613364d7d06754a835b6f034b7a3bf20a8a805dfd55e1542ef66de72cf4414a5

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 14:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

af8f1ed7971134be7e98c6640e6b63ff_JaffaCakes118.exe
Size

148KB
MD5

af8f1ed7971134be7e98c6640e6b63ff
SHA1

76dcd79694d924bc1c3b580059326cfa098f15af
SHA256

613364d7d06754a835b6f034b7a3bf20a8a805dfd55e1542ef66de72cf4414a5
SHA512

c0f2c889352fa61891c97673dfd2119f0d54ccadede7869bdb3fa98b2a418137ee081252eb9ed899346b9175a4ab4cee078c3eb709287d50c980739d3beaa035
SSDEEP

3072:yziUjE5x5q4QmiqKxXn/Yg1MxpQAStrvGfmdV:yziUjE32/YgKKntzGU

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	script.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	af8f1ed7971134be7e98c6640e6b63ff_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	52r8bcO52Stn52y.exe

Executes dropped EXE 3 IoCs

pid	Process
4444	52r8bcO52Stn52y.exe
1544	script.exe
4828	smss.exe

Loads dropped DLL 1 IoCs

pid	Process
2932	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}	regedit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\XlKankan.dll	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\XlKankan.dll	xcopy.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\20240820\52r8bcO52Stn52yp\script\script.vbs	52r8bcO52Stn52y.exe
File created	C:\Windows\20240820\52r8bcO52Stn52yp\script\reg.bat	52r8bcO52Stn52y.exe
File opened for modification	C:\Windows\SysWOW64	xcopy.exe
File created	C:\Windows\search.reg	WScript.exe
File created	C:\Windows\.reg	WScript.exe
File created	C:\Windows\AddRight.reg	WScript.exe
File created	C:\Windows\20240820\52r8bcO52Stn52yp\script\XlKankan.dll	52r8bcO52Stn52y.exe
File created	C:\Windows\userid.txt	script.exe
File created	C:\Windows\20240820\52r8bcO52Stn52yp\script\Script.vbs.bat	script.exe
File created	C:\Windows\xsxfhe.vbs	WScript.exe
File created	C:\Windows\tao.ico	52r8bcO52Stn52y.exe
File created	C:\Windows\20240820\52r8bcO52Stn52yp\script\script.exe.bat	52r8bcO52Stn52y.exe
File created	C:\Windows\SetWindowsIndex.reg	WScript.exe
File created	C:\Windows\MYShowIeLinkIe6.reg	WScript.exe
File created	C:\Windows\20240820\cg5t5ENH5DS8ejeL\smss.exe.bat	52r8bcO52Stn52y.exe
File created	C:\Windows\20240820\52r8bcO52Stn52yp\script\script.exe	52r8bcO52Stn52y.exe
File created	C:\Windows\20240820\52r8bcO52Stn52yp\script\regBHO.reg	52r8bcO52Stn52y.exe
File created	C:\Windows\20240820\cg5t5ENH5DS8ejeL\smss.exe	52r8bcO52Stn52y.exe
File created	C:\Windows\MyShowIeLinkIe7.reg	WScript.exe
File opened for modification	C:\Windows\SetWindowsIndex.reg	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 62 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	script.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52r8bcO52Stn52y.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af8f1ed7971134be7e98c6640e6b63ff_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\MenuExt\Ê¹ÓÃ[¹È¸è]Ñ¡´Ê¿ìËÙËÑË÷	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Toolbar	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{0E5CBF21-D15F-11D0-8301-00AA005B4383} = 21bf5c0e5fd1d011830100aa005b438322001c000800000006000000010000000000000000000000000000004c0000000114020000000000c0000000000000468100000010000000feb8496527bbc90112c0b16e27bbc9015aac066827bbc9010000000000000000010000000000000000000000000000005b0114001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c000000000000000000000000000000000000005c003100000000008c3acb231000444f43554d457e310000440003000400efbe8c3ada218c3acb231400000044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e0067007300000018004a003100000000008c3acc23100041444d494e497e310000320003000400efbe8c3acb238c3acc2314000000410064006d0069006e006900730074007200610074006f0072000000180056003100000000008c3ace2311004641564f52497e3100003e0003000400efbe8c3acb238c3ace23140028004600610076006f00720069007400650073000000407368656c6c33322e646c6c2c2d313236393300180030003500000000008c3acf231000fe94a56300001c0003000400efbe8c3acc238c3acf2314000000fe94a56300001400000060000000030000a0580000000000000067686f73747870332d3436373638300008fff6b72738414d8df317a72f9d101cdd0c5a861a27de11b28a8662afbb9fa208fff6b72738414d8df317a72f9d101cdd0c5a861a27de11b28a8662afbb9fa200000000	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{F2CF5485-4E02-4F68-819C-B92DE9277049} = 8554cff2024e684f819cb92de927704922001c000800000006000000010000000000000000000000000000004c0000000114020000000000c000000000000046810000001000000010a155c0ffe9ca0118bf0ffd11edca0118bf0ffd11edca010000000000000000010000000000000000000000000000005b0114001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c000000000000000000000000000000000000005c003100000000008e3ab9151000444f43554d457e310000440003000400efbe8c3ada21a23c2c701400000044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e0067007300000018004a00310000000000a53c0586100041444d494e497e310000320003000400efbe8c3acb23a53c058614000000410064006d0069006e006900730074007200610074006f007200000018005600310000000000a23c809611004641564f52497e3100003e0003000400efbea23c0070a23c8096140028004600610076006f00720069007400650073000000407368656c6c33322e646c6c2c2d31323639330018003000350000000000a63ce45d1000fe94a56300001c0003000400efbea23c0070a63ce45d14000000fe94a56300001400000060000000030000a058000000000000007063323031303035303232317663620008fff6b72738414d8df317a72f9d101c92a9ac9dce58df11a8ce001e65ca824608fff6b72738414d8df317a72f9d101c92a9ac9dce58df11a8ce001e65ca824600000000	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}\FaviconPath = "C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Internet Explorer\\Services\\search_{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}.ico"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E140FB5B-2A9D-4FA4-A20F-089B92412200}\DisplayName = "ÌÔ±¦ËÑË÷"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Ê¹ÓÃ[°Ù¶È]Ñ¡´Ê¿ìËÙËÑË÷\ = "http://www.mylovewebs.com/api/tag/baidu.htm"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Ê¹ÓÃ[ÓÐµÀ]Ñ¡´Ê¿ìËÙËÑË÷\ = "http://www.mylovewebs.com/api/tag/youdao.htm"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383} = 8145e001ee4ed011bfe900aa005b4383100000000000000001e032f401000000	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}\SortIndex = "2"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E140FB5B-2A9D-4FA4-A20F-089B92412200}\URL = "http://www.mylovewebs.com/api/taobao/so.htm?word={searchTerms}"	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout = 110000005c00000000000000340000001f0000006200000001000000a0060000a00f000005000000220400002600000002000000a10600006001000004000000a1000000c600000003000000a1020000d4040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBarLayout = 110000005c00000000000000340000001b000000560000000100000020070000a00f00000500000062050000260000000200000021070000a00f00000400000021010000a00f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\SearchScopes	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E140FB5B-2A9D-4FA4-A20F-089B92412200}\FaviconPath = "C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Internet Explorer\\Services\\search_{E140FB5B-2A9D-4FA4-A20F-089B92412200}.ico"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Ê¹ÓÃ[¹È¸è]Ñ¡´Ê¿ìËÙËÑË÷\ = "http://www.mylovewebs.com/api/tag/google.htm"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\SearchScopes\{E140FB5B-2A9D-4FA4-A20F-089B92412200}	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E140FB5B-2A9D-4FA4-A20F-089B92412200}\SortIndex = "6"	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Explorer\ITBarLayout = 110000005c00000000000000240000001b0000004a0000000100000020070000a00f00000500000062050000260000000200000021070000a00f00000400000021010000a00f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBarLayout = 110000005c00000000000000240000001b0000004a0000000100000020070000a00f00000500000062050000260000000200000021070000a00f00000400000021010000a00f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383} = 8145e001ee4ed011bfe900aa005b4383100000000000000001e032f401000000	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383} = 8145e001ee4ed011bfe900aa005b4383100000000000000001e032f401000000	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout = 110000005c00000000000000340000001f000000560000000100000020070000a00f00000500000062050000260000000200000021070000a00f00000400000021010000a00f0000030000002003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{B580CF65-E151-49C3-B73F-70B13FCA8E86} = 65cf80b551e1c349b73f70b13fca8e86	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\MenuExt\Ê¹ÓÃ[×ÛºÏ]Ñ¡´Ê¿ìËÙËÑË÷	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Ê¹ÓÃ[×ÛºÏ]Ñ¡´Ê¿ìËÙËÑË÷\ = "http://www.mylovewebs.com/api/tag/index.htm"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\MenuExt\Ê¹ÓÃ[°Ù¶È]Ñ¡´Ê¿ìËÙËÑË÷	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}\DisplayName = "°Ù¶ÈÒ»ÏÂ£¬Äã¾ÍÖªµÀ"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Toolbar\Explorer	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383} = 8145e001ee4ed011bfe900aa005b4383100000000000000001e032f401000000	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}\URL = "http://www.mylovewebs.com/api/baidu/so.htm?word={searchTerms}"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\MenuExt\Ê¹ÓÃ[ÓÐµÀ]Ñ¡´Ê¿ìËÙËÑË÷	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\LinksFolderName = "Á´½Ó"	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{0E5CBF21-D15F-11D0-8301-00AA005B4383} = 21bf5c0e5fd1d011830100aa005b438322001c000800000006000000010000000000000000000000000000004c0000000114020000000000c00000000000004681000000100000009ed10ec233ecca01e61abf65c5edca019ed10ec233ecca010000000000000000010000000000000000000000000000005b0114001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c000000000000000000000000000000000000005c00310000000000a53c284a1000444f43554d457e310000440003000400efbea53c1249a73cf1481400000044006f00630075006d0065006e0074007300200061006e0064002000530065007400740069006e0067007300000018004a00310000000000a63c8e0c100041444d494e497e310000320003000400efbea53c284aa73cf14814000000410064006d0069006e006900730074007200610074006f007200000018005600310000000000a63c760f11004641564f52497e3100003e0003000400efbea53c284aa73c3344140028004600610076006f00720069007400650073000000407368656c6c33322e646c6c2c2d31323639330018003000350000000000a53c294a1000fe94a56300001c0003000400efbea53c294aa73c334414000000fe94a56300001400000060000000030000a0580000000000000068792d3636796c7032363264663675000ed24080beba3a40a5d7359938b74ca04778a6832a58df11b1e00026180888870ed24080beba3a40a5d7359938b74ca04778a6832a58df11b1e000261808888700000000	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000030000000140000002a000000010000008006000080010000030000008102000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E140FB5B-2A9D-4FA4-A20F-089B92412200}\FaviconURL = "http://www.taobao.com/favicon.ico"	regedit.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.zaodezhu.com/?my=1026"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.zaodezhu.com/?my=1026"	regedit.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AllTypes\shell\open\command\ = "\"C:\\Windows\\20240820\\52r8bcO52Stn52yp\\script\\script.exe\" \"%1\""	script.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\ProgID\ = "QvodAdBlocker.xunlei"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\InprocServer32\ = "C:\\Windows\\SysWow64\\XlKankan.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AllTypes\.ini = "inifile"	script.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983}\1.0\ = "QvodAdBlocker"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ini\ = "AllTypes"	script.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\TypeLib\ = "{352EE19A-DA33-499F-B3B1-7A2DFC87D983}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QvodAdBlocker.xunlei\ = "QvodAdBlocker.xunlei"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q\Command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\ÊôÐÔ(&R)\Command\ = "rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ = "Internet Explorer"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\TypeLib\ = "{352EE19A-DA33-499F-B3B1-7A2DFC87D983}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\DefaultIcon	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ShellFolder\ = "00.00.00.00"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\InProcServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q\Command\ = "Rundll32.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AllTypes\shell	script.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "AllTypes"	script.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QvodAdBlocker.xunlei\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\ÊôÐÔ(&R)\Command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AllTypes\shell\open	script.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983}\1.0\HELPDIR\ = "C:\\Windows\\System32"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QvodAdBlocker.xunlei	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\ProxyStubClsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\ÊôÐÔ(&R)	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\ = "_xunlei"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\TypeLib\ = "{352EE19A-DA33-499F-B3B1-7A2DFC87D983}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QvodAdBlocker.xunlei\Clsid\ = "{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{352EE19A-DA33-499F-B3B1-7A2DFC87D983}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\XlKankan.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe,0"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage\Command\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe http://www.zaodezhu.com/?my=1026"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AllTypes	script.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AllTypes\.txt = "txtfile"	script.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q\ = "É¾³ý(&D)"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AllTypes\shell\open\command	script.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage\ = "´ò¿ªÖ÷Ò³(&H)"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage\Command	regedit.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ShellFolder\Attributes = 00000000	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\ = "QvodAdBlocker.xunlei"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shdocvw.dll"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01E9FB1E-8145-4702-B7B3-B687F49F8CDC}\VERSION	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE02D2D8-63BF-4E08-9922-E58DBCFCFE33}\ = "xunlei"	regsvr32.exe

Runs .reg file with regedit 8 IoCs

pid	Process
1684	regedit.exe
4072	regedit.exe
3716	regedit.exe
1772	regedit.exe
948	regedit.exe
2376	regedit.exe
2040	regedit.exe
2312	regedit.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4828	smss.exe
4828	smss.exe
4828	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 208	3064	af8f1ed7971134be7e98c6640e6b63ff_JaffaCakes118.exe	86
PID 3064 wrote to memory of 208	3064	af8f1ed7971134be7e98c6640e6b63ff_JaffaCakes118.exe	86
PID 3064 wrote to memory of 208	3064	af8f1ed7971134be7e98c6640e6b63ff_JaffaCakes118.exe	86
PID 3064 wrote to memory of 116	3064	af8f1ed7971134be7e98c6640e6b63ff_JaffaCakes118.exe	87
PID 3064 wrote to memory of 116	3064	af8f1ed7971134be7e98c6640e6b63ff_JaffaCakes118.exe	87
PID 3064 wrote to memory of 116	3064	af8f1ed7971134be7e98c6640e6b63ff_JaffaCakes118.exe	87
PID 208 wrote to memory of 4444	208	cmd.exe	90
PID 208 wrote to memory of 4444	208	cmd.exe	90
PID 208 wrote to memory of 4444	208	cmd.exe	90
PID 4444 wrote to memory of 4704	4444	52r8bcO52Stn52y.exe	94
PID 4444 wrote to memory of 4704	4444	52r8bcO52Stn52y.exe	94
PID 4444 wrote to memory of 4704	4444	52r8bcO52Stn52y.exe	94
PID 4704 wrote to memory of 1544	4704	cmd.exe	96
PID 4704 wrote to memory of 1544	4704	cmd.exe	96
PID 4704 wrote to memory of 1544	4704	cmd.exe	96
PID 1544 wrote to memory of 1860	1544	script.exe	97
PID 1544 wrote to memory of 1860	1544	script.exe	97
PID 1544 wrote to memory of 1860	1544	script.exe	97
PID 1544 wrote to memory of 1680	1544	script.exe	99
PID 1544 wrote to memory of 1680	1544	script.exe	99
PID 1544 wrote to memory of 1680	1544	script.exe	99
PID 1680 wrote to memory of 3528	1680	cmd.exe	101
PID 1680 wrote to memory of 3528	1680	cmd.exe	101
PID 1680 wrote to memory of 3528	1680	cmd.exe	101
PID 1680 wrote to memory of 4072	1680	cmd.exe	102
PID 1680 wrote to memory of 4072	1680	cmd.exe	102
PID 1680 wrote to memory of 4072	1680	cmd.exe	102
PID 1860 wrote to memory of 1876	1860	cmd.exe	103
PID 1860 wrote to memory of 1876	1860	cmd.exe	103
PID 1860 wrote to memory of 1876	1860	cmd.exe	103
PID 1680 wrote to memory of 2932	1680	cmd.exe	104
PID 1680 wrote to memory of 2932	1680	cmd.exe	104
PID 1680 wrote to memory of 2932	1680	cmd.exe	104
PID 1876 wrote to memory of 4644	1876	WScript.exe	106
PID 1876 wrote to memory of 4644	1876	WScript.exe	106
PID 1876 wrote to memory of 4644	1876	WScript.exe	106
PID 1876 wrote to memory of 1324	1876	WScript.exe	108
PID 1876 wrote to memory of 1324	1876	WScript.exe	108
PID 1876 wrote to memory of 1324	1876	WScript.exe	108
PID 1876 wrote to memory of 1020	1876	WScript.exe	110
PID 1876 wrote to memory of 1020	1876	WScript.exe	110
PID 1876 wrote to memory of 1020	1876	WScript.exe	110
PID 1876 wrote to memory of 3868	1876	WScript.exe	112
PID 1876 wrote to memory of 3868	1876	WScript.exe	112
PID 1876 wrote to memory of 3868	1876	WScript.exe	112
PID 1876 wrote to memory of 3900	1876	WScript.exe	114
PID 1876 wrote to memory of 3900	1876	WScript.exe	114
PID 1876 wrote to memory of 3900	1876	WScript.exe	114
PID 1876 wrote to memory of 3788	1876	WScript.exe	116
PID 1876 wrote to memory of 3788	1876	WScript.exe	116
PID 1876 wrote to memory of 3788	1876	WScript.exe	116
PID 1876 wrote to memory of 4976	1876	WScript.exe	118
PID 1876 wrote to memory of 4976	1876	WScript.exe	118
PID 1876 wrote to memory of 4976	1876	WScript.exe	118
PID 1876 wrote to memory of 4592	1876	WScript.exe	120
PID 1876 wrote to memory of 4592	1876	WScript.exe	120
PID 1876 wrote to memory of 4592	1876	WScript.exe	120
PID 1876 wrote to memory of 4648	1876	WScript.exe	122
PID 1876 wrote to memory of 4648	1876	WScript.exe	122
PID 1876 wrote to memory of 4648	1876	WScript.exe	122
PID 1876 wrote to memory of 1796	1876	WScript.exe	123
PID 1876 wrote to memory of 1796	1876	WScript.exe	123
PID 1876 wrote to memory of 1796	1876	WScript.exe	123
PID 1876 wrote to memory of 4720	1876	WScript.exe	126

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3948	attrib.exe
4320	attrib.exe
4644	attrib.exe
4720	attrib.exe

C:\Users\Admin\AppData\Local\Temp\af8f1ed7971134be7e98c6640e6b63ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\af8f1ed7971134be7e98c6640e6b63ff_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\52r8bcO52Stn52y.exe.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Users\Admin\AppData\Local\Temp\52r8bcO52Stn52y.exe
    "C:\Users\Admin\AppData\Local\Temp\52r8bcO52Stn52y.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\20240820\52r8bcO52Stn52yp\script\script.exe.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4704
    - - C:\Windows\20240820\52r8bcO52Stn52yp\script\script.exe
        
        "C:\Windows\20240820\52r8bcO52Stn52yp\script\script.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1544
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Windows\20240820\52r8bcO52Stn52yp\script\Script.vbs.bat" "
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\20240820\52r8bcO52Stn52yp\script\script.vbs"
        7⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" "C:\Users\Public\Desktop\Internet Explorer.tt" +r +s
        8⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4644
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\Internet Explorer.tt" /e /c /r Administrators
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\Internet Explorer.tt" /e /c Administrators:CI
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\Internet Explorer.tt" /e /c /r Administrator
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\Internet Explorer.tt" /e /c /r users
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3900
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\Internet Explorer.tt" /e /c /r system
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3788
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\Internet Explorer.tt" /e /c /r everyone
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\Internet Explorer.tt" /e /c /r user
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\Internet Explorer.tt" /e /c /r "Power Users"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\Internet Explorer.tt" /e /c /r "Admin"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Explorer.css" +r +s
        8⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4720
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Explorer.css" /e /c /r Administrators
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Explorer.css" /e /c Administrators:CI
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Explorer.css" /e /c /r Administrator
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Explorer.css" /e /c /r users
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Explorer.css" /e /c /r system
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Explorer.css" /e /c /r everyone
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Explorer.css" /e /c /r user
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Explorer.css" /e /c /r "Power Users"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Explorer.css" /e /c /r "Admin"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3396
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.css" +r +s
        8⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3948
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.css" /e /c /r Administrators
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.css" /e /c Administrators:CI
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.css" /e /c /r Administrator
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.css" /e /c /r users
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.css" /e /c /r system
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.css" /e /c /r everyone
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.css" /e /c /r user
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.css" /e /c /r "Power Users"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3588
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.css" /e /c /r "Admin"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\System32\attrib.exe" "C:\Users\Public\Desktop\ÌØÉ«¹ºÎï.bt" +r +s
        8⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4320
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÌØÉ«¹ºÎï.bt" /e /c /r Administrators
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3636
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÌØÉ«¹ºÎï.bt" /e /c Administrators:CI
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1840
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÌØÉ«¹ºÎï.bt" /e /c /r Administrator
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÌØÉ«¹ºÎï.bt" /e /c /r users
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3540
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÌØÉ«¹ºÎï.bt" /e /c /r system
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3236
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÌØÉ«¹ºÎï.bt" /e /c /r everyone
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4328
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÌØÉ«¹ºÎï.bt" /e /c /r user
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÌØÉ«¹ºÎï.bt" /e /c /r "Power Users"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Windows\SysWOW64\cacls.exe
        
        "C:\Windows\System32\cacls.exe" "C:\Users\Public\Desktop\ÌØÉ«¹ºÎï.bt" /e /c /r "Admin"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\regedit.exe
        
        "C:\Windows\System32\regedit.exe" /s C:\Windows\SetWindowsIndex.reg
        8⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        Runs .reg file with regedit
        
        PID:3716
        
        C:\Windows\SysWOW64\regedit.exe
        
        "C:\Windows\System32\regedit.exe" /s C:\Windows\MYShowIeLinkIe6.reg
        8⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Runs .reg file with regedit
        
        PID:1772
        
        C:\Windows\SysWOW64\regedit.exe
        
        "C:\Windows\System32\regedit.exe" /s C:\Windows\MyShowIeLinkIe7.reg
        8⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Runs .reg file with regedit
        
        PID:948
        
        C:\Windows\SysWOW64\regedit.exe
        
        "C:\Windows\System32\regedit.exe" /s C:\Windows\search.reg
        8⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Runs .reg file with regedit
        
        PID:2376
        
        C:\Windows\SysWOW64\regedit.exe
        
        "C:\Windows\System32\regedit.exe" /s C:\Windows\.reg
        8⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        Runs .reg file with regedit
        
        PID:2040
        
        C:\Windows\SysWOW64\regedit.exe
        
        "C:\Windows\System32\regedit.exe" /s C:\Windows\AddRight.reg
        8⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Runs .reg file with regedit
        
        PID:1684
        
        C:\Windows\SysWOW64\regedit.exe
        
        "C:\Windows\System32\regedit.exe" /s C:\Windows\SetWindowsIndex.reg
        8⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        Runs .reg file with regedit
        
        PID:2312
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Windows\20240820\52r8bcO52Stn52yp\script\reg.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /c /q /y /i XlKankan.dll C:\Windows\system32
        7⤵
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:3528
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s regBHO.reg
        7⤵
        Installs/modifies Browser Helper Object
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:4072
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s XlKankan.dll
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\20240820\cg5t5ENH5DS8ejeL\smss.exe.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4408
    - - C:\Windows\20240820\cg5t5ENH5DS8ejeL\smss.exe
        
        "C:\Windows\20240820\cg5t5ENH5DS8ejeL\smss.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\52r8bcO52Stn52y.exe.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\af8f1ed7971134be7e98c6640e6b63ff_JaffaCakes118.exe.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:116

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe d3a6a43e9d3e65e07792d7217bbd45d0 DK5BnI690kuxO/ZChllkvQ.0.1.0.0.0
1⤵
PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\52r8bcO52Stn52y.exe

Filesize
112KB

MD5
ea30f91149efa0bafdf3824e8909e1a6

SHA1
91bf1e48dd4a71d0ee7fb55584594d3f90eb86b6

SHA256
b90d8c4189c0d7d19981fc56b7981b813098a067ee29829653001af8dc93385f

SHA512
f6fec138773bd83867bf2c328bf9bb27be7d054fe4ab77f566c9fdede39f0257ccb15b6671ddda2ed80120a8021e87546c33dc1a96933c88631bb86aa81bfcf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\52r8bcO52Stn52y.exe.bat

Filesize
207B

MD5
998aabbe1650cfa45b6138c13da1e032

SHA1
e01849298f6bbebf00c047b25b66d2c70f161f96

SHA256
157388ae5e9f5c22efb18bd059b1a22c6513238b32d504ebf7cba3eed9f5f487

SHA512
c9e915875f998bcca3ace768d4ee624fb39eebee24f02acba48b976d50ade306c3b59e379666da9e8b19dc258202b5480e26bb5eaf567230042e74f1502d0323

Download Submit
C:\Users\Admin\AppData\Local\Temp\52r8bcO52Stn52y.exe.bat

Filesize
329B

MD5
389d13287d7bd671668a7464be62c2d8

SHA1
65f5c1348965e5cb6587a5097318e27c679b9d71

SHA256
ee77126db5c60101d07d76e92e861be2ffc0432215d865177a7e5b3bf9d8b192

SHA512
e6de58e2ebff9c92327e23f4a1c9df7259711a8aba95894b9fa1a5bf528f3380dc788d5d447540e201ba4eba4ba037282b9ca0f6f93b732b4af42733ec418961

Download Submit
C:\Users\Admin\AppData\Local\Temp\af8f1ed7971134be7e98c6640e6b63ff_JaffaCakes118.exe.bat

Filesize
453B

MD5
4dcf723a02f172181e64ad6c1350c703

SHA1
edc3818956eaa556ed38d83dd93bb2119ce977bb

SHA256
1216b6e4bddc182954fae866ea0c4123f8bb50e88aac7220ef905c5baaae73ae

SHA512
fe7f3357d32d5b576429139d0a061b909ef34eb8e3ce184495b0b52099ecb31d12022706c994d0ce19d718290b08c37704e7a5c8ad276fc9c1f02c9285943e44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk

Filesize
2KB

MD5
0c1db04cd492b561d39dd4c92b9d15db

SHA1
937b1bb0495b7853579aa7c2a41290e3d2827fe7

SHA256
77ed0bf0f0f4ff2a2e42dcc6eba4cc41c46afc07cf3626db8eb33bd6afc6c3ea

SHA512
1bfda82014b2af40d19e342b00e46996fdc69616cea20b2fec9079ff8f7c5892be463b29c86fc82f35354f073af7a20e9bd9131d28510dfcf9462a613cff671d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk

Filesize
2KB

MD5
d32bd11ce0af30f490681949f89834ab

SHA1
048ac3f5f07a0aff7d27d5b9da077d0071923a58

SHA256
2da43dcd3c5161f1498fe79199e4e7d62c5128d89c9d7464fac807fd2cf42e76

SHA512
d57fb419b7967e17fa752fe09799f66551f8608fc4a26277b1e1feebb4d630ec48afae9d37dc2467839ca037dec204ec942d1fb050e3412280cf95147dd84946

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk

Filesize
418B

MD5
8f48c6d76826e72128aacc7d20f41671

SHA1
a0e7d1c87de71916e5b7d3d07f0090d9dd82319e

SHA256
1738ed05ed5db19eda56e6fa9905a183310b42c0c628f7eddc94854291ce3be7

SHA512
82469d37093b96ced5aa6d42eef20d5736df0a2f15be4825c8e25b1a8f67b7f1c78875a1a10d4a06e6ae298eaf36f28da36da07c19b9fee4d277f066c3456898

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk

Filesize
400B

MD5
7d794977e64d0b35fc1efd56eab87b44

SHA1
eda0a4475c89743ad07118c12f6cf2c286537b84

SHA256
8ebaf28ec13b784392dfde40be32d87b5fa9ac86a94d7ecf8ed45ed26653b204

SHA512
2be588c5b9267b315c0f8a51bdd26d2dabb385ac1863125b8e454934a944b41764a56f84ab61a317c1899b0cec63b3c38ac4cf5b102b6cb7af4e09bcde4ddf63

Download Submit
C:\Users\Public\Desktop\Internet Explorer.tt

Filesize
8B

MD5
e51f9cdcf7efb98e0859c9f85ce367e2

SHA1
02a5a939959597a5bbadc703fddff668aa98360d

SHA256
044775cb0f1e2b9162c192dcaea0ff0fa1be84bf7bb0e388c8190e237e861a33

SHA512
0f0028bb11ec79b02424d81891421eae8989faad76a82e8ac7a90bc2522ea97cc3ed163495827d0a4e80f0a0e97b0d7aacc877e070c7a921a948d8b9995ea026

Download Submit
C:\Windows\.reg

Filesize
1KB

MD5
75721cb2a7848c3df7b00faf4401b9c9

SHA1
cb4ad243b92b38739b970b98ef31d37ce3d0923d

SHA256
1fbdaf7773a0ad8e371f2ed40768c2e2e9b3f63436ac1e9f0066b5177913c84a

SHA512
4f1d9c2197be1bd4830cbd942293b614b8ba18956a9af749ac905fc9f17456dcb2962f6c93fa0fdf8209a56443e5799bbf96a491e4d6974cbaee018926045206

Download Submit
C:\Windows\20240820\52r8bcO52Stn52yp\script\Script.vbs.bat

Filesize
214B

MD5
49c56a29dffb206f3baad3ea6da9adaf

SHA1
211c5326bffbf4edd247246868829939b88f47b4

SHA256
b15e1d650a22ed68b873ab8f27c84fed4a5e616e1b4a8828de19eeda2229481f

SHA512
2e3b1c7367e20177986a477222cd6a16a8fee0b849eb1d483f25d0baf19ec0629e5fe892485bbff34466cfb31bfc052e5a80dc9fdb0d5216effa270d9994aa4f

Download Submit
C:\Windows\20240820\52r8bcO52Stn52yp\script\XlKankan.dll

Filesize
28KB

MD5
ce8f0033298014df0508a996b638b5eb

SHA1
610f52ba70f2053a9a4dba08d88a3f97243aa3d6

SHA256
9e9a8a9522ae2822ff0130a9d7736417d32a85c6c66c44048d8b2d2ec4677466

SHA512
216dcd79aa7bedd2e9c819978c2477787ce4b2a34f33c64881db21d1ebc96e0b44169d652c68bd4053bcb963a6b1c673d585e44feb6c30ef30121f0076ce3200

Download Submit
C:\Windows\20240820\52r8bcO52Stn52yp\script\reg.bat

Filesize
130B

MD5
d426a1646ddadd0e41ff5358eeceb3c4

SHA1
69e585d10ad1f4d03a4ceec7f4e336951e10406f

SHA256
86861d7856b53976d754875343237f55e63ca5580db3e57f6ffbbc86977ef573

SHA512
401c3aa8a1a426cb7c6fdfc0e0cd5da193abb8c44c17143996e57838060f22601c51fc3a3da915d0ac3a3f7a70a217fa9576c575bc9f5a30b542c9a5a206dd97

Download Submit
C:\Windows\20240820\52r8bcO52Stn52yp\script\regBHO.reg

Filesize
356B

MD5
b93db4ec7eba064cbd7336085953cce9

SHA1
79b458e4b5c974ce2361b103905a941eae0210b9

SHA256
2b6fb4f8615a821498deb27a55261d482fcf97a1dbe8143d233ee7d1b9b63dac

SHA512
420819a9aeeed54337aaabe2f4cf5f0f6b91cda6bacc5eae496320e2d22cc4eafccef7e38d4085d868ab28177889bcbf025f496c14b5df0384bc93ad14d591a6

Download Submit
C:\Windows\20240820\52r8bcO52Stn52yp\script\script.exe

Filesize
14KB

MD5
181b53fa7032009d1e571e60ce740cbb

SHA1
1c2958fd8d4894d1ce7ec23b97a45eeadb20722f

SHA256
37e91baf0e737219f49bb4beedead82572b7c9c0c1b3b1232b77e7a2e7c40da5

SHA512
c60b9a29df10f63e669fd90686ca104169c3a1318f22ff6148a9bb08a07c0b836c1dab92f6d7c2dc9edc50704f66f0bcd3de704a7a41e52c5ee566efcfb6dd62

Download Submit
C:\Windows\20240820\52r8bcO52Stn52yp\script\script.exe.bat

Filesize
210B

MD5
4f5328739c1b399b1f0c5d190169527b

SHA1
e2da1274eedad60a9c82891df5abbd63079ac2ee

SHA256
32871ddb28bdc36b5a9c680391109ca1606e3aeaf49aa263e2a4b60bea893e2b

SHA512
67fa54d8fb2ef4bbfa0c7f312f7354bdcf0db3113b7fd9c41ad7711c57936e02a67a81ab15cbbe342210d6ae4f649cc089f365f5908ec70464a05100948c83ff

Download Submit
C:\Windows\20240820\52r8bcO52Stn52yp\script\script.vbs

Filesize
74KB

MD5
9ecc1bef464dc50985e94bb61ea39481

SHA1
d322f77e54cc0e7111f4e894cb2bbe9e7afd0ff0

SHA256
b02a1d340606815f766afe59c6c7bd5e73b16954fa0c2f3489a00a49a5ab4f6a

SHA512
ae5bdd6aacb71e9b9b844d8a7fa01ac474c042d931d00cadfc6b51d1aa6346794a4fdb54aa844feed9b8024ac08de2958c7970f53d6bd816edf76c2916d5f2be

Download Submit
C:\Windows\20240820\cg5t5ENH5DS8ejeL\smss.exe

Filesize
16.1MB

MD5
c2311a7f7aefb4fda570e551ba425234

SHA1
012cec73b85afe127418a3f7b41b8a2a0e4f48cd

SHA256
9767a80808b593f6a4fae80af642247497b61ef079b86d093f1881b7f433a048

SHA512
3cb24f7d202f168cf7642c134288396f18e50c9f5ac9baf365511f144cd6e0a8de0968ec81a4102dfb934526c1cbe741eedb119ff2d575fe7934c2d28b156028

Download Submit
C:\Windows\20240820\cg5t5ENH5DS8ejeL\smss.exe.bat

Filesize
183B

MD5
5ad2620a55540d85b924c3553f17cb76

SHA1
28e5663fe2009b449a834ff2b9b06bd917974c10

SHA256
eca778de9c1cc3170c10d03ae0f0051e142bebda37d9836c42c64bbc7f29800e

SHA512
22efeb40b5ae3499161d40ddc3e813a57466c9f2766a41a059014e0aba334476efba3f20d9d2c0b5ae5cad38c9427b7b0dce2f1258a1d02d1f908fc4dedb172f

Download Submit
C:\Windows\AddRight.reg

Filesize
592B

MD5
53d75aea40be26a09d46f220accfb528

SHA1
82e1a094df1d4137697dfeb9f6b77b877d77ef8a

SHA256
a86cc1150a07bef8f91c426568651eae78be6af0ba06fc067014d6a9fb2c52c2

SHA512
1151e563503ef2841c8a052f0166565238fb86359ac4ded9939e77438e1efccc8d43d767e4dd59502dad4e0b38bf1bda7616254acbeb2b1ac07b2d30b0df3736

Download Submit
C:\Windows\MYShowIeLinkIe6.reg

Filesize
7KB

MD5
4f69fa82c34c91514da21a5933644af8

SHA1
e131f57f41ce95b46195d460852718b83517579a

SHA256
7cd8b741bfaee5cd14779b69d71b362aac4c928097c6b4af8ce0ce16bde52a46

SHA512
276588f960d28023febd87873c7852f401ab6ebfb3d90bf8b21b1998949d8ab00badb42d1a05934587aa6b4ad0ab06a3d649dcdb70f384ca70339049243463c4

Download Submit
C:\Windows\MyShowIeLinkIe7.reg

Filesize
9KB

MD5
dbd46bf2e72f6dfbb21295f4e3066d47

SHA1
cdd6ca2f6455c1e528c40a520bcdb8669df8f548

SHA256
71927f4f034db038385346e34209ad069139f54d73bae34bfaf4f29b7010fc6b

SHA512
ad013387a0c7608375b7a3c5fdb27f0d9e79b051d84b1ee9221346499f386d30473b5e2727f6a4e8a8122cf8ac2d473a5ce5e368e62da09441ed48e5c088bd11

Download Submit
C:\Windows\SetWindowsIndex.reg

Filesize
150B

MD5
3f7aefcd5bf4a3945fd249d8bd39201a

SHA1
51d9e7b51b6032e5dcb5cd3f74b15585160902db

SHA256
2d13c41a8992321c6be0cec7e4da3fa8cd4711ffa5d5478a98c7e23abb1c7b4c

SHA512
a62020ed8fe2343860935f3367d658a7f2e9f5cc63bd7d4186a8a42337f49e979a24db678ca9711d73933a4c5413d1caeb247c68cffa01e4cf1bd2de83894628

Download Submit
C:\Windows\search.reg

Filesize
1KB

MD5
8e2ec860bfbd9aa37ea44e51d559ea9b

SHA1
f64e2891ec34d4909f28b2ae14c0a9f712a0e29c

SHA256
ff8d92c2bbe81ccfa1a6ac46ac66e7b42dc4fd18a27924c2e6511d2579f092df

SHA512
ad551272a90d79aef258d22680c07a5d81b0b31e1712dc2a60ac2c67f8af13f18c3a5f99f8408231bc5bb4f68882a5d75ed5c0e203059575eea5940d8b841dc1

Download Submit
C:\Windows\userid.txt

Filesize
4B

MD5
24146db4eb48c718b84cae0a0799dcfc

SHA1
183723726a927563ad46963f2138cc147d04cea0

SHA256
582c0168ba17eac49642bc85ae623204069e8d6ea06cf45af11e7de46ea31d18

SHA512
cf1c23aa0a43423bb6a89b1a5f9c4cf3109eae58749c527553b07f56446b51ee6cc24dd6020932a33b9e7c5b84c7480b2c890070fa6b75b93d08f38d0c472eb4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads