b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f

Analysis

max time kernel
158s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Size

1.6MB
MD5

592292ebd42e33c8790f0d9e263b8e61
SHA1

99cd2fc2735d08e21a66c066240bac0e5a708134
SHA256

b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f
SHA512

a815a8ea9455bd273d00c8ac31381dfd71ceaec1a44dd09405a477daf2e81b29668a11c69bb8fad1509011f76a16891b47cbb552f35091996151d20df6b22f64
SSDEEP

24576:FJPnE18ZcQ/qk1J9ymILSQ5OQ0u6d7QYWjlS9D/LBfkiazqSQdysDuU1SMfs8iW:DE+ZcQ/B1QkvuC80J9uRsy0B

Score

8^/10

adware bootkit discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

TTKMonitor.exeTaotaosou.exe

pid process

3264 TTKMonitor.exe
2592 Taotaosou.exe

pid	process
3264	TTKMonitor.exe
2592	Taotaosou.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\TaoTaoSou\\TTK\\TTSIEPlugin_64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe

Loads dropped DLL 45 IoCs

Processes:

b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exeregsvr32.exeregsvr32.exeTaotaosou.exe

pid	process
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
1640	regsvr32.exe
1640	regsvr32.exe
4948	regsvr32.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Taotaosou.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Taotaosou.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Taotaosou.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1022531-9301-4071-A07A-F7237D0DE741}	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1022531-9301-4071-A07A-F7237D0DE741}\ = "TTSIEBHO"	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1022531-9301-4071-A07A-F7237D0DE741}\NoExplorer = "1"	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1022531-9301-4071-A07A-F7237D0DE741}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1022531-9301-4071-A07A-F7237D0DE741}\ = "TTSIEBHO"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1022531-9301-4071-A07A-F7237D0DE741}\NoExplorer = "1"	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe

description ioc process

File opened for modification \??\PhysicalDrive0 b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe

Drops file in Windows directory 2 IoCs

Processes:

TTKMonitor.exe

description	ioc	process
File created	C:\Windows\Tasks\TaoTongKuanUpdateTask.job	TTKMonitor.exe
File opened for modification	C:\Windows\Tasks\TaoTongKuanUpdateTask.job	TTKMonitor.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1520 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1520	sc.exe

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

T1112

Processes:

Taotaosou.exeb17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\taotaosou.com	Taotaosou.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	Taotaosou.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	Taotaosou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Taotaosou.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	Taotaosou.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\TaoTaoSou.exe = "8000"	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Taotaosou.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\taotaosou.com	Taotaosou.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\client.re.taotaosou.com	Taotaosou.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\taotaosou.com\Total = "63"	Taotaosou.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\taotaosou.com\NumberOfSubdomains = "1"	Taotaosou.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	Taotaosou.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\client.re.taotaosou.com\ = "63"	Taotaosou.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Taotaosou.exe

Modifies registry class 64 IoCs

Processes:

b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO.1	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\TTSIEPlugin.DLL\AppID = "{ADCF888E-D1CB-4B41-A065-33EDAB7A1DF9}"	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\VersionIndependentProgID	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\ = "ITTSIEBHO"	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\ = "ÌÔÌÔËÑ±È¼Û(ÌÔÍ¬¿î)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\ProxyStubClsid32	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\TypeLib\Version = "1.0"	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\ = "ÌÔÌÔËÑ±È¼Û(ÌÔÍ¬¿î)"	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\ProxyStubClsid32	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\TypeLib\ = "{AFB37209-747D-48B7-98A8-682371F2C841}"	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\CurVer\ = "TTSIEPlugin.TTSIEBHO.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO.1\CLSID	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\CLSID	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\0\win32	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\TypeLib	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{ADCF888E-D1CB-4B41-A065-33EDAB7A1DF9}	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\ProgID\ = "TTSIEPlugin.TTSIEBHO.1"	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\TaoTaoSou\\TTK\\TTSIEPlugin.dll"	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\TypeLib\Version = "1.0"	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\TTSIEPlugin.DLL\AppID = "{ADCF888E-D1CB-4B41-A065-33EDAB7A1DF9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\ = "ÌÔÌÔËÑ±È¼Û(ÌÔÍ¬¿î)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\ProgID\ = "TTSIEPlugin.TTSIEBHO.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\TypeLib	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO.1\CLSID\ = "{E1022531-9301-4071-A07A-F7237D0DE741}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\VersionIndependentProgID\ = "TTSIEPlugin.TTSIEBHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\FLAGS\ = "0"	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\ = "ITTSIEBHO"	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\TypeLib\ = "{AFB37209-747D-48B7-98A8-682371F2C841}"	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\0\win64	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\CurVer	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\ = "TTSIEPlugin 1.2 Type Library"	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\TaoTaoSou\\TTK\\TTSIEPlugin.dll"	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\TTSIEPlugin.DLL	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\FLAGS	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\TaoTaoSou\\TTK\\TTSIEPlugin_64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO.1\ = "ÌÔÌÔËÑ±È¼Û(ÌÔÍ¬¿î)"	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\CLSID\ = "{E1022531-9301-4071-A07A-F7237D0DE741}"	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\CurVer\ = "TTSIEPlugin.TTSIEBHO.1"	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\TypeLib	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO.1\ = "ÌÔÌÔËÑ±È¼Û(ÌÔÍ¬¿î)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO.1\CLSID\ = "{E1022531-9301-4071-A07A-F7237D0DE741}"	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\ = "ÌÔÌÔËÑ±È¼Û(ÌÔÍ¬¿î)"	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32\ThreadingModel = "Apartment"	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\0	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\TypeLib\ = "{AFB37209-747D-48B7-98A8-682371F2C841}"	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\TaoTaoSou\\TTK\\TTSIEPlugin_64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{ADCF888E-D1CB-4B41-A065-33EDAB7A1DF9}\ = "TTSIEPlugin"	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\VersionIndependentProgID\ = "TTSIEPlugin.TTSIEBHO"	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\Programmable	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe

Modifies system certificate store 2 TTPs 13 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exeTaotaosou.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6FA69BC9FEB7505CE17154823140F58C57A04757	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6FA69BC9FEB7505CE17154823140F58C57A04757\Blob = 0300000001000000140000006fa69bc9feb7505ce17154823140f58c57a047572000000001000000f6030000308203f2308202da020900fc17a01cdb4a9ad7300d06092a864886f70d01010505003081ba310b300906035504061302434e3111300f06035504080c085a68656a69616e673111300f06035504070c0848616e677a686f7531363034060355040a0c2d48616e677a686f752054616f74616f736f7520536369656e636526546563686e6f6c6f677920436f2e2c4c7464311e301c060355040b0c1554616f74616f736f7520436f72706f726174696f6e312d302b06035504030c2454616f74616f736f7520526f6f7420436572746966696361746520417574686f72697479301e170d3134313232323035343631375a170d3234313231393035343631375a3081ba310b300906035504061302434e3111300f06035504080c085a68656a69616e673111300f06035504070c0848616e677a686f7531363034060355040a0c2d48616e677a686f752054616f74616f736f7520536369656e636526546563686e6f6c6f677920436f2e2c4c7464311e301c060355040b0c1554616f74616f736f7520436f72706f726174696f6e312d302b06035504030c2454616f74616f736f7520526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100b4ddf3f9dd95bb5ae65d7c9a535ebe2ebf93ab6680e15a2633bd8150c999922c06b1c3b36c46238a7e85e3b30b42526a0c2b9a9a5196d196dd4f8cf2d7df297406857c2f409cd20ad613ade6ccbe8ea3f924c759c52f45bf4b1981317a4b9dd56ab975eb378b46dda01747063dd4036d5cae9d18a96c7899b651d7818877f65078c711b08c963790349553b8f3a29b455a38273c6df54afdbe1f3747f87231e2eb250df37c9fd485e2c010d5d85f668d1d9982e3bfce43501e65154ab020c68a76c8ca4d5b47e5684718c0aff3bc41053040db7bc6441372955ab629ae4feeaa7cc989f71faa0952203209be810476f42a21a5069de4ba0fe56d8345fa2f50430203010001300d06092a864886f70d0101050500038201010063b0ab12453daccf2b0e619e93339bbad723e52efd2859bccff6c179981a010310a64cd5a7eee8cb4620958978d925d5436a1b80b0802baf982afd5da8dc3e30173d245e60296b0a8037c116e4daa708b44b05f707b7c8e02068a3e165f35d907479622bccc20f38b4ea5a5ab3cce478babb98af1fff7409bde29314702899f86c5e792266c4a7c76dc5b6c408609f52da7c27a80a89b486546d78919995f44f3566eb4bf9401a587ad44d45aa12ed1cb4f62acf336b5c4c55f06b5a37d06804ea2a211c3c00416d0e46dc25168e923be817f34455e5d96f4ff356967d990c5e13186d33fcf9861157b9576527c31d95e13f00662b4fb322ab9fb6f782bdee80	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB\Blob = 5900000001000000160000005200530041002f0053004800410033003800340000004b0000000100000044000000300037004300450046003200460036003500340045003300450044003600300035003000460046004300390042003600450042003800340034003200350030005f000000180000000100000010000000ea6089055218053dd01e37e1d806eedf5c000000010000000400000000080000190000000100000010000000fc741b3b78cfb31e075744fe5d0eeb960f00000001000000300000008b612b2190a95b28b866b9be5d0b95f368c17534ab1da61a42dfb32766f9ae2908fe6bfd1669be140eddaf0d33e95235040000000100000010000000adab5c4df031fb9299f71ada7e18f6131400000001000000140000008d8c5ec454ad8ae177e99bf99b05e1b8018d61e103000000010000001400000033e4e80807204c2b6182a3a14b591acd25b5f0db20000000010000001706000030820613308203fba00302010202107d5b5126b476ba11db74160bbc530da7300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3138313130323030303030305a170d3330313233313233353935395a30818f310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f726431183016060355040a130f5365637469676f204c696d69746564313730350603550403132e5365637469676f2052534120446f6d61696e2056616c69646174696f6e205365637572652053657276657220434130820122300d06092a864886f70d01010105000382010f003082010a0282010100d67333d6d73c20d000d21745b8d63e07a23fc741ee3230c9b06cfdf49fcb12980f2d3f8d4d010c820f177f622ee9b84879fb16834eadd7322593b707bfb9503fa94cc3402ae939ffd981ca1f163241da8026b9237a87201ee3ff209a3c95446f8775069040b4329316091008233ed2dd870f6f5d51146a0a69c54f017269cfd3934c6d04a0a31b827eb19ab9edc59ec537789f9a0834fb562e58c4090e06645bbc37dcf19f2868a856b092a35c9fbb8898081b241dab3085aeafb02e9e7a9dc1c0421ce202f0eae04ad2ef900eb4c14016f06f85424a64f7a430a0febf2ea3275a8e8b58b8adc319178463ed6f56fd83cb6034c474bee69ddbe1e4e5ca0c5f150203010001a382016e3082016a301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e041604148d8c5ec454ad8ae177e99bf99b05e1b8018d61e1300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b06010505070302301b0603551d200414301230060604551d20003008060667810c01020130500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f555345525472757374525341416464547275737443412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c0500038202010032bf61bd0e48c34fc7ba474df89c781901dc131d806ffcc370b4529a31339a5752fb319e6ba4ef54aa898d401768f811107cd2cab1f15586c7eeb3369186f63951bf46bf0fa0bab4f77e49c42a36179ee468397aaf944e566fb27b3bbf0a86bdcdc5771c03b838b1a21f5f7edb8adc4648b6680acfb2b5b4e234e467a93866095ed2b8fc9d283a174027c2724e29fd213c7ccf13fb962cc53144fd13edd59ba96968777ceee1ffa4f93638085339a284349c19f3be0eacd52437eb23a878d0d3e7ef924764623922efc6f711be2285c6664424268e10328dc893ae079e833e2fd9f9f5468e63bec1e6b4dca6cd21a8860a95d92e85261afdfcb1b657426d95d133f6391406824138f58f58dc805ba4d57d9578fda79bfffdc5a869ab26e7a7a405875ba9b7b8a3200b97a94585ddb38be589378e290dfc0617f638400e42e41206fb7bf3c6116862dfe398f413d8154f8bb169d91060bc642aea31b7e4b5a33a149b26e30b7bfd028eb699c138975936f6a874a286b65eebc664eacfa0a3f96e9eba2d11b6869808582dc9ac2564f25e75b438c1ae7f5a4683ea51cab6f19911356ba56a7bc600b0e7f8be64b2adc8c2f1ace351eaa493e079c8e18140c90a5be1123cc1602ae397c08942ca94cf46981269bb98d0c2d30d724b476ee593c43228638743e4b0323e0ad34bbf239b1429412b9a041f932df1c739483cad5a127f	Taotaosou.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	Taotaosou.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 5900000001000000160000005200530041002f0053004800410033003800340000004b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa25c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9040000000100000010000000285ec909c4ab0d2d57f5086b225799aa1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c2000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	Taotaosou.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB	Taotaosou.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB\Blob = 03000000010000001400000033e4e80807204c2b6182a3a14b591acd25b5f0db1400000001000000140000008d8c5ec454ad8ae177e99bf99b05e1b8018d61e1040000000100000010000000adab5c4df031fb9299f71ada7e18f6130f00000001000000300000008b612b2190a95b28b866b9be5d0b95f368c17534ab1da61a42dfb32766f9ae2908fe6bfd1669be140eddaf0d33e95235190000000100000010000000fc741b3b78cfb31e075744fe5d0eeb965c000000010000000400000000080000180000000100000010000000ea6089055218053dd01e37e1d806eedf4b0000000100000044000000300037004300450046003200460036003500340045003300450044003600300035003000460046004300390042003600450042003800340034003200350030005f00000020000000010000001706000030820613308203fba00302010202107d5b5126b476ba11db74160bbc530da7300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3138313130323030303030305a170d3330313233313233353935395a30818f310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f726431183016060355040a130f5365637469676f204c696d69746564313730350603550403132e5365637469676f2052534120446f6d61696e2056616c69646174696f6e205365637572652053657276657220434130820122300d06092a864886f70d01010105000382010f003082010a0282010100d67333d6d73c20d000d21745b8d63e07a23fc741ee3230c9b06cfdf49fcb12980f2d3f8d4d010c820f177f622ee9b84879fb16834eadd7322593b707bfb9503fa94cc3402ae939ffd981ca1f163241da8026b9237a87201ee3ff209a3c95446f8775069040b4329316091008233ed2dd870f6f5d51146a0a69c54f017269cfd3934c6d04a0a31b827eb19ab9edc59ec537789f9a0834fb562e58c4090e06645bbc37dcf19f2868a856b092a35c9fbb8898081b241dab3085aeafb02e9e7a9dc1c0421ce202f0eae04ad2ef900eb4c14016f06f85424a64f7a430a0febf2ea3275a8e8b58b8adc319178463ed6f56fd83cb6034c474bee69ddbe1e4e5ca0c5f150203010001a382016e3082016a301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e041604148d8c5ec454ad8ae177e99bf99b05e1b8018d61e1300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b06010505070302301b0603551d200414301230060604551d20003008060667810c01020130500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f555345525472757374525341416464547275737443412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c0500038202010032bf61bd0e48c34fc7ba474df89c781901dc131d806ffcc370b4529a31339a5752fb319e6ba4ef54aa898d401768f811107cd2cab1f15586c7eeb3369186f63951bf46bf0fa0bab4f77e49c42a36179ee468397aaf944e566fb27b3bbf0a86bdcdc5771c03b838b1a21f5f7edb8adc4648b6680acfb2b5b4e234e467a93866095ed2b8fc9d283a174027c2724e29fd213c7ccf13fb962cc53144fd13edd59ba96968777ceee1ffa4f93638085339a284349c19f3be0eacd52437eb23a878d0d3e7ef924764623922efc6f711be2285c6664424268e10328dc893ae079e833e2fd9f9f5468e63bec1e6b4dca6cd21a8860a95d92e85261afdfcb1b657426d95d133f6391406824138f58f58dc805ba4d57d9578fda79bfffdc5a869ab26e7a7a405875ba9b7b8a3200b97a94585ddb38be589378e290dfc0617f638400e42e41206fb7bf3c6116862dfe398f413d8154f8bb169d91060bc642aea31b7e4b5a33a149b26e30b7bfd028eb699c138975936f6a874a286b65eebc664eacfa0a3f96e9eba2d11b6869808582dc9ac2564f25e75b438c1ae7f5a4683ea51cab6f19911356ba56a7bc600b0e7f8be64b2adc8c2f1ace351eaa493e079c8e18140c90a5be1123cc1602ae397c08942ca94cf46981269bb98d0c2d30d724b476ee593c43228638743e4b0323e0ad34bbf239b1429412b9a041f932df1c739483cad5a127f	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Taotaosou.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Taotaosou.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Taotaosou.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe

pid	process
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe

pid process

4536 b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
664
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe

description pid process

Token: SeLoadDriverPrivilege 4536 b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe

description	pid	process
Token: SeLoadDriverPrivilege	4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exeTaotaosou.exe

pid	process
4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

Taotaosou.exe

pid	process
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe
2592	Taotaosou.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Taotaosou.exe

pid process

2592 Taotaosou.exe
2592 Taotaosou.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exeTTKMonitor.execmd.execmd.exenet.execmd.exeregsvr32.exe

description	pid	process	target process
PID 4536 wrote to memory of 3264	4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe	TTKMonitor.exe
PID 4536 wrote to memory of 3264	4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe	TTKMonitor.exe
PID 4536 wrote to memory of 3264	4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe	TTKMonitor.exe
PID 3264 wrote to memory of 3868	3264	TTKMonitor.exe	cmd.exe
PID 3264 wrote to memory of 3868	3264	TTKMonitor.exe	cmd.exe
PID 3264 wrote to memory of 3868	3264	TTKMonitor.exe	cmd.exe
PID 3264 wrote to memory of 2304	3264	TTKMonitor.exe	cmd.exe
PID 3264 wrote to memory of 2304	3264	TTKMonitor.exe	cmd.exe
PID 3264 wrote to memory of 2304	3264	TTKMonitor.exe	cmd.exe
PID 2304 wrote to memory of 3960	2304	cmd.exe	net.exe
PID 3868 wrote to memory of 1520	3868	cmd.exe	sc.exe
PID 2304 wrote to memory of 3960	2304	cmd.exe	net.exe
PID 2304 wrote to memory of 3960	2304	cmd.exe	net.exe
PID 3868 wrote to memory of 1520	3868	cmd.exe	sc.exe
PID 3868 wrote to memory of 1520	3868	cmd.exe	sc.exe
PID 3960 wrote to memory of 228	3960	net.exe	net1.exe
PID 3960 wrote to memory of 228	3960	net.exe	net1.exe
PID 3960 wrote to memory of 228	3960	net.exe	net1.exe
PID 4536 wrote to memory of 5060	4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe	cmd.exe
PID 4536 wrote to memory of 5060	4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe	cmd.exe
PID 4536 wrote to memory of 5060	4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe	cmd.exe
PID 5060 wrote to memory of 1640	5060	cmd.exe	regsvr32.exe
PID 5060 wrote to memory of 1640	5060	cmd.exe	regsvr32.exe
PID 5060 wrote to memory of 1640	5060	cmd.exe	regsvr32.exe
PID 1640 wrote to memory of 4948	1640	regsvr32.exe	regsvr32.exe
PID 1640 wrote to memory of 4948	1640	regsvr32.exe	regsvr32.exe
PID 4536 wrote to memory of 2592	4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe	Taotaosou.exe
PID 4536 wrote to memory of 2592	4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe	Taotaosou.exe
PID 4536 wrote to memory of 2592	4536	b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe	Taotaosou.exe

C:\Users\Admin\AppData\Local\Temp\b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe
"C:\Users\Admin\AppData\Local\Temp\b17a073d50ff31792ad956d2306a22fd069b6b88e669a94cddbf1cfabe9a638f.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4536

C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\TTKMonitor.exe
"C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\TTKMonitor.exe" -install
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3264

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c sc config Schedule start= auto
3⤵
- Suspicious use of WriteProcessMemory
PID:3868

C:\Windows\SysWOW64\sc.exe
sc config Schedule start= auto
4⤵
- Launches sc.exe
PID:1520

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net start Schedule
3⤵
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\SysWOW64\net.exe
net start Schedule
4⤵
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start Schedule
5⤵
PID:228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\TTSRegPlugin.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s .\TTSIEPlugin_64.dll
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\system32\regsvr32.exe
/s .\TTSIEPlugin_64.dll
4⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:4948

C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\Taotaosou.exe
"C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\Taotaosou.exe" -hide
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Taotaosou\np_B00E.dll
Filesize
257KB

MD5
54a5acc1be0617aa2a74d99f26dee5b7

SHA1
6a140a312ab84ccadc9211c9f6363b2ef69e9a4e

SHA256
e7e209ef69ffc503097fa45c5fc4dbd7d1c7f4016400d7feda09d8fb849ac399

SHA512
a89548a303e04eda7cf938299f835f40d8ab1382401debb59aa150650329e467727a0e5cb68c1861e4d7596476a537a4dcc14abb40be8f07a90cf20715e22777

Download Submit
C:\ProgramData\Taotaosou\np_B00E.dll
Filesize
257KB

MD5
54a5acc1be0617aa2a74d99f26dee5b7

SHA1
6a140a312ab84ccadc9211c9f6363b2ef69e9a4e

SHA256
e7e209ef69ffc503097fa45c5fc4dbd7d1c7f4016400d7feda09d8fb849ac399

SHA512
a89548a303e04eda7cf938299f835f40d8ab1382401debb59aa150650329e467727a0e5cb68c1861e4d7596476a537a4dcc14abb40be8f07a90cf20715e22777

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
76e7d5bf61b2e80d159f88aa9798ce91

SHA1
32a46de50c9c02b068e39cf49b78c7e2d5ace20d

SHA256
280fd6ae3ad21323199759814c4dd82329eb8f9847ed1fa2be145e83b4c88bf3

SHA512
5efd8c64ac40ae006d2ce4509eb9e5f1448fb1156e914d303e8bc4dcfe1d94c57c7eae216b362877e7b644876656cc9e5c4cebfc905bab3f8b09cb1a051d69c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
916c512d221c683beeea9d5cb311b0b0

SHA1
bf0db4b1c4566275b629efb095b6ff8857b5748e

SHA256
64a36c1637d0a111152002a2c0385b0df9dd81b616b3f2073fbbe3f2975aa4d8

SHA512
af32cffea722438e9b17b08062dc2e209edc5417418964ead0b392bd502e1a647a8456b2ee2ea59faf69f93d0c6ea6f15949b6c30924db7da65b91cb18e8dc6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
9ea3168c5e1971c6d2e13737b66823dc

SHA1
09a9ec1fa9bcb58eff8178041bdcf788933457f8

SHA256
9a2677712e4283b70b8da161ba8da67e4ad203644520b4dbc31985794757c7a4

SHA512
ab2861b5dfbf498c4a213ff4e9b41464e566681e82300d655e7df62922f7fcb679e39382869205cdefc4606e37f88b36ad5928a736ec2421e8f9a4f5096b79ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
f80f1b6375d6088fe33a48c9e9d0abfe

SHA1
fca20e26f7615292384e5662090f24b0910bd56a

SHA256
50aa6663c5645f7c32532da200bd0f7c6a2a8055722e5b879ddabe446af058cc

SHA512
f919240c421f4cf1e2aa6ccafc4827422c1dbb97b3bbc4011ad724f559320630df783f71a317aa64ef2bf8e63ce3113e687800d174f31daa7337ac2e7782732e

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\DuiLib.dll
Filesize
657KB

MD5
f5faa33d352cad3924bfb21a2651164c

SHA1
3882ffdcc6f65f2c13f4c134aab36ebc2517e828

SHA256
aa9a870309be5d09f928d0e3212bd931a8ea9eb9ca497e71b61907823f84738d

SHA512
6ffe1e20f53e90f7724813fbc4ef2167750bf9f396a8254114e31d1b823afda5a3014756686a414a8f0e8add23089aa87001f7d335bbac4a5b17f323dd030db8

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\DuiLib.dll
Filesize
657KB

MD5
f5faa33d352cad3924bfb21a2651164c

SHA1
3882ffdcc6f65f2c13f4c134aab36ebc2517e828

SHA256
aa9a870309be5d09f928d0e3212bd931a8ea9eb9ca497e71b61907823f84738d

SHA512
6ffe1e20f53e90f7724813fbc4ef2167750bf9f396a8254114e31d1b823afda5a3014756686a414a8f0e8add23089aa87001f7d335bbac4a5b17f323dd030db8

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\TTKInsAssistant.dll
Filesize
621KB

MD5
c68566b6f729889bf9b22888c7f89ce3

SHA1
33c8142f0ab44582709ca742fc57ff02d478ce12

SHA256
158d515290963217563e5e7b3e8a40234f092e7d73669c9a5860b5820454b1e4

SHA512
2bb2cfe77230fad449b7273296abc37d394ac45bc6cd7f4bce319b45cf58e4ba6d1dd168f9b81de7f08b53e243e4ba46e85fe022b0d1f8556b2ceb520f49a5b1

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\TTKInsAssistant.dll
Filesize
621KB

MD5
c68566b6f729889bf9b22888c7f89ce3

SHA1
33c8142f0ab44582709ca742fc57ff02d478ce12

SHA256
158d515290963217563e5e7b3e8a40234f092e7d73669c9a5860b5820454b1e4

SHA512
2bb2cfe77230fad449b7273296abc37d394ac45bc6cd7f4bce319b45cf58e4ba6d1dd168f9b81de7f08b53e243e4ba46e85fe022b0d1f8556b2ceb520f49a5b1

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\TTKMonitor.exe
Filesize
277KB

MD5
6ff1f83809eed307b46a51add9c26cc4

SHA1
83ccafc476c346a28b91091cdb418a42590db9ac

SHA256
49f658f6817b4a77c36f71cec7236c5a585ccc0d8ecb4c2f236b1ad832884b33

SHA512
3ba49c36a2b46dd7cddf31a3b23565a565b77174e919bac661b5783c070ab112dea6459fd10f8073e79dbd460fd0a6243818ede02843b7e8fbdcad73fc7a7989

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\TTKMonitor.exe
Filesize
277KB

MD5
6ff1f83809eed307b46a51add9c26cc4

SHA1
83ccafc476c346a28b91091cdb418a42590db9ac

SHA256
49f658f6817b4a77c36f71cec7236c5a585ccc0d8ecb4c2f236b1ad832884b33

SHA512
3ba49c36a2b46dd7cddf31a3b23565a565b77174e919bac661b5783c070ab112dea6459fd10f8073e79dbd460fd0a6243818ede02843b7e8fbdcad73fc7a7989

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\TTSIEPlugin.dll
Filesize
127KB

MD5
d36425318197995f22a00598651de36e

SHA1
0b1633574936eef6f649298f9b30f314d7098d95

SHA256
68c6d6d9ec45f40e60e2748abc29710e50f07afd17b26bec60a417c79cd77dd9

SHA512
a163a0f5498c1b9b95084d661b0fc29efb98174c2a79493c26301e20d176c2c2e50373a91c59c7548fce3da2ec21ae544a665e0309f1de8089381596497a31f1

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\TTSIEPlugin_64.dll
Filesize
156KB

MD5
6b22a25f0f03812e944ab5338007e3b5

SHA1
4ede4eca8a9238ea8d33ec73390b47dd9a2b99c0

SHA256
0687411f0c01e4738210a6e31e34f46b81ec5acfd5aa910de15ff7b8bfa98bcd

SHA512
6273b525d69c604dd5bc42e70b2dd3f0b33e0a86c97d7917076afc83dcd4b27ffc0f5e692722332ed76757c8f68e5eaea61d9594ce0ed6dfccdc87a46cd25c49

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\TTSIEPlugin_64.dll
Filesize
156KB

MD5
6b22a25f0f03812e944ab5338007e3b5

SHA1
4ede4eca8a9238ea8d33ec73390b47dd9a2b99c0

SHA256
0687411f0c01e4738210a6e31e34f46b81ec5acfd5aa910de15ff7b8bfa98bcd

SHA512
6273b525d69c604dd5bc42e70b2dd3f0b33e0a86c97d7917076afc83dcd4b27ffc0f5e692722332ed76757c8f68e5eaea61d9594ce0ed6dfccdc87a46cd25c49

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\TTSIEPlugin_64.dll
Filesize
156KB

MD5
6b22a25f0f03812e944ab5338007e3b5

SHA1
4ede4eca8a9238ea8d33ec73390b47dd9a2b99c0

SHA256
0687411f0c01e4738210a6e31e34f46b81ec5acfd5aa910de15ff7b8bfa98bcd

SHA512
6273b525d69c604dd5bc42e70b2dd3f0b33e0a86c97d7917076afc83dcd4b27ffc0f5e692722332ed76757c8f68e5eaea61d9594ce0ed6dfccdc87a46cd25c49

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\TTSIEPlugin_64.dll
Filesize
156KB

MD5
6b22a25f0f03812e944ab5338007e3b5

SHA1
4ede4eca8a9238ea8d33ec73390b47dd9a2b99c0

SHA256
0687411f0c01e4738210a6e31e34f46b81ec5acfd5aa910de15ff7b8bfa98bcd

SHA512
6273b525d69c604dd5bc42e70b2dd3f0b33e0a86c97d7917076afc83dcd4b27ffc0f5e692722332ed76757c8f68e5eaea61d9594ce0ed6dfccdc87a46cd25c49

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\TTSRegPlugin.bat
Filesize
73B

MD5
c7e8d764bb3afd9d90122c1e67ab04ad

SHA1
4992549ce2c208c804a0b053b798b07dd5e102a1

SHA256
92d0cfb9d06cd867d169f4b9f9eb9ccf82ef7d72605a5066e4c2415b667254a8

SHA512
89fcc9989ad422b3bb7be906c19a8b42ccddc842def42075aba53203564eaef6ea991162a78f264b819c881927ad4dbbf1b6cf69ca9e2e67d729b0a039ddf08e

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\TaoTaoSou.exe
Filesize
839KB

MD5
fdb9d332c4c1e92f7cff5a6ea542588f

SHA1
5715ec412bbb6bd8de8c91c5f6b8920b57bb9f76

SHA256
e876de5946effbf26a0aef74619d8a57a655d0a81b5379cc2ff4b418057b5e00

SHA512
b4ee5bc94dab7bf543c0715557fbaf0f69670b15ee14d6032dcb15b433ae4d31aa0fc21557c959eca7bb845574e8b7964f6ef8b8a43715bc4ca07099d577dffd

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\Taotaosou.exe
Filesize
839KB

MD5
fdb9d332c4c1e92f7cff5a6ea542588f

SHA1
5715ec412bbb6bd8de8c91c5f6b8920b57bb9f76

SHA256
e876de5946effbf26a0aef74619d8a57a655d0a81b5379cc2ff4b418057b5e00

SHA512
b4ee5bc94dab7bf543c0715557fbaf0f69670b15ee14d6032dcb15b433ae4d31aa0fc21557c959eca7bb845574e8b7964f6ef8b8a43715bc4ca07099d577dffd

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\dump.dll
Filesize
85KB

MD5
007698d9872587d32488fd233b2d4bd6

SHA1
407c60dc6fdf27c93e4deeeef31c723b4e2d1837

SHA256
1ecdb83690fe6afc86b746718ec1924d7dbdfef7a0234ce3bf7f614466fb63da

SHA512
bc04b27b5e49caa1bc058c5c78adcaad15bc715261df6e3026bd56dd1969819d5107c7d753d17da1fc510bc4fa3c7fdd2d87640799fad48d83f71a2a6f54d10b

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\dump.dll
Filesize
85KB

MD5
007698d9872587d32488fd233b2d4bd6

SHA1
407c60dc6fdf27c93e4deeeef31c723b4e2d1837

SHA256
1ecdb83690fe6afc86b746718ec1924d7dbdfef7a0234ce3bf7f614466fb63da

SHA512
bc04b27b5e49caa1bc058c5c78adcaad15bc715261df6e3026bd56dd1969819d5107c7d753d17da1fc510bc4fa3c7fdd2d87640799fad48d83f71a2a6f54d10b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\FindProcDLL.dll
Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\FindProcDLL.dll
Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\FindProcDLL.dll
Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\FindProcDLL.dll
Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\FindProcDLL.dll
Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\FindProcDLL.dll
Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\FindProcDLL.dll
Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\FindProcDLL.dll
Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\FindProcDLL.dll
Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\FindProcDLL.dll
Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\FindProcDLL.dll
Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\FindProcDLL.dll
Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\FindProcDLL.dll
Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\FindProcDLL.dll
Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\FindProcDLL.dll
Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\FindProcDLL.dll
Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\FindProcDLL.dll
Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\FindProcDLL.dll
Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\FindProcDLL.dll
Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\FindProcDLL.dll
Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\FindProcDLL.dll
Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\FindProcDLL.dll
Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\FindProcDLL.dll
Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\FindProcDLL.dll
Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\FindProcDLL.dll
Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\FindProcDLL.dll
Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\Internet.dll
Filesize
4KB

MD5
78d026611a970fe14e983a6b9490ea34

SHA1
cbf63f3aade515f3fc3fbbcc4e12913f1a472d49

SHA256
96100f4ba9563ced97add567f4461541cbe9a085ab5276754bee38dc060a6867

SHA512
efbb6bcca88dae073babac2dcf1ad8444c209792cd82820a00483fa365cb899f4979ca29d6ca22de4b975eae2dab8e736a83bc574265925cafcdcfae9cb7915f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\Internet.dll
Filesize
4KB

MD5
78d026611a970fe14e983a6b9490ea34

SHA1
cbf63f3aade515f3fc3fbbcc4e12913f1a472d49

SHA256
96100f4ba9563ced97add567f4461541cbe9a085ab5276754bee38dc060a6867

SHA512
efbb6bcca88dae073babac2dcf1ad8444c209792cd82820a00483fa365cb899f4979ca29d6ca22de4b975eae2dab8e736a83bc574265925cafcdcfae9cb7915f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\Internet.dll
Filesize
4KB

MD5
78d026611a970fe14e983a6b9490ea34

SHA1
cbf63f3aade515f3fc3fbbcc4e12913f1a472d49

SHA256
96100f4ba9563ced97add567f4461541cbe9a085ab5276754bee38dc060a6867

SHA512
efbb6bcca88dae073babac2dcf1ad8444c209792cd82820a00483fa365cb899f4979ca29d6ca22de4b975eae2dab8e736a83bc574265925cafcdcfae9cb7915f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\Internet.dll
Filesize
4KB

MD5
78d026611a970fe14e983a6b9490ea34

SHA1
cbf63f3aade515f3fc3fbbcc4e12913f1a472d49

SHA256
96100f4ba9563ced97add567f4461541cbe9a085ab5276754bee38dc060a6867

SHA512
efbb6bcca88dae073babac2dcf1ad8444c209792cd82820a00483fa365cb899f4979ca29d6ca22de4b975eae2dab8e736a83bc574265925cafcdcfae9cb7915f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\TTKInsAssistant.dll
Filesize
621KB

MD5
c68566b6f729889bf9b22888c7f89ce3

SHA1
33c8142f0ab44582709ca742fc57ff02d478ce12

SHA256
158d515290963217563e5e7b3e8a40234f092e7d73669c9a5860b5820454b1e4

SHA512
2bb2cfe77230fad449b7273296abc37d394ac45bc6cd7f4bce319b45cf58e4ba6d1dd168f9b81de7f08b53e243e4ba46e85fe022b0d1f8556b2ceb520f49a5b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\TTKInsAssistant.dll
Filesize
621KB

MD5
c68566b6f729889bf9b22888c7f89ce3

SHA1
33c8142f0ab44582709ca742fc57ff02d478ce12

SHA256
158d515290963217563e5e7b3e8a40234f092e7d73669c9a5860b5820454b1e4

SHA512
2bb2cfe77230fad449b7273296abc37d394ac45bc6cd7f4bce319b45cf58e4ba6d1dd168f9b81de7f08b53e243e4ba46e85fe022b0d1f8556b2ceb520f49a5b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\md5dll.dll
Filesize
6KB

MD5
62d8907081163ac876b635b034fcac80

SHA1
242741234ae35d02a6ab2aacbbe50a34985537e3

SHA256
eb55c822401ae1f5b1db987583e2abc4fe149a3d4b1564b1335ebd39c863f0d0

SHA512
b6e1bc57ad58489c82c59ddf7030d3a42fd44db3d569d4101bc2dc27835323a4b2517403682755bd086dba9d83aa84a45f81ca8388755890c8b4cafab6f67a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\md5dll.dll
Filesize
6KB

MD5
62d8907081163ac876b635b034fcac80

SHA1
242741234ae35d02a6ab2aacbbe50a34985537e3

SHA256
eb55c822401ae1f5b1db987583e2abc4fe149a3d4b1564b1335ebd39c863f0d0

SHA512
b6e1bc57ad58489c82c59ddf7030d3a42fd44db3d569d4101bc2dc27835323a4b2517403682755bd086dba9d83aa84a45f81ca8388755890c8b4cafab6f67a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskAE48.tmp\npextins.dll
Filesize
70KB

MD5
d9971356808fc02ef7f17206190e36a3

SHA1
27553ecbc8be301166072492cd6ba913b8fc6534

SHA256
2dc31ca030b5d3b32db8de2de96c57888be40e2bb565eaed8451f34c53878323

SHA512
d602b409889f83706743cf46d37de6f8fc89bcb43c6007d50c17274e9dc6aac6fb2e88cd2220651b7119c5a21ac6e04b699f5599fcb69376406ac5aec1049080

Download Submit
C:\Users\Admin\AppData\Roaming\TaoTaoSou\TTSConfig.ini
Filesize
47B

MD5
c2556b6a2af9fa93cb3907a56bf3989b

SHA1
279bc1981affae70a0068874af8db168dba14f92

SHA256
38e815c83581dad4fd58c41deb56143b64eb0a63c7ca35251d10280c665d6157

SHA512
d6688b3ed6d28eb56a0598851536a64e6c41541a03b8f091f2d4560a5a1fec1d6913638a49ff0a9fadda482744211979fe14bf20e83e3f8bd1350409d120d266

Download Submit
C:\Users\Admin\AppData\Roaming\TaoTaoSou\hlog
Filesize
448B

MD5
1c83108b5c8d0f08e18742c90764fc2c

SHA1
b6426eaa324744632404104a1157c2252a10ac09

SHA256
b95aa1605a1b25e702605019f03c686e192e1100a4c8a0842619bdcc50fc468f

SHA512
b94546aec99cc07814a5488b995b0abd70593f84ace2bc6ca7550b6e648b6519ca13d9611417881747996c348004cb5d484ff86ee0f71be19d038a808400740a

Download Submit
C:\Users\Admin\AppData\Roaming\Taotaosou\ttsusign
Filesize
32B

MD5
f5010361c1a8212bcdfa1a76ff515b26

SHA1
7c75a421490f74d00104349ea102e5c47af53ed9

SHA256
2de2889588be137980bd482d5c07d11bb33881e7bb6c584dab01b11761d07dfa

SHA512
a7a0439a0815b65c0565923f5eea10800d6aa85aa77504bc462187144e2ab9b19c8f3c3af714600dd6bafebbf57a37e5afbf5db720c5bd86dce0b8742c2c26fb

Download Submit
memory/228-184-0x0000000000000000-mapping.dmp

Download
memory/1520-183-0x0000000000000000-mapping.dmp

Download
memory/1640-192-0x0000000000000000-mapping.dmp

Download
memory/2304-181-0x0000000000000000-mapping.dmp

Download
memory/2592-204-0x0000000000000000-mapping.dmp

Download
memory/3264-177-0x0000000000000000-mapping.dmp

Download
memory/3868-180-0x0000000000000000-mapping.dmp

Download
memory/3960-182-0x0000000000000000-mapping.dmp

Download
memory/4536-140-0x0000000002420000-0x000000000242B000-memory.dmp

Filesize
44KB

Download
memory/4536-135-0x00000000030B0000-0x0000000003151000-memory.dmp

Filesize
644KB

Download
memory/4948-196-0x0000000000000000-mapping.dmp

Download
memory/5060-188-0x0000000000000000-mapping.dmp

Download