9133CA1-662F-4237-80E3-B623C4D6E461}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditas.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\ = "WebEdit_APIClass Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ProgID\ = "WebEdit_BHO.WebEdit_APIClass.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\VersionIndependentProgID\ = "WebEdit_BHO.WebEdit_APIClass" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\ = "WebEdit_APIClass 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CurVer\ = "WebEdit_BHO.WebEdit_APIClass.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1148 wrote to memory of 5308 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1148 wrote to memory of 5308 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1148 wrote to memory of 5308 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditas.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditas.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

memory/5308-0-0x00000000028E0000-0x000000000298D000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted: 2025-07-04 18:04
Reported: 2025-07-04 18:07
Platform: win10v2004-20250619-en
Max time kernel: 103s
Max time network: 136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditasnad.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 728 wrote to memory of 1528 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 728 wrote to memory of 1528 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 728 wrote to memory of 1528 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditasnad.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditasnad.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted: 2025-07-04 18:04
Reported: 2025-07-04 18:07
Platform: win11-20250619-en
Max time kernel: 101s
Max time network: 103s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditasnad.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3516 wrote to memory of 4600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3516 wrote to memory of 4600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3516 wrote to memory of 4600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditasnad.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditasnad.dll,#1

Network

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted: 2025-07-04 18:04
Reported: 2025-07-04 18:07
Platform: win10v2004-20250610-en
Max time kernel: 103s
Max time network: 141s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditastb.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\ButtonText = "À¥¿¡µðÆ® ¼³Á¤ ½ÇÇà" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll,201" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\HotIcon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll,202" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\ClsidExtension = "{053202B5-4539-4c5a-B531-42C754ABBD41}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\Default Visible = "Yes" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\ = "{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\ = "{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CLSID\ = "{053202B5-4539-4c5a-B531-42C754ABBD41}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CurVer\ = "webedit_tb.webedit_tbObject.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ = "Iwebedit_tbObject" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\ = "webedit_tb 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\ = "webedit_tbObject Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ = "webedit_tbObject Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\TypeLib\ = "{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\ = "webedit_tbObject Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ProgID\ = "webedit_tb.webedit_tbObject.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\CLSID\ = "{053202B5-4539-4c5a-B531-42C754ABBD41}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\VersionIndependentProgID\ = "webedit_tb.webedit_tbObject" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ = "Iwebedit_tbObject" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5736 wrote to memory of 4028 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5736 wrote to memory of 4028 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5736 wrote to memory of 4028 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditastb.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditastb.dll

Network

Country Destination Domain Proto
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

memory/4028-0-0x0000000000790000-0x000000000083D000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2025-07-04 18:04

Reported

2025-07-04 18:07

Platform

win10v2004-20250610-en

Max time kernel

106s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\~nsis\$_4_\webeditasnad.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1836 wrote to memory of 2392 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1836 wrote to memory of 2392 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1836 wrote to memory of 2392 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\~nsis\$_4_\webeditasnad.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\~nsis\$_4_\webeditasnad.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2025-07-04 18:04

Reported

2025-07-04 18:07

Platform

win10v2004-20250619-en

Max time kernel

103s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\wediasvc.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\wediasvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\wediasvc.exe

"C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\wediasvc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2025-07-04 18:04

Reported

2025-07-04 18:07

Platform

win10v2004-20250619-en

Max time kernel

104s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe"

Signatures

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe

"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 log.webedit.co.kr udp
US 8.8.8.8:53 user.webedit.co.kr udp
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2025-07-04 18:04

Reported

2025-07-04 18:07

Platform

win11-20250502-en

Max time kernel

103s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_svc_10_1.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_svc_10_1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_svc_10_1.exe

"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_svc_10_1.exe"

Network

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2025-07-04 18:04

Reported

2025-07-04 18:07

Platform

win11-20250619-en

Max time kernel

98s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_svc_10_1.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_svc_10_1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_svc_10_1.exe

"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_svc_10_1.exe"

Network

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2025-07-04 18:04

Reported

2025-07-04 18:07

Platform

win11-20250619-en

Max time kernel

103s

Max time network

104s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\~nsis\$_4_\webeditasnad.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5704 wrote to memory of 5608 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5704 wrote to memory of 5608 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5704 wrote to memory of 5608 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\~nsis\$_4_\webeditasnad.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\~nsis\$_4_\webeditasnad.dll,#1

Network

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2025-07-04 18:04

Reported

2025-07-04 18:07

Platform

win11-20250619-en

Max time kernel

102s

Max time network

104s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1340 wrote to memory of 5168 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1340 wrote to memory of 5168 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1340 wrote to memory of 5168 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5168 -ip 5168

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 460

Network

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2025-07-04 18:04

Reported

2025-07-04 18:07

Platform

win11-20250619-en

Max time kernel

103s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe"

Signatures

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe

"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 log.webedit.co.kr udp
US 8.8.8.8:53 user.webedit.co.kr udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2025-07-04 18:04

Reported

2025-07-04 18:07

Platform

win10v2004-20250619-en

Max time kernel

100s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_svc_10_1.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_svc_10_1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_svc_10_1.exe

"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_svc_10_1.exe"

Network

Country Destination Domain Proto
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2025-07-04 18:04

Reported

2025-07-04 18:07

Platform

win10v2004-20250502-en

Max time kernel

106s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_svc_10_1.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_svc_10_1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_svc_10_1.exe

"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_svc_10_1.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2025-07-04 18:04

Reported

2025-07-04 18:07

Platform

win11-20250610-en

Max time kernel

39s

Max time network

153s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditas.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9133CA1-662F-4237-80E3-B623C4D6E461} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ = "WebEdit_APIClass Helper" C:\Windows\SysWOW64\regsvr32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditas.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ = "WebEdit Web3.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\ = "WebEdit_APIClass Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CurVer\ = "WebEdit_BHO.WebEdit_APIClass.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ProgID\ = "WebEdit_BHO.WebEdit_APIClass.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\ = "WebEdit_APIClass 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.application C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditas.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.application\sid = "QzkxMzNDQTEtNjYyRi00MjM3LTgwRTMtQjYyM0M0RDZFNDYx" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\CLSID\ = "{C9133CA1-662F-4237-80E3-B623C4D6E461}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CLSID\ = "{C9133CA1-662F-4237-80E3-B623C4D6E461}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ = "IWebEdit_API" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ = "IWebEdit_API" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\ = "WebEdit_APIClass Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\VersionIndependentProgID\ = "WebEdit_BHO.WebEdit_APIClass" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2020 wrote to memory of 3432 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2020 wrote to memory of 3432 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2020 wrote to memory of 3432 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditas.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditas.dll

Network

Files

memory/3432-0-0x00000000027B0000-0x000000000285D000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2025-07-04 18:04

Reported

2025-07-04 18:07

Platform

win10v2004-20250610-en

Max time kernel

104s

Max time network

136s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditas.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9133CA1-662F-4237-80E3-B623C4D6E461} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ = "WebEdit_APIClass Helper" C:\Windows\SysWOW64\regsvr32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditas.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditas.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ = "IWebEdit_API" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\ = "WebEdit_APIClass Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\ = "WebEdit_APIClass 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.application C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CLSID\ = "{C9133CA1-662F-4237-80E3-B623C4D6E461}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CurVer\ = "WebEdit_BHO.WebEdit_APIClass.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ProgID\ = "WebEdit_BHO.WebEdit_APIClass.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ = "IWebEdit_API" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\CLSID\ = "{C9133CA1-662F-4237-80E3-B623C4D6E461}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\VersionIndependentProgID\ = "WebEdit_BHO.WebEdit_APIClass" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.application\sid = "QzkxMzNDQTEtNjYyRi00MjM3LTgwRTMtQjYyM0M0RDZFNDYx" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ = "WebEdit Web3.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\ = "WebEdit_APIClass Class" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1184 wrote to memory of 5200 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1184 wrote to memory of 5200 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1184 wrote to memory of 5200 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditas.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditas.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

memory/5200-0-0x0000000000D90000-0x0000000000E3D000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2025-07-04 18:04

Reported

2025-07-04 18:07

Platform

win11-20250610-en

Max time kernel

104s

Max time network

105s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditas.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9133CA1-662F-4237-80E3-B623C4D6E461} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ = "WebEdit_APIClass Helper" C:\Windows\SysWOW64\regsvr32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditas.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ = "IWebEdit_API" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.application\sid = "QzkxMzNDQTEtNjYyRi00MjM3LTgwRTMtQjYyM0M0RDZFNDYx" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\ = "WebEdit_APIClass Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ = "IWebEdit_API" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ = "WebEdit Web3.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ProgID\ = "WebEdit_BHO.WebEdit_APIClass.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditas.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.application C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\CLSID\ = "{C9133CA1-662F-4237-80E3-B623C4D6E461}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\ = "WebEdit_APIClass Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CLSID\ = "{C9133CA1-662F-4237-80E3-B623C4D6E461}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CurVer\ = "WebEdit_BHO.WebEdit_APIClass.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\VersionIndependentProgID\ = "WebEdit_BHO.WebEdit_APIClass" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\ = "WebEdit_APIClass 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4804 wrote to memory of 4908 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4804 wrote to memory of 4908 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4804 wrote to memory of 4908 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditas.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditas.dll

Network

Files

memory/4908-0-0x0000000000C60000-0x0000000000D0D000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2025-07-04 18:04

Reported

2025-07-04 18:07

Platform

win10v2004-20250619-en

Max time kernel

103s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditasnad.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1952 wrote to memory of 1220 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1952 wrote to memory of 1220 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1952 wrote to memory of 1220 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditasnad.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditasnad.dll,#1

Network

Country Destination Domain Proto
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2025-07-04 18:04

Reported

2025-07-04 18:07

Platform

win11-20250619-en

Max time kernel

101s

Max time network

102s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditastb.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\ButtonText = "À¥¿¡µðÆ® ¼³Á¤ ½ÇÇà" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll,201" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\HotIcon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll,202" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\ClsidExtension = "{053202B5-4539-4c5a-B531-42C754ABBD41}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\Default Visible = "Yes" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D} C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ProgID\ = "webedit_tb.webedit_tbObject.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CurVer\ = "webedit_tb.webedit_tbObject.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\ = "webedit_tb 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CLSID\ = "{053202B5-4539-4c5a-B531-42C754ABBD41}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\VersionIndependentProgID\ = "webedit_tb.webedit_tbObject" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\ = "{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\ = "{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\ = "webedit_tbObject Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ = "Iwebedit_tbObject" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\ = "webedit_tbObject Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\TypeLib\ = "{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ = "Iwebedit_tbObject" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\CLSID\ = "{053202B5-4539-4c5a-B531-42C754ABBD41}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ = "webedit_tbObject Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2768 wrote to memory of 5240 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2768 wrote to memory of 5240 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2768 wrote to memory of 5240 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditastb.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditastb.dll

Network

Files

memory/5240-1-0x0000000002180000-0x000000000222D000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2025-07-04 18:04

Reported

2025-07-04 18:07

Platform

win11-20250619-en

Max time kernel

101s

Max time network

103s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditastb.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\ClsidExtension = "{053202B5-4539-4c5a-B531-42C754ABBD41}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\Default Visible = "Yes" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\ButtonText = "À¥¿¡µðÆ® ¼³Á¤ ½ÇÇà" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\Icon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll,201" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\HotIcon = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll,202" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\ = "webedit_tbObject Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ = "Iwebedit_tbObject" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\ = "webedit_tb 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ = "Iwebedit_tbObject" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\CLSID\ = "{053202B5-4539-4c5a-B531-42C754ABBD41}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CLSID\ = "{053202B5-4539-4c5a-B531-42C754ABBD41}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\VersionIndependentProgID\ = "webedit_tb.webedit_tbObject" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PROGRAMFILES\\WebEdit\\webeditastb.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ = "webedit_tbObject Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ProgID\ = "webedit_tb.webedit_tbObject.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\ = "{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\ = "webedit_tbObject Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CurVer\ = "webedit_tb.webedit_tbObject.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\TypeLib\ = "{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\ = "{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5940 wrote to memory of 3764 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5940 wrote to memory of 3764 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5940 wrote to memory of 3764 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditastb.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditastb.dll

Network

Files

memory/3764-1-0x0000000002BD0000-0x0000000002C7D000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-04 18:04

Reported

2025-07-04 18:07

Platform

win10v2004-20250610-en

Max time kernel

121s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe"

Signatures

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9133CA1-662F-4237-80E3-B623C4D6E461} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ = "WebEdit_APIClass Helper" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\wediasvc.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\WebEdit\webedit_run.ex_ C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
File created C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_ C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
File created C:\Program Files (x86)\WebEdit\webeditastb.dl_ C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
File created C:\Program Files (x86)\WebEdit\webeditas.dll C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
File created C:\Program Files (x86)\WebEdit\webedit_run.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
File opened for modification C:\Program Files (x86)\WebEdit\Log\webedit_up_20250704.txt C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A
File created C:\Program Files (x86)\WebEdit\uninst.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
File created C:\Program Files (x86)\WebEdit\webeditas.dl_ C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
File created C:\Program Files (x86)\WebEdit\webeditasnad.dl_ C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
File opened for modification C:\Program Files (x86)\WebEdit\Log\webedit_up_20250704.txt C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_ N/A
File created C:\Program Files (x86)\WebEdit\webeditasnad.dll C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
File created C:\Program Files (x86)\WebEdit\webeditastb.dll C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
File created C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
File created C:\Program Files (x86)\WebEdit\webed_uins.dat C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wediasvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wediasvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_ N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_ N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wediasvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\ButtonText = "À¥¿¡µðÆ® ¼³Á¤ ½ÇÇà" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\HotIcon = "C:\\Program Files (x86)\\WebEdit\\webeditastb.dll,202" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-155457276-1657131288-1088518942-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-155457276-1657131288-1088518942-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\ClsidExtension = "{053202B5-4539-4c5a-B531-42C754ABBD41}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\USER\S-1-5-21-155457276-1657131288-1088518942-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{C9133CA1-662F-4237-80E3-B623C4D6E461} C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\Icon = "C:\\Program Files (x86)\\WebEdit\\webeditastb.dll,201" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\Default Visible = "Yes" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\USER\S-1-5-21-155457276-1657131288-1088518942-1000\Software\Microsoft\Internet Explorer\MAO Settings C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-155457276-1657131288-1088518942-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "0" C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-155457276-1657131288-1088518942-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "10000" C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-155457276-1657131288-1088518942-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "1" C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-155457276-1657131288-1088518942-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-155457276-1657131288-1088518942-1000\SOFTWARE\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ = "IWebEdit_API" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32\ = "C:\\Program Files (x86)\\WebEdit\\webeditastb.dll" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\ = "WebEdit_APIClass Class" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\ = "WebEdit_APIClass Class" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\TypeLib C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CurVer C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.application\sid = "QzkxMzNDQTEtNjYyRi00MjM3LTgwRTMtQjYyM0M0RDZFNDYx" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ = "WebEdit Web3.0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ProgID\ = "WebEdit_BHO.WebEdit_APIClass.1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\CLSID C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\ = "WebEdit_APIClass 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CLSID\ = "{053202B5-4539-4c5a-B531-42C754ABBD41}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CurVer\ = "webedit_tb.webedit_tbObject.1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ProgID C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\ = "webedit_tb 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CLSID C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\CLSID\ = "{053202B5-4539-4c5a-B531-42C754ABBD41}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CLSID C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ = "Iwebedit_tbObject" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\CLSID\ = "{C9133CA1-662F-4237-80E3-B623C4D6E461}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\TypeLib C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ProgID C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\WebEdit\\" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\ = "webedit_tbObject Class" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\VersionIndependentProgID\ = "webedit_tb.webedit_tbObject" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\ = "{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32\ = "C:\\Program Files (x86)\\WebEdit\\webeditas.dll" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\0\win32\ = "C:\\Program Files (x86)\\WebEdit\\webeditas.dll" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0\win32\ = "C:\\Program Files (x86)\\WebEdit\\webeditastb.dll" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CurVer\ = "WebEdit_BHO.WebEdit_APIClass.1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\VersionIndependentProgID\ = "WebEdit_BHO.WebEdit_APIClass" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\ = "{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CurVer C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2660 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Windows\SysWOW64\wediasvc.exe
PID 2660 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Windows\SysWOW64\wediasvc.exe
PID 2660 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Windows\SysWOW64\wediasvc.exe
PID 2660 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Windows\SysWOW64\wediasvc.exe
PID 2660 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Windows\SysWOW64\wediasvc.exe
PID 2660 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Windows\SysWOW64\wediasvc.exe
PID 2660 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_
PID 2660 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_
PID 2660 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_
PID 2660 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_
PID 2660 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_
PID 2660 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_
PID 2660 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe
PID 2660 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe
PID 2660 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe
PID 2660 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe
PID 2660 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe
PID 2660 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\DisableAddonLoadTimePerformanceNotifications = "1" C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe"

C:\Windows\SysWOW64\wediasvc.exe

"C:\Windows\System32\wediasvc.exe" /i

C:\Windows\SysWOW64\wediasvc.exe

"C:\Windows\System32\wediasvc.exe" /start

C:\Windows\SysWOW64\wediasvc.exe

C:\Windows\SysWOW64\wediasvc.exe

C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_

"C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_" /stop

C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_

"C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_" /u

C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe

"C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe" /i

C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe

"C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe" /start

C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe

"C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe"

Network

Country Destination Domain Proto
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 log.webedit.co.kr udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 log.webedit.co.kr udp
US 8.8.8.8:53 default.webedit.co.kr udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
US 8.8.8.8:53 log.webedit.co.kr udp
US 8.8.8.8:53 default.webedit.co.kr udp

Files

C:\Users\Admin\AppData\Local\Temp\nsw8917.tmp\nsProcess.dll

MD5 8f4ac52cb2f7143f29f114add12452ad
SHA1 29dc25f5d69bf129d608b83821c8ec8ab8c8edb3
SHA256 b214d73aea95191f7363ad93cdc12b6fbd50a3a54b0aa891b3d45bc4b7b2aa04
SHA512 2f9e2c7450557c2b88a12d3a3b4ab999c9f2a4df0d39dcd795b307b89855387bc96fc6d4fb51de8f33de0780e08a3b15fdad43daeaf7373cca71b01d7afdaf0c

C:\Windows\SysWOW64\wediasvc.exe

MD5 3b028967fc6640218a6aae5849e78750
SHA1 304de482ece28e6cf9a2766af335646942e67995
SHA256 42c98ad3c8c30a3553444d35e03f1911b1d0e3719ad642a26733d47ab6f031d5
SHA512 87084aa97cc74dd883d401bcf43b2a260edfe19cb5950b2e0b04bb6091d277b5fa76abbd50961cffb2f96c2ac929fd3658afeff29f30a16cd06356a9c30bfc9a

C:\Users\Admin\AppData\Local\Temp\nsw8917.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\~nsis\webeditasnad.dll

MD5 4be0eaa3af20fb4df00ee2d3b2aa23be
SHA1 a9ebc381554d5f8ea259222490c39de185722045
SHA256 d7c4ebe96ba07d9497522d6cc0458fd2fdb9d818f77218ede1522a2bc2e06613
SHA512 53bbfede46fb15c50e72af8c59cc9af4f3cd1910a28a802fb0cba0f8d4cbddf6520e08cef35d15734712da46951987fe69964b9a3b95424fc7158cd981eab5c4

memory/2660-22-0x0000000002960000-0x0000000002A0D000-memory.dmp

C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_

MD5 d28bfd9699316ce06bfacbcfe2e3a070
SHA1 eab8e6d4cfa3206e8f6ff4d952b40f892cf61857
SHA256 b8ee282cb4f46b9e488c9453e068717b6a1fa563cfc311dedfa46de6eee8114b
SHA512 5a6157e3894a05bc8b9d2499edea82722ec0efc91dcb4f936a81d30c315f719bb1d05f1ea7759b3df4583fede523fa4d38669acbed3506846f5fb8f9e5b15a35

C:\Program Files (x86)\WebEdit\webeditas.dll

MD5 dbdea5c4344bdf803f9c729b50d34784
SHA1 ee5d296eb6253e7111ed730130d367ee27b484a3
SHA256 57bf22f2b9090f76a290d25fc9f50b348fc164967f780609137f5eb8e32e81d2
SHA512 a97f4818b28278ec952876ec9aa78d98920d56c44b6d9be5d0f5802fccd6f65f64bf99606f65b9123d1d69a37ba96d3282fad71e38fbb9a499e78e90c5999c36

memory/2660-42-0x0000000002CA0000-0x0000000002CBF000-memory.dmp

C:\Program Files (x86)\WebEdit\webeditastb.dll

MD5 01b2ebdce1620b25c427dd6baf53cfcf
SHA1 c2338455badf1334504a18e8d9656b3e8081568f
SHA256 f37eb1a447265cf1ceb3a0ca4a222d882ecef7dc47823a402089964ec59a5a03
SHA512 c969200594e8333e634805b74bf1ba0e3e87f27967891bf1c71e4703a377f7aed94a24e28806aab3c7dbf771a1bd7e122b160e13da766f76253e3e527e60f9ee

memory/2660-49-0x0000000002CA0000-0x0000000002CC0000-memory.dmp

C:\Program Files (x86)\WebEdit\Log\webedit_up_20250704.txt

MD5 7c900881083a5c4939178e2a8d3bde0d
SHA1 33cf6b98a93363d37826fe306d7de612e007eb0b
SHA256 91c15821b7b82ca02a0b04f9dd9dab53d7a0129171f2d7bd70377e5ac8b1b99c
SHA512 5ebe6eaa174cd1261b4378ee74d1e35cd0779d4a6cb5bf13de8430fe4c8b37032cd685701986378c5976ad9fb7c1dfa743404dda46c6220b5ab851bbd2b0c69c

C:\Program Files (x86)\WebEdit\webedit_run.exe

MD5 3ecd8cf00f91b91c963976b9bc63cf76
SHA1 ab6c0c285f2ed0d58e3528b995bef710af2cd6ca
SHA256 8f685def2789528b90dcc4d6f011f471df237f5729db1b771f8c04a579824dcb
SHA512 d731e26fa30cc9b6e96746baca19d916db4e589dfc5f10435cd6f10051623e2e39f1e37ea8de193e4ab9e749e83079f9f7927653668a4e28f0bf64dc5a1c0d57

memory/2660-55-0x0000000002CE0000-0x0000000002D8D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-04 18:04

Reported

2025-07-04 18:07

Platform

win11-20250619-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe"

Signatures

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9133CA1-662F-4237-80E3-B623C4D6E461} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ = "WebEdit_APIClass Helper" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\wediasvc.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\WebEdit\Log\webedit_up_20250704.txt C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A
File created C:\Program Files (x86)\WebEdit\uninst.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
File created C:\Program Files (x86)\WebEdit\webed_uins.dat C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
File created C:\Program Files (x86)\WebEdit\webeditas.dl_ C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
File created C:\Program Files (x86)\WebEdit\webeditasnad.dl_ C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
File created C:\Program Files (x86)\WebEdit\webedit_run.ex_ C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
File created C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_ C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
File created C:\Program Files (x86)\WebEdit\webeditastb.dl_ C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
File opened for modification C:\Program Files (x86)\WebEdit\Log\webedit_up_20250704.txt C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_ N/A
File created C:\Program Files (x86)\WebEdit\webeditas.dll C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
File created C:\Program Files (x86)\WebEdit\webeditasnad.dll C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
File created C:\Program Files (x86)\WebEdit\webeditastb.dll C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
File created C:\Program Files (x86)\WebEdit\webedit_run.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
File created C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_ N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wediasvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wediasvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wediasvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_ N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\MAO Settings C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "0" C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "1" C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\ButtonText = "웹에디트 설정 실행" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\HotIcon = "C:\\Program Files (x86)\\WebEdit\\webeditastb.dll,202" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\ClsidExtension = "{053202B5-4539-4c5a-B531-42C754ABBD41}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\Icon = "C:\\Program Files (x86)\\WebEdit\\webeditastb.dll,201" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "10000" C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\SOFTWARE\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\Default Visible = "Yes" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{C9133CA1-662F-4237-80E3-B623C4D6E461} C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\ = "WebEdit_APIClass Class" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000_Classes\WOW6432Node\CLSID\tst_key = "test_ok" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.application C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\CLSID C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CLSID\ = "{053202B5-4539-4c5a-B531-42C754ABBD41}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CurVer\ = "webedit_tb.webedit_tbObject.1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0\win32\ = "C:\\Program Files (x86)\\WebEdit\\webeditastb.dll" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CLSID\ = "{C9133CA1-662F-4237-80E3-B623C4D6E461}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CurVer C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\TypeLib\ = "{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\ = "WebEdit_APIClass Class" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\ = "WebEdit_APIClass 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ProgID C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\VersionIndependentProgID\ = "webedit_tb.webedit_tbObject" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\InprocServer32\ = "C:\\Program Files (x86)\\WebEdit\\webeditastb.dll" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\ = "Iwebedit_tbObject" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D}\TypeLib C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CurVer\ = "WebEdit_BHO.WebEdit_APIClass.1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ = "WebEdit Web3.0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\ProgID\ = "WebEdit_BHO.WebEdit_APIClass.1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\WebEdit\\" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ = "webedit_tbObject Class" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass\CurVer C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\CLSID C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\ProgID\ = "webedit_tb.webedit_tbObject.1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\WebEdit\\" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.application\sid = "QzkxMzNDQTEtNjYyRi00MjM3LTgwRTMtQjYyM0M0RDZFNDYx" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9133CA1-662F-4237-80E3-B623C4D6E461}\Programmable C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\ = "webedit_tb 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A66A7BD4-06B1-4377-ADCD-6A8A2631CA45}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD6A85C5-36CB-44CF-9D3E-37F09E79D51D} C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BB85FDDB-C266-4906-93B8-498B939B07E6}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\ = "{BB85FDDB-C266-4906-93B8-498B939B07E6}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject.1\ = "webedit_tbObject Class" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000_Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WebEdit_BHO.WebEdit_APIClass.1\CLSID\ = "{C9133CA1-662F-4237-80E3-B623C4D6E461}" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF8745A4-A31D-4884-9901-515F5919312D}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\webedit_tb.webedit_tbObject\CLSID C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3016 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Windows\SysWOW64\wediasvc.exe
PID 3016 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Windows\SysWOW64\wediasvc.exe
PID 3016 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Windows\SysWOW64\wediasvc.exe
PID 3016 wrote to memory of 244 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Windows\SysWOW64\wediasvc.exe
PID 3016 wrote to memory of 244 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Windows\SysWOW64\wediasvc.exe
PID 3016 wrote to memory of 244 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Windows\SysWOW64\wediasvc.exe
PID 3016 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_
PID 3016 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_
PID 3016 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_
PID 3016 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_
PID 3016 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_
PID 3016 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_
PID 3016 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe
PID 3016 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe
PID 3016 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe
PID 3016 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\DisableAddonLoadTimePerformanceNotifications = "1" C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe"

C:\Windows\SysWOW64\wediasvc.exe

"C:\Windows\System32\wediasvc.exe" /i

C:\Windows\SysWOW64\wediasvc.exe

"C:\Windows\System32\wediasvc.exe" /start

C:\Windows\SysWOW64\wediasvc.exe

C:\Windows\SysWOW64\wediasvc.exe

C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_

"C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_" /stop

C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_

"C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_" /u

C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe

"C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe" /i

C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe

"C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe" /start

C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe

"C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 log.webedit.co.kr udp

Files

C:\Users\Admin\AppData\Local\Temp\nsf86E4.tmp\nsProcess.dll

C:\Windows\SysWOW64\wediasvc.exe

C:\Users\Admin\AppData\Local\Temp\nsf86E4.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\~nsis\webeditasnad.dll

memory/3016-22-0x0000000002A10000-0x0000000002ABD000-memory.dmp

C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_

C:\Program Files (x86)\WebEdit\webeditas.dll

memory/3016-42-0x0000000002D90000-0x0000000002DAF000-memory.dmp

C:\Program Files (x86)\WebEdit\webeditastb.dll

memory/3016-49-0x0000000002D90000-0x0000000002DB0000-memory.dmp

memory/3016-55-0x0000000002DD0000-0x0000000002E7D000-memory.dmp

C:\Program Files (x86)\WebEdit\Log\webedit_up_20250704.txt

C:\Program Files (x86)\WebEdit\webedit_run.exe

Analysis: behavioral7

Detonation Overview

Submitted

2025-07-04 18:04

Reported

2025-07-04 18:07

Platform

win10v2004-20250502-en

Max time kernel

103s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe"

Signatures

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe

"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webedit_run.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 log.webedit.co.kr udp
US 8.8.8.8:53 user.webedit.co.kr udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2025-07-04 18:04

Reported

2025-07-04 18:07

Platform

win11-20250610-en

Max time kernel

103s

Max time network

106s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditasnad.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5552 wrote to memory of 3728 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditasnad.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\WebEdit\webeditasnad.dll,#1

Network

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2025-07-04 18:04

Reported

2025-07-04 18:07

Platform

win11-20250610-en

Max time kernel

101s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\wediasvc.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\wediasvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\wediasvc.exe

"C:\Users\Admin\AppData\Local\Temp\$WINDIR\System32\wediasvc.exe"

Network

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2025-07-04 18:04

Reported

2025-07-04 18:07

Platform

win10v2004-20250610-en

Max time kernel

102s

Max time network

141s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2120 wrote to memory of 3480 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3480 -ip 3480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 612

Network

Country Destination Domain Proto
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2025-07-04 18:04

Reported

2025-07-04 18:07

Platform

win10v2004-20250610-en

Max time kernel

103s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1132 wrote to memory of 928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 928 -ip 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 600

Network

Country Destination Domain Proto
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

N/A