Malware Analysis Report

2025-03-15 04:36

Sample ID: 241027-1853qavbqn
Target: 763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118
SHA256: 1a25194ee700f06832f6a706b0aed696c602b0fab4d165626bde46e7a8eaff51
Tags: discovery spyware stealer
Score: 7/10

Table of Contents

Analysis Overview
    MITRE ATT&CK
        Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10

SHA256: 1a25194ee700f06832f6a706b0aed696c602b0fab4d165626bde46e7a8eaff51

Threat Level: Shows suspicious behavior

The file 763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Drops Chrome extension

System Location Discovery: System Language Discovery

Browser Information Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies Internet Explorer start page

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-27 22:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-27 22:20

Reported: 2024-10-27 22:25

Platform: win7-20240903-en

Max time kernel: 150s

Max time network: 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Start Page Before = "http://go.microsoft.com/fwlink/?LinkId=69157" C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://search.b1.org/?bsrc=hmior&chid=c162341" C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f542000000000200000000001066000000010000200000001101e1dacc523898289e18af81165e847ee9e95acd4ab1b8d53f71b68d0316ea000000000e80000000020000200000003dd9bd0914b56a365b4c98346032e4394d80374869d94b761021f789526548d5200000005a229357d4a85c71c226a8d41005b14890ebb32e5254b776b829010c1d9203ed40000000d39411876114e9534e2d392880a0cce6e82cb80366d4a8cf09957398d2b1193cbe2eede2669a9b614ca4235098683502a7a18fee9f0fbac2276f2ef7ebf77385 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{079BE711-94B2-11EF-B5A6-7A9F8CACAEA3} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50ac53dcbe28db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436229649" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Search Page Before = "http://go.microsoft.com/fwlink/?LinkId=54896" C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f542000000000200000000001066000000010000200000009ac5d4e86f99c5ef301651985dcd4f30c46f1b018592fb646abc70f24db3469b000000000e800000000200002000000082cd3d811ffe720a04470e0552fc235a992c650ce1d3b37238e09d25a595d9d6900000007f5e0f0b9bf0b4402ea9601b7f9a9272bdbe3971a46f4fe11c8326d7ea89d0f38c379ec292ce23a40ae1b2dc3a8bd5d087137158d083d7400a581a195f04b095951fc5e6c9b5918b8c0cb2744955c026c9bfd4f99942688ca963716c9e579fc1ee6a12e5a3c036ee8ac00ebe17b2f13408a2681986767c29000a571b9ea6a85b4410c58e43d7c0ac28d090ee6fad25314000000091db0efa6bf0bf88a151c63d471d7528eb371733eaa328baaa98d86bb680fe23014a9f6a5b23768ead7b186c3513881d59aa9f8e144a6b907de8b697de281227 C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer start page

stealer

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://search.b1.org/?bsrc=hmior&chid=c162341" C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe
PID 2372 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe
PID 2372 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe
PID 2372 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe
PID 2372 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe
PID 2372 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe
PID 2372 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe
PID 2372 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
PID 2372 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
PID 2372 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
PID 2372 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
PID 2372 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
PID 2372 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
PID 2372 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
PID 2372 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2372 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2372 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2372 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2256 wrote to memory of 2616 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 2616 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 2616 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 2616 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\crpDE8D.exe

/S /notray

C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe

-home -home2 -hie -hff -hgc -spff -et -channel 162341

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.4shared.com/mp3/QgjFoLn_/GIRL_ON_FIRE.html?ref=downloadhelpererror

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2256 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 download.pcfaster.baidu.com udp
US 8.8.8.8:53 dc500.4shared.com udp
US 74.117.178.58:80 dc500.4shared.com tcp
US 8.8.8.8:53 search.b1.org udp
US 8.8.8.8:53 www.4shared.com udp
US 8.8.8.8:53 www.4shared.com udp
US 199.101.134.235:80 www.4shared.com tcp
US 199.101.134.235:80 www.4shared.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\crpDE8D.exe

MD5 14ec55240339c1239a400fbb9bc060a6
SHA1 428982e064e12a4ebc3dbaab1f205aa17ab6b7c3
SHA256 9755e30cf56ab363aa55a4b6a74896ab41011c448aaa6c8d658de97c231ff084
SHA512 56074ff17160fb81aa6e6f0e408c4e91f4e9a8607b0d8a21248cc3b0b632a461f4e2ea4deaa1918cb29c114bb4008f10ce49e32c776a956771b77521bbbbc29c

C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe

MD5 a3e93460c26e27a69594dc44eb58e678
SHA1 a615a8a12aa4e01c2197f4f0d78605a75979a048
SHA256 3a81cefbc928fe136056257b8b57733164f2d1fa9d944dc02897b31b171335c6
SHA512 39d17b7190f3ff5b3bc3170c8e21d7bba5c32c0f55bd372af2e848ff1ef1392083218a562f3361fdc2db95e4133a19c4ec1cab3e982174d76b8276358dac6530

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VO60FQBO.txt

MD5 ab130f8783148fd9e447888ac8849a05
SHA1 003fa2bdae2451301a25b59dee356d6c1039965d
SHA256 1bb4428665ab47b08e464c155dff08e2e3283b6ac4c40cd8642ad4afff4a53d2
SHA512 86f8dbde40f9a9d351fa73f5df0f08d7dc25a3a6ca8cabc77f7a4c7756c7fadcb9728955fec34c5e90915e87373d8f643e78e1b45d534b858da1d0abbeb20120

C:\Users\Admin\AppData\Local\Temp\Cab1190.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar1201.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d419c5c45b1ec9b0ed58ba442fea36a5
SHA1 d7be1b624a7b6f2093a485053c8072ea6780684f
SHA256 9a52d67db1c4f8453a0731c8f04fa494864fde416dee269389e3d0754a143ef9
SHA512 88285f4dc2310cf6cf3c376908e932bc154db1373544e182920674412cf4c332311117ba8ba90b881ebfca671b6a83780b67136cb6a4cf176e68ef389f154c2e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 00e938cd57d605aaae257ff6d52fda2b
SHA1 43f2f7b7fc99e89b5f25084f27810bb88a811dc7
SHA256 1b8f2763360af11161b6e5eb0680fd1d0521c1b113bbbd2b86dfcb9d159c12b9
SHA512 91ad7dcda5df7116b546630ed29645accadcce92b4ea9aa1d138079dd93cfee4abe01ccc88ac3d11525201c163364a6837de4d49adb83692ecac3e66242879a3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aba43aded8e75380a50a15c16d46ec80
SHA1 aae90c7d76a28ae4fb0090a8cb67359437633a11
SHA256 4790d377c8bc146f9eb8a71f0403c15e013132f6ff4df613433e8c297ca4db88
SHA512 695a2f6994325a6d942080077c40f3a0b4e5457deeb8e61e742220e8765f461278553a090688f9cd85a2f2c38812fd241cfb3b2a0951045f2ea81a768cf9172a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8e738f5620eda7cf6262fc13c6cfc502
SHA1 33bebb96dc09fdaa5632779cbd6e04bfb090b4de
SHA256 ebefa1274ed07bafc6b0469a982492f9185d298f268597c88e3f25d2b6b80af6
SHA512 c96dbfb00e62a4d89c8b035dd70d3569cfd8cea8f89e4bb32bbafb3e8544edd5664ee94bf4317a08ee90968a5f3b0132dee67373833b61070e14a05d0f50a093

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 53457cae854a03a5916b228c7bb616d3
SHA1 031ed0447a3d69b9524eecf04b10f1e65f87e117
SHA256 cc3e81aa79eed09f95a758eb3f28e43b0e296fbc405ec6e96309b40ab1849a6b
SHA512 806e9992b63689b19edc9a0e363b04f7adc49faf0f41c7003bf6207ebf532ef8787d34906a326241bb31e1582cc1a5ec148ca1a0d4d4b2bd3bb2f081404209ae

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dc009c38cc12445da214d2b880843d46
SHA1 614830aed9a437e73967f74e28d90212e98616af
SHA256 a4d2e1d9cd18ad5cf5730a6badccbf8ccc2e4851e5e885c683a593c654eb763f
SHA512 2d06b28a69913fc4be993c932b0738bdd386bbb4ad68a892e39faa482437e333105cdb8f5c93fc47fa2d44a24dd668ca8aae3b35d1f6c3b18290e66754436e22

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ff8d3914cf9766fd8f484f8ee40ae788
SHA1 44b635873e2cc6e44cb654a74f7da329ba65e160
SHA256 a609c807325c5e85f14862b1bfc866bb7819054f57a0724d5c3b5d3a4d23052d
SHA512 2c8c30e23ed7ad22ae677af7949c4cc7b53dd1ae279530bdf3ea6a468c0fea04bdeadb9367d41c3ab8132026db35b81fbbdb6183f3c8fc719cca0218c2306be9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4dfe33946bf37646d977cb19ed887beb
SHA1 837c3bb884611b7b756b378904ed4805a28815b6
SHA256 be001dc5701b3a8a4a7b8ee53f980c84778a67265e3267fdb332188112cdd3d5
SHA512 21ac3a2d3cc7f47f1bae47d8f8dc730622f67ebc326c7a5e054fc5c31feda30c52566250b77137e76988868f16465dcc6e14bc335d4d3a738500c986876981f6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ff10c17eb59b252cf22a27765a8ec7c3
SHA1 5e34979bde1495f8e5d8a7fcba272f6f8ac63422
SHA256 d55f3c849ed4df8631c0c223b41f536accced300cb0ead32127bc4c60caac5cb
SHA512 e72165bd1a79334b31747ebd46a9b4bb39bd8466de8d96810e3a12fd21caa24fe912d2c300275034273c71ae07318294de4b030a80f9af33a41583908817a713

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f8d8e72402ee83171a49f5a6d1eb90c3
SHA1 7937a4fc5c215b6e9a3f256d2cbf0abe589a37e6
SHA256 040b00d3a745bdae79dc8a8f55aa3d6b4c87f3634ff5ac5d4e3c00bfa5d63e4f
SHA512 76c96c675d29559f89c5c33df731f386162838216af0620a98cf09eb325dfd50904584ecc559ace6fa1617835c423c02be4dde505d2f2c71f7ff369e0ceed734


Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 22:20

Reported

2024-10-27 22:26

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp9B76.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hahpjplbmicfkmoccokbjejahjjpnena\1.2_0\manifest.json C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\crp9B76.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page Before = "http://go.microsoft.com/fwlink/p/?LinkId=255141" C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page Before = "http://go.microsoft.com/fwlink/?LinkId=54896" C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://search.b1.org/?bsrc=hmior&chid=c162341" C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.b1.org/?bsrc=hmior&chid=c162341" C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\crp9B76.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp9B76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp9B76.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp9B76.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 112 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\crp9B76.exe
PID 112 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
PID 112 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4224 wrote to memory of 1056 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4224 wrote to memory of 4808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4224 wrote to memory of 116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4224 wrote to memory of 2296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\763a406e0ec3869e9ddd12426dc32da0_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\crp9B76.exe

/S /notray

C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe

-home -home2 -hie -hff -hgc -spff -et -channel 162341

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.4shared.com/mp3/QgjFoLn_/GIRL_ON_FIRE.html?ref=downloadhelpererror

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8004b46f8,0x7ff8004b4708,0x7ff8004b4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,10864642055900723854,16614240741454507286,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,10864642055900723854,16614240741454507286,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,10864642055900723854,16614240741454507286,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10864642055900723854,16614240741454507286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10864642055900723854,16614240741454507286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,10864642055900723854,16614240741454507286,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,10864642055900723854,16614240741454507286,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10864642055900723854,16614240741454507286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10864642055900723854,16614240741454507286,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10864642055900723854,16614240741454507286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,10864642055900723854,16614240741454507286,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,10864642055900723854,16614240741454507286,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4824 /prefetch:2

Network


Files

C:\Users\Admin\AppData\Local\Temp\crp9B76.exe

MD5 14ec55240339c1239a400fbb9bc060a6
SHA1 428982e064e12a4ebc3dbaab1f205aa17ab6b7c3
SHA256 9755e30cf56ab363aa55a4b6a74896ab41011c448aaa6c8d658de97c231ff084
SHA512 56074ff17160fb81aa6e6f0e408c4e91f4e9a8607b0d8a21248cc3b0b632a461f4e2ea4deaa1918cb29c114bb4008f10ce49e32c776a956771b77521bbbbc29c

C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe

MD5 a3e93460c26e27a69594dc44eb58e678
SHA1 a615a8a12aa4e01c2197f4f0d78605a75979a048
SHA256 3a81cefbc928fe136056257b8b57733164f2d1fa9d944dc02897b31b171335c6
SHA512 39d17b7190f3ff5b3bc3170c8e21d7bba5c32c0f55bd372af2e848ff1ef1392083218a562f3361fdc2db95e4133a19c4ec1cab3e982174d76b8276358dac6530

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ba6ef346187b40694d493da98d5da979
SHA1 643c15bec043f8673943885199bb06cd1652ee37
SHA256 d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73
SHA512 2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

\??\pipe\LOCAL\crashpad_4224_QZMPAKOIUSTEQIVI

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b8880802fc2bb880a7a869faa01315b0
SHA1 51d1a3fa2c272f094515675d82150bfce08ee8d3
SHA256 467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812
SHA512 e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 637369d95a5ea321d4e0ff10fa68a239
SHA1 a842fac7b1851a7381c4c3c1377b26c112b6fd6d
SHA256 ff49bfec3ad2cc7a4e1304ffc9d96a0a77f2f6b64bb92959eafc7da1eaff86d7
SHA512 6725e38625937a670926b259318c8d76f4f234dce637c8eecd13e373be3d2d0c2100780c295989e21270eb1c91f3b41cbe5a7085558018f87fdc64e58faa9cc9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\c3f4bdfc-3281-4781-a918-29217ebb0b5c.tmp

MD5 17c93f7c600c44d52d15be6ecba7318b
SHA1 e2fd3dcaa49f16d07741f4ea10d1634b199af99c
SHA256 ebd5e0e576b8a62ff89a13bece19e1cd1c0702ba2c7d3dc5872c7c60f0fce165
SHA512 d787c5070d781ccba6d3ddcf72e49c991b1686d9918ab721be1cff7238f1d22ce83fd8c8c6960410e2c498dacd9248cb627ebf2fd5a27d9ef0a442df64d5371d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e533f5345d6725891fd0bc382c8b8e69
SHA1 6149721f24e4edee7d7282c9f9a31c5b3b4fb07d
SHA256 0d4e9bf8a4bb3a85e1dceeaeb761205805acea22099202ed795f00c03966edbe
SHA512 0e7ad43bd6c6f38e7f8e44c33ed2524e780272c092f19f0602c8f2dee8581546a1ca4e3f0390091af5262e74aa9d6d295d184a6f9d9b232df2eed5a9436b1695