Malware Analysis Report

2025-04-03 10:12

Sample ID 250212-b8ywzawphl
Target JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c
SHA256 37d94e9e2532ecd0d7eee0e485a26d75b1f4b91c1e84ab574dbf28dbd504a5df
Tags
blackshades collection defense_evasion discovery persistence rat spyware stealer upx adware privilege_escalation
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

37d94e9e2532ecd0d7eee0e485a26d75b1f4b91c1e84ab574dbf28dbd504a5df

Threat Level: Known bad

The file JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c was found to be: Known bad.

Malicious Activity Summary

Modifies firewall policy service

Blackshades payload

Blackshades

Blackshades family

NirSoft MailPassView

Detected Nirsoft tools

Adds policy Run key to start application

Boot or Logon Autostart Execution: Active Setup

Downloads MZ/PE file

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Event Triggered Execution: Component Object Model Hijacking

Loads dropped DLL

Checks installed software on the system

Accesses Microsoft Outlook accounts

Installs/modifies Browser Helper Object

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

UPX packed file

Drops file in Program Files directory

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Modifies registry class

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Modifies registry key

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-12 01:49

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-12 01:49

Reported

2025-02-12 01:52

Platform

win7-20240903-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\Javattack.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Javattack.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Java.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A

Detected Nirsoft tools

NirSoft MailPassView

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows_x32 = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe" C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE7EF5BD-BBED-D7BE-CCFF-CD36A4ADC6A8}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe" C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{CE7EF5BD-BBED-D7BE-CCFF-CD36A4ADC6A8} C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Active Setup\Installed Components\{CE7EF5BD-BBED-D7BE-CCFF-CD36A4ADC6A8}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe" C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE7EF5BD-BBED-D7BE-CCFF-CD36A4ADC6A8} C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows_x32 = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe" C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows_x32 = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe" C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2324 set thread context of 2768 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2548 set thread context of 2736 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 2768 set thread context of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2768 set thread context of 1788 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2736 set thread context of 2568 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 2768 set thread context of 1728 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1952 set thread context of 1692 N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe C:\Users\Admin\AppData\Local\Temp\Javattack.exe
PID 2768 set thread context of 1136 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2768 set thread context of 1388 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2768 set thread context of 2172 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2768 set thread context of 2196 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2768 set thread context of 956 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe

UPX packed file

upx

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Reverse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Reverse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Reverse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2120 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe
PID 2120 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe
PID 2120 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe
PID 2120 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe
PID 2120 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 2120 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 2120 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 2120 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 2120 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2120 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2120 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2120 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2324 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2324 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2324 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2324 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2324 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2324 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2324 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2324 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2548 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 2548 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 2548 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 2548 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 2548 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 2548 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 2548 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 2548 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 2548 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 2768 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2768 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2768 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2768 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2768 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2768 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2768 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2768 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2768 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2768 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2768 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2768 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2768 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2768 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2768 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2768 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2768 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2768 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2736 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 2736 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 2736 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 2736 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 2736 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 2736 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 2736 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 2736 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 2120 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe C:\Users\Admin\AppData\Local\Temp\Javattack.exe
PID 2120 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe C:\Users\Admin\AppData\Local\Temp\Javattack.exe
PID 2120 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe C:\Users\Admin\AppData\Local\Temp\Javattack.exe
PID 2120 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe C:\Users\Admin\AppData\Local\Temp\Javattack.exe
PID 2120 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe C:\Users\Admin\AppData\Local\Temp\Javattack.exe
PID 2120 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe C:\Users\Admin\AppData\Local\Temp\Javattack.exe
PID 2120 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe C:\Users\Admin\AppData\Local\Temp\Javattack.exe
PID 2768 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 2768 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe"

C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe

"C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe"

C:\Users\Admin\AppData\Local\Temp\Reverse.exe

"C:\Users\Admin\AppData\Local\Temp\Reverse.exe"

C:\Users\Admin\AppData\Local\Temp\Istealer.exe

"C:\Users\Admin\AppData\Local\Temp\Istealer.exe"

C:\Users\Admin\AppData\Local\Temp\Istealer.exe

"C:\Users\Admin\AppData\Local\Temp\Istealer.exe"

C:\Users\Admin\AppData\Local\Temp\Reverse.exe

"C:\Users\Admin\AppData\Local\Temp\Reverse.exe"

C:\Users\Admin\AppData\Local\Temp\Istealer.exe

/stext "C:\Users\Admin\AppData\Local\Temp\offc.dat"

C:\Users\Admin\AppData\Local\Temp\Istealer.exe

/stext "C:\Users\Admin\AppData\Local\Temp\mess.dat"

C:\Users\Admin\AppData\Local\Temp\Javattack.exe

"C:\Users\Admin\AppData\Local\Temp\Javattack.exe"

C:\Users\Admin\AppData\Local\Temp\Reverse.exe

"C:\Users\Admin\AppData\Local\Temp\Reverse.exe"

C:\Users\Admin\AppData\Local\Temp\Istealer.exe

/stext "C:\Users\Admin\AppData\Local\Temp\mail.dat"

C:\Users\Admin\AppData\Local\Temp\Javattack.exe

"C:\Users\Admin\AppData\Local\Temp\Javattack.exe"

C:\Users\Admin\AppData\Local\Temp\Istealer.exe

/stext "C:\Users\Admin\AppData\Local\Temp\dial.dat"

C:\Users\Admin\AppData\Local\Temp\Istealer.exe

/stext "C:\Users\Admin\AppData\Local\Temp\chro.dat"

C:\Users\Admin\AppData\Local\Temp\Istealer.exe

/stext "C:\Users\Admin\AppData\Local\Temp\iexp.dat"

C:\Users\Admin\AppData\Local\Temp\Istealer.exe

/stext "C:\Users\Admin\AppData\Local\Temp\ptsg.dat"

C:\Users\Admin\AppData\Local\Temp\Istealer.exe

/stext "C:\Users\Admin\AppData\Local\Temp\ffox.dat"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Javattack.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Javattack.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Java.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Java.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Java.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Java.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Javattack.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Javattack.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 revprox.org udp
US 8.8.8.8:53 blackshades.ru udp
US 8.8.8.8:53 x5ms1.no-ip.biz udp
US 8.8.8.8:53 1x5ms1.no-ip.biz udp
US 8.8.8.8:53 2x5ms1.no-ip.biz udp
US 8.8.8.8:53 3x5ms1.no-ip.biz udp
PS 94.73.22.65:7000 3x5ms1.no-ip.biz tcp
US 8.8.8.8:53 4x5ms1.no-ip.biz udp
US 8.8.8.8:53 5x5ms1.no-ip.biz udp
US 8.8.8.8:53 6x5ms1.no-ip.biz udp
US 8.8.8.8:53 7x5ms1.no-ip.biz udp
US 8.8.8.8:53 8x5ms1.no-ip.biz udp

Files

\Users\Admin\AppData\Local\Temp\FileUploader5.exe

MD5 6818dca401a75f2475716c5842089b94
SHA1 60ab37155ffdf1c4dff1103476532675ebef235d
SHA256 537f258e0d4762f33e888bd489e56b2aa66a2c7aea4090fcfa72277a4733f969
SHA512 237b561d03b4dca4316d7b78b61110befd3ba54e708babd45d23952d543ee86549093428c362786bab803f2026c502fdbaeff9f7e05ab1df1f5322b35f3f5c22

C:\Users\Admin\AppData\Local\Temp\Reverse.exe

MD5 2dd67b885c8801da5de5c9d7dd8afab2
SHA1 83547308e73bdb6b8150d8d674e958ad162cbba5
SHA256 52628d5ba76a083d8b66b5be912e674a57622bbfe86d14c312b345c64f979bd6
SHA512 b9b1352c742bc5569c3e2d067ac5af903d81f43e7e89c90f433fe774af4902a808b2ecb8f61081965369336bc96af4040c345be5943b8e14a29a149729fe1cb1

C:\Users\Admin\AppData\Local\Temp\Istealer.exe

MD5 ae928ca2d319e978ff622bf182661ec3
SHA1 c44b7357ccb976888f8c0eee35801df937244fe0
SHA256 ff14f40b3a425321e79620927c39bbbde0d82f0ac62baa50e6b18ba031f3b5fa
SHA512 9ac057ed7fbb298b43abde42d943c186888f7fd3b52ef16ea0821a118ab27ce466bf1ed26ea1329f5f5c102e3f2f4e75763eb1452bcd4666ec09a815892d8dc0

C:\Users\Admin\AppData\Local\Temp\Javattack.exe

MD5 d40a6992c48e8e3ccea50da48ca57282
SHA1 7c4a5c7342ab634793eb1cc8bf045c9735db8441
SHA256 7e1ca96f56f411cdd0eb78fdf06990d57f7b6fdbadb466a32e9dbe6329ebd5d8
SHA512 5a71eb4ce0036305688b5377bc0f83190754e571a1ff4e3f0711c942600cc6fc2ff40ccc6b535d7b9eb6b72f902e062abae7b40804f3d3c0345498ab2b95ec62

C:\Users\Admin\AppData\Local\Temp\offc.dat

MD5 1354a2cdd6b0508f78437a4f587f8dae
SHA1 c4d02f0c66744a7dae20cc16d41fc93a58754130
SHA256 65f3c4e116da92a0a89e8a6ad9f39592d77d221500ecf15f1ffc3196d373dc9e
SHA512 17b36aac854f2b3abfcc785585684ba1f081ac4b898d5394433889e1ef4d36ab2c6185260933d1515a1f2389a550705785c961c2953e2bcf90f2a75410da20cd

C:\Users\Admin\AppData\Local\Temp\chro.dat

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Analysis: behavioral2

Detonation Overview

Submitted 2025-02-12 01:49

Reported 2025-02-12 01:52

Platform win10v2004-20250211-en

Max time kernel 150s

Max time network 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Java.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\Javattack.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Javattack.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A

Detected Nirsoft tools

NirSoft MailPassView

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows_x32 = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe" C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE7EF5BD-BBED-D7BE-CCFF-CD36A4ADC6A8} C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE7EF5BD-BBED-D7BE-CCFF-CD36A4ADC6A8}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe" C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{CE7EF5BD-BBED-D7BE-CCFF-CD36A4ADC6A8} C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{CE7EF5BD-BBED-D7BE-CCFF-CD36A4ADC6A8}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe" C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows_x32 = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe" C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows_x32 = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe" C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4588 set thread context of 1376 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 set thread context of 4604 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 3740 set thread context of 3084 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 3084 set thread context of 2364 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 1376 set thread context of 1196 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 set thread context of 1048 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 set thread context of 60 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 set thread context of 3384 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 set thread context of 3244 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 3800 set thread context of 2524 N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe C:\Users\Admin\AppData\Local\Temp\Javattack.exe
PID 1376 set thread context of 1568 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 set thread context of 2192 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe

UPX packed file

upx
Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\en-GB.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\identity_proxy\win11\identity_helper.Sparse.Canary.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\settings.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\metadata C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\924aa6cf-8fcd-4164-b565-1b4356a2e310.tmp C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\dual_engine_adapter_x64.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\ffmpeg.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Sigma\Fingerprinting C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\am.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\hu.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\nn.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\canary.identity_helper.exe.manifest C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\win11\identity_helper.Sparse.Canary.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedge_200_percent.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\onramp.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Mu\Advertising C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\BHO\ie_to_edge_bho.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Trust Protection Lists\Sigma\LICENSE C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\te.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\identity_proxy\win10\identity_helper.Sparse.Dev.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Installer\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\beta.identity_helper.exe.manifest C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\win11\identity_helper.Sparse.Beta.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\or.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\sk.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\as.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\cy.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\de.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\pl.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\identity_proxy\win10\identity_helper.Sparse.Canary.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\2674b568-aec1-4ddd-bdab-d841baf9b728.tmp C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\4844_13383798708901167_4844.pma C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\132.0.2957.140.manifest C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\sr-Cyrl-BA.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\gu.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\zh-CN.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\edge_game_assist\VERSION C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\sr-Latn-RS.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\d3dcompiler_47.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\vccorlib140.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\VisualElements\Logo.png C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\icudtl.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\VisualElements\LogoDev.png C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\th.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\identity_proxy\win11\identity_helper.Sparse.Dev.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\VisualElements\SmallLogoDev.png C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\tt.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ur.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\as.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\lv.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\qu.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ro.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\delegatedWebFeatures.sccd C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Edge.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedge.dll.sig C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\ms.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\zh-TW.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\EdgeWebView.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\msedge_200_percent.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Trust Protection Lists\Sigma\Advertising C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\BHO\ie_to_edge_bho_64.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\resources.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedgewebview2.exe.sig C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Reverse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Reverse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Reverse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CLSID\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.xht\OpenWithProgids C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\win64 C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\shell\runas\ProgrammaticAccessOnly C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\DisplayName = "PDF Preview Handler" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\PdfPreview\\PdfPreviewHandler.dll" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.shtml\OpenWithProgids\MSEdgeHTM C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.webp C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.webp\OpenWithProgids C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\ = "IEToEdgeBHO Class" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\AppID = "{6d2b5079-2f0b-48dd-ab7f-97cec514d30b}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\notification_click_helper.exe\"" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/pdf C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.pdf\OpenWithProgids C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32 C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationName = "Microsoft Edge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationName = "Microsoft Edge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{31575964-95F7-414B-85E4-0E9A93699E13} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\BHO\\ie_to_edge_bho_64.dll" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\DefaultIcon C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\runas\command C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\DefaultIcon C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\AppID = "{6d2b5079-2f0b-48dd-ab7f-97cec514d30b}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open\command C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.shtml\OpenWithProgids C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\notification_helper.exe\"" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\win32 C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\BHO\\ie_to_edge_bho.dll" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\ = "ie_to_edge_bho.IEToEdgeBHO.1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.html\OpenWithProgIds\MSEdgeHTM C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1FCBE96C-1697-43AF-9140-2897C7C69767}\LocalService = "MicrosoftEdgeElevationService" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32 C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\URL Protocol C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\runas C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationIcon = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\msedge.exe,0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.pdf C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0 C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\win64\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\elevation_service.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationDescription = "Browse the web" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ie_to_edge_bho.dll\AppID = "{31575964-95F7-414B-85E4-0E9A93699E13}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\EnablePreviewHandler = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationIcon = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\msedge.exe,0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\open C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\Version = "1.0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\image/svg+xml\Extension = ".svg" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\runas\ProgrammaticAccessOnly C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\AppId = "{628ACE20-B77A-456F-A88D-547DB6CEEDD5}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe N/A
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Javattack.exe N/A
Token: 33 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3980 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe
PID 3980 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe
PID 3980 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe
PID 3980 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 3980 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 3980 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 3980 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 3980 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 3980 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 4588 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 4588 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 4588 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 4588 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 4588 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 4588 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 4588 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 4588 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 3980 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe C:\Users\Admin\AppData\Local\Temp\Javattack.exe
PID 3980 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe C:\Users\Admin\AppData\Local\Temp\Javattack.exe
PID 3980 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe C:\Users\Admin\AppData\Local\Temp\Javattack.exe
PID 1376 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 3740 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 3740 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 3740 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 3740 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 3740 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 3740 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 3740 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 3740 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 3084 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 3084 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 3084 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 3084 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 3084 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 3084 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 3084 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 3084 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\Reverse.exe C:\Users\Admin\AppData\Local\Temp\Reverse.exe
PID 1376 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe
PID 1376 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\Istealer.exe C:\Users\Admin\AppData\Local\Temp\Istealer.exe

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe"

C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe

"C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe"

C:\Users\Admin\AppData\Local\Temp\Reverse.exe

"C:\Users\Admin\AppData\Local\Temp\Reverse.exe"

C:\Users\Admin\AppData\Local\Temp\Istealer.exe

"C:\Users\Admin\AppData\Local\Temp\Istealer.exe"

C:\Users\Admin\AppData\Local\Temp\Istealer.exe

"C:\Users\Admin\AppData\Local\Temp\Istealer.exe"

C:\Users\Admin\AppData\Local\Temp\Javattack.exe

"C:\Users\Admin\AppData\Local\Temp\Javattack.exe"

C:\Users\Admin\AppData\Local\Temp\Istealer.exe

/stext "C:\Users\Admin\AppData\Local\Temp\offc.dat"

C:\Users\Admin\AppData\Local\Temp\Reverse.exe

"C:\Users\Admin\AppData\Local\Temp\Reverse.exe"

C:\Users\Admin\AppData\Local\Temp\Reverse.exe

"C:\Users\Admin\AppData\Local\Temp\Reverse.exe"

C:\Users\Admin\AppData\Local\Temp\Istealer.exe

/stext "C:\Users\Admin\AppData\Local\Temp\mess.dat"

C:\Users\Admin\AppData\Local\Temp\Istealer.exe

/stext "C:\Users\Admin\AppData\Local\Temp\mail.dat"

C:\Users\Admin\AppData\Local\Temp\Istealer.exe

/stext "C:\Users\Admin\AppData\Local\Temp\dial.dat"

C:\Users\Admin\AppData\Local\Temp\Istealer.exe

/stext "C:\Users\Admin\AppData\Local\Temp\chro.dat"

C:\Users\Admin\AppData\Local\Temp\Istealer.exe

/stext "C:\Users\Admin\AppData\Local\Temp\iexp.dat"

C:\Users\Admin\AppData\Local\Temp\Javattack.exe

"C:\Users\Admin\AppData\Local\Temp\Javattack.exe"

C:\Users\Admin\AppData\Local\Temp\Istealer.exe

/stext "C:\Users\Admin\AppData\Local\Temp\ptsg.dat"

C:\Users\Admin\AppData\Local\Temp\Istealer.exe

/stext "C:\Users\Admin\AppData\Local\Temp\ffox.dat"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Javattack.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Javattack.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Java.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Java.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Javattack.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Javattack.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Java.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Java.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\MicrosoftEdge_X64_132.0.2957.140.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff639f5a818,0x7ff639f5a824,0x7ff639f5a830

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff639f5a818,0x7ff639f5a824,0x7ff639f5a830

C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level

C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level

C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level

C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff79f9ca818,0x7ff79f9ca824,0x7ff79f9ca830

C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff79f9ca818,0x7ff79f9ca824,0x7ff79f9ca830

C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff79f9ca818,0x7ff79f9ca824,0x7ff79f9ca830

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe

C:\Users\Admin\AppData\Local\Temp\Reverse.exe

C:\Users\Admin\AppData\Local\Temp\Istealer.exe

C:\Users\Admin\AppData\Local\Temp\Javattack.exe

C:\Users\Admin\AppData\Local\Temp\offc.dat

C:\Users\Admin\AppData\Local\Temp\dial.dat

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe

C:\Program Files\msedge_installer.log

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
