051a80a2a82dd18faa9d0738c5403f3f0dbd0926e0525a445596cc6ef2d7d754

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe
Size

3.6MB
MD5

fb71a9372f7195356b87f195e68b534a
SHA1

08f7a9fa06a9cde87f38dff3aa8b57efed5a1099
SHA256

051a80a2a82dd18faa9d0738c5403f3f0dbd0926e0525a445596cc6ef2d7d754
SHA512

906e0b239b6de7a3f7ef9118355793dd342853501109b9328ccb284f9142c69f4081671795b3b80eff894b550b26e6bb6a0731134bbcfb0cc9d9a75d78ea36ce
SSDEEP

98304:KcXMbp8CtkFM8zRi8FSP4xnKjhFyikOfDiV7mR/eht2:RcTkeWim045ygiFfDK2/Et2

Score

8^/10

bootkit evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

1100 netsh.exe
1788 netsh.exe
Executes dropped EXE 6 IoCs

Processes:

TXSSOSetup.exeTencentdl.exeQQVipDownloader.exeInstTXSSO.exetencentdl.exetencentdl.exe

pid process

2120 TXSSOSetup.exe
2736 Tencentdl.exe
2436 QQVipDownloader.exe
2488 InstTXSSO.exe
2348 tencentdl.exe
864 tencentdl.exe

pid	process
1100	netsh.exe
1788	netsh.exe

pid	process
2120	TXSSOSetup.exe
2736	Tencentdl.exe
2436	QQVipDownloader.exe
2488	InstTXSSO.exe
2348	tencentdl.exe
864	tencentdl.exe

Loads dropped DLL 58 IoCs

Processes:

fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exeTXSSOSetup.exeQQVipDownloader.exeInstTXSSO.exeTencentdl.exeregsvr32.exeregsvr32.exeregsvr32.exetencentdl.exeregsvr32.exetencentdl.exe

pid	process
2756	fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe
2120	TXSSOSetup.exe
2120	TXSSOSetup.exe
2120	TXSSOSetup.exe
2756	fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe
2120	TXSSOSetup.exe
2756	fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe
2756	fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe
2120	TXSSOSetup.exe
2436	QQVipDownloader.exe
2488	InstTXSSO.exe
2488	InstTXSSO.exe
2736	Tencentdl.exe
2736	Tencentdl.exe
2736	Tencentdl.exe
2736	Tencentdl.exe
2736	Tencentdl.exe
2736	Tencentdl.exe
2736	Tencentdl.exe
2736	Tencentdl.exe
2436	QQVipDownloader.exe
2436	QQVipDownloader.exe
2488	InstTXSSO.exe
2488	InstTXSSO.exe
2488	InstTXSSO.exe
2488	InstTXSSO.exe
2736	Tencentdl.exe
2076	regsvr32.exe
400	regsvr32.exe
2012	regsvr32.exe
2076	regsvr32.exe
400	regsvr32.exe
2436	QQVipDownloader.exe
2436	QQVipDownloader.exe
2436	QQVipDownloader.exe
2436	QQVipDownloader.exe
2436	QQVipDownloader.exe
2436	QQVipDownloader.exe
2436	QQVipDownloader.exe
2348	tencentdl.exe
2348	tencentdl.exe
1508	regsvr32.exe
2348	tencentdl.exe
2348	tencentdl.exe
2348	tencentdl.exe
2348	tencentdl.exe
2348	tencentdl.exe
2348	tencentdl.exe
864	tencentdl.exe
864	tencentdl.exe
864	tencentdl.exe
864	tencentdl.exe
2436	QQVipDownloader.exe
2436	QQVipDownloader.exe
2436	QQVipDownloader.exe
2436	QQVipDownloader.exe
2436	QQVipDownloader.exe
864	tencentdl.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

tencentdl.exetencentdl.exeQQVipDownloader.exeTencentdl.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	tencentdl.exe
File opened for modification	\??\PhysicalDrive0	tencentdl.exe
File opened for modification	\??\PhysicalDrive0	QQVipDownloader.exe
File opened for modification	\??\PhysicalDrive0	Tencentdl.exe

Drops file in Program Files directory 23 IoCs

Processes:

Tencentdl.exeInstTXSSO.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Tencent\QQDownload\127\dlcore.dll	Tencentdl.exe
File created	C:\Program Files (x86)\Common Files\Tencent\QQDownload\127\DownloadProxyPS.dll	Tencentdl.exe
File created	C:\Program Files (x86)\Common Files\Tencent\QQDownload\127\bugreport_xf.exe	Tencentdl.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\bin\SSOLUIControl.dll	InstTXSSO.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\I18N\SSOConfig.xml	InstTXSSO.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\I18N\2052\PGFStringBundle.xml	InstTXSSO.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\Bin\SSOCommon.dll	InstTXSSO.exe
File created	C:\Program Files (x86)\Common Files\Tencent\QQDownload\127\tnproxy.dll	Tencentdl.exe
File created	C:\Program Files (x86)\Common Files\Tencent\QQDownload\127\InstallInfo.xml	Tencentdl.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\bin\SSOPlatform.dll	InstTXSSO.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\Bin\npSSOAxCtrlForPTLogin.dll	InstTXSSO.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\Bin\SSOLUIControl.dll	InstTXSSO.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\I18N\2052\PGFStringBundle.xml	InstTXSSO.exe
File created	C:\Program Files (x86)\Common Files\Tencent\QQDownload\127\dlcore.dll	Tencentdl.exe
File created	C:\Program Files (x86)\Common Files\Tencent\QQDownload\127\Tencentdl.exe	Tencentdl.exe
File created	C:\Program Files (x86)\Common Files\Tencent\QQDownload\127\tinyxml.dll	Tencentdl.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\bin\npSSOAxCtrlForPTLogin.dll	InstTXSSO.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\bin\SSOCommon.dll	InstTXSSO.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\I18N\2052\SSOStringBundle.xml	InstTXSSO.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\I18N\SSOConfig.xml	InstTXSSO.exe
File created	C:\Program Files (x86)\Common Files\Tencent\QQDownload\127\extract.dll	Tencentdl.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\Bin\SSOPlatform.dll	InstTXSSO.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\I18N\2052\SSOStringBundle.xml	InstTXSSO.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

regsvr32.exetencentdl.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B9E49847-9822-4139-BC55-7173ED1ADA11}\ = "PSFactoryBuffer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}	tencentdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{29A32150-EA24-42C2-882E-879152560C1E}\2.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{40DBB647-8BFF-49E1-9F4A-F597C24ADA73}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D57D439-62AF-4EB4-A58F-9F0963A3364C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EAAED308-7322-4b9b-965E-171933ADD473}\AppID = "{A956F47E-83F6-4F72-92EE-679C8687CD19}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCE82D4D-D85A-473B-8E9A-A93D89EDAD72}\TypeLib\ = "{251DA1A7-5700-41FC-8129-9099B4B7E4D3}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\TypeLib\ = "{29A32150-EA24-42C2-882E-879152560C1E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{251DA1A7-5700-41FC-8129-9099B4B7E4D3}\1.0\ = "TXSSO Common 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CFE8D35-D272-4979-9E36-EA55D898D340}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F2A89253-E5E7-426E-8D54-22360114ACA3}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B855B42B-1121-4354-9483-86B614838220}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D57D439-62AF-4EB4-A58F-9F0963A3364C}\ = "ISSOForPTLogin3"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A6C2A84-5EFB-4DA0-9E79-3CD6709CE692}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{40DBB647-8BFF-49E1-9F4A-F597C24ADA73}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A6C2A84-5EFB-4DA0-9E79-3CD6709CE692}\TypeLib\ = "{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib\Version = "1.0"	tencentdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SSOLUIControl.SSOLUICtrl.1\CLSID\ = "{83335675-FCF0-45CE-A9E6-38C150EFBE63}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B855B42B-1121-4354-9483-86B614838220}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B3F1E3D0-0A3B-4808-9EE1-061508686CF9}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A6C2A84-5EFB-4DA0-9E79-3CD6709CE692}\ = "ISSOLUICtrl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CFE8D35-D272-4979-9E36-EA55D898D340}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C4814377-19D4-48FE-B913-28E24A96AE08}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{40DBB647-8BFF-49E1-9F4A-F597C24ADA73}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}	tencentdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\TypeLib\ = "{251DA1A7-5700-41FC-8129-9099B4B7E4D3}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib\ = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"	tencentdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9CFE8D35-D272-4979-9E36-EA55D898D340}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B3F1E3D0-0A3B-4808-9EE1-061508686CF9}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F2A89253-E5E7-426E-8D54-22360114ACA3}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D57D439-62AF-4EB4-A58F-9F0963A3364C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader\CLSID\ = "{70DE12EA-79F4-46bc-9812-86DB50A2FD64}"	tencentdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EAAED308-7322-4b9b-965E-171933ADD473}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C4814377-19D4-48FE-B913-28E24A96AE08}\TypeLib\ = "{251DA1A7-5700-41FC-8129-9099B4B7E4D3}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B9E49847-9822-4139-BC55-7173ED1ADA11}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9CFE8D35-D272-4979-9E36-EA55D898D340}\ = "ITXSSOBuffer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F2A89253-E5E7-426E-8D54-22360114ACA3}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SSOLUIControl.SSOLUICtrl\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\VersionIndependentProgID\ = "SSOLUIControl.SSOLUICtrl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B9E49847-9822-4139-BC55-7173ED1ADA11}\NumMethods\ = "4"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{29A32150-EA24-42C2-882E-879152560C1E}\2.0\ = "SSOAxCtrlForPTLogin 2.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F2A89253-E5E7-426E-8D54-22360114ACA3}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\ = "ITXSSOArrayRead"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F2A89253-E5E7-426E-8D54-22360114ACA3}\TypeLib\ = "{29A32150-EA24-42C2-882E-879152560C1E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E78160D-6983-44A7-9F21-21C7F1C104F5}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{251DA1A7-5700-41FC-8129-9099B4B7E4D3}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ = "IDownloader_2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib\Version = "1.0"	tencentdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{29A32150-EA24-42C2-882E-879152560C1E}\2.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EAAED308-7322-4b9b-965E-171933ADD473}\InprocServer32	regsvr32.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

QQVipDownloader.exetencentdl.exe

pid process

2436 QQVipDownloader.exe
2436 QQVipDownloader.exe
2436 QQVipDownloader.exe
864 tencentdl.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

QQVipDownloader.exe

pid process

2436 QQVipDownloader.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

QQVipDownloader.exe

pid process

2436 QQVipDownloader.exe
2436 QQVipDownloader.exe

pid	process
2436	QQVipDownloader.exe
2436	QQVipDownloader.exe
2436	QQVipDownloader.exe
864	tencentdl.exe

pid	process
2436	QQVipDownloader.exe

pid	process
2436	QQVipDownloader.exe
2436	QQVipDownloader.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exeTXSSOSetup.exeInstTXSSO.exeTencentdl.exetencentdl.exe

description	pid	process	target process
PID 2756 wrote to memory of 2120	2756	fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe	TXSSOSetup.exe
PID 2756 wrote to memory of 2120	2756	fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe	TXSSOSetup.exe
PID 2756 wrote to memory of 2120	2756	fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe	TXSSOSetup.exe
PID 2756 wrote to memory of 2120	2756	fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe	TXSSOSetup.exe
PID 2756 wrote to memory of 2120	2756	fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe	TXSSOSetup.exe
PID 2756 wrote to memory of 2120	2756	fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe	TXSSOSetup.exe
PID 2756 wrote to memory of 2120	2756	fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe	TXSSOSetup.exe
PID 2756 wrote to memory of 2736	2756	fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe	Tencentdl.exe
PID 2756 wrote to memory of 2736	2756	fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe	Tencentdl.exe
PID 2756 wrote to memory of 2736	2756	fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe	Tencentdl.exe
PID 2756 wrote to memory of 2736	2756	fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe	Tencentdl.exe
PID 2756 wrote to memory of 2436	2756	fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe	QQVipDownloader.exe
PID 2756 wrote to memory of 2436	2756	fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe	QQVipDownloader.exe
PID 2756 wrote to memory of 2436	2756	fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe	QQVipDownloader.exe
PID 2756 wrote to memory of 2436	2756	fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe	QQVipDownloader.exe
PID 2120 wrote to memory of 2488	2120	TXSSOSetup.exe	InstTXSSO.exe
PID 2120 wrote to memory of 2488	2120	TXSSOSetup.exe	InstTXSSO.exe
PID 2120 wrote to memory of 2488	2120	TXSSOSetup.exe	InstTXSSO.exe
PID 2120 wrote to memory of 2488	2120	TXSSOSetup.exe	InstTXSSO.exe
PID 2120 wrote to memory of 2488	2120	TXSSOSetup.exe	InstTXSSO.exe
PID 2120 wrote to memory of 2488	2120	TXSSOSetup.exe	InstTXSSO.exe
PID 2120 wrote to memory of 2488	2120	TXSSOSetup.exe	InstTXSSO.exe
PID 2488 wrote to memory of 2012	2488	InstTXSSO.exe	regsvr32.exe
PID 2488 wrote to memory of 2012	2488	InstTXSSO.exe	regsvr32.exe
PID 2488 wrote to memory of 2012	2488	InstTXSSO.exe	regsvr32.exe
PID 2488 wrote to memory of 2012	2488	InstTXSSO.exe	regsvr32.exe
PID 2488 wrote to memory of 2012	2488	InstTXSSO.exe	regsvr32.exe
PID 2488 wrote to memory of 2012	2488	InstTXSSO.exe	regsvr32.exe
PID 2488 wrote to memory of 2012	2488	InstTXSSO.exe	regsvr32.exe
PID 2488 wrote to memory of 400	2488	InstTXSSO.exe	regsvr32.exe
PID 2488 wrote to memory of 400	2488	InstTXSSO.exe	regsvr32.exe
PID 2488 wrote to memory of 400	2488	InstTXSSO.exe	regsvr32.exe
PID 2488 wrote to memory of 400	2488	InstTXSSO.exe	regsvr32.exe
PID 2488 wrote to memory of 400	2488	InstTXSSO.exe	regsvr32.exe
PID 2488 wrote to memory of 400	2488	InstTXSSO.exe	regsvr32.exe
PID 2488 wrote to memory of 400	2488	InstTXSSO.exe	regsvr32.exe
PID 2488 wrote to memory of 2076	2488	InstTXSSO.exe	regsvr32.exe
PID 2488 wrote to memory of 2076	2488	InstTXSSO.exe	regsvr32.exe
PID 2488 wrote to memory of 2076	2488	InstTXSSO.exe	regsvr32.exe
PID 2488 wrote to memory of 2076	2488	InstTXSSO.exe	regsvr32.exe
PID 2488 wrote to memory of 2076	2488	InstTXSSO.exe	regsvr32.exe
PID 2488 wrote to memory of 2076	2488	InstTXSSO.exe	regsvr32.exe
PID 2488 wrote to memory of 2076	2488	InstTXSSO.exe	regsvr32.exe
PID 2736 wrote to memory of 2348	2736	Tencentdl.exe	tencentdl.exe
PID 2736 wrote to memory of 2348	2736	Tencentdl.exe	tencentdl.exe
PID 2736 wrote to memory of 2348	2736	Tencentdl.exe	tencentdl.exe
PID 2736 wrote to memory of 2348	2736	Tencentdl.exe	tencentdl.exe
PID 2348 wrote to memory of 1100	2348	tencentdl.exe	netsh.exe
PID 2348 wrote to memory of 1100	2348	tencentdl.exe	netsh.exe
PID 2348 wrote to memory of 1100	2348	tencentdl.exe	netsh.exe
PID 2348 wrote to memory of 1100	2348	tencentdl.exe	netsh.exe
PID 2348 wrote to memory of 1788	2348	tencentdl.exe	netsh.exe
PID 2348 wrote to memory of 1788	2348	tencentdl.exe	netsh.exe
PID 2348 wrote to memory of 1788	2348	tencentdl.exe	netsh.exe
PID 2348 wrote to memory of 1788	2348	tencentdl.exe	netsh.exe
PID 2348 wrote to memory of 1508	2348	tencentdl.exe	regsvr32.exe
PID 2348 wrote to memory of 1508	2348	tencentdl.exe	regsvr32.exe
PID 2348 wrote to memory of 1508	2348	tencentdl.exe	regsvr32.exe
PID 2348 wrote to memory of 1508	2348	tencentdl.exe	regsvr32.exe
PID 2348 wrote to memory of 1508	2348	tencentdl.exe	regsvr32.exe
PID 2348 wrote to memory of 1508	2348	tencentdl.exe	regsvr32.exe
PID 2348 wrote to memory of 1508	2348	tencentdl.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756

C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\TXSSOSetup.exe
"C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\TXSSOSetup.exe" -DIR="C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120

C:\Users\Admin\AppData\Local\Temp\TXSSO\InstTXSSO.exe
"C:\Users\Admin\AppData\Local\Temp\TXSSO\InstTXSSO.exe" "C:\Users\Admin\AppData\Local\Temp\TXSSO\TXSSO" "C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\Bin\\SSOCommon.dll"
4⤵
- Loads dropped DLL
- Modifies registry class
PID:2012

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\Bin\\npSSOAxCtrlForPTLogin.dll"
4⤵
- Loads dropped DLL
- Modifies registry class
PID:400

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\Bin\\SSOLUIControl.dll"
4⤵
- Loads dropped DLL
- Modifies registry class
PID:2076

C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\Tencentdl.exe
"C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\Tencentdl.exe" /Install
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2736

C:\program files (x86)\common files\tencent\qqdownload\127\tencentdl.exe
"C:\program files (x86)\common files\tencent\qqdownload\127\tencentdl.exe" /RegServer
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="腾讯产品下载组件" dir=in program="C:\program files (x86)\common files\tencent\qqdownload\127\tencentdl.exe" description="C:\program files (x86)\common files\tencent\qqdownload\127\tencentdl.exe" action=allow
4⤵
- Modifies Windows Firewall
PID:1100

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="腾讯产品下载组件Crash上报" dir=in program="C:\program files (x86)\common files\tencent\qqdownload\127\bugreport_xf.exe" description="C:\program files (x86)\common files\tencent\qqdownload\127\bugreport_xf.exe" action=allow
4⤵
- Modifies Windows Firewall
PID:1788

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\program files (x86)\common files\tencent\qqdownload\127\DownloadProxyPS.dll"
4⤵
- Loads dropped DLL
- Modifies registry class
PID:1508

C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\QQVipDownloader.exe
"C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\QQVipDownloader.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2436

C:\program files (x86)\common files\tencent\qqdownload\127\tencentdl.exe
"C:\program files (x86)\common files\tencent\qqdownload\127\tencentdl.exe" -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
PID:864

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\bin\npSSOAxCtrlForPTLogin.dll
Filesize
194KB

MD5
6aaafff9946c2fca0f74a45497c781f5

SHA1
aab0557e83ed54b956ffd159e1f76a5abeca9ef6

SHA256
9bdf42d867153622be14a65d7e56de0dde2f6e8c3ca693e0e50b65cd2756ef23

SHA512
171282874f5f08ae72ed84425be6bc2b099470d76f52f2059891746f853dcfc7f6e1f973b6ba13b063e4309839ec6674431fd09bb8f72dbed44fccd8cc96395b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\QQVipDownloader.exe
Filesize
1023KB

MD5
65dbfaf76be7baf0369e1a202f8499cc

SHA1
542dca77ea0f20b91b8ebac80e326686dd507c55

SHA256
e997d69e9649210f79167f2a8501196ac2a62a23944b5d0d39b1e9bd7e3b774f

SHA512
0880bc2a3182708e3ac620f4028a85eb1683bda96f0246ea5751c9ad20c3ea2c1e9879751b4f57fea0ee16b41347a93be88ef0f87661583971204179b917b608

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\SkinConfig.ini
Filesize
556B

MD5
17501d683b148722ab2b4891a08db326

SHA1
5c41264ccb84132e5db9b4745affa970105927cb

SHA256
69c66f84ab3c9a12fde440f8d7f4c92f97ff9fc8b6e51a2ed221896d6c8187fb

SHA512
07bc400ead6a604bb22994795ef8be1da4b67f9437df206d2fc109f7bab39e6b47dc59fe8e4684e7663988c39311766a9821460cc0b81625f666d821bf297c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\Tencentdl.exe
Filesize
915KB

MD5
7e8dfc56349967d134ccdc9de4cd772f

SHA1
80f9636e5f2b7509d50e3e865b5c0d921348fff0

SHA256
fcaf44a74ec98e9780ddded45729dab1dc292c3a1bfed1c1a7ce56f1fed9b604

SHA512
b25fa86519cc23157f253ab816e8f8dfab54c5eddb72ec2092ece5b33767131f2ebdb4c791a2e28688c3bbbddc0db1e34d046f309592f95bf4665f5f12617010

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\VerConfig.ini
Filesize
2KB

MD5
6896830b7ed673d8bc50e7c0b564618e

SHA1
fbecc6f20f02c89d29180f8debaf48e55482d172

SHA256
f61513617aed4841918e841424dd381e39319742729d8f320e171d6f29b16d31

SHA512
c1a5bff0a7cb303ffbd5172f818f012024230fb465e9a406f82f4958ba71822974256413b011aef71fdb8bbb9acd8e369b5d58c2ed37ca9c69e78485f4cc2b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\bugreport.exe
Filesize
274KB

MD5
cae77f70a1dbc517f1281403f0a68c1e

SHA1
96fdd9317aa6236ccd396dd469c46eda564326f2

SHA256
18a53e047d0536e49385177d00d526f252de98d5d04e58e057c7684f820788c2

SHA512
b33c4e3de966847e280fd827c39c0dfad1e65a7c24f28b7572eb35aca0c36fc0544eab3e34d5b80613543bf7c644a1b41dc3d7886e1b4923a93077ccadb2799c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\config.ini
Filesize
830B

MD5
fbb667e9cb865a796ebe1cf407a2d7ef

SHA1
a4e825d61b5160f43d61a5b6b822adf37e6326b8

SHA256
074b011e07b317dc323b81213419a3b507e9fd116619de9ad0c0dd54aaf80e55

SHA512
34dad819b204fc916c2a4a50197a92a40b2ab54ed579fc3b52160a01635e64ab2ac01426eafdb5615155f6f09f0f1569a048ecd7a5cf43731410edbee6f64185

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\curllib.dll
Filesize
228KB

MD5
45882035d3e92e52b511c497432c0f80

SHA1
beebd03fafda345f2068c8892272d66bf7726ac2

SHA256
f79808272d03aa7a2e904438f97a63dee8d0d62fd4ed77709eb80ca3bdba6510

SHA512
4a00a0d8d0dd4fa3774722c5dad647e86127f1a1abe83df7b80388c6ef1aa69089402fc12a06a3fc4f800335db5ca99345b8d75b584a2b467f9a43254c303817

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\tinyxml.dll
Filesize
99KB

MD5
e42fb6e8b70cef85bfaae7cd0e716e21

SHA1
463a423283b5c22056cca0c2bcad1969194e69c2

SHA256
0460e9e03edf807453e66f0332c84a4f8ea8ace16e25b8c2e62abe12a6b7eebc

SHA512
c30105e53c89756eab9d7c92d35e9934ece9ac9ecdec92cb56e63ffdf2b1ec3294dedc4942fd0dfae16367968f697786179534b9b0de7f2962e0c95a406a7056

Download Submit
C:\Users\Admin\AppData\Local\Temp\TXSSO\TXSSO\I18N\2052\PGFStringBundle.xml
Filesize
6KB

MD5
15b8a58b2174cb7766e0e373580265a2

SHA1
c4f707c12e8f798b8b59aac155dd9fac89cd732c

SHA256
673eb178dae8cf3addcbb5d82969ec47a3631ac59a20e6cc806938de5cc3beb6

SHA512
0f8dc202a4eec0e8d66faed1dbbe57e599024f0206bcfc13141ecf56e5873d0278a394ba64794a5a6a08d987a0b81878732251161ba5ecec8d69560d9846c0f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TXSSO\TXSSO\I18N\2052\SSOStringBundle.xml
Filesize
3KB

MD5
9abdb8aa100a963bee543ef44d194e76

SHA1
a10a879eaf2ad95a2fce534959ad8ff25079a9fb

SHA256
58adbbb6f500699838a417c5d8fbd1ad80e44849dafce453f80bc75f5d90b614

SHA512
5a1a40eccecfaeb4dac7a23f1904861735ab50b52b0e0240e7f34aa7a9c7c627d6867fda16dd3827b2fdb33be2c759b492ff5dd658a23cfa1a161d534172973b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TXSSO\TXSSO\I18N\SSOConfig.xml
Filesize
394B

MD5
2b563ba463450a8fd6f4bb7789503b44

SHA1
3cb6c17b613682106f3382d212d29b8af10df13e

SHA256
32f912e1eceb0000e04ddb3c627b00c4533e882cc34e3d8117bc9cafeb2faf8b

SHA512
b392808aa0686ff4b374c0e99af68428b361e6880f22dd5d59ca08e78228ad3162927d3fc347b53b26dae2bfbafbc795209fa5d1606af69604b9d2dc689affb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TXSSO\TXSSO\bin\SSOCommon.dll
Filesize
1.5MB

MD5
8db6c69fb57b1b3c39e26deb183e0a71

SHA1
79430886d5903784f53d2b541bc26512b1f5517c

SHA256
bbed821ef363e1dd69442417355d781391d1af6532d62d1f67c2c64de9121155

SHA512
c16015df421080b296f6361ddbaf6f73ab5515de1c7202a7e0507ccf83471d5af974402c915f854294a0af2d2be1e43b694ec84c706355b96985eb0e6cae9fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TXSSO\TXSSO\bin\SSOLUIControl.dll
Filesize
482KB

MD5
0a97d034a281a99b4c5cbe10e30c27db

SHA1
c1bd2da331903cbd35e8bb61186e527653628d4a

SHA256
5ee176db9b6317ad7dbd0adc2f6b1735ed2fd55b10084565e27f28f829fe09dc

SHA512
c6cd07d06cb6b1913cc59f67707dbd4e9444ea70078209faeacbdd8e35d9f632306fd907b42b18132583b2cc9938790b28a250ed4b76ef11d0288879a7c97a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\TXSSO\TXSSO\bin\SSOPlatform.dll
Filesize
1.3MB

MD5
73f49831086377eb8d02b2b30f256897

SHA1
0930b17f251999ddc0ac636a416564613fd8905e

SHA256
cff96f4fbfa0b7efc619a0c9ad39978873e24a8c9e737f6c64d57836d99bd182

SHA512
d68ce3882ed3097f820e33099766c5150be52e48bc0f5c7c36f30dec2497b4b244ecc9bc0e20c655eb275f6cce59be23c2bf4af8f4e96167ef098d55414766d3

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\TXSSO\SetupLogs\setuplog.log
Filesize
894B

MD5
2575e52662d3d53b5b8c54e4d952783b

SHA1
9b7f3f3a74bf14480a61cf2ce5bec32076f4cad5

SHA256
6b2ded3fd7c6b4ecc7d3f25909ee5c53213566222aceb65b2402435f72a94a37

SHA512
767ad3e56a8313e816f19976f570cf65565de658fc51711da1052355304b97788495d94c41e0f86eb712d02e6b8d4135886d699b8e5eb45c700deab27a68fc3e

Download Submit
\??\c:\users\admin\appdata\local\temp\qqvipdownloader\cf_1436384783\dlcore.dll
Filesize
1.9MB

MD5
0ed92ed82d4d1b22fe231c177b45eac5

SHA1
d858a692e6c0a364137c4d0190816809b8c37f7f

SHA256
ad1425b8497cf8b5891adbd51371c3ceb0f977e6e417b6c3f3262e6b6f01e2fc

SHA512
8d7d60e84314ba2b5b1a9248e6ddf1f2723844ebde1953343ee5f825f1d3e30a5a9a504d028c9311f9aa82c17929c4927769b7ae6df986003b2c1aaef0be3aa1

Download Submit
\??\c:\users\admin\appdata\local\temp\qqvipdownloader\cf_1436384783\downloadproxyps.dll
Filesize
67KB

MD5
9c629978377e3edc8d0b001115f93eec

SHA1
c563aad2e04b0e69b3ceeb722f7f7e85dd3cb410

SHA256
1ce25ffc0d8671f5c44573ec190533860cc3bec823d2dcfaf4548a0bd76add50

SHA512
34cb1eafd31385094bc0f2f03da80fb94662a7a966dff7f9be974b5e850e2c588e82546edfaf244b7f20046fd63421495b7a429d50184d074b83208d86dcd619

Download Submit
\??\c:\users\admin\appdata\local\temp\qqvipdownloader\cf_1436384783\extract.dll
Filesize
358KB

MD5
9da51d4506bd094fbfc7d337338fc872

SHA1
1b5799ef6b66ac9471842f17570813e7c42cdb27

SHA256
f2181e41d5950fcb762edf6b9cbb665e94004a7f1102b606c331690e6069a501

SHA512
07dfae7c04ea2815ed78af9e29313050338bfec5a8e08a8846c0f846d6d27b79b7bfe2c3b4dbf3758aa22f88342aadf5513dcbcd6a718b9dd939996d6ce9e044

Download Submit
\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\TXSSOSetup.exe
Filesize
1.2MB

MD5
e9756141d085d3b332014d7f9b184480

SHA1
7527574eb3b415744815ec4c51ae423ee58494e7

SHA256
8aa5ad11255f7526bd924a14b2ad0f4511ec2abf9f80abc5d2ac3d147490088a

SHA512
20f6c37ca83d4fe3cc34fe0018d184447ec2c2c990930601eeb9e5f29e8da4cc1b172894deada85d0bdcbb7bb09e907a757aa2932aaaea46fa5ed19444a0a439

Download Submit
\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\tnproxy.dll
Filesize
707KB

MD5
3bad47f1e11387358ba090fbc2682713

SHA1
e7e7843d3fd4f45fdb65ff40936bc28a10651589

SHA256
26c906e83d280f03e021a5730908cc40551f8ef98e048b9ae001354ec83ae736

SHA512
c00f7079746cc0ab961680ca784cac036ad60c2883e032fea9d8ac4791579f5cb952a341efb0068a38f81ab84c6dc870ddd8ae5ddb66d17a812a80fc8e1486eb

Download Submit
\Users\Admin\AppData\Local\Temp\TXSSO\InstTXSSO.exe
Filesize
92KB

MD5
58b88204dec307f6a58c6295d3f29c48

SHA1
20d225e0bf73882603d3e936adb1355fe643226d

SHA256
45c3dfbb89ad4298beb4724776df711d4dccd03f1e636c5ed20fa602e246c7bf

SHA512
cb3186cfe33c5477b1ed3c37064dadc6a5ba10af033f963fd79fcfcb4bb6bbd9079e1cb531bf91217bd118817fa3bc058ad89c7ad04b4a2fa5f89947ea0aea88

Download Submit
\Users\Admin\AppData\Local\Temp\nso238A.tmp\System.dll
Filesize
11KB

MD5
4cf3a81ab4579b30117c8a39a489d51d

SHA1
61af475e11e4e79e6a11e761fcb540d9c5eec0e9

SHA256
29f4a1c87161643e0ed5c46b46786d9a48437ec5dc6b99f4ff14037429e6e20a

SHA512
885d131304afbe92b9b0a16830b6b34c6b78e44f972c20aad63cf3695a400f2d82cf217753da2a2e5e399fdd5dd3306a257e9501a86884cad853e01ee125a664

Download Submit
memory/864-225-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/864-224-0x0000000000940000-0x0000000000950000-memory.dmp

Filesize
64KB

Download
memory/864-227-0x0000000004EB0000-0x0000000004F5F000-memory.dmp

Filesize
700KB

Download
memory/2436-223-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download
memory/2436-226-0x0000000007910000-0x0000000007920000-memory.dmp

Filesize
64KB

Download