Analysis Overview
SHA256
37d94e9e2532ecd0d7eee0e485a26d75b1f4b91c1e84ab574dbf28dbd504a5df
Threat Level: Known bad
The file JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c was found to be: Known bad.
Malicious Activity Summary
Modifies firewall policy service
Blackshades payload
Blackshades
Blackshades family
NirSoft MailPassView
Detected Nirsoft tools
Adds policy Run key to start application
Boot or Logon Autostart Execution: Active Setup
Downloads MZ/PE file
Reads user/profile data of web browsers
Executes dropped EXE
Checks computer location settings
Event Triggered Execution: Component Object Model Hijacking
Loads dropped DLL
Checks installed software on the system
Accesses Microsoft Outlook accounts
Installs/modifies Browser Helper Object
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in System32 directory
UPX packed file
Drops file in Program Files directory
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
System Location Discovery: System Language Discovery
Unsigned PE
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Modifies registry class
System policy modification
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Modifies data under HKEY_USERS
Modifies registry key
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-02-12 01:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-12 01:49
Reported
2025-02-12 01:52
Platform
win7-20240903-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\Javattack.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Javattack.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Java.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Users\Admin\AppData\Local\Temp\Javattack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows_x32 = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe" | C:\Users\Admin\AppData\Local\Temp\Javattack.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE7EF5BD-BBED-D7BE-CCFF-CD36A4ADC6A8}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe" | C:\Users\Admin\AppData\Local\Temp\Javattack.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{CE7EF5BD-BBED-D7BE-CCFF-CD36A4ADC6A8} | C:\Users\Admin\AppData\Local\Temp\Javattack.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Active Setup\Installed Components\{CE7EF5BD-BBED-D7BE-CCFF-CD36A4ADC6A8}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe" | C:\Users\Admin\AppData\Local\Temp\Javattack.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE7EF5BD-BBED-D7BE-CCFF-CD36A4ADC6A8} | C:\Users\Admin\AppData\Local\Temp\Javattack.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Reverse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Reverse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Reverse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Javattack.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Javattack.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows_x32 = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe" | C:\Users\Admin\AppData\Local\Temp\Javattack.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows_x32 = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe" | C:\Users\Admin\AppData\Local\Temp\Javattack.exe | N/A |
Checks installed software on the system
Suspicious use of SetThreadContext
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Reverse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Javattack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Reverse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Javattack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Reverse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Reverse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Reverse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Javattack.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Javattack.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Javattack.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Javattack.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe"
C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe
"C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe"
C:\Users\Admin\AppData\Local\Temp\Reverse.exe
"C:\Users\Admin\AppData\Local\Temp\Reverse.exe"
C:\Users\Admin\AppData\Local\Temp\Istealer.exe
"C:\Users\Admin\AppData\Local\Temp\Istealer.exe"
C:\Users\Admin\AppData\Local\Temp\Istealer.exe
"C:\Users\Admin\AppData\Local\Temp\Istealer.exe"
C:\Users\Admin\AppData\Local\Temp\Reverse.exe
"C:\Users\Admin\AppData\Local\Temp\Reverse.exe"
C:\Users\Admin\AppData\Local\Temp\Istealer.exe
/stext "C:\Users\Admin\AppData\Local\Temp\offc.dat"
C:\Users\Admin\AppData\Local\Temp\Istealer.exe
/stext "C:\Users\Admin\AppData\Local\Temp\mess.dat"
C:\Users\Admin\AppData\Local\Temp\Javattack.exe
"C:\Users\Admin\AppData\Local\Temp\Javattack.exe"
C:\Users\Admin\AppData\Local\Temp\Reverse.exe
"C:\Users\Admin\AppData\Local\Temp\Reverse.exe"
C:\Users\Admin\AppData\Local\Temp\Istealer.exe
/stext "C:\Users\Admin\AppData\Local\Temp\mail.dat"
C:\Users\Admin\AppData\Local\Temp\Javattack.exe
"C:\Users\Admin\AppData\Local\Temp\Javattack.exe"
C:\Users\Admin\AppData\Local\Temp\Istealer.exe
/stext "C:\Users\Admin\AppData\Local\Temp\dial.dat"
C:\Users\Admin\AppData\Local\Temp\Istealer.exe
/stext "C:\Users\Admin\AppData\Local\Temp\chro.dat"
C:\Users\Admin\AppData\Local\Temp\Istealer.exe
/stext "C:\Users\Admin\AppData\Local\Temp\iexp.dat"
C:\Users\Admin\AppData\Local\Temp\Istealer.exe
/stext "C:\Users\Admin\AppData\Local\Temp\ptsg.dat"
C:\Users\Admin\AppData\Local\Temp\Istealer.exe
/stext "C:\Users\Admin\AppData\Local\Temp\ffox.dat"
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Javattack.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Javattack.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Java.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Java.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Java.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Java.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Javattack.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Javattack.exe:*:Enabled:Windows Messanger" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | revprox.org | udp |
| US | 8.8.8.8:53 | blackshades.ru | udp |
| US | 8.8.8.8:53 | x5ms1.no-ip.biz | udp |
| US | 8.8.8.8:53 | 1x5ms1.no-ip.biz | udp |
| US | 8.8.8.8:53 | 2x5ms1.no-ip.biz | udp |
| US | 8.8.8.8:53 | 3x5ms1.no-ip.biz | udp |
| PS | 94.73.22.65:7000 | 3x5ms1.no-ip.biz | tcp |
| US | 8.8.8.8:53 | 4x5ms1.no-ip.biz | udp |
| US | 8.8.8.8:53 | 5x5ms1.no-ip.biz | udp |
| US | 8.8.8.8:53 | 6x5ms1.no-ip.biz | udp |
| US | 8.8.8.8:53 | 7x5ms1.no-ip.biz | udp |
| US | 8.8.8.8:53 | 8x5ms1.no-ip.biz | udp |
Files
memory/2120-0-0x00000000748D1000-0x00000000748D2000-memory.dmp
memory/2120-1-0x00000000748D0000-0x0000000074E7B000-memory.dmp
memory/2120-3-0x00000000748D0000-0x0000000074E7B000-memory.dmp
\Users\Admin\AppData\Local\Temp\FileUploader5.exe
| MD5 | 6818dca401a75f2475716c5842089b94 |
| SHA1 | 60ab37155ffdf1c4dff1103476532675ebef235d |
| SHA256 | 537f258e0d4762f33e888bd489e56b2aa66a2c7aea4090fcfa72277a4733f969 |
| SHA512 | 237b561d03b4dca4316d7b78b61110befd3ba54e708babd45d23952d543ee86549093428c362786bab803f2026c502fdbaeff9f7e05ab1df1f5322b35f3f5c22 |
memory/2120-9-0x0000000005AF0000-0x000000000601A000-memory.dmp
memory/1932-11-0x0000000000400000-0x000000000092A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Reverse.exe
| MD5 | 2dd67b885c8801da5de5c9d7dd8afab2 |
| SHA1 | 83547308e73bdb6b8150d8d674e958ad162cbba5 |
| SHA256 | 52628d5ba76a083d8b66b5be912e674a57622bbfe86d14c312b345c64f979bd6 |
| SHA512 | b9b1352c742bc5569c3e2d067ac5af903d81f43e7e89c90f433fe774af4902a808b2ecb8f61081965369336bc96af4040c345be5943b8e14a29a149729fe1cb1 |
C:\Users\Admin\AppData\Local\Temp\Istealer.exe
| MD5 | ae928ca2d319e978ff622bf182661ec3 |
| SHA1 | c44b7357ccb976888f8c0eee35801df937244fe0 |
| SHA256 | ff14f40b3a425321e79620927c39bbbde0d82f0ac62baa50e6b18ba031f3b5fa |
| SHA512 | 9ac057ed7fbb298b43abde42d943c186888f7fd3b52ef16ea0821a118ab27ce466bf1ed26ea1329f5f5c102e3f2f4e75763eb1452bcd4666ec09a815892d8dc0 |
memory/2768-46-0x0000000000400000-0x00000000005E7000-memory.dmp
memory/2768-43-0x0000000000400000-0x00000000005E7000-memory.dmp
memory/2768-41-0x0000000000400000-0x00000000005E7000-memory.dmp
memory/2768-40-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2768-38-0x0000000000400000-0x00000000005E7000-memory.dmp
memory/2768-36-0x0000000000400000-0x00000000005E7000-memory.dmp
memory/2768-34-0x0000000000400000-0x00000000005E7000-memory.dmp
memory/2616-83-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2120-117-0x00000000748D0000-0x0000000074E7B000-memory.dmp
memory/1788-116-0x0000000000400000-0x0000000000425000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Javattack.exe
| MD5 | d40a6992c48e8e3ccea50da48ca57282 |
| SHA1 | 7c4a5c7342ab634793eb1cc8bf045c9735db8441 |
| SHA256 | 7e1ca96f56f411cdd0eb78fdf06990d57f7b6fdbadb466a32e9dbe6329ebd5d8 |
| SHA512 | 5a71eb4ce0036305688b5377bc0f83190754e571a1ff4e3f0711c942600cc6fc2ff40ccc6b535d7b9eb6b72f902e062abae7b40804f3d3c0345498ab2b95ec62 |
memory/1692-156-0x0000000000400000-0x0000000000590000-memory.dmp
memory/1952-155-0x0000000000090000-0x0000000000190000-memory.dmp
memory/1728-153-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1692-151-0x0000000000400000-0x0000000000590000-memory.dmp
memory/1952-148-0x0000000000090000-0x0000000000190000-memory.dmp
memory/1952-147-0x0000000000090000-0x0000000000190000-memory.dmp
memory/1952-146-0x0000000000090000-0x0000000000190000-memory.dmp
memory/1952-145-0x0000000000090000-0x0000000000190000-memory.dmp
memory/1692-143-0x0000000000400000-0x0000000000590000-memory.dmp
memory/1952-142-0x0000000000090000-0x0000000000190000-memory.dmp
memory/1952-141-0x0000000000090000-0x0000000000190000-memory.dmp
memory/1952-140-0x0000000000090000-0x0000000000190000-memory.dmp
memory/1952-139-0x0000000000090000-0x0000000000190000-memory.dmp
memory/1952-136-0x0000000000090000-0x0000000000190000-memory.dmp
memory/1952-135-0x0000000000090000-0x0000000000190000-memory.dmp
memory/1728-129-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1728-128-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1728-126-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2736-108-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2736-107-0x0000000000400000-0x0000000000590000-memory.dmp
memory/2568-106-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2568-103-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2568-101-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2568-99-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1788-98-0x0000000000400000-0x0000000000425000-memory.dmp
memory/1788-96-0x0000000000400000-0x0000000000425000-memory.dmp
memory/1788-95-0x0000000000400000-0x0000000000425000-memory.dmp
memory/1788-93-0x0000000000400000-0x0000000000425000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\offc.dat
| MD5 | 1354a2cdd6b0508f78437a4f587f8dae |
| SHA1 | c4d02f0c66744a7dae20cc16d41fc93a58754130 |
| SHA256 | 65f3c4e116da92a0a89e8a6ad9f39592d77d221500ecf15f1ffc3196d373dc9e |
| SHA512 | 17b36aac854f2b3abfcc785585684ba1f081ac4b898d5394433889e1ef4d36ab2c6185260933d1515a1f2389a550705785c961c2953e2bcf90f2a75410da20cd |
memory/2616-88-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2616-84-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2736-71-0x0000000000400000-0x0000000000590000-memory.dmp
memory/2736-66-0x0000000000400000-0x0000000000590000-memory.dmp
memory/2736-61-0x0000000000400000-0x0000000000590000-memory.dmp
memory/2736-55-0x0000000000400000-0x0000000000590000-memory.dmp
memory/2616-82-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2616-80-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1728-172-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1136-176-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1136-182-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1388-192-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\chro.dat
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/2172-199-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1932-198-0x0000000000400000-0x000000000092A000-memory.dmp
memory/2172-204-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2768-201-0x0000000000400000-0x00000000005E7000-memory.dmp
memory/956-214-0x0000000000400000-0x0000000000419000-memory.dmp
memory/956-220-0x0000000000400000-0x0000000000419000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-12 01:49
Reported
2025-02-12 01:52
Platform
win10v2004-20250211-en
Max time kernel
150s
Max time network
145s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Java.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\Javattack.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Javattack.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows_x32 = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe" | C:\Users\Admin\AppData\Local\Temp\Javattack.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Users\Admin\AppData\Local\Temp\Javattack.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE7EF5BD-BBED-D7BE-CCFF-CD36A4ADC6A8} | C:\Users\Admin\AppData\Local\Temp\Javattack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE7EF5BD-BBED-D7BE-CCFF-CD36A4ADC6A8}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe" | C:\Users\Admin\AppData\Local\Temp\Javattack.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{CE7EF5BD-BBED-D7BE-CCFF-CD36A4ADC6A8} | C:\Users\Admin\AppData\Local\Temp\Javattack.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{CE7EF5BD-BBED-D7BE-CCFF-CD36A4ADC6A8}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe" | C:\Users\Admin\AppData\Local\Temp\Javattack.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows_x32 = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe" | C:\Users\Admin\AppData\Local\Temp\Javattack.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows_x32 = "C:\\Users\\Admin\\AppData\\Roaming\\Java.exe" | C:\Users\Admin\AppData\Local\Temp\Javattack.exe | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
Suspicious use of SetThreadContext
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\en-GB.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\identity_proxy\win11\identity_helper.Sparse.Canary.msix | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files\MsEdgeCrashpad\settings.dat | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files\MsEdgeCrashpad\metadata | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\924aa6cf-8fcd-4164-b565-1b4356a2e310.tmp | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\dual_engine_adapter_x64.dll | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\ffmpeg.dll | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Sigma\Fingerprinting | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\am.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\hu.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\nn.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\canary.identity_helper.exe.manifest | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\win11\identity_helper.Sparse.Canary.msix | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedge_200_percent.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\onramp.dll | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Mu\Advertising | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\BHO\ie_to_edge_bho.dll | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Trust Protection Lists\Sigma\LICENSE | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\te.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\identity_proxy\win10\identity_helper.Sparse.Dev.msix | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Installer\setup.exe | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\beta.identity_helper.exe.manifest | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\win11\identity_helper.Sparse.Beta.msix | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\or.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\sk.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\as.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\cy.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\de.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\pl.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\identity_proxy\win10\identity_helper.Sparse.Canary.msix | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\2674b568-aec1-4ddd-bdab-d841baf9b728.tmp | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\4844_13383798708901167_4844.pma | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\132.0.2957.140.manifest | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\sr-Cyrl-BA.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\gu.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\zh-CN.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\edge_game_assist\VERSION | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\sr-Latn-RS.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\d3dcompiler_47.dll | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\vccorlib140.dll | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\VisualElements\Logo.png | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\icudtl.dat | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\VisualElements\LogoDev.png | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\th.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\identity_proxy\win11\identity_helper.Sparse.Dev.msix | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\VisualElements\SmallLogoDev.png | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\tt.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ur.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\as.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\lv.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\qu.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ro.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\delegatedWebFeatures.sccd | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Edge.dat | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedge.dll.sig | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\ms.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\zh-TW.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\EdgeWebView.dat | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\msedge_200_percent.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Trust Protection Lists\Sigma\Advertising | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\BHO\ie_to_edge_bho_64.dll | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\resources.pak | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedgewebview2.exe.sig | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Javattack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Reverse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Reverse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Javattack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Reverse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
Modifies registry class
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Reverse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Istealer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Javattack.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Reverse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Javattack.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Javattack.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Javattack.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec150d3ba88b06bf7ad74d250987e26c.exe"
C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe
"C:\Users\Admin\AppData\Local\Temp\FileUploader5.exe"
C:\Users\Admin\AppData\Local\Temp\Reverse.exe
"C:\Users\Admin\AppData\Local\Temp\Reverse.exe"
C:\Users\Admin\AppData\Local\Temp\Istealer.exe
"C:\Users\Admin\AppData\Local\Temp\Istealer.exe"
C:\Users\Admin\AppData\Local\Temp\Istealer.exe
"C:\Users\Admin\AppData\Local\Temp\Istealer.exe"
C:\Users\Admin\AppData\Local\Temp\Javattack.exe
"C:\Users\Admin\AppData\Local\Temp\Javattack.exe"
C:\Users\Admin\AppData\Local\Temp\Istealer.exe
/stext "C:\Users\Admin\AppData\Local\Temp\offc.dat"
C:\Users\Admin\AppData\Local\Temp\Reverse.exe
"C:\Users\Admin\AppData\Local\Temp\Reverse.exe"
C:\Users\Admin\AppData\Local\Temp\Reverse.exe
"C:\Users\Admin\AppData\Local\Temp\Reverse.exe"
C:\Users\Admin\AppData\Local\Temp\Istealer.exe
/stext "C:\Users\Admin\AppData\Local\Temp\mess.dat"
C:\Users\Admin\AppData\Local\Temp\Istealer.exe
/stext "C:\Users\Admin\AppData\Local\Temp\mail.dat"
C:\Users\Admin\AppData\Local\Temp\Istealer.exe
/stext "C:\Users\Admin\AppData\Local\Temp\dial.dat"
C:\Users\Admin\AppData\Local\Temp\Istealer.exe
/stext "C:\Users\Admin\AppData\Local\Temp\chro.dat"
C:\Users\Admin\AppData\Local\Temp\Istealer.exe
/stext "C:\Users\Admin\AppData\Local\Temp\iexp.dat"
C:\Users\Admin\AppData\Local\Temp\Javattack.exe
"C:\Users\Admin\AppData\Local\Temp\Javattack.exe"
C:\Users\Admin\AppData\Local\Temp\Istealer.exe
/stext "C:\Users\Admin\AppData\Local\Temp\ptsg.dat"
C:\Users\Admin\AppData\Local\Temp\Istealer.exe
/stext "C:\Users\Admin\AppData\Local\Temp\ffox.dat"
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Javattack.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Javattack.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Java.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Java.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Javattack.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Javattack.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Java.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Java.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NEU3M0RFMTctNTdEOS00QThCLTgwM0ItNkU0OUQxMkY3NDQ4fSIgdXNlcmlkPSJ7NjBBNzNBRTUtNUQyNi00QTYwLUFGQUItQ0MyQ0MwNDkxN0UxfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NzVBQjVBNDEtNEIwMS00NTcxLTg2RDMtOUE4MzFENEU1QTMyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIwIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTI4OTgyNjc5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\MicrosoftEdge_X64_132.0.2957.140.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff639f5a818,0x7ff639f5a824,0x7ff639f5a830
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9D7B6DC3-B690-454B-A08B-3438B5FE4EB9}\EDGEMITMP_66A72.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff639f5a818,0x7ff639f5a824,0x7ff639f5a830
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff79f9ca818,0x7ff79f9ca824,0x7ff79f9ca830
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff79f9ca818,0x7ff79f9ca824,0x7ff79f9ca830
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff79f9ca818,0x7ff79f9ca824,0x7ff79f9ca830
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
Network
Files