Malware Analysis Report

2024-11-16 13:13

Sample ID: 240625-rx789sydkr
Target: 0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118
SHA256: 514337d70563e1c295af6d0a6f14aab6c9766a3a428b1ea6da618698f80cc267
Tags: sality adware backdoor evasion persistence privilege_escalation stealer trojan upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 514337d70563e1c295af6d0a6f14aab6c9766a3a428b1ea6da618698f80cc267

Threat Level: Known bad

The file 0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

sality adware backdoor evasion persistence privilege_escalation stealer trojan upx

UAC bypass

Modifies firewall policy service

Windows security bypass

Sality

Windows security modification

Executes dropped EXE

Loads dropped DLL

UPX packed file

Event Triggered Execution: Component Object Model Hijacking

Installs/modifies Browser Helper Object

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: RenamesItself

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-25 14:35

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-25 14:35

Reported: 2024-06-25 14:38

Platform: win7-20240508-en

Max time kernel: 121s

Max time network: 122s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (11 identical entries)

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} | C:\Windows\system32\regsvr32.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.6209.1142\Readme.url | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.6209.1142\Readme.url | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.6209.1142\gtn.dll | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.6209.1142\gth.dll | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | N/A
File created | C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg64.dll | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}\AppPath = "C:\\Program Files (x86)\\Google\\GoogleToolbarNotifier" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}\Policy = "3" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5} | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}\AppName = "GoogleToolbarNotifier.exe" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}\AppPath = "C:\\Program Files (x86)\\Google\\GoogleToolbarNotifier" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}\Policy = "3" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5} | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}\AppName = "GoogleToolbarNotifier.exe" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{96FBC13C-8214-4100-88E0-FF74D7A1CB4D} | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\protector_dll.ProtectorBho.1 | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\TypeLib\ = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89} | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\ = "IProtectorLib3" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\GoogleToolbarNotifier\\5.6.6209.1142\\swg.dll" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ProgID\ = "protector_dll.ProtectorBho.1" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\ProxyStubClsid32 | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\TypeLib\Version = "17.0" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\ProgID\ = "protector_dll.ProtectorLib.1" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41} | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\ProxyStubClsid32 | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2212951C-1623-4095-906B-AC50B8F91016} | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\TypeLib\ = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ProtectorExe.ProtectorHost.1\ = "ProtectorHost Class" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\protector_dll.ProtectorLib\CurVer | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\ProgID | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\TypeLib\Version = "17.0" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89} | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\TypeLib | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\TypeLib | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\Programmable | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\protector_dll.Protector\ = "Protector Class" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\AppID = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\protector_dll.Protector\CLSID\ = "{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\ = "IProtector" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\AppID = "{96FBC13C-8214-4100-88E0-FF74D7A1CB4D}" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD} | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\ProgID | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\protector_dll.ProtectorBho | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\TypeLib | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9891812B-5820-4A77-827E-772B200239E1}\TypeLib | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\TypeLib | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\ProxyStubClsid32 | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\ = "IProtectorLib4" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\ = "ProtectorHost Class" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\Depend = "C:\\Program Files (x86)\\Google\\GoogleToolbarNotifier\\5.6.6209.1142\\gtn.dll" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\ = "IProtector" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9891812B-5820-4A77-827E-772B200239E1}\TypeLib\ = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\VersionIndependentProgID | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7} | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\protector_dll.ProtectorLib.1\CLSID\ = "{84798B8E-69F8-4846-9516-373C2996E2F7}" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075} | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\ = "IProtectorHost" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\TypeLib\Version = "17.0" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\protector_dll.ProtectorLib | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\TypeLib\ = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\TypeLib | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\TypeLib\Version = "17.0" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A97CA128-6998-4F8E-807E-8ED05FADAFB0} | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ProtectorExe.ProtectorHost\CurVer\ = "ProtectorExe.ProtectorHost.1" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\protector_dll.ProtectorLib.1 | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C7CB459A-7261-4AE6-A87A-17041EE98A40} | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\TypeLib\ = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\ProxyStubClsid32 | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\TypeLib\ = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}" | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9891812B-5820-4A77-827E-772B200239E1} | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | N/A (20 identical entries)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1668 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PID 1668 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PID 1668 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PID 1668 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PID 1668 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | C:\Windows\system32\taskhost.exe
PID 1668 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | C:\Windows\system32\Dwm.exe
PID 1668 wrote to memory of 1192 | N/A | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | C:\Windows\Explorer.EXE
PID 1668 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | C:\Windows\system32\DllHost.exe
PID 1668 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PID 1668 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PID 2756 wrote to memory of 2704 | N/A | C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe | C:\Windows\system32\regsvr32.exe (7 identical entries)

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe | N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe"

C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

"C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" /RegServer "/dll=C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.6209.1142\gtn.dll" "/swg64=C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg64.dll"

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe -s "C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg64.dll"

Network

N/A

Files

memory/1668-0-0x0000000000400000-0x000000000058D000-memory.dmp

\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

MD5 5d61be7db55b026a5d61a3eed09d0ead
SHA1 215950ce5d40907b041346f22b4e404ee591581d
SHA256 d32cc7b31a6f98c60abc313abc7d1143681f72de2bb2604711a0ba20710caaae
SHA512 b1dbb67867cbb36c322bd774bf01267f56e398e364ebce4bd6f67c225c330b0b1843b06397e55f7f04dcc8d75b039083ccf08313b0ed03ecff7eb00033b0a598

C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.6209.1142\gtn.dll

MD5 f13572d2a69ee7686c8bf69a3198b0b1
SHA1 26cdf09c5f11647afbedc8d2387a06d0df872fb5
SHA256 8281f7b6fce82d524acda06a9cb52fe682f04ba7da92781e360421ca856eb770
SHA512 a4b535ec9dde60a25aa1eceb9b1dd2cb8e87d5367b12341cc2f127f40cb005c925934b3e857b6738daf27c176bef6c418b07354f2345c06e496688c2ff90c03c

memory/1668-1-0x0000000001F20000-0x0000000002FAE000-memory.dmp

memory/1668-13-0x0000000001F20000-0x0000000002FAE000-memory.dmp

memory/1668-16-0x0000000001F20000-0x0000000002FAE000-memory.dmp

memory/1668-18-0x0000000001F20000-0x0000000002FAE000-memory.dmp

memory/1668-40-0x00000000002A0000-0x00000000002A2000-memory.dmp

memory/1668-38-0x0000000001F20000-0x0000000002FAE000-memory.dmp

memory/1668-45-0x0000000001F20000-0x0000000002FAE000-memory.dmp

memory/2756-47-0x00000000001C0000-0x00000000001C2000-memory.dmp

memory/2756-44-0x00000000001C0000-0x00000000001C2000-memory.dmp

memory/2756-42-0x0000000002470000-0x0000000002543000-memory.dmp

\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll

MD5 2b6d566b536e695d9f40f5c19ae758b6
SHA1 524134ab5bd356e82ca55efdc4ce2df234b41a3e
SHA256 b0197d20b998dc8d4168852176cc80ea7f022fa61ef4655386434c71c6ecdc52
SHA512 0fef60a85a306d7a2eb5b22a34a3146fc722d2114cae9bd1f90487b4cf84d7fc7ad7527f284db14da797a3c6888fd0868d6beda3f611668143c3b08b173c1844

\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg64.dll

MD5 995d0b5c99b02e99eff9a7fb2cd3d533
SHA1 1dba82ace762fac96c7603903e7ce19b48a6a31d
SHA256 9126809c61d68fae65f4e908d29cefa29ca61dc8d52658b33d1f149a8f7bedd5
SHA512 dac1cf76ebac1105714575e133abd3f6d2658c4f74f3c8d9bf43cdebeec7cb3a1dea68b5d140b0976797e2a883150bf3f5be6daaa2e54b9e14d24a7ada939473

C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.6209.1142\Readme.url

MD5 b8d4d990533e99b091ff84c8e712ce5d
SHA1 7a23952ffef0c77da17e2f84d84256b6b908c412
SHA256 1ed9f968c56a00e80537da1ba120300892d57c7459edab63ac21a93071a9d6ee
SHA512 1f90617fdf6fd36a29cbb039b83862c519ccb1c292751fa1c6afcf255aa283ed6a9ad3555e336d4ec517025f6246680cf54ef90cd0dcc1ee465e64bbe8b393fb

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 14:35

Reported

2024-06-25 14:38

Platform

win10v2004-20240611-en

Max time kernel

116s

Max time network

130s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} C:\Windows\system32\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.6209.1142\gtn.dll C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.6209.1142\gth.dll C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
File created C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg64.dll C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.6209.1142\Readme.url C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.6209.1142\Readme.url C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}\AppPath = "C:\\Program Files (x86)\\Google\\GoogleToolbarNotifier" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}\Policy = "3" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5} C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}\AppName = "GoogleToolbarNotifier.exe" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}\AppPath = "C:\\Program Files (x86)\\Google\\GoogleToolbarNotifier" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}\Policy = "3" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5} C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80B84A0A-EDA4-47fd-8BE1-6B49F4197EE5}\AppName = "GoogleToolbarNotifier.exe" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\Programmable C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\TypeLib\ = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\TypeLib C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\LocalServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\TypeLib\Version = "17.0" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659} C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BACAB2F3-7213-4865-96E9-B6B06BF49192}\ = "IProtectorLib8" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\TypeLib\ = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\TypeLib\ = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\protector_dll.ProtectorBho\CurVer\ = "protector_dll.ProtectorBho.1" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\protector_dll.ProtectorBho.1\CLSID C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41} C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2351B346-00E8-4EAC-9B75-B138B465D659}\ProxyStubClsid32 C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A0CF48B9-DB91-49A5-BEE7-2FB45BA2F610}\TypeLib C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\protector_dll.Protector\CLSID\ = "{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84798B8E-69F8-4846-9516-373C2996E2F7}\VersionIndependentProgID C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\TypeLib\ = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\TypeLib\Version = "17.0" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7}\ProgID\ = "protector_dll.Protector.1" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{277FD1E8-9884-4E0A-9392-7CFF83F067B2}\TypeLib\ = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2212951C-1623-4095-906B-AC50B8F91016} C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F7328B7-E25A-4527-B24B-D9173401BB89}\TypeLib\ = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2212951C-1623-4095-906B-AC50B8F91016}\ProxyStubClsid32 C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3} C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C7CB459A-7261-4AE6-A87A-17041EE98A40}\17.0\HELPDIR C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\ProxyStubClsid32 C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A45CDEEB-65F5-49AE-AA3E-9376F4806075}\TypeLib\ = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\TypeLib\Version = "17.0" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\ProxyStubClsid32 C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9891812B-5820-4A77-827E-772B200239E1}\ProxyStubClsid32 C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91F39C2A-95E7-497A-A539-0AC715DC66D2}\ProxyStubClsid32 C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\TypeLib\ = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C110376-C248-47F6-9DB2-CFCDEADB6A3E}\TypeLib\Version = "17.0" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\TypeLib C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\TypeLib\Version = "17.0" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF606610-3627-4DF2-A6D5-32C6A355ACD1}\ = "IProtectorLib" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\Depend = "C:\\Program Files (x86)\\Google\\GoogleToolbarNotifier\\5.6.6209.1142\\gtn.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5D358B5C-3415-42BB-A606-E1089B674F41}\ProxyStubClsid32 C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\TypeLib\Version = "17.0" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0} C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9D932020-700E-4F0D-8446-2872ABD8B4FA}\ = "IProtectorLib3" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\protector_dll.Protector.1 C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\protector_dll.ProtectorBho\CurVer C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\ = "IProtector12" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91959FBB-853A-4AC7-A082-2DDF787F4CA9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\ = "IProtectorLib5" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD65ABB2-2628-425B-86F5-825E4A3D3AD9}\ProxyStubClsid32 C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17484B9D-89FA-484F-912E-017D06C41FE0}\TypeLib\ = "{C7CB459A-7261-4AE6-A87A-17041EE98A40}" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{235317AD-6EF4-4209-9354-F88869E1A3BB}\ProxyStubClsid32 C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C7CB459A-7261-4AE6-A87A-17041EE98A40}\17.0\FLAGS C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F1A383D4-0364-4092-82E0-C39DAE5D801D}\ProxyStubClsid32 C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{315A0BBF-D55B-4FCE-833E-8BAA5B6344F6}\TypeLib\Version = "17.0" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{480AD54B-C652-44B9-BCF6-746745055CD3}\TypeLib C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6134CEA9-DD6E-495C-A0D1-4F232027D7D7} C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\protector_dll.ProtectorBho\CLSID C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EACF525-5F81-4381-9E46-DC316C39E0D2}\ = "IProtector6" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DA69D3CC-7676-4A65-889F-C052977F1AA9}\ = "IProtectorHost" C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBA44040-BD27-4A09-ACC8-C08B7C723DCD}\LocalServer32\ = "\"C:\\Program Files (x86)\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe\"" C:\Windows\system32\regsvr32.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 728 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 728 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 728 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe C:\Windows\system32\dwm.exe
PID 728 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe C:\Windows\system32\sihost.exe
PID 728 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe C:\Windows\system32\svchost.exe
PID 728 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe C:\Windows\system32\taskhostw.exe
PID 728 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 728 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe C:\Windows\system32\svchost.exe
PID 728 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe C:\Windows\system32\DllHost.exe
PID 728 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PID 728 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PID 728 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PID 728 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 728 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 728 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 728 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 728 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 728 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 728 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe C:\Windows\system32\backgroundTaskHost.exe
PID 728 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3812 wrote to memory of 5092 N/A C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Windows\system32\regsvr32.exe
PID 3812 wrote to memory of 5092 N/A C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Windows\system32\regsvr32.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0e6fa45ff676600822f3f7d6fa97e21c_JaffaCakes118.exe"

C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

"C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" /RegServer "/dll=C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.6209.1142\gtn.dll" "/swg64=C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg64.dll"

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe -s "C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg64.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/728-0-0x0000000000400000-0x000000000058D000-memory.dmp

memory/728-1-0x00000000023F0000-0x000000000347E000-memory.dmp

memory/728-15-0x00000000023F0000-0x000000000347E000-memory.dmp

memory/728-6-0x00000000023F0000-0x000000000347E000-memory.dmp

memory/728-16-0x00000000023F0000-0x000000000347E000-memory.dmp

C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.6209.1142\gtn.dll

MD5 f13572d2a69ee7686c8bf69a3198b0b1
SHA1 26cdf09c5f11647afbedc8d2387a06d0df872fb5
SHA256 8281f7b6fce82d524acda06a9cb52fe682f04ba7da92781e360421ca856eb770
SHA512 a4b535ec9dde60a25aa1eceb9b1dd2cb8e87d5367b12341cc2f127f40cb005c925934b3e857b6738daf27c176bef6c418b07354f2345c06e496688c2ff90c03c

memory/728-17-0x00000000023F0000-0x000000000347E000-memory.dmp

memory/3812-29-0x0000000002390000-0x0000000002463000-memory.dmp

C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll

MD5 2b6d566b536e695d9f40f5c19ae758b6
SHA1 524134ab5bd356e82ca55efdc4ce2df234b41a3e
SHA256 b0197d20b998dc8d4168852176cc80ea7f022fa61ef4655386434c71c6ecdc52
SHA512 0fef60a85a306d7a2eb5b22a34a3146fc722d2114cae9bd1f90487b4cf84d7fc7ad7527f284db14da797a3c6888fd0868d6beda3f611668143c3b08b173c1844

C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg64.dll

MD5 995d0b5c99b02e99eff9a7fb2cd3d533
SHA1 1dba82ace762fac96c7603903e7ce19b48a6a31d
SHA256 9126809c61d68fae65f4e908d29cefa29ca61dc8d52658b33d1f149a8f7bedd5
SHA512 dac1cf76ebac1105714575e133abd3f6d2658c4f74f3c8d9bf43cdebeec7cb3a1dea68b5d140b0976797e2a883150bf3f5be6daaa2e54b9e14d24a7ada939473

memory/728-22-0x00000000023F0000-0x000000000347E000-memory.dmp

memory/728-40-0x0000000000730000-0x0000000000732000-memory.dmp

memory/728-51-0x0000000000400000-0x000000000058D000-memory.dmp

memory/728-46-0x00000000023F0000-0x000000000347E000-memory.dmp

C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.6209.1142\Readme.url

MD5 26459ca8c3e957b05d3a3c4e5bd6d1e4
SHA1 15a3b15568c850a788a9a3baa2f9f62309e79af6
SHA256 df0d1e1b039512207c1bf47e984faddc20a0fc6af405af276adc0613722aa530
SHA512 de1b46ae20904b62ac498286faef328b61817cb613e8dc495982b775d8612df6411cef57e2a028c4d363b63e674ae4adbb7169445cc9360d43b687ddb81c5b6d

C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

MD5 5d61be7db55b026a5d61a3eed09d0ead
SHA1 215950ce5d40907b041346f22b4e404ee591581d
SHA256 d32cc7b31a6f98c60abc313abc7d1143681f72de2bb2604711a0ba20710caaae
SHA512 b1dbb67867cbb36c322bd774bf01267f56e398e364ebce4bd6f67c225c330b0b1843b06397e55f7f04dcc8d75b039083ccf08313b0ed03ecff7eb00033b0a598

memory/728-20-0x0000000000730000-0x0000000000732000-memory.dmp

memory/728-19-0x0000000000730000-0x0000000000732000-memory.dmp

memory/728-18-0x00000000023F0000-0x000000000347E000-memory.dmp

memory/728-5-0x00000000023F0000-0x000000000347E000-memory.dmp

memory/728-3-0x00000000023F0000-0x000000000347E000-memory.dmp

memory/728-14-0x0000000000740000-0x0000000000741000-memory.dmp

memory/728-13-0x0000000000730000-0x0000000000732000-memory.dmp