Malware Analysis Report

2025-01-18 21:46

Sample ID 240414-zmfp9sdc44
Target ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118
SHA256 3594a89b11b5e20c329010af45e885c4cff430ea4725952d887eeeeaa0e49fa3
Tags
adware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

3594a89b11b5e20c329010af45e885c4cff430ea4725952d887eeeeaa0e49fa3

Threat level: shows suspicious behavior

Verdict: ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118 shows suspicious behavior (score 7/10; tagged adware, stealer).

Malicious Activity Summary

adware stealer

Deletes itself

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Installs/modifies Browser Helper Object

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Views/modifies file attributes

Suspicious use of SetWindowsHookEx

Runs .reg file with regedit

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies Internet Explorer settings

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-14 20:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-14 20:49

Reported

2024-04-14 20:52

Platform

win7-20240221-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2jd8dSomi5ExC8h.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1136 wrote to memory of 1096 (logged 4 times) N/A C:\Users\Admin\AppData\Local\Temp\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1136 wrote to memory of 2632 (logged 4 times) N/A C:\Users\Admin\AppData\Local\Temp\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 2444 (logged 4 times) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2jd8dSomi5ExC8h.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\2jd8dSomi5ExC8h.exe.bat" "

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe.bat" "

C:\Users\Admin\AppData\Local\Temp\2jd8dSomi5ExC8h.exe

"C:\Users\Admin\AppData\Local\Temp\2jd8dSomi5ExC8h.exe"
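The process list above is the whole story of this detonation: the dropper writes two batch files next to itself, launches each through cmd /c, one batch starts the dropped 2jd8dSomi5ExC8h.exe (the "Executes dropped EXE" signature, cmd.exe PID 1096 writing into PID 2444) and the other is named after the dropper itself (the "Deletes itself" signature, attributed to cmd.exe). The repeated "wrote to memory" rows line up with those three process creations (1136 to 1096, 1136 to 2632, 1096 to 2444). The following is an added example, not part of the sandbox report or of any product, that turns that naming pattern into detection logic over process-creation events. The event schema (pid, image, cmdline, parent_pid, parent_image) and the benign build-script event are assumptions constructed for the demonstration; the batch contents are not visible in the report, so both labels are name-based heuristics.

```python
"""Flag cmd.exe children launched with a .bat named after an executable.

Added example, not part of the sandbox report. The events below are
constructed to mirror the behavioral1 process tree; the field names
(pid, image, cmdline, parent_pid, parent_image) are an assumed
EDR/Sysmon-style schema, not a real product's format.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Any drive-letter path ending in .bat/.cmd, quoted or not.
BAT_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:bat|cmd))', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


def batch_paths(cmdline: str) -> List[str]:
    """Every .bat/.cmd path referenced by a command line, lower-cased."""
    return [p.lower() for p in BAT_RE.findall(cmdline)]


def classify(ev: ProcEvent) -> Optional[str]:
    """Label a cmd.exe launch by how its batch file relates to the parent.

    The batch contents are not visible in the report, so both labels are
    heuristics drawn from the file names alone.
    """
    if ntpath.basename(ev.image).lower() != "cmd.exe":
        return None
    parent = ev.parent_image.lower()
    for bat in batch_paths(ev.cmdline):
        # "<parent>.exe.bat": the batch exists to act on its own parent,
        # the usual shape of a delete-after-exit stub ("Deletes itself").
        if bat == parent + ".bat":
            return "self-delete-batch"
        # "<other>.exe.bat" in the parent's directory: a second-stage
        # executable launched through cmd ("Executes dropped EXE").
        if bat.endswith(".exe.bat") and ntpath.dirname(bat) == ntpath.dirname(parent):
            return "dropped-exe-batch"
    return None


def scan(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """(pid, label) for every event that matches one of the patterns."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label:
            hits.append((ev.pid, label))
    return hits


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = TEMP + r"\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe"
PAYLOAD = TEMP + r"\2jd8dSomi5ExC8h.exe"

# Constructed from the behavioral1 process list and PIDs; the last event is
# a made-up benign build script so the rule has something to ignore.
SAMPLE_EVENTS = [
    ProcEvent(1136, DROPPER, f'"{DROPPER}"', 1000, r"C:\Windows\explorer.exe"),
    ProcEvent(1096, r"C:\Windows\SysWOW64\cmd.exe",
              f'cmd /c ""{PAYLOAD}.bat" "', 1136, DROPPER),
    ProcEvent(2632, r"C:\Windows\SysWOW64\cmd.exe",
              f'cmd /c ""{DROPPER}.bat" "', 1136, DROPPER),
    ProcEvent(2444, PAYLOAD, f'"{PAYLOAD}"', 1096, r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(3000, r"C:\Windows\System32\cmd.exe",
              r'cmd /c "C:\Program Files\Build\build.bat"', 2900,
              r"C:\Program Files\Build\make.exe"),
]

if __name__ == "__main__":
    for pid, label in scan(SAMPLE_EVENTS):
        print(pid, label)
```

Running it flags PID 1096 as dropped-exe-batch and PID 2632 as self-delete-batch and ignores the build script. In a real pipeline the two labels deserve different follow-up: a self-delete batch means the original sample is gone from disk and must be recovered from the batch's parent image or from backups, while a dropped-exe batch points at the file you still want to hash and pull.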

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\2jd8dSomi5ExC8h.exe.bat

MD5 feb26fbef6ec6ee69b554929c15f3099
SHA1 7dc1ac3dcb16702db4607a715ffbd277f636f976
SHA256 a1578e24e58591abdc34c9907f802fe9efef0f22622f29b62ce2bae95740e975
SHA512 6b24378c22e26203e2f24c9db482e512de7ae4566f0dab01ae83a30187560f15d7b73d25cea366225dce5bdd788e75a2fe66e5e66d831aa4a1880d9791b8c914

C:\Users\Admin\AppData\Local\Temp\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe.bat

MD5 50e0c2e0b8f423379c50766aefa8b119
SHA1 82696eeec352abc5e34a9258d3db9eba333d2975
SHA256 bc995c38ebf36ab02f4c6956732b6e04129cd4f51e1c3e339764cae5a34e1eea
SHA512 5213bf3ef5b58eadfa51f1eace729b840739a8fd9ffdba629b473bc8fa9da0f479e84b96de994c57482372d75de9c122debef59a063f5c21f5148be6b0739124

\Users\Admin\AppData\Local\Temp\2jd8dSomi5ExC8h.exe

MD5 d750f79b38a1d911d49d55923bae6d6b
SHA1 a6bd9e36dd41b456398a1b3dff95005475aff68c
SHA256 b27d810e749982344402b5ce3b07ddfbf4dda6cfb936acd015ee4b6e829d8d5c
SHA512 8cc8a28cb9e81b2c948c252725de057b36175809237ec7c751516f493c9d26fe87a4f5b173d5fa2a0113c046187914cc214208a8934b064e937b484578cc8927

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-14 20:49

Reported

2024-04-14 20:52

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC} C:\Windows\SysWOW64\regedit.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\XlKankan.dll C:\Windows\SysWOW64\xcopy.exe N/A
File opened for modification C:\Windows\SysWOW64\XlKankan.dll C:\Windows\SysWOW64\xcopy.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.vbs C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe N/A
File created C:\Windows\20240414\52wr55uCO8fC8cT8\script\XlKankan.dll C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe N/A
File created C:\Windows\MYShowIeLinkIe6.reg C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\huhoab.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\20240414\8q2vW2ri8EWP5YCV\smss.exe.bat C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe N/A
File created C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe.bat C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe N/A
File created C:\Windows\20240414\52wr55uCO8fC8cT8\script\Script.vbs.bat C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe N/A
File created C:\Windows\MyShowIeLinkIe7.reg C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\AddRight.reg C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\20240414\52wr55uCO8fC8cT8\script\reg.bat C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe N/A
File created C:\Windows\userid.txt C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe N/A
File created C:\Windows\search.reg C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe N/A
File created C:\Windows\20240414\52wr55uCO8fC8cT8\script\regBHO.reg C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe N/A
File created C:\Windows\tao.ico C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe N/A
File created C:\Windows\20240414\8q2vW2ri8EWP5YCV\smss.exe C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe N/A
File opened for modification C:\Windows\SysWOW64 C:\Windows\SysWOW64\xcopy.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{F2CF5485-4E02-4F68-819C-B92DE9277049} = 8554cff2024e684f819cb92de927704922001c000800000006000000010000000000000000000000000000004c0000000114020000000000c000000000000046810000001000000010a155c0ffe9ca0118bf0ffd11edca0118bf0ffd11edca010000000000000000010000000000000000000000000000005b0114001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c000000000000000000000000000000000000005c003100000000008e3ab9151000444f43554d457e310000440003000400efbe8c3ada21a23c2c701400000044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e0067007300000018004a00310000000000a53c0586100041444d494e497e310000320003000400efbe8c3acb23a53c058614000000410064006d0069006e006900730074007200610074006f007200000018005600310000000000a23c809611004641564f52497e3100003e0003000400efbea23c0070a23c8096140028004600610076006f00720069007400650073000000407368656c6c33322e646c6c2c2d31323639330018003000350000000000a63ce45d1000fe94a56300001c0003000400efbea23c0070a63ce45d14000000fe94a56300001400000060000000030000a058000000000000007063323031303035303232317663620008fff6b72738414d8df317a72f9d101c92a9ac9dce58df11a8ce001e65ca824608fff6b72738414d8df317a72f9d101c92a9ac9dce58df11a8ce001e65ca824600000000 C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}\FaviconPath = "C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Internet Explorer\\Services\\search_{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}.ico" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\MenuExt\使用[谷歌]选词快速搜索 (Chinese: "Use [Google] to quick-search the selected text") C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\使用[百度]选词快速搜索\ (Chinese: "Use [Baidu] to quick-search the selected text") = "http://www.mylovewebs.com/api/tag/baidu.htm" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\LinksFolderName = "链接" (Chinese: "Links") C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\SysWOW64\regedit.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{0E5CBF21-D15F-11D0-8301-00AA005B4383} = (binary value elided) C:\Windows\SysWOW64\regedit.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout = 110000005c00000000000000340000001f0000006200000001000000a0060000a00f000005000000220400002600000002000000a10600006001000004000000a1000000c600000003000000a1020000d4040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E140FB5B-2A9D-4FA4-A20F-089B92412200}\URL = "http://www.mylovewebs.com/api/taobao/so.htm?word={searchTerms}" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\MenuExt\使用[综合]选词快速搜索 (Chinese: "Use [combined search] to quick-search the selected text") C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\使用[有道]选词快速搜索\ (Chinese: "Use [Youdao] to quick-search the selected text") = "http://www.mylovewebs.com/api/tag/youdao.htm" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\Toolbar\Explorer C:\Windows\SysWOW64\regedit.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBarLayout = 110000005c00000000000000240000001b0000004a0000000100000020070000a00f00000500000062050000260000000200000021070000a00f00000400000021010000a00f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}\URL = "http://www.mylovewebs.com/api/baidu/so.htm?word={searchTerms}" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\使用[谷歌]选词快速搜索\ (Chinese: "Use [Google] to quick-search the selected text") = "http://www.mylovewebs.com/api/tag/google.htm" C:\Windows\SysWOW64\regedit.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{B580CF65-E151-49C3-B73F-70B13FCA8E86} = 65cf80b551e1c349b73f70b13fca8e86 C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E140FB5B-2A9D-4FA4-A20F-089B92412200}\DisplayName = "淘宝搜索" (Chinese: "Taobao Search") C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E140FB5B-2A9D-4FA4-A20F-089B92412200}\SortIndex = "6" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\MenuExt\使用[有道]选词快速搜索 (Chinese: "Use [Youdao] to quick-search the selected text") C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Windows\SysWOW64\regedit.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{0E5CBF21-D15F-11D0-8301-00AA005B4383} = (binary value elided) C:\Windows\SysWOW64\regedit.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000030000000140000002a000000010000008006000080010000030000008102000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}\SortIndex = "2" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\SearchScopes\{E140FB5B-2A9D-4FA4-A20F-089B92412200} C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\使用[综合]选词快速搜索\ (Chinese: "Use [combined search] to quick-search the selected text") = "http://www.mylovewebs.com/api/tag/index.htm" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Windows\SysWOW64\regedit.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Explorer\ITBarLayout = 110000005c00000000000000240000001b0000004a0000000100000020070000a00f00000500000062050000260000000200000021070000a00f00000400000021010000a00f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\regedit.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383} = 8145e001ee4ed011bfe900aa005b4383100000000000000001e032f401000000 C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E} C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Windows\SysWOW64\regedit.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383} = 8145e001ee4ed011bfe900aa005b4383100000000000000001e032f401000000 C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E140FB5B-2A9D-4FA4-A20F-089B92412200}\FaviconURL = "http://www.taobao.com/favicon.ico" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E140FB5B-2A9D-4FA4-A20F-089B92412200}\FaviconPath = "C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Internet Explorer\\Services\\search_{E140FB5B-2A9D-4FA4-A20F-089B92412200}.ico" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\MenuExt\使用[百度]选词快速搜索 (Chinese: "Use [Baidu] to quick-search the selected text") C:\Windows\SysWOW64\regedit.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383} = 8145e001ee4ed011bfe900aa005b4383100000000000000001e032f401000000 C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\SysWOW64\regedit.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBarLayout = 110000005c00000000000000340000001b000000560000000100000020070000a00f00000500000062050000260000000200000021070000a00f00000400000021010000a00f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\regedit.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383} = 8145e001ee4ed011bfe900aa005b4383100000000000000001e032f401000000 C:\Windows\SysWOW64\regedit.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout = 110000005c00000000000000340000001f000000560000000100000020070000a00f00000500000062050000260000000200000021070000a00f00000400000021010000a00f0000030000002003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}\DisplayName = "百度一下，你就知道" (Baidu's slogan, roughly "Baidu it and you'll know") C:\Windows\SysWOW64\regedit.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\VERSION C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AllTypes\shell C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\ = "_xunlei" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983}\1.0\ = "QvodAdBlocker" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QvodAdBlocker.xunlei\Clsid\ = "{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ini\ = "AllTypes" C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AllTypes\shell\open C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\XlKankan.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AllTypes C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\ = "_xunlei" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QvodAdBlocker.xunlei\Clsid C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "AllTypes" C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QvodAdBlocker.xunlei\ = "QvodAdBlocker.xunlei" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\ = "xunlei" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983}\1.0\HELPDIR\ = "C:\\Windows\\System32" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\TypeLib\ = "{352EE19A-DA33-499F-B3B1-7A2DFC87D983}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\TypeLib\ = "{352EE19A-DA33-499F-B3B1-7A2DFC87D983}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AllTypes\.ini = "inifile" C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\InprocServer32\ = "C:\\Windows\\SysWow64\\XlKankan.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\VERSION\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AllTypes\shell\open\command C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QvodAdBlocker.xunlei C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\ = "QvodAdBlocker.xunlei" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\ProgID\ = "QvodAdBlocker.xunlei" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\ProxyStubClsid C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AllTypes\.txt = "txtfile" C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\TypeLib\ = "{352EE19A-DA33-499F-B3B1-7A2DFC87D983}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AllTypes\shell\open\command\ = "\"C:\\Windows\\20240414\\52wr55uCO8fC8cT8\\script\\script.exe\" \"%1\"" C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\20240414\8q2vW2ri8EWP5YCV\smss.exe N/A
N/A N/A C:\Windows\20240414\8q2vW2ri8EWP5YCV\smss.exe N/A
N/A N/A C:\Windows\20240414\8q2vW2ri8EWP5YCV\smss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4100 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 4712 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe
PID 2988 wrote to memory of 4712 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe
PID 2988 wrote to memory of 4712 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe
PID 4712 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe
PID 2400 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe
PID 2400 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe
PID 2440 wrote to memory of 4292 N/A C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe C:\Windows\SysWOW64\cmd.exe
PID 2440 wrote to memory of 4292 N/A C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe C:\Windows\SysWOW64\cmd.exe
PID 2440 wrote to memory of 4292 N/A C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe C:\Windows\SysWOW64\cmd.exe
PID 2440 wrote to memory of 4212 N/A C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe C:\Windows\SysWOW64\cmd.exe
PID 2440 wrote to memory of 4212 N/A C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe C:\Windows\SysWOW64\cmd.exe
PID 2440 wrote to memory of 4212 N/A C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe C:\Windows\SysWOW64\cmd.exe
PID 4212 wrote to memory of 4312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\xcopy.exe
PID 4212 wrote to memory of 4312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\xcopy.exe
PID 4212 wrote to memory of 4312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\xcopy.exe
PID 4212 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4212 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4212 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4292 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 4292 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 4292 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 4212 wrote to memory of 3164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4212 wrote to memory of 3164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4212 wrote to memory of 3164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2168 wrote to memory of 1280 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\attrib.exe
PID 2168 wrote to memory of 1280 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\attrib.exe
PID 2168 wrote to memory of 1280 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\attrib.exe
PID 2168 wrote to memory of 2012 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cacls.exe
PID 2168 wrote to memory of 2012 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cacls.exe
PID 2168 wrote to memory of 2012 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cacls.exe
PID 2168 wrote to memory of 1092 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cacls.exe
PID 2168 wrote to memory of 1092 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cacls.exe
PID 2168 wrote to memory of 1092 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cacls.exe
PID 2168 wrote to memory of 3808 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cacls.exe
PID 2168 wrote to memory of 3808 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cacls.exe
PID 2168 wrote to memory of 3808 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cacls.exe
PID 2168 wrote to memory of 2676 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cacls.exe
PID 2168 wrote to memory of 2676 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cacls.exe
PID 2168 wrote to memory of 2676 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cacls.exe
PID 2168 wrote to memory of 1612 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cacls.exe
PID 2168 wrote to memory of 1612 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cacls.exe
PID 2168 wrote to memory of 1612 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cacls.exe
PID 2168 wrote to memory of 3796 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cacls.exe
PID 2168 wrote to memory of 3796 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cacls.exe
PID 2168 wrote to memory of 3796 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cacls.exe
PID 2168 wrote to memory of 3160 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cacls.exe
PID 2168 wrote to memory of 3160 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cacls.exe
PID 2168 wrote to memory of 3160 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cacls.exe
PID 2168 wrote to memory of 1392 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cacls.exe
PID 2168 wrote to memory of 1392 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cacls.exe
PID 2168 wrote to memory of 1392 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cacls.exe
PID 2168 wrote to memory of 3736 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cacls.exe
PID 2168 wrote to memory of 3736 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cacls.exe
PID 2168 wrote to memory of 3736 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cacls.exe
PID 2168 wrote to memory of 3696 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\regedit.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3480,i,353436235481858446,15149564830344523381,262144 --variations-seed-version --mojo-platform-channel-handle=4264 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe.bat" "

C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe

"C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe.bat" "

C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe

"C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Windows\20240414\52wr55uCO8fC8cT8\script\Script.vbs.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Windows\20240414\52wr55uCO8fC8cT8\script\reg.bat" "

C:\Windows\SysWOW64\xcopy.exe

xcopy /c /q /y /i XlKankan.dll C:\Windows\system32

C:\Windows\SysWOW64\regedit.exe

regedit /s regBHO.reg

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.vbs"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s XlKankan.dll

C:\Windows\SysWOW64\attrib.exe

"C:\Windows\System32\attrib.exe" "C:\Users\Public\Desktop\ÍøÉϹºÎï.bt" +r +s

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÍøÉϹºÎï.bt" /e /c /r Administrators

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÍøÉϹºÎï.bt" /e /c Administrators:CI

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÍøÉϹºÎï.bt" /e /c /r Administrator

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÍøÉϹºÎï.bt" /e /c /r users

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÍøÉϹºÎï.bt" /e /c /r system

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÍøÉϹºÎï.bt" /e /c /r everyone

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÍøÉϹºÎï.bt" /e /c /r user

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÍøÉϹºÎï.bt" /e /c /r "Power Users"

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÍøÉϹºÎï.bt" /e /c /r "Admin"

C:\Windows\SysWOW64\regedit.exe

"C:\Windows\System32\regedit.exe" /s C:\Windows\MYShowIeLinkIe6.reg

C:\Windows\SysWOW64\regedit.exe

"C:\Windows\System32\regedit.exe" /s C:\Windows\MyShowIeLinkIe7.reg

C:\Windows\SysWOW64\regedit.exe

"C:\Windows\System32\regedit.exe" /s C:\Windows\search.reg

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Windows\20240414\8q2vW2ri8EWP5YCV\smss.exe.bat" "

C:\Windows\SysWOW64\regedit.exe

"C:\Windows\System32\regedit.exe" /s C:\Windows\AddRight.reg

C:\Windows\20240414\8q2vW2ri8EWP5YCV\smss.exe

"C:\Windows\20240414\8q2vW2ri8EWP5YCV\smss.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 tj.vippin.cn udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe

MD5 d750f79b38a1d911d49d55923bae6d6b
SHA1 a6bd9e36dd41b456398a1b3dff95005475aff68c
SHA256 b27d810e749982344402b5ce3b07ddfbf4dda6cfb936acd015ee4b6e829d8d5c
SHA512 8cc8a28cb9e81b2c948c252725de057b36175809237ec7c751516f493c9d26fe87a4f5b173d5fa2a0113c046187914cc214208a8934b064e937b484578cc8927

C:\Users\Admin\AppData\Local\Temp\ef7a26b11985f15ff1586346a1a0fa22_JaffaCakes118.exe.bat

MD5 50e0c2e0b8f423379c50766aefa8b119
SHA1 82696eeec352abc5e34a9258d3db9eba333d2975
SHA256 bc995c38ebf36ab02f4c6956732b6e04129cd4f51e1c3e339764cae5a34e1eea
SHA512 5213bf3ef5b58eadfa51f1eace729b840739a8fd9ffdba629b473bc8fa9da0f479e84b96de994c57482372d75de9c122debef59a063f5c21f5148be6b0739124

C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe.bat

MD5 44781ecbc3fdd62ff0d6ad9ace00960d
SHA1 849dfdc6493dbf7c462b42b4c335805bf4c83303
SHA256 fca7eb6781eb2cad239585c9c1b45ff43a36b8e773e2af7762ddf3247d545a51
SHA512 539ff865f1141c5be819744c8a74681157c87044d77e90ba004308709cf54ba7b84e3a5891c937ce20a023926eecb2f3416da6353c122ee35456827a52b50c3d

C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe.bat

MD5 7e3ed6ff8321724236b7d6079a5f2614
SHA1 46c2df33b7f1ae9391746280c2e46a3a60b57923
SHA256 14b01eade16014ea40a62a9196bdfd6cf4294af37d4590b4212e879aa4391853
SHA512 60c46358a02ced11106a65c515175aa2964bf76eae8d882ef15302aeec83198208e402d5a51079334f18a40112db9d9cf11353de46a66cd5f421ba1b51cfec17

C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.exe

MD5 f02b9933474b6099ac5b090feb90ac1c
SHA1 dc4466ac88cf81472cc181e3c2cd9a697c28b05a
SHA256 d37ddcc76f5e64b7b72ba4413273f50b1de5d7db4c1cd45f9183ba3e644ecc72
SHA512 6b0afc5c87dda7b3c5bbea7458adc70aa0c26b16bae954df9af8c826a4f0694f78bbd899de29b065eda23db7d4717e5585cee6e50f86fe0593d999e97a1fc8c8

C:\Windows\20240414\52wr55uCO8fC8cT8\script\reg.bat

MD5 d426a1646ddadd0e41ff5358eeceb3c4
SHA1 69e585d10ad1f4d03a4ceec7f4e336951e10406f
SHA256 86861d7856b53976d754875343237f55e63ca5580db3e57f6ffbbc86977ef573
SHA512 401c3aa8a1a426cb7c6fdfc0e0cd5da193abb8c44c17143996e57838060f22601c51fc3a3da915d0ac3a3f7a70a217fa9576c575bc9f5a30b542c9a5a206dd97

C:\Windows\20240414\52wr55uCO8fC8cT8\script\Script.vbs.bat

MD5 22ae2418a24fb06d64824aae25c22683
SHA1 fa31cd566b838eace4db96ffa9e4b9d3ce684cc9
SHA256 902a3b8098fd9045767b026cefbc08ee679c484f602ffdd73a3b1d33052810d0
SHA512 f4075a759bd13577c1e1340454cac58b8510496c426ea40c9db2fd15d63c667b2d0e1807b7b8a6f2f7aad40f76eece18da6c36aa1d57387afc301b5fc128112b

C:\Windows\20240414\52wr55uCO8fC8cT8\script\XlKankan.dll

MD5 ce8f0033298014df0508a996b638b5eb
SHA1 610f52ba70f2053a9a4dba08d88a3f97243aa3d6
SHA256 9e9a8a9522ae2822ff0130a9d7736417d32a85c6c66c44048d8b2d2ec4677466
SHA512 216dcd79aa7bedd2e9c819978c2477787ce4b2a34f33c64881db21d1ebc96e0b44169d652c68bd4053bcb963a6b1c673d585e44feb6c30ef30121f0076ce3200

C:\Windows\20240414\52wr55uCO8fC8cT8\script\script.vbs

MD5 7cbe625c56b5b4817cba2b1a6f441221
SHA1 9686b366e6648a3c9817bd43f24962222f7043c8
SHA256 8e99e84fba3278469a9abbce52086acaaaa69f31ca46d83a40b722c92768bf90
SHA512 3949a0f412314b8fa5e9e2280ea276f5d7039db0acef95779127fd3471b0d757ac6544ee4391d646b9a7a32d0132308b5a9444d3cd8d946240962f3eaa32ba2e

C:\Windows\20240414\52wr55uCO8fC8cT8\script\regBHO.reg

MD5 b93db4ec7eba064cbd7336085953cce9
SHA1 79b458e4b5c974ce2361b103905a941eae0210b9
SHA256 2b6fb4f8615a821498deb27a55261d482fcf97a1dbe8143d233ee7d1b9b63dac
SHA512 420819a9aeeed54337aaabe2f4cf5f0f6b91cda6bacc5eae496320e2d22cc4eafccef7e38d4085d868ab28177889bcbf025f496c14b5df0384bc93ad14d591a6

C:\Windows\userid.txt

MD5 e702e51da2c0f5be4dd354bb3e295d37
SHA1 bf5ce6bca1837184b86a1fb332edb735665ca1ed
SHA256 f8726da5732fa9095e0129c6c25619a35d435aa39e17a15998fa87ee96d34aeb
SHA512 6609b272fbd5c1710ac6311e49232ac188ade52707868acd29f51302c92939b8bd47901966ee0076aad312257d75a47c06ba419eb3201fee93c6e55c08f814c3

C:\Users\Public\Desktop\ÍøÉϹºÎï.bt

MD5 e51f9cdcf7efb98e0859c9f85ce367e2
SHA1 02a5a939959597a5bbadc703fddff668aa98360d
SHA256 044775cb0f1e2b9162c192dcaea0ff0fa1be84bf7bb0e388c8190e237e861a33
SHA512 0f0028bb11ec79b02424d81891421eae8989faad76a82e8ac7a90bc2522ea97cc3ed163495827d0a4e80f0a0e97b0d7aacc877e070c7a921a948d8b9995ea026

C:\Windows\MYShowIeLinkIe6.reg

MD5 4f69fa82c34c91514da21a5933644af8
SHA1 e131f57f41ce95b46195d460852718b83517579a
SHA256 7cd8b741bfaee5cd14779b69d71b362aac4c928097c6b4af8ce0ce16bde52a46
SHA512 276588f960d28023febd87873c7852f401ab6ebfb3d90bf8b21b1998949d8ab00badb42d1a05934587aa6b4ad0ab06a3d649dcdb70f384ca70339049243463c4

C:\Windows\MyShowIeLinkIe7.reg

MD5 dbd46bf2e72f6dfbb21295f4e3066d47
SHA1 cdd6ca2f6455c1e528c40a520bcdb8669df8f548
SHA256 71927f4f034db038385346e34209ad069139f54d73bae34bfaf4f29b7010fc6b
SHA512 ad013387a0c7608375b7a3c5fdb27f0d9e79b051d84b1ee9221346499f386d30473b5e2727f6a4e8a8122cf8ac2d473a5ce5e368e62da09441ed48e5c088bd11

C:\Windows\search.reg

MD5 8e2ec860bfbd9aa37ea44e51d559ea9b
SHA1 f64e2891ec34d4909f28b2ae14c0a9f712a0e29c
SHA256 ff8d92c2bbe81ccfa1a6ac46ac66e7b42dc4fd18a27924c2e6511d2579f092df
SHA512 ad551272a90d79aef258d22680c07a5d81b0b31e1712dc2a60ac2c67f8af13f18c3a5f99f8408231bc5bb4f68882a5d75ed5c0e203059575eea5940d8b841dc1

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk

MD5 9768fcfd905f1923456134eb0f05b937
SHA1 ae800b3a745e7740f3e90f8c5311a95a8b077982
SHA256 0d7beef22796e8d15e838e0cc426dc603f9184ebf06b220d8bf5f452f16882ae
SHA512 f1896b14686db8c8d21f18bebf94c1191a13bb78b9b2ad8a008277634ac72353eee470cb283b3fdc770879d75dfc12e6822bafeab7887928513bd39d6e6b83e9

C:\Windows\20240414\8q2vW2ri8EWP5YCV\smss.exe.bat

MD5 6cbabd69758ad149a491127c19816043
SHA1 fe0276f610aa71eaff8ab9775e204b64e7f091ce
SHA256 01f914bc8e9241af5501fe11d9003f2e8517127f96de92f8a50032dc84bbadc9
SHA512 5470327768ffab3d10d614ff384b82893422694810422bcbe33ad189c07fd03265107cb0ad8922e07dd2405c51967e5eff6077f809534b912e480e80133854a5

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk

MD5 65a58e520f7c7bdf0a92864845e1cb5a
SHA1 d4e780bdf56bde361c5706e71ab9c610cab1658b
SHA256 701269ed7bf973b4afecf7e661ecccda7220825c0d2020b01afa8575659d8cf4
SHA512 47d277b4134dd17c72713d578858e0f7ea725a5b395b24773848392a0f4e6f307f3d9c07b3515a128d36772b752a7245e9e444ffd41d29ba12b8311601fcaf36

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk

MD5 228f249ad55e4c73203be05ce087cce1
SHA1 d064542726ab1ff646e2f0db07311a261db39ff2
SHA256 25257638548823d0f72a5376f5ce7bc651dfaea25c626806a8f1be0e12057499
SHA512 fd97a7d8ed8f1fbeedb10da142bc658824de1efc10bd856776237e0f6a7cbdaa4540584a9671a4226a836d6a5479810c953d61075a83f23440d7493a5c8ce4ce

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk

MD5 5f58e183980d3cfb74e354ad0c47921b
SHA1 5f473fe289a30015a496d81f8ee837d4fc4b914d
SHA256 ca8179f73bc3fa65d60155bc5d17fe6493b87f687647d70171b76cccc7d7e01e
SHA512 dc08d6799410752e0b2d6115d67cfa5a11e494017c725257e54eb4fc924913bc2fafac8631b706108cfcc9d62ca7da7e8f44868d3368c4da0e7b17098a4518ea

C:\Windows\AddRight.reg

MD5 53d75aea40be26a09d46f220accfb528
SHA1 82e1a094df1d4137697dfeb9f6b77b877d77ef8a
SHA256 a86cc1150a07bef8f91c426568651eae78be6af0ba06fc067014d6a9fb2c52c2
SHA512 1151e563503ef2841c8a052f0166565238fb86359ac4ded9939e77438e1efccc8d43d767e4dd59502dad4e0b38bf1bda7616254acbeb2b1ac07b2d30b0df3736

C:\Windows\20240414\8q2vW2ri8EWP5YCV\smss.exe

MD5 cad792a9299e0207d0f0418d76a1dd2d
SHA1 accc023e2d41989d6a64be0d213c86c1a2b6cc4c
SHA256 d8b96eb03a7b8735825cac8940693801bc4895145f0393b4da3b30428a30646c
SHA512 fe5d51fbf7492a56800dedd5d9d37d6ba4210419ef0a7be43c124f9c9d3e19031a483ad71f89e19cec04f84812c40bc2917b464a937470bf9ef837fbdf49eb9c

C:\Users\Admin\AppData\Local\Temp\j5J58kVXYS8mND2.exe.bat

MD5 69897b095b1bfedeb93bd3ce9283beba
SHA1 40b02ed3e01ac35c694285af1bfd4deeefc52a1b
SHA256 5c6d138659b883f00dd01cb820ff8bf22c69088f6fa9cce139f0322e922dfec4
SHA512 3ad9c75d2872c807a83126d60a5a01d572d6f01e93399ebf25443870907912152c9799f3807e20baa69e45fb5865adfb136d6fbe1d294643b26e3fe8b1243d13