Analysis Overview
SHA256
3c27e55b273c022f59e8d637a2971f7ae9a8a87bc347f0ed24ff7cfce0eda3f3
Threat Level: Shows suspicious behavior
The file 7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Drops Chrome extension
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Browser Information Discovery
Modifies Internet Explorer start page
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 21:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 21:41
Reported
2024-10-27 21:43
Platform
win7-20241010-en
Max time kernel
150s
Max time network
145s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\crp80E4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\crp80E4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3CD2E291-94AC-11EF-8B1E-52DE62627832} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Search Page Before = "http://go.microsoft.com/fwlink/?LinkId=54896" | C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20273d12b928db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value elided) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Start Page Before = "http://go.microsoft.com/fwlink/?LinkId=69157" | C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://search.b1.org/?bsrc=hmior&chid=c162341" | C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b1319000000000200000000001066000000010000200000002463af5a4bc56b39eaf8cfd92cc0c3b5c63ae304a9e5bf92f6ca37ad0754b4e8000000000e80000000020000200000009aa1436488ba2805b14983d791d333ea8ac08ac7e238d7e5d6dbe759b150c5fa200000002ed24a6e26fbca9f1d95370be744ca133378017f187717d28cc320fe18319a1d40000000ec99db533f91f14af08d9a746f37402685e3f8201a5904b169976f56346ac39ec43f56b8ccadaf84889292f494da93ced5e5987cfc78ba7ad3c6d7037d60fb49 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436227164" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://search.b1.org/?bsrc=hmior&chid=c162341" | C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\crp80E4.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\crp80E4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\crp80E4.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\crp80E4.exe
/S /notray
C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
-home -home2 -hie -hff -hgc -spff -et -channel 162341
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.4shared.com/mp3/VjIVqqho/__1_.html?ref=downloadhelpererror
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2520 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | download.security.baidu.co.th | udp |
| US | 8.8.8.8:53 | dc634.4shared.com | udp |
| US | 104.193.90.83:80 | download.security.baidu.co.th | tcp |
| US | 199.101.134.235:80 | dc634.4shared.com | tcp |
| US | 8.8.8.8:53 | search.b1.org | udp |
| US | 8.8.8.8:53 | www.4shared.com | udp |
| US | 199.101.134.237:80 | www.4shared.com | tcp |
| US | 199.101.134.237:80 | www.4shared.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 104.193.90.83:80 | download.security.baidu.co.th | tcp |
Files
\Users\Admin\AppData\Local\Temp\crp80E4.exe
| MD5 | 661cf9c90eb099fb7b6a394dd8cde2e4 |
| SHA1 | 3704e119ea16a3c336f63dc808176a22fbb8582a |
| SHA256 | 1570e0efe0cb98623913d942cf40f2eb5b10458f49842097125c6d6d8604cd07 |
| SHA512 | 13c26a514c2022a10b42566a527ef98adaaa9932ffd07612ccdeb371888c037be3b429c956ecb7705699a2b6e3463758735332c9e26ea5f4493a91f30dfb4761 |
\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
| MD5 | a3e93460c26e27a69594dc44eb58e678 |
| SHA1 | a615a8a12aa4e01c2197f4f0d78605a75979a048 |
| SHA256 | 3a81cefbc928fe136056257b8b57733164f2d1fa9d944dc02897b31b171335c6 |
| SHA512 | 39d17b7190f3ff5b3bc3170c8e21d7bba5c32c0f55bd372af2e848ff1ef1392083218a562f3361fdc2db95e4133a19c4ec1cab3e982174d76b8276358dac6530 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QHNCLM1T.txt
| MD5 | e638f53684d1b96af36281440d64fe27 |
| SHA1 | 8901f65829e97903488170fd6011e0feba3f5b3a |
| SHA256 | 38fe7faac70c93c90357a36f21fb077598b85ca3fbeb8612cc571d69e6ba1a24 |
| SHA512 | a221e819327fda6fe6cc27765b2a259d8256a0e0b51dd42372bf002fa36c8b6960d0218364c42b7f2d08a1c83204381533a8bcb9222763f40af69b3e66b73cbf |
C:\Users\Admin\AppData\Local\Temp\CabA518.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarA5B7.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b53080f1e0c4c5adbf3eace810831d13 |
| SHA1 | b87378a6e4f10a80662a53c28cfc1ee39fc2aaf9 |
| SHA256 | bfeb7e7f9b1438ba0ac9e04c8ee6df1db22e1d22d5e84ef78f3b77913c82e3e0 |
| SHA512 | 785d8b7119817b3ba360319834014fb9da9ce554fda4f1598c577bb0457fcefe7ade10d7240a3e14a3140797d8f4d9571c54bd732816f3a4f8449c0315cdad68 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 06d37461ce49181ed8f00533d748b346 |
| SHA1 | 3c07e63d9db812e112b3dd242155c0e470142bde |
| SHA256 | 50670a30dfad25001f2ef0ac0356ff80005ce74d5a9b4df145b8fc2b81d1ac49 |
| SHA512 | e7750e6a7f0bda83744f0e0eafbfb83db2f26d886c1c2029656c53fee67779e5648fbb4a058baf5959197e59ce433af5dd1ef190c9ac96232df26019d8d733a0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 834529f3f6085ca8be7b27582dff5f1b |
| SHA1 | 8b96c69f3efb6cc382ac685111a7d7c5bbb20881 |
| SHA256 | 1007de7cdd532f033242eeda6c6902b8dc36a544a6c388abdc4232be0a0bd91b |
| SHA512 | 155c10243a4174a942827b4b4f978bbbc1ea0b112d1178a3847b9ea3790e9fa8abd77a7f349917a6a42a6b6808790f54f80989d69c3a44db224206fc48aa990f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b108d57f734717a7c97d2ff0110426f4 |
| SHA1 | d18d6e570f3b13b75159313216fb2e7d917ba70c |
| SHA256 | b8c94464a4e1f3ada9341e3e11dbb891ad0f5e26e71a4d84b52b7bfff94aa5b2 |
| SHA512 | ea4420c87775b4851b42846553aa06a0dcc5a0c891442f0e28e5dbcc6541633ecf1b1e3b2787cb0e2c38070bd72c965ee67ae73324b827372693328d798c74b7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2a0ae9a9759a9a3f99bde07004be15ab |
| SHA1 | 26995332e10b96151a292ca62b791a8650e6f906 |
| SHA256 | 77a8cf327e07cfa0a93b5b4ce009be1acf6cd336d6a7e9f75d83e974137c10dd |
| SHA512 | de30d9cd88bfdf7223c5e91e90504a433db6e8d15e78a254a5fd0736432454b8644534f2f3cc0e70034b32243e6d61d68edd2cf93d698647f0cc4f037e305ff5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 056e6722aee976a75e646e6a9b402b63 |
| SHA1 | 8d7403260806efd4eab8f22232d74c179d55e809 |
| SHA256 | 0f047e33c9a9c9122aa73e9665cb108a52e62ec6fc77fcf9265391fe956f4429 |
| SHA512 | 935ebeca0c968e4b8a1d610f9f7d3fed576195008dc1d8ccd739d9f9d4803b93df40d2137223f64db060c8e8c74d8094bd777d1f867fd78779c4a9973d868861 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a939e2c597885bcb9a7298448966785a |
| SHA1 | 29007f36cb1f911f10fce0a8f686bf3dde097aa4 |
| SHA256 | fa7b6515f8d2d17ad59e74799e1b3d9139f9861e95f2f665e702388fd3054f97 |
| SHA512 | ba8d45be1218808f9c6238254f2c2ecd14b81e3f69d176f0840124fca8a1595495ceb236e2deda19d02ef95027a2be376fdf9d4c7419eaf65343a75faaf4b303 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9bfa57022b833fcd9f237a58367f31ed |
| SHA1 | 99f8d0f962c39f1f32de0af21225c498d1ff3452 |
| SHA256 | 6abe59b3e5e171baf1f85b0ff13d5e2012671900e860af836cce739e3a461126 |
| SHA512 | 213af0158e2267c7b6450258c83bcc952a19a52c451df5941db5e4a49af634f2224c1885d33bebfe4c0d0a78c747fba674c0e6b3c5c0c11e79235d1c83483163 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 708d87fc8ea23ab5593cb35a9a44b7fb |
| SHA1 | ed5b7009363147279436550182fb3e3ff23f669f |
| SHA256 | cd165aca8cde73d2774d988201d6f1dd502cceb892bb34570780eb677ebe37db |
| SHA512 | 7dafff62b7af334b2f26198c10c41d8d5e9a909733a96fb6d68d7ed50ca84493202e09ebb72c5e6849bba09f7353f386913bff06a6a463efa534cf428c38cb34 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4083e3bb90754ba7abc60e8f9ee5a89e |
| SHA1 | 8b682b99d377dfd1f70f8c7285a588f9b7a94f04 |
| SHA256 | 76112f8e72b8d0024176c56c4fb8ecca9ebb5214b24e7ddfb7fd8d94b7a7b4a5 |
| SHA512 | 82db79fa995ab1835b64fcd04c0549d06d9f283c0edb1b2d1c43ebeeb6fd48f49b651691563882e55b965dcc70928911b5333ec65edf5996923d6357f743d829 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1b94cc2cef391d5af2c626028659d203 |
| SHA1 | 1805b140a6d6ba11064e3c81fe901ee7aab1c8ac |
| SHA256 | e751d88dd15b368838bcc4b14603f75ff942f83c5569a348893d57a4ffca0d23 |
| SHA512 | dd33f79e41636e112dda37b81e96e0bf8820c5a49e7d71071f081bc2aaf18871206f3285c63c1aa1c9a7aa7d570f16e49768e67a638907f1a49e9bbb87d00699 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 78532030317128cc859068e1480e29e6 |
| SHA1 | 1c64ebb039bd4d330ba7784c35f964d92bd32ad6 |
| SHA256 | ae72bcdbd09c74620de4962c69a476b91b2fc0c13b0dd82d12e1b444e0ebe6d3 |
| SHA512 | 22726d959390db9f8876402474514870a104e4a3e7ca3b4e1a57756ce9091a1dcb0b2e2d2ce1b577ed75a4fc3b17fa92dca5e4c918990cea11f6a14b4548ba64 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 20e7eeff66c986a1ee2174d03180fbb3 |
| SHA1 | 6057079d12e935acbb66fe02dafe7a0a06abddd6 |
| SHA256 | 21952d433d697a56f0469c4f1ab7249c5aa60afc6c374aa969f4fc00010a18aa |
| SHA512 | 607a383eb442b1817a9ab2baf15172dd8ed71ba42c63cadbc46138465720c1d41c7226278d71075f20a86d948a7c0a9aa1bdc7ac4b24742c2440b4809142aed6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 50b96aa3bde8ec70ea4f11b908c03356 |
| SHA1 | f716ed17e96ba80b2d6a361503dc9f9286592011 |
| SHA256 | 0351716d23d58a97bbeab2fc18f6529462cd415f194ad87017986cca2fe5962c |
| SHA512 | 656e0776a5996c0b054f265efa9ad391dfdecc8fc8bd25f5d2f62fc9e25e2e10af4a367ae6c5f92f184e80fda399c2cc07a3acd946abccf462d8aff55792f09f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 35b7e2f1d3daefafdb9fb2fad1c64744 |
| SHA1 | 307796495633db4a7e6bf815021def588ef23442 |
| SHA256 | 443c38e16b589c3f03cc76d44b100663fc1516e496f666a43cb61c81ccf7652a |
| SHA512 | 1e6704d07c9e7f21a0312cb44c4ffa33768eb4301633f46ad86da2bc9e2961c16e24d30fd6625ca3225a620908a7d4fbd54e7e1053f15c9ae53a6a498dd2e8de |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4942af97d409aad76feb632459d32e48 |
| SHA1 | 981dadd925ea127d7e902650827ea5c697e6db82 |
| SHA256 | 7bf1116e1a8e904856b7ebcd5f5d903f2d778337f238c0ead72310124d4b2fae |
| SHA512 | b76e21825c57f4fb61f94054c80c3f39ca3b38dfe22f6fd81105e2c02d94a409bc3c1eb52d9cfef88cef3d0565c059fa38c13cc13a242ce317e5818f912feb4a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | eb84898722aa205792b8da41f1f9df3c |
| SHA1 | 6355187da97e7adf64453065c6af92b10775071f |
| SHA256 | f97ec59f654ba1846da9581bb750a5c5460936612e4e1efc0ea7afe6f1a476a8 |
| SHA512 | 6218c92438fc60168fb41bd34c8ea265a10f5a479513d0dca53d180aa47bfb6d2257e7c68d835c7861735f2d1fdd4fc47e1c82edca96b30d98cc0463556203a6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 21:41
Reported
2024-10-27 21:43
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe | N/A |
Reads user/profile data of web browsers
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hahpjplbmicfkmoccokbjejahjjpnena\1.2_0\manifest.json | C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page Before = "http://go.microsoft.com/fwlink/?LinkId=54896" | C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://search.b1.org/?bsrc=hmior&chid=c162341" | C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page Before = "http://go.microsoft.com/fwlink/p/?LinkId=255141" | C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.b1.org/?bsrc=hmior&chid=c162341" | C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe | N/A |
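The two "Modifies Internet Explorer settings" / "Modifies Internet Explorer start page" tables (behavioral1 and behavioral2) and the "Drops Chrome extension" row above share one pattern: the writer is hpet.exe, not a browser, and the new Start Page / Search Page value points at search.b1.org. The detector below is an added example, not part of the sandbox report or of any vendor rule set. It runs over Sysmon-style events (EventID 13 = registry value set, EventID 11 = file create); the sample events are constructed from the report's own rows, while the Event class, rule names, browser allow-list and severity labels are this example's assumptions.

```python
"""Detector for the browser-hijack behaviour recorded above for hpet.exe.

Added example, not part of the sandbox report or of any vendor rule set.  It
runs over Sysmon-style events (EventID 13 = registry value set, EventID 11 =
file create).  The sample events are constructed from the report's rows; the
Event class, rule names, allow-list and severity labels are assumptions.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Values under IE\Main whose rewrite redirects the user.  The report also shows
# the hijacker parking the previous values under "<name> Before".
IE_HIJACK_VALUES = {"Start Page", "Search Page", "Default_Page_URL", "Default_Search_URL"}
IE_MAIN_RE = re.compile(
    r"\\Software\\Microsoft\\Internet Explorer\\Main\\(?P<value>[^\\]+)$", re.IGNORECASE)
# manifest.json under a Chrome profile's Extensions directory; ids are 32 chars a-p.
CHROME_EXT_RE = re.compile(
    r"\\Google\\Chrome\\User Data\\[^\\]+\\Extensions\\(?P<ext_id>[a-p]{32})\\[^\\]+\\manifest\.json$",
    re.IGNORECASE)
# Images expected to write those locations (assumed allow-list, lower-case basenames).
BROWSER_IMAGES = {"iexplore.exe", "chrome.exe", "msedge.exe"}
# Host the report shows in the rewritten Start Page / Search Page values.
KNOWN_BAD_HOSTS = {"search.b1.org"}


@dataclass(frozen=True)
class Event:
    event_id: int      # 13 = registry value set, 11 = file create
    image: str         # acting process, full path
    target: str        # registry TargetObject or TargetFilename
    details: str = ""  # new registry data; empty for file events


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return one finding dict per suspicious event, in event order."""
    findings = []
    for ev in events:
        proc = _basename(ev.image)
        if proc in BROWSER_IMAGES:
            continue  # a browser writing its own settings is expected (see the iexplore.exe rows)
        if ev.event_id == 13:
            m = IE_MAIN_RE.search(ev.target)
            if not m:
                continue
            value = m.group("value")
            if value.endswith(" Before"):
                # Installer stashing the previous home/search page before overwriting it.
                findings.append({"rule": "ie_original_saved", "severity": "low",
                                 "process": proc, "value": value, "data": ev.details})
            elif value in IE_HIJACK_VALUES:
                host = (urlparse(ev.details.strip('"')).hostname or "").lower()
                sev = "high" if host in KNOWN_BAD_HOSTS else "medium"
                findings.append({"rule": "ie_homepage_hijack", "severity": sev,
                                 "process": proc, "value": value, "host": host})
        elif ev.event_id == 11:
            m = CHROME_EXT_RE.search(ev.target)
            if m:
                findings.append({"rule": "chrome_extension_sideload", "severity": "high",
                                 "process": proc, "extension_id": m.group("ext_id").lower()})
    return findings


HPET = r"C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe"
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"  # constructed negative case
IE_MAIN = r"HKU\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main"
MANIFEST = (r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions"
            r"\hahpjplbmicfkmoccokbjejahjjpnena\1.2_0\manifest.json")

# Constructed from the report's rows, plus one chrome.exe write that must not fire.
SAMPLE_EVENTS = [
    Event(13, HPET, IE_MAIN + r"\Start Page Before", "http://go.microsoft.com/fwlink/?LinkId=69157"),
    Event(13, HPET, IE_MAIN + r"\Start Page", "http://search.b1.org/?bsrc=hmior&chid=c162341"),
    Event(13, HPET, IE_MAIN + r"\Search Page", "http://search.b1.org/?bsrc=hmior&chid=c162341"),
    Event(13, IE, IE_MAIN + r"\FullScreen", "no"),
    Event(11, HPET, MANIFEST),
    Event(11, CHROME, MANIFEST),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Two points the rows above make and the code relies on: the many iexplore.exe writes under the same SID are the browser's own housekeeping and would be pure noise as a detection, so the rule keys on the writing image; and the `go.microsoft.com/fwlink` URLs in the `... Before` values are the Microsoft defaults the installer saved before overwriting them, so they should not be treated as indicators.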
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7612ada5af2ac8606d45c1c2b74249f3_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe
/S /notray
C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
-home -home2 -hie -hff -hgc -spff -et -channel 162341
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.4shared.com/mp3/VjIVqqho/__1_.html?ref=downloadhelpererror
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdd35a46f8,0x7ffdd35a4708,0x7ffdd35a4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,4430958688302988930,17195559231395637991,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,4430958688302988930,17195559231395637991,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,4430958688302988930,17195559231395637991,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,4430958688302988930,17195559231395637991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,4430958688302988930,17195559231395637991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,4430958688302988930,17195559231395637991,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,4430958688302988930,17195559231395637991,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,4430958688302988930,17195559231395637991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,4430958688302988930,17195559231395637991,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,4430958688302988930,17195559231395637991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,4430958688302988930,17195559231395637991,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,4430958688302988930,17195559231395637991,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2740 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | download.security.baidu.co.th | udp |
| US | 104.193.90.83:80 | download.security.baidu.co.th | tcp |
| US | 8.8.8.8:53 | dc634.4shared.com | udp |
| US | 199.101.134.234:80 | dc634.4shared.com | tcp |
| US | 8.8.8.8:53 | www.4shared.com | udp |
| US | 8.8.8.8:53 | 234.134.101.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.90.193.104.in-addr.arpa | udp |
| US | 199.101.134.234:80 | www.4shared.com | tcp |
| US | 199.101.134.234:80 | www.4shared.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 104.193.90.83:80 | download.security.baidu.co.th | tcp |
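Most of the rows above are background traffic from the detonation image (reverse PTR lookups via 8.8.8.8, Bing and Edge telemetry, mDNS); the sample's own traffic is the resolution of and HTTP connections to download.security.baidu.co.th and the two 4shared.com hosts. The following script, added here as an example and not part of the sandbox report, separates the two by parsing the table in the report's own layout. The resolver address, the mDNS group and the noise suffixes are assumptions for this example; the sample rows are a subset of the table above, embedded inline.

```python
from collections import OrderedDict

# Constructed sample input: a subset of the Network rows from this report, in the
# report's own "| Country | Destination | Domain | Proto |" layout.
NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | download.security.baidu.co.th | udp |
| US | 104.193.90.83:80 | download.security.baidu.co.th | tcp |
| US | 8.8.8.8:53 | dc634.4shared.com | udp |
| US | 199.101.134.234:80 | dc634.4shared.com | tcp |
| US | 8.8.8.8:53 | www.4shared.com | udp |
| US | 199.101.134.234:80 | www.4shared.com | tcp |
| US | 199.101.134.234:80 | www.4shared.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 104.193.90.83:80 | download.security.baidu.co.th | tcp |
"""

# Assumed allow-list of detonation noise on a Windows/Edge sandbox image. These are
# assumptions made for this example, not classifications made by the report.
RESOLVERS = {"8.8.8.8:53"}
MDNS = {"224.0.0.251:5353"}
NOISE_DOMAIN_SUFFIXES = (".bing.com", ".bing.net", ".in-addr.arpa")


def parse_network_table(text):
    """Parse the pipe-delimited table into dicts; skip the header and malformed rows."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        rows.append(dict(zip(("country", "dest", "domain", "proto"), cells)))
    return rows


def is_noise(row):
    """Reverse lookups, Bing/Edge telemetry and mDNS are image traffic, not sample IOCs."""
    domain = row["domain"]
    if row["dest"] in MDNS or domain == "":
        return True
    return domain.endswith(NOISE_DOMAIN_SUFFIXES)


def triage_network(text):
    """Map each non-noise domain to the set of (ip:port, proto) endpoints actually contacted.

    A DNS query row (destination is the resolver) only proves the sample resolved the name,
    so the resolver address itself is never recorded as an endpoint.
    """
    iocs = OrderedDict()
    for row in parse_network_table(text):
        if is_noise(row):
            continue
        endpoints = iocs.setdefault(row["domain"], set())
        if row["dest"] not in RESOLVERS:
            endpoints.add((row["dest"], row["proto"]))
    return iocs


def ioc_lines(iocs):
    """Flatten to sorted 'domain -> endpoint' strings suitable for a blocklist or ticket."""
    out = []
    for domain, endpoints in iocs.items():
        if endpoints:
            for dest, proto in sorted(endpoints):
                out.append(f"{domain} -> {dest}/{proto}")
        else:
            out.append(f"{domain} -> (resolved only)")
    return out


if __name__ == "__main__":
    for line in ioc_lines(triage_network(NETWORK_TABLE)):
        print(line)
```

Run against the rows above it yields three IOC lines (the baidu.co.th download host and the two 4shared.com hosts with their HTTP endpoints); repeated rows for the same endpoint collapse into one. Keep the DNS-only rows in the table when filing: a name the sample resolved but never connected to is still evidence of intent.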
Files
C:\Users\Admin\AppData\Local\Temp\crpB7A8.exe
| MD5 | 661cf9c90eb099fb7b6a394dd8cde2e4 |
| SHA1 | 3704e119ea16a3c336f63dc808176a22fbb8582a |
| SHA256 | 1570e0efe0cb98623913d942cf40f2eb5b10458f49842097125c6d6d8604cd07 |
| SHA512 | 13c26a514c2022a10b42566a527ef98adaaa9932ffd07612ccdeb371888c037be3b429c956ecb7705699a2b6e3463758735332c9e26ea5f4493a91f30dfb4761 |
C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
| MD5 | a3e93460c26e27a69594dc44eb58e678 |
| SHA1 | a615a8a12aa4e01c2197f4f0d78605a75979a048 |
| SHA256 | 3a81cefbc928fe136056257b8b57733164f2d1fa9d944dc02897b31b171335c6 |
| SHA512 | 39d17b7190f3ff5b3bc3170c8e21d7bba5c32c0f55bd372af2e848ff1ef1392083218a562f3361fdc2db95e4133a19c4ec1cab3e982174d76b8276358dac6530 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ba6ef346187b40694d493da98d5da979 |
| SHA1 | 643c15bec043f8673943885199bb06cd1652ee37 |
| SHA256 | d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73 |
| SHA512 | 2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c |
\??\pipe\LOCAL\crashpad_4600_KNNXQYIOIGAZLSVG
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | b8880802fc2bb880a7a869faa01315b0 |
| SHA1 | 51d1a3fa2c272f094515675d82150bfce08ee8d3 |
| SHA256 | 467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812 |
| SHA512 | e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 8a397468b718572f173514dbf1911daf |
| SHA1 | 952d270ef46a6f6d52395ce4d31a7202390ad706 |
| SHA256 | 19c838de963648c4f48eaabecf4672830401d13e4882ce8c1fe53573aef7c4c6 |
| SHA512 | 7d32a28b595296d6da2c87d52bd195c06142de850e77ada55639edd819a2614b24eaba0485c51474f60f58c0bf5ed563973e501e60718c2193cebe205f224faa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 3a7fa6a300d241223e236c45da2535a3 |
| SHA1 | 71fecd53f921ff1d5aaf89c4a8f26d5dacf54bc1 |
| SHA256 | a9e328dd05f3c10c60c9e15aa6c443f401140c0f353048d5e6f86ea7030a9e7e |
| SHA512 | a6c38c0ad2c1241c0167cdcb563218de4ab47cfe4dacd40fb622fade1113951f9a729b171779bd5ac59af54c9ca27479bc3f90d429c43c15d9812cbdec098558 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | fd4fb252c6e219371cb63645ef2dd13f |
| SHA1 | a41b8323e648382025ac00cfc4b04caf85ef82b7 |
| SHA256 | 6e459a5b093cf004100d8be530d72540b8a14a007ef6e0d79ae3055e5ccc00a2 |
| SHA512 | f7994c6e2ec1f077e0cd1c405c9a8ef4a873bb8ce15e20411511c68120f6269e5e6e7af79d7c240b87205f3a03d54b447f78920f938c2e3cdb5d02b850ed98d0 |
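Three things in the Files listing above matter when pulling IOCs out of it: the two dropped executables under Temp and Roaming\B1Toolbar are the payloads worth hashing and hunting for; the Edge profile files (Preferences, Local State, the leveldb CURRENT, Crashpad settings.dat) are listed twice with different digests because the browser rewrote them during the run, not because the sample dropped them; and the crashpad named-pipe entry carries the digests of zero bytes (d41d8cd9... / da39a3ee... / e3b0c442... / cf83e135...), meaning no content was captured for it at all. The script below, added as an example and not part of the report, makes those distinctions mechanically. The browser-profile prefix is an assumption for this example, and the embedded entries are a subset of the listing above.

```python
import hashlib
from collections import defaultdict

# Constructed sample input: four entries from this report's Files section, in the
# report's own layout (a path line followed by "| ALGO | hex |" rows).
FILES_SECTION = r"""
C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
| MD5 | a3e93460c26e27a69594dc44eb58e678 |
| SHA1 | a615a8a12aa4e01c2197f4f0d78605a75979a048 |
| SHA256 | 3a81cefbc928fe136056257b8b57733164f2d1fa9d944dc02897b31b171335c6 |
| SHA512 | 39d17b7190f3ff5b3bc3170c8e21d7bba5c32c0f55bd372af2e848ff1ef1392083218a562f3361fdc2db95e4133a19c4ec1cab3e982174d76b8276358dac6530 |
\??\pipe\LOCAL\crashpad_4600_KNNXQYIOIGAZLSVG
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 8a397468b718572f173514dbf1911daf |
| SHA1 | 952d270ef46a6f6d52395ce4d31a7202390ad706 |
| SHA256 | 19c838de963648c4f48eaabecf4672830401d13e4882ce8c1fe53573aef7c4c6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | fd4fb252c6e219371cb63645ef2dd13f |
| SHA1 | a41b8323e648382025ac00cfc4b04caf85ef82b7 |
| SHA256 | 6e459a5b093cf004100d8be530d72540b8a14a007ef6e0d79ae3055e5ccc00a2 |
"""

ALGOS = ("MD5", "SHA1", "SHA256", "SHA512")

# Digests of zero-byte input, computed rather than hard-coded so the check cannot drift.
EMPTY_DIGESTS = {a: hashlib.new(a.lower()).hexdigest() for a in ALGOS}

# Assumed location of the browser profile on the sandbox image (assumption for this example).
BROWSER_PROFILE_PREFIX = r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data"


def parse_files_section(text):
    """Return a list of (path, {algo: hexdigest}) in report order.

    A non-table line starts a new entry; the "| ALGO | hex |" rows that follow belong to it.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("|"):
            cells = [c.strip() for c in line.strip("|").split("|")]
            if len(cells) == 2 and cells[0] in ALGOS and entries:
                entries[-1][1][cells[0]] = cells[1].lower()
        else:
            entries.append((line, {}))
    return entries


def is_empty_content(digests):
    """True when every listed digest equals the digest of zero bytes: nothing was captured."""
    return bool(digests) and all(digests[a] == EMPTY_DIGESTS[a] for a in digests)


def classify(entries):
    """Split entries into dropped payloads, browser-profile churn and empty captures,
    and list paths whose SHA256 changed between listings (rewritten during detonation)."""
    report = {"dropped": [], "profile": [], "empty": []}
    sha256_by_path = defaultdict(list)
    for path, digests in entries:
        sha256_by_path[path].append(digests.get("SHA256"))
        if is_empty_content(digests):
            report["empty"].append(path)
        elif path.startswith(BROWSER_PROFILE_PREFIX):
            report["profile"].append(path)
        else:
            report["dropped"].append(path)
    report["modified"] = sorted(p for p, hs in sha256_by_path.items() if len(set(hs)) > 1)
    return report


if __name__ == "__main__":
    for bucket, paths in classify(parse_files_section(FILES_SECTION)).items():
        print(bucket, paths)
```

Only the "dropped" bucket should feed a hash blocklist; the "profile" and "modified" buckets are useful as behavioural evidence (the sample touched the browser profile, which is consistent with the "Modifies Internet Explorer start page" and browser-data signatures above), and the "empty" bucket should be discarded rather than searched for.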