Malware Analysis Report

2024-07-28 05:18

Sample ID 240603-h46jksha53
Target 90ee8342ee7b786b303981daf9b35f84_JaffaCakes118
SHA256 21d1800941f0ded92a86f74f594496c92eaf05ae5cec42ef1836bc2dbd220582
Tags
adware discovery persistence spyware stealer
score
7/10

Analysis Overview

score
7/10

SHA256

21d1800941f0ded92a86f74f594496c92eaf05ae5cec42ef1836bc2dbd220582

Threat Level: Shows suspicious behavior

The file 90ee8342ee7b786b303981daf9b35f84_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

adware discovery persistence spyware stealer

Reads user/profile data of web browsers

Registers COM server for autorun

Executes dropped EXE

Loads dropped DLL

Installs/modifies Browser Helper Object

Checks installed software on the system

Drops Chrome extension

Drops file in Program Files directory

Unsigned PE

System policy modification

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies Internet Explorer settings

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-03 07:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 07:18

Reported

2024-06-03 07:21

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90ee8342ee7b786b303981daf9b35f84_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A

Reads user/profile data of web browsers

spyware stealer

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\sKNIG8.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ibfbbflhdimnpanfjlbegfghhiodecil\1.0\manifest.json C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B574C751-BCD6-574B-A5B8-A6C6CF674E26} C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\ = "YoutubeAdblocker" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B574C751-BCD6-574B-A5B8-A6C6CF674E26} C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B574C751-BCD6-574B-A5B8-A6C6CF674E26} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\ = "YoutubeAdblocker" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\NoExplorer = "1" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B574C751-BCD6-574B-A5B8-A6C6CF674E26} C:\Windows\system32\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\YoutubeAdblocker\sKNIG8.tlb C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
File opened for modification C:\Program Files (x86)\YoutubeAdblocker\sKNIG8.tlb C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
File created C:\Program Files (x86)\YoutubeAdblocker\sKNIG8.dat C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
File opened for modification C:\Program Files (x86)\YoutubeAdblocker\sKNIG8.dat C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
File created C:\Program Files (x86)\YoutubeAdblocker\sKNIG8.x64.dll C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
File opened for modification C:\Program Files (x86)\YoutubeAdblocker\sKNIG8.x64.dll C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
File created C:\Program Files (x86)\YoutubeAdblocker\sKNIG8.dll C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
File opened for modification C:\Program Files (x86)\YoutubeAdblocker\sKNIG8.dll C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{B574C751-BCD6-574B-A5B8-A6C6CF674E26} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{B574C751-BCD6-574B-A5B8-A6C6CF674E26} C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{B574C751-BCD6-574B-A5B8-A6C6CF674E26} C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{B574C751-BCD6-574B-A5B8-A6C6CF674E26} C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Windows\system32\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\sKNIG8.dll" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\ProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\ = "YoutubeAdblocker" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\CLSID C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CLSID\ = "{B574C751-BCD6-574B-A5B8-A6C6CF674E26}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CLSID C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\ = "YoutubeAdblocker" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0 C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CurVer\ = "YoutubeAdblocker.1.0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\ProgID\ = "YoutubeAdblocker.1.0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\sKNIG8.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\ProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\VersionIndependentProgID\ = "YoutubeAdblocker" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CurVer\ = "YoutubeAdblocker.1.0" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\ = "YoutubeAdblocker" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\CLSID\ = "{B574C751-BCD6-574B-A5B8-A6C6CF674E26}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\YoutubeAdblocker" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\sKNIG8.dll" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\Programmable C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 2112 (recorded 7 times) N/A C:\Users\Admin\AppData\Local\Temp\90ee8342ee7b786b303981daf9b35f84_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe
PID 2112 wrote to memory of 2300 (recorded 7 times) N/A C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2300 wrote to memory of 2988 (recorded 7 times) N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26} = "1" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\90ee8342ee7b786b303981daf9b35f84_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\90ee8342ee7b786b303981daf9b35f84_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe

"C:\Users\Admin\AppData\Local\Temp/00294823/U6ftBfv.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\YoutubeAdblocker\sKNIG8.x64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\YoutubeAdblocker\sKNIG8.x64.dll"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe

C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.dat

C:\Users\Admin\AppData\Local\Temp\00294823\ibfbbflhdimnpanfjlbegfghhiodecil\background.html

C:\Users\Admin\AppData\Local\Temp\00294823\ibfbbflhdimnpanfjlbegfghhiodecil\content.js

C:\Users\Admin\AppData\Local\Temp\00294823\ibfbbflhdimnpanfjlbegfghhiodecil\Ih6wXqy.js

C:\Users\Admin\AppData\Local\Temp\00294823\ibfbbflhdimnpanfjlbegfghhiodecil\lsdb.js

C:\Users\Admin\AppData\Local\Temp\00294823\ibfbbflhdimnpanfjlbegfghhiodecil\manifest.json

C:\Users\Admin\AppData\Local\Temp\00294823\ibfbbflhdimnpanfjlbegfghhiodecil\sqlite.js

C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\chrome.manifest

C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\bootstrap.js

C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\content\bg.js

C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\install.rdf

C:\Users\Admin\AppData\Local\Temp\00294823\sKNIG8.dll

C:\Users\Admin\AppData\Local\Temp\00294823\sKNIG8.tlb

C:\Users\Admin\AppData\Local\Temp\00294823\sKNIG8.x64.dll

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 07:18

Reported

2024-06-03 07:21

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90ee8342ee7b786b303981daf9b35f84_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\sKNIG8.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ibfbbflhdimnpanfjlbegfghhiodecil\1.0\manifest.json C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\ = "YoutubeAdblocker" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\NoExplorer = "1" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B574C751-BCD6-574B-A5B8-A6C6CF674E26} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B574C751-BCD6-574B-A5B8-A6C6CF674E26} C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\ = "YoutubeAdblocker" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B574C751-BCD6-574B-A5B8-A6C6CF674E26} C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B574C751-BCD6-574B-A5B8-A6C6CF674E26} C:\Windows\system32\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\YoutubeAdblocker\sKNIG8.dat C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
File opened for modification C:\Program Files (x86)\YoutubeAdblocker\sKNIG8.dat C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
File created C:\Program Files (x86)\YoutubeAdblocker\sKNIG8.x64.dll C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
File opened for modification C:\Program Files (x86)\YoutubeAdblocker\sKNIG8.x64.dll C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
File created C:\Program Files (x86)\YoutubeAdblocker\sKNIG8.dll C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
File opened for modification C:\Program Files (x86)\YoutubeAdblocker\sKNIG8.dll C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
File created C:\Program Files (x86)\YoutubeAdblocker\sKNIG8.tlb C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
File opened for modification C:\Program Files (x86)\YoutubeAdblocker\sKNIG8.tlb C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{B574C751-BCD6-574B-A5B8-A6C6CF674E26} C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{B574C751-BCD6-574B-A5B8-A6C6CF674E26} C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{B574C751-BCD6-574B-A5B8-A6C6CF674E26} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{B574C751-BCD6-574B-A5B8-A6C6CF674E26} C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\ProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\sKNIG8.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\ = "YoutubeAdblocker" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\VersionIndependentProgID\ = "YoutubeAdblocker" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CurVer\ = "YoutubeAdblocker.1.0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\ProgID\ = "YoutubeAdblocker.1.0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\ = "YoutubeAdblocker" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\ProgID\ = "YoutubeAdblocker.1.0" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CurVer\ = "YoutubeAdblocker.1.0" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26} C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\ProgID C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\sKNIG8.dll" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\CLSID\ = "{B574C751-BCD6-574B-A5B8-A6C6CF674E26}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\ = "YoutubeAdblocker" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0 C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CLSID\ = "{B574C751-BCD6-574B-A5B8-A6C6CF674E26}" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CurVer C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\ = "YoutubeAdblocker" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\ProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\Programmable C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CLSID\ = "{B574C751-BCD6-574B-A5B8-A6C6CF674E26}" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CLSID C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\sKNIG8.tlb" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26}\Programmable C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26} C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{B574C751-BCD6-574B-A5B8-A6C6CF674E26} = "1" C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\90ee8342ee7b786b303981daf9b35f84_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\90ee8342ee7b786b303981daf9b35f84_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe

"C:\Users\Admin\AppData\Local\Temp/00294823/U6ftBfv.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\YoutubeAdblocker\sKNIG8.x64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\YoutubeAdblocker\sKNIG8.x64.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 216.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.exe

MD5 6223a19e77e3b9b4f633e8863ee1cf40
SHA1 ee5ec9cffb59790d553f5a3394ad5808e1e37446
SHA256 d4041f6772da83d968fcf13181a9004ba69f89effc3a69bee019ab44b5ad1f46
SHA512 66c99f26af2895142c61d75025f9343cc132883f79a513b47c18da1f9eb2582971eeee0610779e20d51d378fda854bf4c5a51434a0f0425054a7d059f764bcb3

C:\Users\Admin\AppData\Local\Temp\00294823\U6ftBfv.dat

MD5 0a36dc65e730c415d3bcd5edfc87d61f
SHA1 78aa977adeb8f6134a9c286e0b44ada2ae4aefbb
SHA256 c777ce051b3ffdc60df65b9b8c0e38d96b4ad185790e59c2d277d861a4e9473f
SHA512 31b8bad7baac7e914d2eecd2921d8793b27fe2790e442cd00fb9104a4976c960a248dfd076e1b3b1eeec0a3eba4038a04990653abc6e439ef4ee38efa5898c34

C:\Users\Admin\AppData\Local\Temp\00294823\ibfbbflhdimnpanfjlbegfghhiodecil\content.js

MD5 5f9891607f65f433b0690bae7088b2c1
SHA1 b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de
SHA256 fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b
SHA512 76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

C:\Users\Admin\AppData\Local\Temp\00294823\ibfbbflhdimnpanfjlbegfghhiodecil\background.html

MD5 ffb25881891c497b4c2312791670a4c7
SHA1 5960f2f88e769702ff8837f08d123526b3b2b354
SHA256 99095a8ce5c6d67aacc7e0311d153f94d68a8c1ddda406ce41a24fdd9e94a358
SHA512 4f976d4ae3cfc7da974b70eafd111bf9ed76c25b2167bff29352a0a3ecf587ed93506631b92672185084fb7454dae75c2005b5e092dd45b43afe156360be25ab

C:\Users\Admin\AppData\Local\Temp\00294823\ibfbbflhdimnpanfjlbegfghhiodecil\lsdb.js

MD5 209b7ae0b6d8c3f9687c979d03b08089
SHA1 6449f8bff917115eef4e7488fae61942a869200f
SHA256 e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704
SHA512 1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

C:\Users\Admin\AppData\Local\Temp\00294823\ibfbbflhdimnpanfjlbegfghhiodecil\manifest.json

MD5 e2832fbedae560495781610b5c511afa
SHA1 95f9c6fe1ea5a6ee009bce1e9c215ef53fb5c108
SHA256 6e03e688a9f7cc23a788e004cea4c87ee73e36c1053d2fb34a214bcc597f3ea2
SHA512 2e206b58d02a88d21cb0cd74d5523b9f07f4558b4af9a19936befb256c2dc868107ab1716849e09b665721d1ac7b01ba6762bb54822596e39a4cdad763c68cb9

C:\Users\Admin\AppData\Local\Temp\00294823\ibfbbflhdimnpanfjlbegfghhiodecil\Ih6wXqy.js

MD5 96187b0ed17a091dfede72ca246e2498
SHA1 1ef3486c647c50e6506052a0063be6cdc07a9e38
SHA256 3d00d628eded5e566c631d153248f4fdbcb9d4ef8e2abc89ce7f4aab72363dcc
SHA512 054de08ce6228290fe17b1093b0ea0b4ff26f09e7b2d507ebbec6d6dc361f19a6e2c11ab671c3746f7510185c366c12615173a5495db77f3c367a41b0bba88b9

C:\Users\Admin\AppData\Local\Temp\00294823\ibfbbflhdimnpanfjlbegfghhiodecil\sqlite.js

MD5 73a28b445cb1854ee8f62a9df59bd7ca
SHA1 9e811ab93797974f1ec15103cd1e01b04d4e5b5c
SHA256 0d7fe287680ed1fc12921d0d6b3666ffc499660d5f0e687600c827880d95773a
SHA512 03380ce43d65024dd546cc70ee204ee2bd53b55f7b23ea23b57a3a1d352997898f4ea8dd6f1372ce1e16bec189383dedc5a10b5e1ea7ef13aa56854be90da6ac

C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\bootstrap.js

MD5 1b53c596cfb1aa2209446ff64c17dabd
SHA1 2542da14728dcdbe1763f1ee39fe9ceae38ad414
SHA256 a7dfea4bf7e1d46a8b8e64ccfb2cf35017e3a5b350eead26d6671254d2b3c46f
SHA512 be54481675c38ef6a41697cf8cd3ab5a0b126922b192732a9c587dd8905b74b66c79eb0c849f62bbe8934979a894be63734b0ad59ffae295f5797cbfaa327030

C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\chrome.manifest

MD5 50452501ade8b9448fa931bb4bea21c4
SHA1 0736a83abdd0af5685b9657279029d62ad036993
SHA256 b23397cdb3a248dbc389f38a07707da7ce8d954b4230c0ffdb67eb69f9c9e654
SHA512 905f414caa5c3a0d4fe505bdfd9f2b76655326a5ebe96f0dbef9df172a2e561c17dd4d56bb637ad395ac698bd614c174ad5f3fabddd36a3d7382944c944cf3b9

C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\content\bg.js

MD5 61e93ac555bbff0b5647ef4aa24b8629
SHA1 cb0e38a297d0113c9805890fe5e63f75a5b2aed4
SHA256 d9cdfa6a9ca356f4911e079fa47a56fbdf7700a4830a0e190e31843ac0086307
SHA512 6abbec8837e9f1d65039c836740984f279f2e5c24e5f04aae0676d0466eede1604c4a05f130069ae1cc30b34d44aa3c2b75a12b5e4279767a84db3c5dcc4a906

C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\install.rdf

MD5 98723f15454a2ecd49db303104f16037
SHA1 8d205343e5c90b2eae90bb87a19033148538b9f8
SHA256 c57fe93063c0b959a29a62a874cce8c39bbb01eb56fe650f93721bdae713d5ca
SHA512 5fd4d7471c502022b4ae30aa1c35e09c317c49aed030bd411d2e2c7667c5b4998d2e4bb7e19358ceef68e3bb666099ca0a568943ddf90c254f68fc2119047bd2

C:\Users\Admin\AppData\Local\Temp\00294823\sKNIG8.tlb

MD5 9f260bfcd1ef83627ceb2792ee3324f5
SHA1 078164529ae639e5ff9cf0e4003a82259c2aace8
SHA256 8ce97c40c3fea5c0a6446b3e647cdb0d1d38eb0a07c40a91a8df4ad0517b2526
SHA512 3e3fa6af779fdda2ecd4e75cfb7b09eae69352eb39560fecbeae750130a111aa099a11d91dce90ab2a7dc11a9fe25d3898c65da8de7fb5729398cdb8260dcd6f

C:\Users\Admin\AppData\Local\Temp\00294823\sKNIG8.dll

MD5 9afeb7fa65aa31c6b871237d14a8fb94
SHA1 58f99ae9ea22f56f28b6c5fa798bda3109f297f6
SHA256 4cb847c3d1b5b9ae746e3725ae26b756c4eb980c93faf2a5963a030e9db2874a
SHA512 311655752677bad1e397ef2f03608ee9819157d211b65cb3b4d81a11b70c32fdd07a6e38c7b276e66ad7953f7549d1c881a0fd97ec82621365a4c2ec23dca855

C:\Users\Admin\AppData\Local\Temp\00294823\sKNIG8.x64.dll

MD5 410bb7e2c88f92de31b83a173e173e2d
SHA1 ff40233a038f80b7b1513431d6a9632e8f0e39f0
SHA256 afd8e3c979685360c26ff618eb85e0b788f7d9b743fc4e52b9337c242e5bf8d3
SHA512 d5a2727ac2936f189e4247852f147efe93f4473c690abb046c0e38cd8371198c601ae3ec41b04f389da208090c110b7d7ccc903bd3ae9f6ec1b926d5461fdd1e