Malware Analysis Report

2025-03-15 04:33

Sample ID 241027-1jwsra1kdz
Target 7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118
SHA256 3c27e55b273c022f59e8d637a2971f7ae9a8a87bc347f0ed24ff7cfce0eda3f3
Tags
discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

3c27e55b273c022f59e8d637a2971f7ae9a8a87bc347f0ed24ff7cfce0eda3f3

Threat Level: Shows suspicious behavior

The file 7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Drops Chrome extension

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Browser Information Discovery

Modifies Internet Explorer start page

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 21:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 21:41

Reported

2024-10-27 21:43

Platform

win7-20241010-en

Max time kernel

150s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3CD2E291-94AC-11EF-8B1E-52DE62627832} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Search Page Before = "http://go.microsoft.com/fwlink/?LinkId=54896" C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20273d12b928db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b13190000000002000000000010660000000100002000000030f1b30037ee51f13106d2b78572ad445d7302e0b6d7b62820327d5d0427291c000000000e8000000002000020000000e7eac0a64f35c2793391d164f1b744ece1d2a3c09e150b9eacd6a09ce48d63d4900000001788437a50f34523a08229e2ab399cd2ca2928c2ab4805b2fb2b0c04e534cfec3dfec9d4b51630156d79621b120ebe7afb68eba65acb79a6b78b25e7ab7b60e49cddea46e7f5c31a1da3314e671b5bd0f94aae1181aba5dc5349e6c32897cfd75122d53c1bd45ff6c76f2f4f393c341b4e13bf9bf9d615a6d9db39461aaf940711beaffaac3fbb15acc78082cd7c084e400000007d118a26752e84d7b20221d89cc69bf83615538f0b9ddf13fb9d5f904387517eb810cacce0f843cf564760203c8a0f1fe4680e409bce67733d246b51d98f0566 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Start Page Before = "http://go.microsoft.com/fwlink/?LinkId=69157" C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://search.b1.org/?bsrc=hmior&chid=c162341" C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b1319000000000200000000001066000000010000200000002463af5a4bc56b39eaf8cfd92cc0c3b5c63ae304a9e5bf92f6ca37ad0754b4e8000000000e80000000020000200000009aa1436488ba2805b14983d791d333ea8ac08ac7e238d7e5d6dbe759b150c5fa200000002ed24a6e26fbca9f1d95370be744ca133378017f187717d28cc320fe18319a1d40000000ec99db533f91f14af08d9a746f37402685e3f8201a5904b169976f56346ac39ec43f56b8ccadaf84889292f494da93ced5e5987cfc78ba7ad3c6d7037d60fb49 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436227164" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://search.b1.org/?bsrc=hmior&chid=c162341" C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crp80E4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2904 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\crp80E4.exe
PID 2904 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\crp80E4.exe
PID 2904 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\crp80E4.exe
PID 2904 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\crp80E4.exe
PID 2904 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\crp80E4.exe
PID 2904 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\crp80E4.exe
PID 2904 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\crp80E4.exe
PID 2904 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
PID 2904 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
PID 2904 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
PID 2904 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
PID 2904 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
PID 2904 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
PID 2904 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
PID 2904 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2904 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2904 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2904 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2520 wrote to memory of 2092 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2520 wrote to memory of 2092 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2520 wrote to memory of 2092 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2520 wrote to memory of 2092 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\crp80E4.exe

/S /notray

C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe

-home -home2 -hie -hff -hgc -spff -et -channel 162341

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.4shared.com/mp3/VjIVqqho/__1_.html?ref=downloadhelpererror

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2520 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 download.security.baidu.co.th udp
US 8.8.8.8:53 dc634.4shared.com udp
US 104.193.90.83:80 download.security.baidu.co.th tcp
US 199.101.134.235:80 dc634.4shared.com tcp
US 8.8.8.8:53 search.b1.org udp
US 8.8.8.8:53 www.4shared.com udp
US 199.101.134.237:80 www.4shared.com tcp
US 199.101.134.237:80 www.4shared.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 104.193.90.83:80 download.security.baidu.co.th tcp

Files

\Users\Admin\AppData\Local\Temp\crp80E4.exe

MD5 661cf9c90eb099fb7b6a394dd8cde2e4
SHA1 3704e119ea16a3c336f63dc808176a22fbb8582a
SHA256 1570e0efe0cb98623913d942cf40f2eb5b10458f49842097125c6d6d8604cd07
SHA512 13c26a514c2022a10b42566a527ef98adaaa9932ffd07612ccdeb371888c037be3b429c956ecb7705699a2b6e3463758735332c9e26ea5f4493a91f30dfb4761

\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe

MD5 a3e93460c26e27a69594dc44eb58e678
SHA1 a615a8a12aa4e01c2197f4f0d78605a75979a048
SHA256 3a81cefbc928fe136056257b8b57733164f2d1fa9d944dc02897b31b171335c6
SHA512 39d17b7190f3ff5b3bc3170c8e21d7bba5c32c0f55bd372af2e848ff1ef1392083218a562f3361fdc2db95e4133a19c4ec1cab3e982174d76b8276358dac6530

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QHNCLM1T.txt

MD5 e638f53684d1b96af36281440d64fe27
SHA1 8901f65829e97903488170fd6011e0feba3f5b3a
SHA256 38fe7faac70c93c90357a36f21fb077598b85ca3fbeb8612cc571d69e6ba1a24
SHA512 a221e819327fda6fe6cc27765b2a259d8256a0e0b51dd42372bf002fa36c8b6960d0218364c42b7f2d08a1c83204381533a8bcb9222763f40af69b3e66b73cbf

C:\Users\Admin\AppData\Local\Temp\CabA518.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarA5B7.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b53080f1e0c4c5adbf3eace810831d13
SHA1 b87378a6e4f10a80662a53c28cfc1ee39fc2aaf9
SHA256 bfeb7e7f9b1438ba0ac9e04c8ee6df1db22e1d22d5e84ef78f3b77913c82e3e0
SHA512 785d8b7119817b3ba360319834014fb9da9ce554fda4f1598c577bb0457fcefe7ade10d7240a3e14a3140797d8f4d9571c54bd732816f3a4f8449c0315cdad68

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 06d37461ce49181ed8f00533d748b346
SHA1 3c07e63d9db812e112b3dd242155c0e470142bde
SHA256 50670a30dfad25001f2ef0ac0356ff80005ce74d5a9b4df145b8fc2b81d1ac49
SHA512 e7750e6a7f0bda83744f0e0eafbfb83db2f26d886c1c2029656c53fee67779e5648fbb4a058baf5959197e59ce433af5dd1ef190c9ac96232df26019d8d733a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 834529f3f6085ca8be7b27582dff5f1b
SHA1 8b96c69f3efb6cc382ac685111a7d7c5bbb20881
SHA256 1007de7cdd532f033242eeda6c6902b8dc36a544a6c388abdc4232be0a0bd91b
SHA512 155c10243a4174a942827b4b4f978bbbc1ea0b112d1178a3847b9ea3790e9fa8abd77a7f349917a6a42a6b6808790f54f80989d69c3a44db224206fc48aa990f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b108d57f734717a7c97d2ff0110426f4
SHA1 d18d6e570f3b13b75159313216fb2e7d917ba70c
SHA256 b8c94464a4e1f3ada9341e3e11dbb891ad0f5e26e71a4d84b52b7bfff94aa5b2
SHA512 ea4420c87775b4851b42846553aa06a0dcc5a0c891442f0e28e5dbcc6541633ecf1b1e3b2787cb0e2c38070bd72c965ee67ae73324b827372693328d798c74b7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2a0ae9a9759a9a3f99bde07004be15ab
SHA1 26995332e10b96151a292ca62b791a8650e6f906
SHA256 77a8cf327e07cfa0a93b5b4ce009be1acf6cd336d6a7e9f75d83e974137c10dd
SHA512 de30d9cd88bfdf7223c5e91e90504a433db6e8d15e78a254a5fd0736432454b8644534f2f3cc0e70034b32243e6d61d68edd2cf93d698647f0cc4f037e305ff5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 056e6722aee976a75e646e6a9b402b63
SHA1 8d7403260806efd4eab8f22232d74c179d55e809
SHA256 0f047e33c9a9c9122aa73e9665cb108a52e62ec6fc77fcf9265391fe956f4429
SHA512 935ebeca0c968e4b8a1d610f9f7d3fed576195008dc1d8ccd739d9f9d4803b93df40d2137223f64db060c8e8c74d8094bd777d1f867fd78779c4a9973d868861

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a939e2c597885bcb9a7298448966785a
SHA1 29007f36cb1f911f10fce0a8f686bf3dde097aa4
SHA256 fa7b6515f8d2d17ad59e74799e1b3d9139f9861e95f2f665e702388fd3054f97
SHA512 ba8d45be1218808f9c6238254f2c2ecd14b81e3f69d176f0840124fca8a1595495ceb236e2deda19d02ef95027a2be376fdf9d4c7419eaf65343a75faaf4b303

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9bfa57022b833fcd9f237a58367f31ed
SHA1 99f8d0f962c39f1f32de0af21225c498d1ff3452
SHA256 6abe59b3e5e171baf1f85b0ff13d5e2012671900e860af836cce739e3a461126
SHA512 213af0158e2267c7b6450258c83bcc952a19a52c451df5941db5e4a49af634f2224c1885d33bebfe4c0d0a78c747fba674c0e6b3c5c0c11e79235d1c83483163

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 708d87fc8ea23ab5593cb35a9a44b7fb
SHA1 ed5b7009363147279436550182fb3e3ff23f669f
SHA256 cd165aca8cde73d2774d988201d6f1dd502cceb892bb34570780eb677ebe37db
SHA512 7dafff62b7af334b2f26198c10c41d8d5e9a909733a96fb6d68d7ed50ca84493202e09ebb72c5e6849bba09f7353f386913bff06a6a463efa534cf428c38cb34

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4083e3bb90754ba7abc60e8f9ee5a89e
SHA1 8b682b99d377dfd1f70f8c7285a588f9b7a94f04
SHA256 76112f8e72b8d0024176c56c4fb8ecca9ebb5214b24e7ddfb7fd8d94b7a7b4a5
SHA512 82db79fa995ab1835b64fcd04c0549d06d9f283c0edb1b2d1c43ebeeb6fd48f49b651691563882e55b965dcc70928911b5333ec65edf5996923d6357f743d829

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1b94cc2cef391d5af2c626028659d203
SHA1 1805b140a6d6ba11064e3c81fe901ee7aab1c8ac
SHA256 e751d88dd15b368838bcc4b14603f75ff942f83c5569a348893d57a4ffca0d23
SHA512 dd33f79e41636e112dda37b81e96e0bf8820c5a49e7d71071f081bc2aaf18871206f3285c63c1aa1c9a7aa7d570f16e49768e67a638907f1a49e9bbb87d00699

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 78532030317128cc859068e1480e29e6
SHA1 1c64ebb039bd4d330ba7784c35f964d92bd32ad6
SHA256 ae72bcdbd09c74620de4962c69a476b91b2fc0c13b0dd82d12e1b444e0ebe6d3
SHA512 22726d959390db9f8876402474514870a104e4a3e7ca3b4e1a57756ce9091a1dcb0b2e2d2ce1b577ed75a4fc3b17fa92dca5e4c918990cea11f6a14b4548ba64

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 20e7eeff66c986a1ee2174d03180fbb3
SHA1 6057079d12e935acbb66fe02dafe7a0a06abddd6
SHA256 21952d433d697a56f0469c4f1ab7249c5aa60afc6c374aa969f4fc00010a18aa
SHA512 607a383eb442b1817a9ab2baf15172dd8ed71ba42c63cadbc46138465720c1d41c7226278d71075f20a86d948a7c0a9aa1bdc7ac4b24742c2440b4809142aed6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 50b96aa3bde8ec70ea4f11b908c03356
SHA1 f716ed17e96ba80b2d6a361503dc9f9286592011
SHA256 0351716d23d58a97bbeab2fc18f6529462cd415f194ad87017986cca2fe5962c
SHA512 656e0776a5996c0b054f265efa9ad391dfdecc8fc8bd25f5d2f62fc9e25e2e10af4a367ae6c5f92f184e80fda399c2cc07a3acd946abccf462d8aff55792f09f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 35b7e2f1d3daefafdb9fb2fad1c64744
SHA1 307796495633db4a7e6bf815021def588ef23442
SHA256 443c38e16b589c3f03cc76d44b100663fc1516e496f666a43cb61c81ccf7652a
SHA512 1e6704d07c9e7f21a0312cb44c4ffa33768eb4301633f46ad86da2bc9e2961c16e24d30fd6625ca3225a620908a7d4fbd54e7e1053f15c9ae53a6a498dd2e8de

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4942af97d409aad76feb632459d32e48
SHA1 981dadd925ea127d7e902650827ea5c697e6db82
SHA256 7bf1116e1a8e904856b7ebcd5f5d903f2d778337f238c0ead72310124d4b2fae
SHA512 b76e21825c57f4fb61f94054c80c3f39ca3b38dfe22f6fd81105e2c02d94a409bc3c1eb52d9cfef88cef3d0565c059fa38c13cc13a242ce317e5818f912feb4a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eb84898722aa205792b8da41f1f9df3c
SHA1 6355187da97e7adf64453065c6af92b10775071f
SHA256 f97ec59f654ba1846da9581bb750a5c5460936612e4e1efc0ea7afe6f1a476a8
SHA512 6218c92438fc60168fb41bd34c8ea265a10f5a479513d0dca53d180aa47bfb6d2257e7c68d835c7861735f2d1fdd4fc47e1c82edca96b30d98cc0463556203a6

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 21:41

Reported

2024-10-27 21:43

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hahpjplbmicfkmoccokbjejahjjpnena\1.2_0\manifest.json C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page Before = "http://go.microsoft.com/fwlink/?LinkId=54896" C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://search.b1.org/?bsrc=hmior&chid=c162341" C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page Before = "http://go.microsoft.com/fwlink/p/?LinkId=255141" C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.b1.org/?bsrc=hmior&chid=c162341" C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3040 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe
PID 3040 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe
PID 3040 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe
PID 3040 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
PID 3040 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
PID 3040 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
PID 3040 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3040 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 2740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 2740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 2456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe

/S /notray

C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe

-home -home2 -hie -hff -hgc -spff -et -channel 162341

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.4shared.com/mp3/VjIVqqho/__1_.html?ref=downloadhelpererror

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdd35a46f8,0x7ffdd35a4708,0x7ffdd35a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,4430958688302988930,17195559231395637991,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,4430958688302988930,17195559231395637991,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,4430958688302988930,17195559231395637991,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,4430958688302988930,17195559231395637991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,4430958688302988930,17195559231395637991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,4430958688302988930,17195559231395637991,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,4430958688302988930,17195559231395637991,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,4430958688302988930,17195559231395637991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,4430958688302988930,17195559231395637991,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,4430958688302988930,17195559231395637991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,4430958688302988930,17195559231395637991,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,4430958688302988930,17195559231395637991,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2740 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 download.security.baidu.co.th udp
US 104.193.90.83:80 download.security.baidu.co.th tcp
US 8.8.8.8:53 dc634.4shared.com udp
US 199.101.134.234:80 dc634.4shared.com tcp
US 8.8.8.8:53 www.4shared.com udp
US 8.8.8.8:53 234.134.101.199.in-addr.arpa udp
US 8.8.8.8:53 83.90.193.104.in-addr.arpa udp
US 199.101.134.234:80 www.4shared.com tcp
US 199.101.134.234:80 www.4shared.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 104.193.90.83:80 download.security.baidu.co.th tcp

Files

C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe

MD5 661cf9c90eb099fb7b6a394dd8cde2e4
SHA1 3704e119ea16a3c336f63dc808176a22fbb8582a
SHA256 1570e0efe0cb98623913d942cf40f2eb5b10458f49842097125c6d6d8604cd07
SHA512 13c26a514c2022a10b42566a527ef98adaaa9932ffd07612ccdeb371888c037be3b429c956ecb7705699a2b6e3463758735332c9e26ea5f4493a91f30dfb4761

C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe

MD5 a3e93460c26e27a69594dc44eb58e678
SHA1 a615a8a12aa4e01c2197f4f0d78605a75979a048
SHA256 3a81cefbc928fe136056257b8b57733164f2d1fa9d944dc02897b31b171335c6
SHA512 39d17b7190f3ff5b3bc3170c8e21d7bba5c32c0f55bd372af2e848ff1ef1392083218a562f3361fdc2db95e4133a19c4ec1cab3e982174d76b8276358dac6530

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ba6ef346187b40694d493da98d5da979
SHA1 643c15bec043f8673943885199bb06cd1652ee37
SHA256 d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73
SHA512 2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

\??\pipe\LOCAL\crashpad_4600_KNNXQYIOIGAZLSVG

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b8880802fc2bb880a7a869faa01315b0
SHA1 51d1a3fa2c272f094515675d82150bfce08ee8d3
SHA256 467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812
SHA512 e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8a397468b718572f173514dbf1911daf
SHA1 952d270ef46a6f6d52395ce4d31a7202390ad706
SHA256 19c838de963648c4f48eaabecf4672830401d13e4882ce8c1fe53573aef7c4c6
SHA512 7d32a28b595296d6da2c87d52bd195c06142de850e77ada55639edd819a2614b24eaba0485c51474f60f58c0bf5ed563973e501e60718c2193cebe205f224faa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 3a7fa6a300d241223e236c45da2535a3
SHA1 71fecd53f921ff1d5aaf89c4a8f26d5dacf54bc1
SHA256 a9e328dd05f3c10c60c9e15aa6c443f401140c0f353048d5e6f86ea7030a9e7e
SHA512 a6c38c0ad2c1241c0167cdcb563218de4ab47cfe4dacd40fb622fade1113951f9a729b171779bd5ac59af54c9ca27479bc3f90d429c43c15d9812cbdec098558

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 fd4fb252c6e219371cb63645ef2dd13f
SHA1 a41b8323e648382025ac00cfc4b04caf85ef82b7
SHA256 6e459a5b093cf004100d8be530d72540b8a14a007ef6e0d79ae3055e5ccc00a2
SHA512 f7994c6e2ec1f077e0cd1c405c9a8ef4a873bb8ce15e20411511c68120f6269e5e6e7af79d7c240b87205f3a03d54b447f78920f938c2e3cdb5d02b850ed98d0