Analysis Overview
SHA256
3594a89b11b5e20c329010af45e885c4cff430ea4725952d887eeeeaa0e49fa3
Threat Level: Suspicious (shows suspicious behavior)
The file ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118 was classified as showing suspicious behavior.
Malicious Activity Summary
Deletes itself
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Installs/modifies Browser Helper Object
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Views/modifies file attributes
Suspicious use of SetWindowsHookEx
Runs .reg file with regedit
Suspicious use of WriteProcessMemory
Modifies registry class
Modifies Internet Explorer settings
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-14 20:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-14 20:49
Reported
2024-04-14 20:52
Platform
win7-20240221-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2jd8dSomi5ExC8h.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\2jd8dSomi5ExC8h.exe.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe.bat" "
C:\Users\Admin\AppData\Local\Temp\2jd8dSomi5ExC8h.exe
"C:\Users\Admin\AppData\Local\Temp\2jd8dSomi5ExC8h.exe"
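The process list above shows the sample's launcher idiom: both the dropped 2jd8dSomi5ExC8h.exe and the sample itself are handled through `cmd /c ""<path>.exe.bat" "`, where the doubled outer quotes are the usual way to survive cmd's stripping of the first and last quote of a /c argument. The batch named after the sample is the likely agent behind the "Deletes itself" signature, which the report attributes to cmd.exe. The Python below is an added example, not code from the sandbox report or from the sample: it parses those command lines and assigns each batch a role by correlating the implied executable with the images that actually ran. The process tuples are copied from the list above; the `implied_executable` and `classify` helpers and the role labels are this example's own.

```python
"""Spot the 'cmd /c ""<name>.exe.bat" "' launcher / self-reference idiom in a
sandbox process list. Added example: process lines copied from the behavioral1
run above; parsing and role labels are this example's own."""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Constructed input: the behavioral1 "Processes" list above as (image, command line),
# in the order the report lists them (the submitted sample comes first).
PROCESSES: List[Tuple[str, str]] = [
    (r"C:\Users\Admin\AppData\Local\Temp\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\2jd8dSomi5ExC8h.exe.bat" "'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe.bat" "'),
    (r"C:\Users\Admin\AppData\Local\Temp\2jd8dSomi5ExC8h.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\2jd8dSomi5ExC8h.exe"'),
]

# cmd strips the first and last quote of a /c argument that begins with a quote,
# so ""<path>" " is the idiom that leaves "<path>" intact. The regex accepts both
# the doubled and the plain single-quoted form.
CMD_C_BAT = re.compile(r'^cmd(?:\.exe)?\s+/c\s+"?"(?P<bat>[^"]+\.bat)"', re.I)


def implied_executable(bat_path: str) -> Optional[str]:
    """For '<name>.exe.bat' return '<name>.exe' in the same directory, else None."""
    p = PureWindowsPath(bat_path)
    if p.suffix.lower() != ".bat" or not p.stem.lower().endswith(".exe"):
        return None
    return str(p.with_name(p.stem))


def classify(processes: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each .bat run via 'cmd /c' to a role, keyed by the batch file path."""
    sample = processes[0][0].lower()                 # first process = submitted sample
    images = {image.lower() for image, _ in processes}
    roles: Dict[str, str] = {}
    for _image, cmdline in processes:
        m = CMD_C_BAT.match(cmdline)
        if not m:
            continue
        bat = m.group("bat")
        exe = implied_executable(bat)
        if exe is None:
            roles[bat] = "batch file without the <name>.exe.bat naming"
        elif exe.lower() == sample:
            # Only the naming is observed here; the report's "Deletes itself"
            # signature on cmd.exe is what makes a self-delete wrapper plausible.
            roles[bat] = "named after the running sample (consistent with 'Deletes itself')"
        elif exe.lower() in images:
            roles[bat] = "launcher for dropped EXE " + exe
        else:
            roles[bat] = "names an EXE that never appeared as a process"
    return roles


if __name__ == "__main__":
    for bat, role in classify(PROCESSES).items():
        print(f"{bat}\n    -> {role}")
```

The correlation step is what makes this more than a string match: a `.exe.bat` whose implied executable never ran is worth a look on its own, while one that matches a later process image documents the drop-and-launch chain.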
Network
Files
C:\Users\Admin\AppData\Local\Temp\2jd8dSomi5ExC8h.exe.bat
| MD5 | feb26fbef6ec6ee69b554929c15f3099 |
| SHA1 | 7dc1ac3dcb16702db4607a715ffbd277f636f976 |
| SHA256 | a1578e24e58591abdc34c9907f802fe9efef0f22622f29b62ce2bae95740e975 |
| SHA512 | 6b24378c22e26203e2f24c9db482e512de7ae4566f0dab01ae83a30187560f15d7b73d25cea366225dce5bdd788e75a2fe66e5e66d831aa4a1880d9791b8c914 |
C:\Users\Admin\AppData\Local\Temp\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe.bat
| MD5 | 50e0c2e0b8f423379c50766aefa8b119 |
| SHA1 | 82696eeec352abc5e34a9258d3db9eba333d2975 |
| SHA256 | bc995c38ebf36ab02f4c6956732b6e04129cd4f51e1c3e339764cae5a34e1eea |
| SHA512 | 5213bf3ef5b58eadfa51f1eace729b840739a8fd9ffdba629b473bc8fa9da0f479e84b96de994c57482372d75de9c122debef59a063f5c21f5148be6b0739124 |
\Users\Admin\AppData\Local\Temp\2jd8dSomi5ExC8h.exe
| MD5 | d750f79b38a1d911d49d55923bae6d6b |
| SHA1 | a6bd9e36dd41b456398a1b3dff95005475aff68c |
| SHA256 | b27d810e749982344402b5ce3b07ddfbf4dda6cfb936acd015ee4b6e829d8d5c |
| SHA512 | 8cc8a28cb9e81b2c948c252725de057b36175809237ec7c751516f493c9d26fe87a4f5b173d5fa2a0113c046187914cc214208a8934b064e937b484578cc8927 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-14 20:49
Reported
2024-04-14 20:52
Platform
win10v2004-20240412-en
Max time kernel
149s
Max time network
157s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation | C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe | N/A |
| N/A | N/A | C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe | N/A |
| N/A | N/A | C:\Windows\20240414\8q2vW2ri8EWP5YCV\smss.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC} | C:\Windows\SysWOW64\regedit.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\XlKankan.dll | C:\Windows\SysWOW64\xcopy.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\XlKankan.dll | C:\Windows\SysWOW64\xcopy.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.vbs | C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe | N/A |
| File created | C:\Windows\20240414\52wr55uCO8fC8cT8\script\XlKankan.dll | C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe | N/A |
| File created | C:\Windows\MYShowIeLinkIe6.reg | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\huhoab.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\20240414\8q2vW2ri8EWP5YCV\smss.exe.bat | C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe | N/A |
| File created | C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe.bat | C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe | N/A |
| File created | C:\Windows\20240414\52wr55uCO8fC8cT8\script\Script.vbs.bat | C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe | N/A |
| File created | C:\Windows\MyShowIeLinkIe7.reg | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\AddRight.reg | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\20240414\52wr55uCO8fC8cT8\script\reg.bat | C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe | N/A |
| File created | C:\Windows\userid.txt | C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe | N/A |
| File created | C:\Windows\search.reg | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe | C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe | N/A |
| File created | C:\Windows\20240414\52wr55uCO8fC8cT8\script\regBHO.reg | C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe | N/A |
| File created | C:\Windows\tao.ico | C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe | N/A |
| File created | C:\Windows\20240414\8q2vW2ri8EWP5YCV\smss.exe | C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64 | C:\Windows\SysWOW64\xcopy.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{F2CF5485-4E02-4F68-819C-B92DE9277049} = (binary value elided) | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}\FaviconPath = "C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Internet Explorer\\Services\\search_{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}.ico" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\MenuExt\使用[谷歌]选词快速搜索 | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\使用[百度]选词快速搜索\ = "http://www.mylovewebs.com/api/tag/baidu.htm" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\LinksFolderName = "链接" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{0E5CBF21-D15F-11D0-8301-00AA005B4383} = (binary value elided) | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout = 110000005c00000000000000340000001f0000006200000001000000a0060000a00f000005000000220400002600000002000000a10600006001000004000000a1000000c600000003000000a1020000d4040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E140FB5B-2A9D-4FA4-A20F-089B92412200}\URL = "http://www.mylovewebs.com/api/taobao/so.htm?word={searchTerms}" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\MenuExt\使用[综合]选词快速搜索 | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\使用[有道]选词快速搜索\ = "http://www.mylovewebs.com/api/tag/youdao.htm" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\Toolbar\Explorer | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBarLayout = 110000005c00000000000000240000001b0000004a0000000100000020070000a00f00000500000062050000260000000200000021070000a00f00000400000021010000a00f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}\URL = "http://www.mylovewebs.com/api/baidu/so.htm?word={searchTerms}" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\使用[谷歌]选词快速搜索\ = "http://www.mylovewebs.com/api/tag/google.htm" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{B580CF65-E151-49C3-B73F-70B13FCA8E86} = 65cf80b551e1c349b73f70b13fca8e86 | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E140FB5B-2A9D-4FA4-A20F-089B92412200}\DisplayName = "淘宝搜索" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E140FB5B-2A9D-4FA4-A20F-089B92412200}\SortIndex = "6" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\MenuExt\使用[有道]选词快速搜索 | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{0E5CBF21-D15F-11D0-8301-00AA005B4383} = 21bf5c0e5fd1d011830100aa005b438322001c000800000006000000010000000000000000000000000000004c0000000114020000000000c0000000000000468100000010000000feb8496527bbc90112c0b16e27bbc9015aac066827bbc9010000000000000000010000000000000000000000000000005b0114001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c000000000000000000000000000000000000005c003100000000008c3acb231000444f43554d457e310000440003000400efbe8c3ada218c3acb231400000044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e0067007300000018004a003100000000008c3acc23100041444d494e497e310000320003000400efbe8c3acb238c3acc2314000000410064006d0069006e006900730074007200610074006f0072000000180056003100000000008c3ace2311004641564f52497e3100003e0003000400efbe8c3acb238c3ace23140028004600610076006f00720069007400650073000000407368656c6c33322e646c6c2c2d313236393300180030003500000000008c3acf231000fe94a56300001c0003000400efbe8c3acc238c3acf2314000000fe94a56300001400000060000000030000a0580000000000000067686f73747870332d3436373638300008fff6b72738414d8df317a72f9d101cdd0c5a861a27de11b28a8662afbb9fa208fff6b72738414d8df317a72f9d101cdd0c5a861a27de11b28a8662afbb9fa200000000 | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000030000000140000002a000000010000008006000080010000030000008102000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}\SortIndex = "2" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\SearchScopes\{E140FB5B-2A9D-4FA4-A20F-089B92412200} | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\使用[综合]选词快速搜索\ = "http://www.mylovewebs.com/api/tag/index.htm" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Explorer\ITBarLayout = 110000005c00000000000000240000001b0000004a0000000100000020070000a00f00000500000062050000260000000200000021070000a00f00000400000021010000a00f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383} = 8145e001ee4ed011bfe900aa005b4383100000000000000001e032f401000000 | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E} | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383} = 8145e001ee4ed011bfe900aa005b4383100000000000000001e032f401000000 | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E140FB5B-2A9D-4FA4-A20F-089B92412200}\FaviconURL = "http://www.taobao.com/favicon.ico" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E140FB5B-2A9D-4FA4-A20F-089B92412200}\FaviconPath = "C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Internet Explorer\\Services\\search_{E140FB5B-2A9D-4FA4-A20F-089B92412200}.ico" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\MenuExt\使用[百度]选词快速搜索 | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383} = 8145e001ee4ed011bfe900aa005b4383100000000000000001e032f401000000 | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBarLayout = 110000005c00000000000000340000001b000000560000000100000020070000a00f00000500000062050000260000000200000021070000a00f00000400000021010000a00f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383} = 8145e001ee4ed011bfe900aa005b4383100000000000000001e032f401000000 | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout = 110000005c00000000000000340000001f000000560000000100000020070000a00f00000500000062050000260000000200000021070000a00f00000400000021010000a00f0000030000002003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}\DisplayName = "百度一下，你就知道" | C:\Windows\SysWOW64\regedit.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\VERSION | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AllTypes\shell | C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\ = "_xunlei" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983}\1.0\ = "QvodAdBlocker" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QvodAdBlocker.xunlei\Clsid\ = "{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\Implemented Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ini\ = "AllTypes" | C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AllTypes\shell\open | C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\XlKankan.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AllTypes | C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\ = "_xunlei" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QvodAdBlocker.xunlei\Clsid | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "AllTypes" | C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QvodAdBlocker.xunlei\ = "QvodAdBlocker.xunlei" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\ = "xunlei" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983}\1.0\HELPDIR\ = "C:\\Windows\\System32" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\TypeLib\ = "{352EE19A-DA33-499F-B3B1-7A2DFC87D983}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\TypeLib\ = "{352EE19A-DA33-499F-B3B1-7A2DFC87D983}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AllTypes\.ini = "inifile" | C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\InprocServer32\ = "C:\\Windows\\SysWow64\\XlKankan.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\VERSION\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AllTypes\shell\open\command | C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QvodAdBlocker.xunlei | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\ = "QvodAdBlocker.xunlei" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\ProgID\ = "QvodAdBlocker.xunlei" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\ProxyStubClsid | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AllTypes\.txt = "txtfile" | C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\TypeLib\ = "{352EE19A-DA33-499F-B3B1-7A2DFC87D983}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AllTypes\shell\open\command\ = "\"C:\\Windows\\20240414\\52wr55uCO8fC8cT8\\script\\script.exe\" \"%1\"" | C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\20240414\8q2vW2ri8EWP5YCV\smss.exe | N/A |
| N/A | N/A | C:\Windows\20240414\8q2vW2ri8EWP5YCV\smss.exe | N/A |
| N/A | N/A | C:\Windows\20240414\8q2vW2ri8EWP5YCV\smss.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3480,i,353436235481858446,15149564830344523381,262144 --variations-seed-version --mojo-platform-channel-handle=4264 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe.bat" "
C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe
"C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe.bat" "
C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe
"C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\20240414\52wr55uCO8fC8cT8\script\Script.vbs.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\20240414\52wr55uCO8fC8cT8\script\reg.bat" "
C:\Windows\SysWOW64\xcopy.exe
xcopy /c /q /y /i XlKankan.dll C:\Windows\system32
C:\Windows\SysWOW64\regedit.exe
regedit /s regBHO.reg
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.vbs"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s XlKankan.dll
C:\Windows\SysWOW64\attrib.exe
"C:\Windows\System32\attrib.exe" "C:\Users\Public\Desktop\ÍøÉϹºÎï.bt" +r +s
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÍøÉϹºÎï.bt" /e /c /r Administrators
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÍøÉϹºÎï.bt" /e /c Administrators:CI
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÍøÉϹºÎï.bt" /e /c /r Administrator
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÍøÉϹºÎï.bt" /e /c /r users
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÍøÉϹºÎï.bt" /e /c /r system
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÍøÉϹºÎï.bt" /e /c /r everyone
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÍøÉϹºÎï.bt" /e /c /r user
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÍøÉϹºÎï.bt" /e /c /r "Power Users"
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÍøÉϹºÎï.bt" /e /c /r "Admin"
C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe" /s C:\Windows\MYShowIeLinkIe6.reg
C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe" /s C:\Windows\MyShowIeLinkIe7.reg
C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe" /s C:\Windows\search.reg
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\20240414\8q2vW2ri8EWP5YCV\smss.exe.bat" "
C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe" /s C:\Windows\AddRight.reg
C:\Windows\20240414\8q2vW2ri8EWP5YCV\smss.exe
"C:\Windows\20240414\8q2vW2ri8EWP5YCV\smss.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tj.vippin.cn | udp |
| US | 8.8.8.8:53 | 25.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe
| MD5 | d750f79b38a1d911d49d55923bae6d6b |
| SHA1 | a6bd9e36dd41b456398a1b3dff95005475aff68c |
| SHA256 | b27d810e749982344402b5ce3b07ddfbf4dda6cfb936acd015ee4b6e829d8d5c |
| SHA512 | 8cc8a28cb9e81b2c948c252725de057b36175809237ec7c751516f493c9d26fe87a4f5b173d5fa2a0113c046187914cc214208a8934b064e937b484578cc8927 |
C:\Users\Admin\AppData\Local\Temp\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe.bat
| MD5 | 50e0c2e0b8f423379c50766aefa8b119 |
| SHA1 | 82696eeec352abc5e34a9258d3db9eba333d2975 |
| SHA256 | bc995c38ebf36ab02f4c6956732b6e04129cd4f51e1c3e339764cae5a34e1eea |
| SHA512 | 5213bf3ef5b58eadfa51f1eace729b840739a8fd9ffdba629b473bc8fa9da0f479e84b96de994c57482372d75de9c122debef59a063f5c21f5148be6b0739124 |
C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe.bat
| MD5 | 44781ecbc3fdd62ff0d6ad9ace00960d |
| SHA1 | 849dfdc6493dbf7c462b42b4c335805bf4c83303 |
| SHA256 | fca7eb6781eb2cad239585c9c1b45ff43a36b8e773e2af7762ddf3247d545a51 |
| SHA512 | 539ff865f1141c5be819744c8a74681157c87044d77e90ba004308709cf54ba7b84e3a5891c937ce20a023926eecb2f3416da6353c122ee35456827a52b50c3d |
C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe.bat
| MD5 | 7e3ed6ff8321724236b7d6079a5f2614 |
| SHA1 | 46c2df33b7f1ae9391746280c2e46a3a60b57923 |
| SHA256 | 14b01eade16014ea40a62a9196bdfd6cf4294af37d4590b4212e879aa4391853 |
| SHA512 | 60c46358a02ced11106a65c515175aa2964bf76eae8d882ef15302aeec83198208e402d5a51079334f18a40112db9d9cf11353de46a66cd5f421ba1b51cfec17 |
C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe
| MD5 | f02b9933474b6099ac5b090feb90ac1c |
| SHA1 | dc4466ac88cf81472cc181e3c2cd9a697c28b05a |
| SHA256 | d37ddcc76f5e64b7b72ba4413273f50b1de5d7db4c1cd45f9183ba3e644ecc72 |
| SHA512 | 6b0afc5c87dda7b3c5bbea7458adc70aa0c26b16bae954df9af8c826a4f0694f78bbd899de29b065eda23db7d4717e5585cee6e50f86fe0593d999e97a1fc8c8 |
C:\Windows\20240414\52wr55uCO8fC8cT8\script\reg.bat
| MD5 | d426a1646ddadd0e41ff5358eeceb3c4 |
| SHA1 | 69e585d10ad1f4d03a4ceec7f4e336951e10406f |
| SHA256 | 86861d7856b53976d754875343237f55e63ca5580db3e57f6ffbbc86977ef573 |
| SHA512 | 401c3aa8a1a426cb7c6fdfc0e0cd5da193abb8c44c17143996e57838060f22601c51fc3a3da915d0ac3a3f7a70a217fa9576c575bc9f5a30b542c9a5a206dd97 |
C:\Windows\20240414\52wr55uCO8fC8cT8\script\Script.vbs.bat
| MD5 | 22ae2418a24fb06d64824aae25c22683 |
| SHA1 | fa31cd566b838eace4db96ffa9e4b9d3ce684cc9 |
| SHA256 | 902a3b8098fd9045767b026cefbc08ee679c484f602ffdd73a3b1d33052810d0 |
| SHA512 | f4075a759bd13577c1e1340454cac58b8510496c426ea40c9db2fd15d63c667b2d0e1807b7b8a6f2f7aad40f76eece18da6c36aa1d57387afc301b5fc128112b |
C:\Windows\20240414\52wr55uCO8fC8cT8\script\XlKankan.dll
| MD5 | ce8f0033298014df0508a996b638b5eb |
| SHA1 | 610f52ba70f2053a9a4dba08d88a3f97243aa3d6 |
| SHA256 | 9e9a8a9522ae2822ff0130a9d7736417d32a85c6c66c44048d8b2d2ec4677466 |
| SHA512 | 216dcd79aa7bedd2e9c819978c2477787ce4b2a34f33c64881db21d1ebc96e0b44169d652c68bd4053bcb963a6b1c673d585e44feb6c30ef30121f0076ce3200 |
C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.vbs
| MD5 | 7cbe625c56b5b4817cba2b1a6f441221 |
| SHA1 | 9686b366e6648a3c9817bd43f24962222f7043c8 |
| SHA256 | 8e99e84fba3278469a9abbce52086acaaaa69f31ca46d83a40b722c92768bf90 |
| SHA512 | 3949a0f412314b8fa5e9e2280ea276f5d7039db0acef95779127fd3471b0d757ac6544ee4391d646b9a7a32d0132308b5a9444d3cd8d946240962f3eaa32ba2e |
C:\Windows\20240414\52wr55uCO8fC8cT8\script\regBHO.reg
| MD5 | b93db4ec7eba064cbd7336085953cce9 |
| SHA1 | 79b458e4b5c974ce2361b103905a941eae0210b9 |
| SHA256 | 2b6fb4f8615a821498deb27a55261d482fcf97a1dbe8143d233ee7d1b9b63dac |
| SHA512 | 420819a9aeeed54337aaabe2f4cf5f0f6b91cda6bacc5eae496320e2d22cc4eafccef7e38d4085d868ab28177889bcbf025f496c14b5df0384bc93ad14d591a6 |
C:\Windows\userid.txt
| MD5 | e702e51da2c0f5be4dd354bb3e295d37 |
| SHA1 | bf5ce6bca1837184b86a1fb332edb735665ca1ed |
| SHA256 | f8726da5732fa9095e0129c6c25619a35d435aa39e17a15998fa87ee96d34aeb |
| SHA512 | 6609b272fbd5c1710ac6311e49232ac188ade52707868acd29f51302c92939b8bd47901966ee0076aad312257d75a47c06ba419eb3201fee93c6e55c08f814c3 |
C:\Users\Public\Desktop\ÍøÉϹºÎï.bt
| MD5 | e51f9cdcf7efb98e0859c9f85ce367e2 |
| SHA1 | 02a5a939959597a5bbadc703fddff668aa98360d |
| SHA256 | 044775cb0f1e2b9162c192dcaea0ff0fa1be84bf7bb0e388c8190e237e861a33 |
| SHA512 | 0f0028bb11ec79b02424d81891421eae8989faad76a82e8ac7a90bc2522ea97cc3ed163495827d0a4e80f0a0e97b0d7aacc877e070c7a921a948d8b9995ea026 |
C:\Windows\MYShowIeLinkIe6.reg
| MD5 | 4f69fa82c34c91514da21a5933644af8 |
| SHA1 | e131f57f41ce95b46195d460852718b83517579a |
| SHA256 | 7cd8b741bfaee5cd14779b69d71b362aac4c928097c6b4af8ce0ce16bde52a46 |
| SHA512 | 276588f960d28023febd87873c7852f401ab6ebfb3d90bf8b21b1998949d8ab00badb42d1a05934587aa6b4ad0ab06a3d649dcdb70f384ca70339049243463c4 |
C:\Windows\MyShowIeLinkIe7.reg
| MD5 | dbd46bf2e72f6dfbb21295f4e3066d47 |
| SHA1 | cdd6ca2f6455c1e528c40a520bcdb8669df8f548 |
| SHA256 | 71927f4f034db038385346e34209ad069139f54d73bae34bfaf4f29b7010fc6b |
| SHA512 | ad013387a0c7608375b7a3c5fdb27f0d9e79b051d84b1ee9221346499f386d30473b5e2727f6a4e8a8122cf8ac2d473a5ce5e368e62da09441ed48e5c088bd11 |
C:\Windows\search.reg
| MD5 | 8e2ec860bfbd9aa37ea44e51d559ea9b |
| SHA1 | f64e2891ec34d4909f28b2ae14c0a9f712a0e29c |
| SHA256 | ff8d92c2bbe81ccfa1a6ac46ac66e7b42dc4fd18a27924c2e6511d2579f092df |
| SHA512 | ad551272a90d79aef258d22680c07a5d81b0b31e1712dc2a60ac2c67f8af13f18c3a5f99f8408231bc5bb4f68882a5d75ed5c0e203059575eea5940d8b841dc1 |
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk
| MD5 | 9768fcfd905f1923456134eb0f05b937 |
| SHA1 | ae800b3a745e7740f3e90f8c5311a95a8b077982 |
| SHA256 | 0d7beef22796e8d15e838e0cc426dc603f9184ebf06b220d8bf5f452f16882ae |
| SHA512 | f1896b14686db8c8d21f18bebf94c1191a13bb78b9b2ad8a008277634ac72353eee470cb283b3fdc770879d75dfc12e6822bafeab7887928513bd39d6e6b83e9 |
C:\Windows\20240414\8q2vW2ri8EWP5YCV\smss.exe.bat
| MD5 | 6cbabd69758ad149a491127c19816043 |
| SHA1 | fe0276f610aa71eaff8ab9775e204b64e7f091ce |
| SHA256 | 01f914bc8e9241af5501fe11d9003f2e8517127f96de92f8a50032dc84bbadc9 |
| SHA512 | 5470327768ffab3d10d614ff384b82893422694810422bcbe33ad189c07fd03265107cb0ad8922e07dd2405c51967e5eff6077f809534b912e480e80133854a5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
| MD5 | 65a58e520f7c7bdf0a92864845e1cb5a |
| SHA1 | d4e780bdf56bde361c5706e71ab9c610cab1658b |
| SHA256 | 701269ed7bf973b4afecf7e661ecccda7220825c0d2020b01afa8575659d8cf4 |
| SHA512 | 47d277b4134dd17c72713d578858e0f7ea725a5b395b24773848392a0f4e6f307f3d9c07b3515a128d36772b752a7245e9e444ffd41d29ba12b8311601fcaf36 |
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
| MD5 | 228f249ad55e4c73203be05ce087cce1 |
| SHA1 | d064542726ab1ff646e2f0db07311a261db39ff2 |
| SHA256 | 25257638548823d0f72a5376f5ce7bc651dfaea25c626806a8f1be0e12057499 |
| SHA512 | fd97a7d8ed8f1fbeedb10da142bc658824de1efc10bd856776237e0f6a7cbdaa4540584a9671a4226a836d6a5479810c953d61075a83f23440d7493a5c8ce4ce |
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
| MD5 | 5f58e183980d3cfb74e354ad0c47921b |
| SHA1 | 5f473fe289a30015a496d81f8ee837d4fc4b914d |
| SHA256 | ca8179f73bc3fa65d60155bc5d17fe6493b87f687647d70171b76cccc7d7e01e |
| SHA512 | dc08d6799410752e0b2d6115d67cfa5a11e494017c725257e54eb4fc924913bc2fafac8631b706108cfcc9d62ca7da7e8f44868d3368c4da0e7b17098a4518ea |
C:\Windows\AddRight.reg
| MD5 | 53d75aea40be26a09d46f220accfb528 |
| SHA1 | 82e1a094df1d4137697dfeb9f6b77b877d77ef8a |
| SHA256 | a86cc1150a07bef8f91c426568651eae78be6af0ba06fc067014d6a9fb2c52c2 |
| SHA512 | 1151e563503ef2841c8a052f0166565238fb86359ac4ded9939e77438e1efccc8d43d767e4dd59502dad4e0b38bf1bda7616254acbeb2b1ac07b2d30b0df3736 |
C:\Windows\20240414\8q2vW2ri8EWP5YCV\smss.exe
| MD5 | cad792a9299e0207d0f0418d76a1dd2d |
| SHA1 | accc023e2d41989d6a64be0d213c86c1a2b6cc4c |
| SHA256 | d8b96eb03a7b8735825cac8940693801bc4895145f0393b4da3b30428a30646c |
| SHA512 | fe5d51fbf7492a56800dedd5d9d37d6ba4210419ef0a7be43c124f9c9d3e19031a483ad71f89e19cec04f84812c40bc2917b464a937470bf9ef837fbdf49eb9c |
C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe.bat
| MD5 | 69897b095b1bfedeb93bd3ce9283beba |
| SHA1 | 40b02ed3e01ac35c694285af1bfd4deeefc52a1b |
| SHA256 | 5c6d138659b883f00dd01cb820ff8bf22c69088f6fa9cce139f0322e922dfec4 |
| SHA512 | 3ad9c75d2872c807a83126d60a5a01d572d6f01e93399ebf25443870907912152c9799f3807e20baa69e45fb5865adfb136d6fbe1d294643b26e3fe8b1243d13 |