Malware Analysis Report

2025-01-18 22:16

Sample ID 240430-ys6yzagf89
Target 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118
SHA256 9f0939584e0fa2a5764d39eed63b42e6dd744bfd237c7e10fa3b5e9c93c2dd15
Tags
adware persistence stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

9f0939584e0fa2a5764d39eed63b42e6dd744bfd237c7e10fa3b5e9c93c2dd15

Threat Level: Shows suspicious behavior

The file 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118 shows suspicious behavior. In the behavioral1 run it drops and executes C:\Windows\hot.exe, C:\Windows\SysWOW64\qq.exe and c:\windows\s\smss.exe; persists through .vbe scripts written to the user's Startup folder and an HKLM Run value named "smss" pointing at c:\windows\s\smss.exe; registers C:\Windows\XUNLEI.DLL (ProgID XunLeiAdBlocker.XunLeiBlock, CLSID {571392DB-3536-4ED1-98E4-5CF495999659}) as an Internet Explorer Browser Helper Object through regsvr32 and imported .reg files; rewrites the Internet Explorer desktop-icon CLSID {871C5380-42A0-1069-A2EA-08002B30309A} so that its OpenHomePage verb launches iexplore.exe with http://www.dianxin.cn?162; and copies hot.exe over browser locations (iexlore.exe under Internet Explorer, 360s.exe, imaxthon.exe, google.exe). Observed network activity is DNS plus HTTP/HTTPS to stat.aectime.com, tongji.dianxin.cn, www.mylovewebs.com and Baidu analytics hosts.

Malicious Activity Summary

adware persistence stealer

Drops startup file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Installs/modifies Browser Helper Object

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Runs .reg file with regedit

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: RenamesItself

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-30 20:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-30 20:03

Reported

2024-04-30 20:06

Platform

win7-20240419-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe"

Signatures

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\open.vbe C:\Windows\hot.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\open.vbe C:\Windows\hot.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\host.vbe C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lnk.vbe C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dll.vbe C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\hot.exe N/A
N/A N/A C:\Windows\SysWOW64\qq.exe N/A
N/A N/A \??\c:\windows\s\smss.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\smss = "c:\\windows\\s\\smss.exe" C:\Windows\SysWOW64\reg.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{571392DB-3536-4ED1-98E4-5CF495999659} C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{571392DB-3536-4ED1-98E4-5CF495999659} C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{571392DB-3536-4ED1-98E4-5CF495999659}\ = "??????" C:\Windows\SysWOW64\regedit.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\tao.ico C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\movie.ico C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\reg.reg C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\qq.exe C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\del.bat C:\Windows\SysWOW64\qq.exe N/A
File opened for modification C:\Windows\SysWOW64\host.vbe C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\lnk.vbe C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\dll.vbe C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Explorer\iexlore.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\iexlore.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Program Files\360\360se3\360s.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Program Files\Maxthon2\imaxthon.exe C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\????.lnk C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A
File opened for modification C:\Windows\back_XUNLEI.DLL C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Windows\hot.exe C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A
File opened for modification C:\Windows\updateLnk.vbe C:\Windows\hot.exe N/A
File opened for modification C:\Windows\google.exe C:\Windows\hot.exe N/A
File created C:\Windows\back_XUNLEI.DLL C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\bhoreg.reg C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Windows\????.lnk C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A
File created C:\Windows\StrongIndex.reg C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A
File created C:\Windows\google.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\google.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\XUNLEI.DLL C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A
File opened for modification C:\Windows\StrongIndex.reg C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main \??\c:\windows\s\smss.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\InProcServer32 C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\ProgID\ = "XunLeiAdBlocker.XunLeiBlock" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage\Command C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage C:\Windows\SysWOW64\regedit.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ShellFolder\Attributes = 00000000 C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\ = "_XunLeiBlock" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\ProxyStubClsid C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shdocvw.dll" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ = "Internet Explorer" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\DefaultIcon C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell C:\Windows\SysWOW64\regedit.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ShellFolder\Attributes = 00000000 C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XunLeiAdBlocker.XunLeiBlock C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ShellFolder C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\ = "_XunLeiBlock" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\InProcServer32 C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage\Command\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe http://www.dianxin.cn?162" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q\Command C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\VERSION\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shdocvw.dll" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\??(&R) C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A} C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\InProcServer32 C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage\Command C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage\ = "????(&H)" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q\Command C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B960BA11-2B6D-462F-B149-2CFAE1BBFF55}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B960BA11-2B6D-462F-B149-2CFAE1BBFF55}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q\Command C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\??(&R)\Command C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B960BA11-2B6D-462F-B149-2CFAE1BBFF55}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\TypeLib\ = "{B960BA11-2B6D-462F-B149-2CFAE1BBFF55}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ShellFolder C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe,0" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\??(&R)\Command\ = "rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\InprocServer32\ = "C:\\Windows\\XUNLEI.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B960BA11-2B6D-462F-B149-2CFAE1BBFF55}\1.0\ = "XunLeiAdBlocker" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XunLeiAdBlocker.XunLeiBlock\Clsid\ = "{571392DB-3536-4ED1-98E4-5CF495999659}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A} C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\VERSION C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q\ = "??(&D)" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\VERSION\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\VERSION C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\ProxyStubClsid C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B960BA11-2B6D-462F-B149-2CFAE1BBFF55}\1.0\0\win32\ = "C:\\Windows\\XUNLEI.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\TypeLib\ = "{B960BA11-2B6D-462F-B149-2CFAE1BBFF55}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\s\smss.exe N/A (64 identical events from this process; listed once)

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(each parent/child pair below was logged four times; listed once)
PID 2100 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 548 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2780 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1792 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2100 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\hot.exe
PID 2996 wrote to memory of 2992 N/A C:\Windows\hot.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2668 N/A C:\Windows\hot.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2728 N/A C:\Windows\hot.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2832 N/A C:\Windows\hot.exe C:\Windows\SysWOW64\WScript.exe
PID 2996 wrote to memory of 2548 N/A C:\Windows\hot.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2100 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\SysWOW64\qq.exe
PID 2924 wrote to memory of 1180 N/A C:\Windows\SysWOW64\qq.exe C:\Windows\SysWOW64\cmd.exe

Parent/child tree implied by the rows above (PID, image):
2100 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
  548 cmd.exe
    2912 regedit.exe
  2780 cmd.exe
    2452 regedit.exe
  1792 cmd.exe
    2964 regedit.exe
  2996 hot.exe
    2992 cmd.exe
    2668 cmd.exe
    2728 cmd.exe
    2832 WScript.exe
    2548 cmd.exe
  2072 cmd.exe
    2712 regedit.exe
  2924 qq.exe
    1180 cmd.exe

The later processes in the Processes list (smss.exe, reg.exe, the second pair of WScript.exe instances, both regsvr32.exe instances and the regedit.exe that imports bhoreg.reg) have no WriteProcessMemory row, so this signature does not record their parents.

Processes

C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c regedit.exe /s C:\Windows\StrongIndex.reg

C:\Windows\SysWOW64\cmd.exe

cmd /c regedit.exe /s C:\Windows\StrongIndex.reg

C:\Windows\SysWOW64\cmd.exe

cmd /c regedit.exe /s C:\Windows\StrongIndex.reg

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s C:\Windows\StrongIndex.reg

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s C:\Windows\StrongIndex.reg

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s C:\Windows\StrongIndex.reg

C:\Windows\hot.exe

C:\Windows\hot.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c copy "C:\Windows\hot.exe " "C:\Program Files (x86)\Internet Explorer\iexlore.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c copy "C:\Windows\hot.exe " "C:\Program Files\Maxthon2\imaxthon.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c copy "C:\Windows\hot.exe " "C:\Program Files\360\360se3\360s.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c regedit.exe /s C:\Windows\system32\reg.reg

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\updateLnk.vbe" 0

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c copy "C:\Windows\hot.exe " "C:\Windows\google.exe"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s C:\Windows\system32\reg.reg

C:\Windows\SysWOW64\qq.exe

C:\Windows\system32\qq.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Windows\SysWOW64\del.bat

\??\c:\windows\s\smss.exe

"c:\windows\s\smss.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v "smss" /d "c:\windows\s\smss.exe" /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lnk.vbe" 0

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Windows\XUNLEI.DLL"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dll.vbe" 0

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s C:\Windows\XUNLEI.DLL

C:\Windows\SysWOW64\regedit.exe

"C:\Windows\System32\regedit.exe" /s C:\Windows\bhoreg.reg
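As an added hunting example, not part of the sandbox report and not code from the sample: a PowerShell script that checks a Windows host for the artefacts the behavioral1 run left behind. The file paths, the "smss" Run value, the BHO CLSID {571392DB-3536-4ED1-98E4-5CF495999659} and the desktop-icon CLSID {871C5380-42A0-1069-A2EA-08002B30309A} are taken from the signatures and process list above; the function name Find-ReportIndicators, the finding categories, and the decision to flag any BHO whose DLL is missing or not validly Authenticode-signed are this example's own choices. It assumes it runs elevated in a 64-bit PowerShell so that both the native and the Wow6432Node registry views are readable.

```powershell
# Added hunt script for the indicators in this report (example code, not the report's own).
# Assumes an elevated 64-bit PowerShell session; Test-Path/Get-ItemProperty silently skip
# anything that does not exist, so a clean host simply produces no findings.

function Find-ReportIndicators {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Category, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
    }

    # 1. Files the sample dropped (from the "Drops file in ..." signatures)
    $sysRoot = $env:SystemRoot
    $droppedFiles = @(
        "$sysRoot\hot.exe", "$sysRoot\google.exe", "$sysRoot\XUNLEI.DLL", "$sysRoot\back_XUNLEI.DLL",
        "$sysRoot\bhoreg.reg", "$sysRoot\StrongIndex.reg", "$sysRoot\updateLnk.vbe", "$sysRoot\s\smss.exe",
        "${env:ProgramFiles(x86)}\Internet Explorer\iexlore.exe",
        "$env:ProgramFiles\360\360se3\360s.exe", "$env:ProgramFiles\Maxthon2\imaxthon.exe"
    )
    # The sample is 32-bit, so its System32 writes are redirected to SysWOW64 on a 64-bit host
    foreach ($dir in 'System32', 'SysWOW64') {
        foreach ($name in 'qq.exe', 'reg.reg', 'del.bat', 'host.vbe', 'lnk.vbe', 'dll.vbe', 'tao.ico', 'movie.ico') {
            $droppedFiles += "$sysRoot\$dir\$name"
        }
    }
    foreach ($path in $droppedFiles) {
        if (Test-Path -LiteralPath $path) { Add-Finding 'DroppedFile' $path }
    }

    # 2. Script files in any profile's Startup folder (the report drops open/host/lnk/dll.vbe there)
    $startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
    foreach ($userDir in (Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue)) {
        $startupDirs += "$($userDir.FullName)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
    }
    foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.vbe', '.vbs' } |
            ForEach-Object { Add-Finding 'StartupScript' $_.FullName }
    }

    # 3. Run values referencing smss.exe: the real Session Manager is started by the kernel,
    #    never from a Run entry, so any hit here is a lookalike like c:\windows\s\smss.exe
    $runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
    foreach ($key in $runKeys) {
        $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $values) { continue }
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not registry values
            if ($prop.Name -eq 'smss' -or ([string]$prop.Value) -match 'smss\.exe') {
                Add-Finding 'RunKey' "$key\$($prop.Name) = $($prop.Value)"
            }
        }
    }

    # 4. Browser Helper Objects: resolve each CLSID to its InprocServer32 DLL in the matching
    #    registry view and check the DLL's Authenticode status
    $bhoRoots = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects';             Classes = 'HKLM:\SOFTWARE\Classes\CLSID' },
        @{ Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'; Classes = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
    )
    foreach ($root in $bhoRoots) {
        foreach ($bho in (Get-ChildItem -Path $root.Key -ErrorAction SilentlyContinue)) {
            $clsid  = $bho.PSChildName
            $server = (Get-ItemProperty -Path "$($root.Classes)\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            $dll    = if ($server) { [Environment]::ExpandEnvironmentVariables($server).Trim('"') } else { $null }
            $status = if ($dll -and (Test-Path -LiteralPath $dll)) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'DllMissing' }
            if ($clsid -eq '{571392DB-3536-4ED1-98E4-5CF495999659}' -or $status -ne 'Valid') {
                Add-Finding 'BrowserHelperObject' "$clsid -> $dll ($status)"
            }
        }
    }

    # 5. The IE desktop-icon CLSID: the report rewrites its OpenHomePage verb to open a fixed URL
    foreach ($classes in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
        $cmdKey = "$classes\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage\Command"
        $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
        if ($cmd -and $cmd -match 'https?://') { Add-Finding 'IeIconHijack' "$cmdKey = $cmd" }
    }

    return $findings
}

$results = Find-ReportIndicators
if ($results.Count -eq 0) { 'No indicators from this report were found on this host.' }
else { $results | Format-Table -AutoSize }
```

The BHO check deliberately errs on the side of noise: a missing or unsigned in-process DLL will also surface legitimate but unsigned add-ons, so treat its hits as triage candidates rather than as grounds for automated removal. The Run-key check, by contrast, is high-confidence, because no supported Windows release starts smss.exe from a Run value.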

Network

Country Destination Domain Proto
US 8.8.8.8:53 stat.aectime.com udp
US 8.8.8.8:53 tongji.dianxin.cn udp
CN 219.153.20.180:80 tongji.dianxin.cn tcp
US 8.8.8.8:53 www.mylovewebs.com udp
US 38.31.224.28:80 www.mylovewebs.com tcp
US 38.31.224.28:80 www.mylovewebs.com tcp
US 8.8.8.8:53 push.zhanzhang.baidu.com udp
US 8.8.8.8:53 hm.baidu.com udp
CN 14.215.182.140:443 hm.baidu.com tcp
CN 14.215.182.140:443 hm.baidu.com tcp
CN 163.177.17.97:80 push.zhanzhang.baidu.com tcp
CN 14.215.183.79:443 hm.baidu.com tcp
CN 14.215.183.79:443 hm.baidu.com tcp
CN 180.101.212.103:80 push.zhanzhang.baidu.com tcp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 182.61.201.93:80 push.zhanzhang.baidu.com tcp
CN 182.61.201.93:80 push.zhanzhang.baidu.com tcp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 111.45.11.83:443 hm.baidu.com tcp
CN 111.45.11.83:443 hm.baidu.com tcp
CN 182.61.201.94:80 push.zhanzhang.baidu.com tcp
CN 183.240.98.228:443 hm.baidu.com tcp
CN 183.240.98.228:443 hm.baidu.com tcp
CN 182.61.244.229:80 push.zhanzhang.baidu.com tcp

Files

memory/2100-0-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\StrongIndex.reg

C:\Windows\hot.exe

C:\Windows\SysWOW64\reg.reg

C:\Windows\updateLnk.vbe

\Windows\SysWOW64\qq.exe

C:\Windows\SysWOW64\del.bat

memory/2924-56-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lnk.vbe

C:\Windows\XUNLEI.DLL

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dll.vbe

C:\Windows\bhoreg.reg

memory/1608-90-0x0000000004B50000-0x0000000005BB2000-memory.dmp

memory/2100-98-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PH7CXNA3\common[1].js

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KRMHFE1W\tj[1].js

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-30 20:03

Reported

2024-04-30 20:06

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\hot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lnk.vbe C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dll.vbe C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\open.vbe C:\Windows\hot.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\open.vbe C:\Windows\hot.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\host.vbe C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\hot.exe N/A
N/A N/A C:\Windows\SysWOW64\qq.exe N/A
N/A N/A \??\c:\windows\s\smss.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\smss = "c:\\windows\\s\\smss.exe" C:\Windows\SysWOW64\reg.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{571392DB-3536-4ED1-98E4-5CF495999659} C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{571392DB-3536-4ED1-98E4-5CF495999659}\ = "??????" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{571392DB-3536-4ED1-98E4-5CF495999659} C:\Windows\SysWOW64\regedit.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\host.vbe C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\lnk.vbe C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\dll.vbe C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\tao.ico C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\movie.ico C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\reg.reg C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\qq.exe C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\del.bat C:\Windows\SysWOW64\qq.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Internet Explorer\iexlore.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexlore.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Program Files\Maxthon2\imaxthon.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Program Files\360\360se3\360s.exe C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\StrongIndex.reg C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A
File opened for modification C:\Windows\back_XUNLEI.DLL C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\bhoreg.reg C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\google.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\back_XUNLEI.DLL C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Windows\????.lnk C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A
File created C:\Windows\StrongIndex.reg C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A
File opened for modification C:\Windows\updateLnk.vbe C:\Windows\hot.exe N/A
File opened for modification C:\Windows\google.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\hot.exe C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A
File opened for modification C:\Windows\google.exe C:\Windows\hot.exe N/A
File opened for modification C:\Windows\XUNLEI.DLL C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A
File created C:\Windows\????.lnk C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\TypeLib\ = "{B960BA11-2B6D-462F-B149-2CFAE1BBFF55}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q\Command\ = "Rundll32.exe" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe,0" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shdocvw.dll" C:\Windows\SysWOW64\regedit.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ShellFolder\Attributes = 00000000 C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shdocvw.dll" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B960BA11-2B6D-462F-B149-2CFAE1BBFF55}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\??(&R)\Command C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ShellFolder\ = "00.00.00.00" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\DefaultIcon C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q\Command\ = "Rundll32.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\??(&R)\Command C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q\Command\ = "Rundll32.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\ProgID\ = "XunLeiAdBlocker.XunLeiBlock" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\InprocServer32\ = "C:\\Windows\\XUNLEI.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\VERSION C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XunLeiAdBlocker.XunLeiBlock\Clsid C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\ = "_XunLeiBlock" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B960BA11-2B6D-462F-B149-2CFAE1BBFF55}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XunLeiAdBlocker.XunLeiBlock\Clsid\ = "{571392DB-3536-4ED1-98E4-5CF495999659}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q\ = "??(&D)" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\??(&R)\Command\ = "rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\hot.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B960BA11-2B6D-462F-B149-2CFAE1BBFF55}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\ = "XunLeiAdBlocker.XunLeiBlock" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ = "Internet Explorer" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\InProcServer32 C:\Windows\SysWOW64\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\XunLeiAdBlocker.XunLeiBlock C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XunLeiAdBlocker.XunLeiBlock C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ShellFolder C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\??(&R) C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ShellFolder C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage\ = "????(&H)" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\VERSION C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\ = "XunLeiBlock" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\ProxyStubClsid C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\ProgID\ = "XunLeiAdBlocker.XunLeiBlock" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B960BA11-2B6D-462F-B149-2CFAE1BBFF55}\1.0\0\win32\ = "C:\\Windows\\XUNLEI.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\TypeLib\ = "{B960BA11-2B6D-462F-B149-2CFAE1BBFF55}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe,0" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XunLeiAdBlocker.XunLeiBlock\Clsid\ = "{571392DB-3536-4ED1-98E4-5CF495999659}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\??(&R) C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ = "Internet Explorer" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\ProxyStubClsid C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B960BA11-2B6D-462F-B149-2CFAE1BBFF55}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B960BA11-2B6D-462F-B149-2CFAE1BBFF55}\1.0\HELPDIR\ = "C:\\Windows" C:\Windows\SysWOW64\regsvr32.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\s\smss.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 656 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3700 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3700 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3700 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 656 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 3464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2272 wrote to memory of 3464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2272 wrote to memory of 3464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1200 wrote to memory of 3236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1200 wrote to memory of 3236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1200 wrote to memory of 3236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 656 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\hot.exe
PID 656 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\hot.exe
PID 656 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\hot.exe
PID 4896 wrote to memory of 1428 N/A C:\Windows\hot.exe C:\Windows\SysWOW64\cmd.exe
PID 4896 wrote to memory of 1428 N/A C:\Windows\hot.exe C:\Windows\SysWOW64\cmd.exe
PID 4896 wrote to memory of 1428 N/A C:\Windows\hot.exe C:\Windows\SysWOW64\cmd.exe
PID 4896 wrote to memory of 1056 N/A C:\Windows\hot.exe C:\Windows\SysWOW64\cmd.exe
PID 4896 wrote to memory of 1056 N/A C:\Windows\hot.exe C:\Windows\SysWOW64\cmd.exe
PID 4896 wrote to memory of 1056 N/A C:\Windows\hot.exe C:\Windows\SysWOW64\cmd.exe
PID 4896 wrote to memory of 1800 N/A C:\Windows\hot.exe C:\Windows\SysWOW64\cmd.exe
PID 4896 wrote to memory of 1800 N/A C:\Windows\hot.exe C:\Windows\SysWOW64\cmd.exe
PID 4896 wrote to memory of 1800 N/A C:\Windows\hot.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 5096 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 5096 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4896 wrote to memory of 4968 N/A C:\Windows\hot.exe C:\Windows\SysWOW64\WScript.exe
PID 4896 wrote to memory of 4968 N/A C:\Windows\hot.exe C:\Windows\SysWOW64\WScript.exe
PID 4896 wrote to memory of 4968 N/A C:\Windows\hot.exe C:\Windows\SysWOW64\WScript.exe
PID 4896 wrote to memory of 3384 N/A C:\Windows\hot.exe C:\Windows\SysWOW64\cmd.exe
PID 4896 wrote to memory of 3384 N/A C:\Windows\hot.exe C:\Windows\SysWOW64\cmd.exe
PID 4896 wrote to memory of 3384 N/A C:\Windows\hot.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\SysWOW64\qq.exe
PID 656 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\SysWOW64\qq.exe
PID 656 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\SysWOW64\qq.exe
PID 4056 wrote to memory of 3192 N/A C:\Windows\SysWOW64\qq.exe C:\Windows\SysWOW64\cmd.exe
PID 4056 wrote to memory of 3192 N/A C:\Windows\SysWOW64\qq.exe C:\Windows\SysWOW64\cmd.exe
PID 4056 wrote to memory of 3192 N/A C:\Windows\SysWOW64\qq.exe C:\Windows\SysWOW64\cmd.exe
PID 3192 wrote to memory of 772 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\s\smss.exe
PID 3192 wrote to memory of 772 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\s\smss.exe
PID 3192 wrote to memory of 772 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\s\smss.exe
PID 772 wrote to memory of 5080 N/A \??\c:\windows\s\smss.exe C:\Windows\SysWOW64\reg.exe
PID 772 wrote to memory of 5080 N/A \??\c:\windows\s\smss.exe C:\Windows\SysWOW64\reg.exe
PID 772 wrote to memory of 5080 N/A \??\c:\windows\s\smss.exe C:\Windows\SysWOW64\reg.exe
PID 656 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 656 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 656 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 656 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 656 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 656 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 656 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 656 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 656 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 3616 wrote to memory of 1456 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c regedit.exe /s C:\Windows\StrongIndex.reg

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s C:\Windows\StrongIndex.reg

C:\Windows\SysWOW64\cmd.exe

cmd /c regedit.exe /s C:\Windows\StrongIndex.reg

C:\Windows\SysWOW64\cmd.exe

cmd /c regedit.exe /s C:\Windows\StrongIndex.reg

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s C:\Windows\StrongIndex.reg

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s C:\Windows\StrongIndex.reg

C:\Windows\hot.exe

C:\Windows\hot.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c copy "C:\Windows\hot.exe " "C:\Program Files\Internet Explorer\iexlore.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c copy "C:\Windows\hot.exe " "C:\Program Files\Maxthon2\imaxthon.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c copy "C:\Windows\hot.exe " "C:\Program Files\360\360se3\360s.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c regedit.exe /s C:\Windows\system32\reg.reg

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s C:\Windows\system32\reg.reg

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\updateLnk.vbe" 0

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c copy "C:\Windows\hot.exe " "C:\Windows\google.exe"

C:\Windows\SysWOW64\qq.exe

C:\Windows\system32\qq.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\del.bat

\??\c:\windows\s\smss.exe

"c:\windows\s\smss.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v "smss" /d "c:\windows\s\smss.exe" /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lnk.vbe" 0

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Windows\XUNLEI.DLL"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dll.vbe" 0

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s C:\Windows\XUNLEI.DLL

C:\Windows\SysWOW64\regedit.exe

"C:\Windows\System32\regedit.exe" /s C:\Windows\bhoreg.reg

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1612 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 stat.aectime.com udp
US 8.8.8.8:53 tongji.dianxin.cn udp
CN 219.153.20.180:80 tongji.dianxin.cn tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.169.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 74.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 www.mylovewebs.com udp
US 38.31.224.28:80 www.mylovewebs.com tcp
US 38.31.224.28:80 www.mylovewebs.com tcp
US 8.8.8.8:53 push.zhanzhang.baidu.com udp
US 8.8.8.8:53 hm.baidu.com udp
CN 14.215.182.140:443 hm.baidu.com tcp
CN 14.215.182.140:443 hm.baidu.com tcp
US 8.8.8.8:53 28.224.31.38.in-addr.arpa udp
CN 14.215.182.161:80 push.zhanzhang.baidu.com tcp
CN 14.215.183.79:443 hm.baidu.com tcp
CN 14.215.183.79:443 hm.baidu.com tcp
CN 39.156.68.163:80 push.zhanzhang.baidu.com tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 111.45.3.198:443 hm.baidu.com tcp
CN 112.34.113.148:80 push.zhanzhang.baidu.com tcp
CN 111.45.11.83:443 hm.baidu.com tcp
CN 111.45.11.83:443 hm.baidu.com tcp
CN 163.177.17.97:80 push.zhanzhang.baidu.com tcp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp
CN 183.240.98.228:443 hm.baidu.com tcp
CN 183.240.98.228:443 hm.baidu.com tcp
CN 180.101.212.103:80 push.zhanzhang.baidu.com tcp

Files

memory/656-0-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\StrongIndex.reg

MD5 3840df4f59fc8472804d6534ee47c86f
SHA1 cb5df88f2a661c72edcdf8461e95e5ae7aa529d3
SHA256 fe35a7171754b3368aea0fb7fa4a57fe17d49a4fc95645286c599fd2223b8166
SHA512 c0bd0c72c43088a96f289492ba3c8076531d858255579fbe15a447a80e317eb4eaff818c0d5e5e42cfeedf4c6257887ca49c284efda6becb2a5e572eb7132c28

C:\Windows\hot.exe

MD5 e87bd49ad0363b5112570021264e88ce
SHA1 6b879a50ab9528f863870d319a0b1d66ec5f1b36
SHA256 a25164ad33196d13c50a6998440d66baaabc403a02fddf0ebd408ce700e2bb69
SHA512 64a74c43f665125b9febe0523429d1e390a835d7a801a9bf8f6011f265c7f740e5cdcefa9292f6287eb6bf54bced51c9484f28c0570740f6e7ce8e7c67c06826

C:\Windows\SysWOW64\reg.reg

MD5 06384c898003bd123646056e835eb171
SHA1 92906b2a8c0112c29374352644871873de00208a
SHA256 1a74f3572ff21f2967f6043b7e77bfd769beba2a226a182904e8d35924e1e304
SHA512 a2c4a781090b93dcb87e30b34e485fb5109f6398f21a0483cc15f9b0b9cedde73f4f107c8e10f0a629a730a0085f3b36cea61a466d7089fff972b44bda235e59

C:\Windows\updateLnk.vbe

MD5 e8636c3313b44fd3012050a201114200
SHA1 8511dd23b85cf9b356235771cbd4302f449f4a08
SHA256 87851c5b11f3cd1f894c4a47b9a787cfb2b18c8934d86047a5901c81a4215e34
SHA512 54d156a85068e5e621147b100ec45f579e74ddd5d7e5f39a71b687a255a953563a2eda33a3b5c77bc8f428e62b3a68e3581b0bb68a1658dcac456c3e66863f3a

C:\Windows\SysWOW64\qq.exe

MD5 1222247a98269a3f305840c7cccd8d02
SHA1 8aba585b8c9d7737b411c5ef008513c6bc3fe222
SHA256 5e9f2a7a2bb8e43b5b7ad6c472e9100dc6fc4a982634b96c968ca649fa76589b
SHA512 ef576a047b23adf876730ccac1f645e89ac0019a3208c74c0cd17a0565958e5af9b6f37328a1eeb481fd2e7d20b86ff480eda2375e9b770d327b661ca01b307a

C:\Windows\SysWOW64\del.bat

MD5 84058ffb298449cd911b8ed3e382352e
SHA1 8a7a77f0dae04c4e7fc850bc50a749135feb4c78
SHA256 f2ddd8a2652810d07d8fd85ec3dedad84a1595bce6f2dec13e01607cc1c3171c
SHA512 fc6c59c8b56d46a551d613253e5ec0c973c48185efb4fbe82000fb21dbe48f9b8a5750c7ab04f07f8abd83d727e85f3b847e2b3f644bfc22d0865409f5e709cf

memory/4056-42-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lnk.vbe

MD5 32ad14609ab972a8063fca62fef35295
SHA1 67fa67b824671ffb35418f30863607fc0a5f2a59
SHA256 f5b7139c4dbf533334ad46e03d7b69d28d5a6505b6ca1866ac9541423da04bca
SHA512 7bbc1b6f9ab42d8a64a17721239ca63f2233f4b3173d0b41bfa2fcb900d7de85b6491038ceff4b30dcedbeb7b78ee8586b271d15d9e22557534bd2a0d26d3c3c

C:\Windows\XUNLEI.DLL

MD5 7b339e9e67773d0622ef801afbd28b8d
SHA1 6c5cd55f56ba8d01d7c68b64540bb9ef9e0fcb12
SHA256 b2334d85640afb8b617b2e8a04d35474dc2b46376b30429314772eee363f6747
SHA512 cf3a571c3fff7e6eca3cb5b04ad30faa3a7ed1fb19f8a5792d49a095e43265032d37a863b8a6a778433ffc033ae78274ab09e9096013ec944f162fd0aad298fb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dll.vbe

MD5 ac426679bceba77a1d2d9f2755387f37
SHA1 9ca63a59a805799bb92dbb1500970408ef918ae5
SHA256 090f3cd8b3d1b0232a340b1b32cb1c5d25d16218f047b11c05213e12a3ff51b8
SHA512 5fd657aef38640cb4e5525cc7a986f2150e1b3b00dac1b1782b862d1ff5a5e4da26f59e64db1ecd1f41a4c2a26d34e201837de3e81977da93fc25a402832f702

C:\Windows\bhoreg.reg

MD5 5445be71fa6b294bbbc40f3025197a45
SHA1 2b67ceef71dfb405424d91ca21d864a300ef2fec
SHA256 e9d2aa5fca34c11fd1fd3b1f73607e0b8004e14de835e95252394f4e5a96ed97
SHA512 481b8547790491d3a61c42ac1906e519d6ed244cdf92088ad72cd319e8bb56fd0cf73579e9e8d35fd5d53524469b29465c350e0e4c5ba94434d661c9943409ff

memory/656-81-0x0000000000400000-0x0000000000442000-memory.dmp