Malware Analysis Report

2025-08-11 01:16

Sample ID 241021-kmncsayfmp
Target 662d2b626bdb7e5685a7e45781382580_JaffaCakes118
SHA256 3690f778383bf6668e90a3def4fe87a8878ab07b6ff1739d91064fa254424707
Tags
discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

3690f778383bf6668e90a3def4fe87a8878ab07b6ff1739d91064fa254424707

Threat Level: Shows suspicious behavior

The file 662d2b626bdb7e5685a7e45781382580_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Drops Chrome extension

Browser Information Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Modifies Internet Explorer start page

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-21 08:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-21 08:43

Reported

2024-10-21 08:45

Platform

win7-20240903-en

Max time kernel

150s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\662d2b626bdb7e5685a7e45781382580_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp11EC.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\crp11EC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\662d2b626bdb7e5685a7e45781382580_JaffaCakes118.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435662070" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value omitted] C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://search.b1.org/?bsrc=hmior&chid=c162341" C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000c85cccddeade010711651b85739a7347f57c88c4cdc21ed8959815f9f42ebbaf000000000e8000000002000020000000228550e9c02f3bd56c708afb759692c5907a8d3b3b9d91edad24a987b9a38d75200000002281ef82ec685566e88b476ae943c76bf43015ed444eaf91ef534a67c4873f60400000008cb976466805e79df0793be3963e6c0a57570da0a0038592c3dff7de116d604076e107ea1dc99637eaf6e0f1daecbbd4c873e923909965ffe82080d307859088 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Start Page Before = "http://go.microsoft.com/fwlink/?LinkId=69157" C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{87DEB351-8F88-11EF-A1E2-7E918DD97D05} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Search Page Before = "http://go.microsoft.com/fwlink/?LinkId=54896" C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3017945c9523db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://search.b1.org/?bsrc=hmior&chid=c162341" C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\crp11EC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp11EC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\662d2b626bdb7e5685a7e45781382580_JaffaCakes118.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp11EC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2068 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\662d2b626bdb7e5685a7e45781382580_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\crp11EC.exe
PID 2068 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\662d2b626bdb7e5685a7e45781382580_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
PID 2068 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\662d2b626bdb7e5685a7e45781382580_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2932 wrote to memory of 1600 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\662d2b626bdb7e5685a7e45781382580_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\662d2b626bdb7e5685a7e45781382580_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\crp11EC.exe

/S /notray

C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe

-home -home2 -hie -hff -hgc -spff -et -channel 162341

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.4shared.com/mp3/gjRF4A-N/jose_augusto_-_sentimento.html?ref=downloadhelpererror

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2932 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 download.pcfaster.baidu.com udp
US 8.8.8.8:53 dc369.4shared.com udp
US 74.117.178.90:80 dc369.4shared.com tcp
US 8.8.8.8:53 search.b1.org udp
US 8.8.8.8:53 www.4shared.com udp
US 199.101.134.235:80 www.4shared.com tcp
US 199.101.134.235:80 www.4shared.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\crp11EC.exe

MD5 14ec55240339c1239a400fbb9bc060a6
SHA1 428982e064e12a4ebc3dbaab1f205aa17ab6b7c3
SHA256 9755e30cf56ab363aa55a4b6a74896ab41011c448aaa6c8d658de97c231ff084
SHA512 56074ff17160fb81aa6e6f0e408c4e91f4e9a8607b0d8a21248cc3b0b632a461f4e2ea4deaa1918cb29c114bb4008f10ce49e32c776a956771b77521bbbbc29c

\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe

MD5 a3e93460c26e27a69594dc44eb58e678
SHA1 a615a8a12aa4e01c2197f4f0d78605a75979a048
SHA256 3a81cefbc928fe136056257b8b57733164f2d1fa9d944dc02897b31b171335c6
SHA512 39d17b7190f3ff5b3bc3170c8e21d7bba5c32c0f55bd372af2e848ff1ef1392083218a562f3361fdc2db95e4133a19c4ec1cab3e982174d76b8276358dac6530

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DGE198X7.txt

MD5 08c6aeed2eebb5a2368d374aee1e63d5
SHA1 6b8e7de013f1cea560021dd114f9ace0c1843df8
SHA256 0b94cf055651a87e71a75e26ee72a6d427889e115a0b276d29800c83f0460e0c
SHA512 ca8d3b255aa90c32b6a010942099fe02fdc0847313ca71f077bba7cfddc4dc2f8055e4bba12adea583c54e3958a386c9aecfa5f7e2ee9a364ac114e9788803ea

C:\Users\Admin\AppData\Local\Temp\Cab2F1E.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar2F7F.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b


Analysis: behavioral2

Detonation Overview

Submitted

2024-10-21 08:43

Reported

2024-10-21 08:45

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\662d2b626bdb7e5685a7e45781382580_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpCFB5.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hahpjplbmicfkmoccokbjejahjjpnena\1.2_0\manifest.json C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A
The extension ID is the directory name, hahpjplbmicfkmoccokbjejahjjpnena. Writing a manifest under the profile's Extensions directory does not by itself make Chrome load it: Chrome only enables extensions that also have an install record in the profile's Preferences/Secure Preferences (or an external-extension registration), so a responder should check those for this ID as well. chrome.exe does not appear in this detonation's process list, so the report shows the extension being staged on disk, not running.

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\662d2b626bdb7e5685a7e45781382580_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\crpCFB5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
All three rows come from msedge.exe, the browser the sample launched, not from the sample or its dropped binaries. Chromium-based browsers read these BIOS values themselves as part of their own hardware reporting, so this signature should not be read as sandbox fingerprinting by the sample.

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page Before = "http://go.microsoft.com/fwlink/p/?LinkId=255141" C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page Before = "http://go.microsoft.com/fwlink/?LinkId=54896" C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://search.b1.org/?bsrc=hmior&chid=c162341" C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.b1.org/?bsrc=hmior&chid=c162341" C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A
The "Before =" rows record the Microsoft default values that hpet.exe overwrote. Both Start Page and Search Page now point at search.b1.org with chid=c162341, which matches the -channel 162341 switch hpet.exe was launched with (see its command line under Processes), so the chid value identifies the distribution channel rather than the victim. The report records no persistence entry for hpet.exe, but the binary itself remains under C:\Users\Admin\AppData\Roaming\B1Toolbar and should be removed along with restoring the two values.
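
The signatures above (Executes dropped EXE, Drops Chrome extension, Modifies Internet Explorer settings and start page) translate directly into endpoint detection rules. The Python below is an added example written for this page, not sandbox output and not code from the sample: it runs three such rules over a handful of constructed Sysmon-style events whose values are taken from the rows of this report (the event schema, the rule names and the benign Edge control event are the example's own assumptions) and collapses the hits into indicators a responder could sweep other hosts for.

```python
"""Detection logic for the behaviours this report records, run over a few
constructed Sysmon-style events. Added example, not part of the sandbox report."""
import ntpath
import re
from urllib.parse import urlparse

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\662d2b626bdb7e5685a7e45781382580_JaffaCakes118.exe"
CRP = r"C:\Users\Admin\AppData\Local\Temp\crpCFB5.exe"
HPET = r"C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
IE_MAIN = r"HKU\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main"
CHROME_MANIFEST = (r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions"
                   r"\hahpjplbmicfkmoccokbjejahjjpnena\1.2_0\manifest.json")

# Constructed events mirroring the report's rows (not a real log capture).
# Event types: file_create, process_create, registry_set.
EVENTS = [
    {"type": "file_create", "image": SAMPLE, "path": CRP},
    {"type": "file_create", "image": SAMPLE, "path": HPET},
    {"type": "process_create", "parent_image": SAMPLE, "image": CRP, "cmdline": "/S /notray"},
    {"type": "process_create", "parent_image": SAMPLE, "image": HPET,
     "cmdline": "-home -home2 -hie -hff -hgc -spff -et -channel 162341"},
    {"type": "process_create", "parent_image": SAMPLE, "image": EDGE,
     "cmdline": "--single-argument http://www.4shared.com/mp3/gjRF4A-N/jose_augusto_-_sentimento.html?ref=downloadhelpererror"},
    {"type": "registry_set", "image": HPET, "key": IE_MAIN + r"\Search Page",
     "old": "http://go.microsoft.com/fwlink/?LinkId=54896",
     "new": "http://search.b1.org/?bsrc=hmior&chid=c162341"},
    {"type": "registry_set", "image": HPET, "key": IE_MAIN + r"\Start Page",
     "old": "http://go.microsoft.com/fwlink/p/?LinkId=255141",
     "new": "http://search.b1.org/?bsrc=hmior&chid=c162341"},
    {"type": "file_create", "image": HPET, "path": CHROME_MANIFEST},
    # Benign control: the browser writing its own profile must not fire any rule.
    {"type": "file_create", "image": EDGE,
     "path": r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences"},
]

BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe"}
# Chromium extension IDs are 32 characters from a-p; the directory name is the ID.
EXT_MANIFEST = re.compile(
    r"\\(?:Google\\Chrome|Microsoft\\Edge|Chromium)\\User Data\\[^\\]+\\Extensions\\"
    r"([a-p]{32})\\[^\\]+\\manifest\.json$", re.IGNORECASE)
IE_PAGE_KEY = re.compile(r"\\Internet Explorer\\Main\\(?:Start|Search) Page$", re.IGNORECASE)


def image_name(path):
    return ntpath.basename(path).lower()


def rule_ie_hijack(ev):
    """IE Start/Search Page repointed to a different host by a non-browser process."""
    if ev["type"] != "registry_set" or image_name(ev["image"]) in BROWSERS:
        return None
    if not IE_PAGE_KEY.search(ev["key"]):
        return None
    old_host, new_host = urlparse(ev["old"]).hostname, urlparse(ev["new"]).hostname
    if old_host == new_host:
        return None
    return {"rule": "ie_start_search_page_hijack", "image": ev["image"],
            "value": ntpath.basename(ev["key"]), "from": old_host, "to": new_host}


def rule_extension_sideload(ev):
    """Extension manifest written into a Chromium profile by a non-browser process."""
    if ev["type"] != "file_create" or image_name(ev["image"]) in BROWSERS:
        return None
    m = EXT_MANIFEST.search(ev["path"])
    if not m:
        return None
    return {"rule": "chromium_extension_sideload", "image": ev["image"],
            "extension_id": m.group(1).lower()}


def analyze(events):
    """Run every rule over the event stream. Executables written during the run
    are remembered so that a later launch of one is reported as a dropped EXE."""
    dropped, findings = set(), []
    for ev in events:
        if ev["type"] == "file_create" and ev["path"].lower().endswith(".exe"):
            dropped.add(ev["path"].lower())
        if ev["type"] == "process_create" and ev["image"].lower() in dropped:
            findings.append({"rule": "executes_dropped_exe", "image": ev["image"],
                             "parent": ev["parent_image"], "cmdline": ev["cmdline"]})
        for rule in (rule_ie_hijack, rule_extension_sideload):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


def iocs(findings):
    """Collapse findings into the indicators a responder would sweep other hosts for."""
    out = {"hosts": set(), "extension_ids": set(), "dropped": set()}
    for f in findings:
        if f["rule"] == "ie_start_search_page_hijack":
            out["hosts"].add(f["to"])
        elif f["rule"] == "chromium_extension_sideload":
            out["extension_ids"].add(f["extension_id"])
        elif f["rule"] == "executes_dropped_exe":
            out["dropped"].add(f["image"])
    return out


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
    print(iocs(analyze(EVENTS)))
```

The browser allow-list is what keeps the rules quiet on a normal host: Edge and Chrome rewrite their own profiles constantly, and the IE rule only fires when the hostname actually changes, so a browser or the user re-saving the same homepage produces no finding. On these events the run yields five findings (two dropped-EXE launches, two IE hijacks, one extension sideload) and the indicators search.b1.org, the extension ID and the two dropped paths.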

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\crpCFB5.exe N/A
This row records a request, not a grant. SeTcbPrivilege ("Act as part of the operating system") is held by SYSTEM and is not assigned to Administrators by default, so under the sandbox's Admin account AdjustTokenPrivileges cannot enable it and reports ERROR_NOT_ALL_ASSIGNED; whether crpCFB5.exe checks that result is not visible here.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpCFB5.exe N/A 7
N/A N/A C:\Users\Admin\AppData\Local\Temp\662d2b626bdb7e5685a7e45781382580_JaffaCakes118.exe N/A 1
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpCFB5.exe N/A 10
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A 17
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpCFB5.exe N/A 2
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A 8
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpCFB5.exe N/A 19
The report lists 64 rows for this signature, identical apart from the process; consecutive identical rows are shown once above with a count, in the order recorded (crpCFB5.exe 38, msedge.exe 25, the sample itself 1). This signature and the SendNotifyMessage one below record window-manager calls (looking up the taskbar's Shell_TrayWnd window, posting window messages) that installers and browsers make routinely; on their own they are low-signal and add nothing to the verdict beyond what the dropped binaries and registry changes already establish.

Suspicious use of SendNotifyMessage

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpCFB5.exe N/A 17
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A 16
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpCFB5.exe N/A 2
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A 8
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpCFB5.exe N/A 21
The report lists 64 rows for this signature, identical apart from the process; consecutive identical rows are shown once above with a count, in the order recorded (crpCFB5.exe 40, msedge.exe 24).

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpCFB5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpCFB5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 3648 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\662d2b626bdb7e5685a7e45781382580_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\crpCFB5.exe 3
PID 3648 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\662d2b626bdb7e5685a7e45781382580_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe 3
PID 3648 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\662d2b626bdb7e5685a7e45781382580_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2
PID 2516 wrote to memory of 2944 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2
PID 2516 wrote to memory of 3848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 40
PID 2516 wrote to memory of 4492 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2
PID 2516 wrote to memory of 1692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 12
The report lists 64 rows for this signature; identical rows are shown once above with a count. Every write goes from a parent into a child it has just created: 3648 (the sample) into crpCFB5.exe, hpet.exe and the Edge browser process it launched, and 2516 (Edge's browser process) into its own helper processes. The signature fires on exactly those parent-to-child writes (a parent writes the new process's parameters into its address space as part of process creation), so nothing here shows a write into an unrelated, already-running process, which is what would indicate injection.

Processes

C:\Users\Admin\AppData\Local\Temp\662d2b626bdb7e5685a7e45781382580_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\662d2b626bdb7e5685a7e45781382580_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\crpCFB5.exe

/S /notray

C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe

-home -home2 -hie -hff -hgc -spff -et -channel 162341

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.4shared.com/mp3/gjRF4A-N/jose_augusto_-_sentimento.html?ref=downloadhelpererror

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd314d46f8,0x7ffd314d4708,0x7ffd314d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,923422943171323756,2891797880527496914,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,923422943171323756,2891797880527496914,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,923422943171323756,2891797880527496914,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2972 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,923422943171323756,2891797880527496914,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,923422943171323756,2891797880527496914,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,923422943171323756,2891797880527496914,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,923422943171323756,2891797880527496914,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,923422943171323756,2891797880527496914,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,923422943171323756,2891797880527496914,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,923422943171323756,2891797880527496914,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,923422943171323756,2891797880527496914,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,923422943171323756,2891797880527496914,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2272 /prefetch:2

Network

The table does not record which process produced each row, so attribution has to be done by hand. The www.4shared.com and dc369.4shared.com rows, over plain HTTP to 74.117.178.58:80, are consistent with the msedge.exe process the sample launched against the 4shared URL; the bing.com and tse1.mm.bing.net rows are ordinary Edge background traffic; the in-addr.arpa rows are reverse lookups of addresses that already appear in the table (58.178.117.74.in-addr.arpa is the PTR name for 74.117.178.58); 224.0.0.251:5353 is link-local mDNS. download.pcfaster.baidu.com is resolved six times with no TCP connection recorded afterwards and is the one name here not explained by browser activity.

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.30.10:443 g.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.30.171.150.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 download.pcfaster.baidu.com udp
US 8.8.8.8:53 dc369.4shared.com udp
US 74.117.178.58:80 dc369.4shared.com tcp
US 8.8.8.8:53 www.4shared.com udp
US 8.8.8.8:53 58.178.117.74.in-addr.arpa udp
US 74.117.178.58:80 www.4shared.com tcp
US 74.117.178.58:80 www.4shared.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 download.pcfaster.baidu.com udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 download.pcfaster.baidu.com udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 download.pcfaster.baidu.com udp
US 8.8.8.8:53 download.pcfaster.baidu.com udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 download.pcfaster.baidu.com udp
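
Sandbox network tables like the one above are quicker to read once the reverse-DNS rows are folded back onto the addresses they describe, names that were only resolved are separated from names that were actually connected to, and the launched browser's own traffic is set aside. The Python below is an added example, not part of the report: it performs that triage over a subset of the rows above, copied verbatim. Treating *.bing.com and *.bing.net as Edge background traffic is the example's assumption, not something the report states.

```python
"""Triage of a sandbox Network table: folds reverse-DNS rows back onto the
addresses they describe, separates names that were only resolved from names
that were actually connected to, and sets aside the browser's own background
traffic. Added example, not part of the report."""
from collections import defaultdict

# A subset of rows copied from the Network table (Country Destination Domain Proto).
ROWS = """\
US 8.8.8.8:53 g.bing.com udp
US 150.171.30.10:443 g.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 download.pcfaster.baidu.com udp
US 8.8.8.8:53 dc369.4shared.com udp
US 74.117.178.58:80 dc369.4shared.com tcp
US 8.8.8.8:53 www.4shared.com udp
US 8.8.8.8:53 58.178.117.74.in-addr.arpa udp
US 74.117.178.58:80 www.4shared.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 download.pcfaster.baidu.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
"""

# Domains the launched Edge browser talks to on its own (assumption of this example).
BROWSER_NOISE = (".bing.com", ".bing.net")


def parse_rows(text):
    """Each row is 'Country Destination Domain Proto'; the mDNS row has no Domain."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            _country, dest, domain, proto = parts
        else:
            _country, dest, proto = parts
            domain = None
        ip, port = dest.rsplit(":", 1)
        records.append({"ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return records


def ptr_to_ip(name):
    """'58.178.117.74.in-addr.arpa' -> '74.117.178.58'; None for ordinary names."""
    suffix = ".in-addr.arpa"
    if not name or not name.endswith(suffix):
        return None
    return ".".join(reversed(name[:-len(suffix)].split(".")))


def is_noise(domain):
    return domain.endswith(BROWSER_NOISE)


def triage(text):
    connected = defaultdict(set)   # domain -> {"ip:port", ...} actually connected to
    resolved, reverse_lookups = set(), set()
    for r in parse_rows(text):
        if r["domain"] is None:          # multicast/mDNS row, nothing to attribute
            continue
        ip = ptr_to_ip(r["domain"])
        if ip:
            reverse_lookups.add(ip)
        elif r["port"] == 53 and r["proto"] == "udp":
            resolved.add(r["domain"])
        else:
            connected[r["domain"]].add(f'{r["ip"]}:{r["port"]}')
    contacted_ips = {e.rsplit(":", 1)[0] for endpoints in connected.values() for e in endpoints}
    return {
        # Resolved but never connected: failed resolution, blocked, or a host the sample never got to use.
        "dns_only": sorted(d for d in resolved if d not in connected and not is_noise(d)),
        "contacted": {d: sorted(e) for d, e in connected.items() if not is_noise(d)},
        # PTR lookups for addresses the table never shows a connection to.
        "unexplained_ptr": sorted(ip for ip in reverse_lookups if ip not in contacted_ips),
    }


if __name__ == "__main__":
    for key, value in triage(ROWS).items():
        print(key, value)
```

On this subset the result is one DNS-only name (download.pcfaster.baidu.com), two contacted names (both 4shared hosts on 74.117.178.58:80) and one reverse lookup, 13.71.55.58, for an address no row shows a connection to; that last bucket is worth a second look because it usually means traffic the table did not capture.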

Files

Of the entries below, only crpCFB5.exe and hpet.exe are binaries written by the sample; the remaining entries visible here are Microsoft Edge profile files (Crashpad, Preferences, leveldb state, Local State) written by the browser the sample launched.

C:\Users\Admin\AppData\Local\Temp\crpCFB5.exe

MD5 14ec55240339c1239a400fbb9bc060a6
SHA1 428982e064e12a4ebc3dbaab1f205aa17ab6b7c3
SHA256 9755e30cf56ab363aa55a4b6a74896ab41011c448aaa6c8d658de97c231ff084
SHA512 56074ff17160fb81aa6e6f0e408c4e91f4e9a8607b0d8a21248cc3b0b632a461f4e2ea4deaa1918cb29c114bb4008f10ce49e32c776a956771b77521bbbbc29c

C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe

MD5 a3e93460c26e27a69594dc44eb58e678
SHA1 a615a8a12aa4e01c2197f4f0d78605a75979a048
SHA256 3a81cefbc928fe136056257b8b57733164f2d1fa9d944dc02897b31b171335c6
SHA512 39d17b7190f3ff5b3bc3170c8e21d7bba5c32c0f55bd372af2e848ff1ef1392083218a562f3361fdc2db95e4133a19c4ec1cab3e982174d76b8276358dac6530

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e443ee4336fcf13c698b8ab5f3c173d0
SHA1 9bf70b16f03820cbe3158e1f1396b07b8ac9d75a
SHA256 79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b
SHA512 cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

\??\pipe\LOCAL\crashpad_2516_SMFSEVCQVFFSJPZJ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 56a4f78e21616a6e19da57228569489b
SHA1 21bfabbfc294d5f2aa1da825c5590d760483bc76
SHA256 d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb
SHA512 c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 511a3f6862e3d5a9ef4982ae126c772e
SHA1 e595de85bcfc5b89e728bde6781ad28f79e7dfc7
SHA256 e2be1286151464dc98cceb0611826f9d6e7206f602b09836a3688ed8406bdbaa
SHA512 a9d392e196e17fd3201756ddbf882efca36deebfc8d5e4ec069b5086bee8a13593956b5b1ad55126404f418f5ff37d68f0404d40c2e3296c37b31c63050f512b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b5db1dde7a51f7bb219d036acfb890ec
SHA1 0a182f2df567eada90a5f6e42aabc91bf46a358a
SHA256 77c3999cdcb50fbc8dd3bd466fa91310e728c21a2c15955aa3fed27000380054
SHA512 9d3b1df4a80b379f2e9e9f9db482817d15cf8a081f0a0e639751b5fd1abcb56763360d818caacb68e434cf1e32897f7cb9b9924d85107558757a3e420431ade0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 4a21b752301b56bec363845c59c62e07
SHA1 3b7af305d54991b215a0f2af29c35c69bf8e87a8
SHA256 f97f568ff78d4cbf2fb009e2d40d9e39e9671d65c38789830d606f21355b7a55
SHA512 be0f0007bb7f5b136d14fc9a644e688fd030bdb6d5fe5e1d549dfbee0791a8be7a52022ef87d1af5c0155bdef3724bdb2a7e0e8c3edebf714995b0a328effc07