051a80a2a82dd18faa9d0738c5403f3f0dbd0926e0525a445596cc6ef2d7d754

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe
Size

3.6MB
MD5

fb71a9372f7195356b87f195e68b534a
SHA1

08f7a9fa06a9cde87f38dff3aa8b57efed5a1099
SHA256

051a80a2a82dd18faa9d0738c5403f3f0dbd0926e0525a445596cc6ef2d7d754
SHA512

906e0b239b6de7a3f7ef9118355793dd342853501109b9328ccb284f9142c69f4081671795b3b80eff894b550b26e6bb6a0731134bbcfb0cc9d9a75d78ea36ce
SSDEEP

98304:KcXMbp8CtkFM8zRi8FSP4xnKjhFyikOfDiV7mR/eht2:RcTkeWim045ygiFfDK2/Et2

Score

8^/10

bootkit evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

4512 netsh.exe
2420 netsh.exe

pid	process
4512	netsh.exe
2420	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tencentdl.exeTencentdl.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	tencentdl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	Tencentdl.exe

Executes dropped EXE 6 IoCs

Processes:

TXSSOSetup.exeTencentdl.exeInstTXSSO.exeQQVipDownloader.exetencentdl.exetencentdl.exe

pid process

4412 TXSSOSetup.exe
3360 Tencentdl.exe
3272 InstTXSSO.exe
1404 QQVipDownloader.exe
1168 tencentdl.exe
468 tencentdl.exe

Loads dropped DLL 18 IoCs

Processes:

TXSSOSetup.exeQQVipDownloader.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exetencentdl.exe

pid	process
4412	TXSSOSetup.exe
1404	QQVipDownloader.exe
3708	regsvr32.exe
3708	regsvr32.exe
4712	regsvr32.exe
1428	regsvr32.exe
1428	regsvr32.exe
4852	regsvr32.exe
1404	QQVipDownloader.exe
1404	QQVipDownloader.exe
1404	QQVipDownloader.exe
468	tencentdl.exe
468	tencentdl.exe
468	tencentdl.exe
1404	QQVipDownloader.exe
1404	QQVipDownloader.exe
468	tencentdl.exe
468	tencentdl.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

QQVipDownloader.exeTencentdl.exetencentdl.exetencentdl.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	QQVipDownloader.exe
File opened for modification	\??\PhysicalDrive0	Tencentdl.exe
File opened for modification	\??\PhysicalDrive0	tencentdl.exe
File opened for modification	\??\PhysicalDrive0	tencentdl.exe

Drops file in Program Files directory 27 IoCs

Processes:

InstTXSSO.exeTencentdl.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\I18N\2052\SSOStringBundle.xml	InstTXSSO.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\Bin\SSOCommon.dll	InstTXSSO.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\I18N\2052\PGFStringBundle.xml	InstTXSSO.exe
File created	C:\Program Files (x86)\Common Files\Tencent\QQDownload\127\dlcore.dll	Tencentdl.exe
File opened for modification	C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\I18N	InstTXSSO.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\I18N\2052\PGFStringBundle.xml	InstTXSSO.exe
File opened for modification	C:\Program Files (x86)\Common Files\Tencent\TXSSO\I18N\2052	InstTXSSO.exe
File created	C:\Program Files (x86)\Common Files\Tencent\QQDownload\127\extract.dll	Tencentdl.exe
File opened for modification	C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\I18N\2052	InstTXSSO.exe
File created	C:\Program Files (x86)\Common Files\Tencent\QQDownload\127\InstallInfo.xml	Tencentdl.exe
File opened for modification	C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\bin	InstTXSSO.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\bin\npSSOAxCtrlForPTLogin.dll	InstTXSSO.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\bin\SSOPlatform.dll	InstTXSSO.exe
File created	C:\Program Files (x86)\Common Files\Tencent\QQDownload\127\tinyxml.dll	Tencentdl.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\bin\SSOCommon.dll	InstTXSSO.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\bin\SSOLUIControl.dll	InstTXSSO.exe
File created	C:\Program Files (x86)\Common Files\Tencent\QQDownload\127\Tencentdl.exe	Tencentdl.exe
File created	C:\Program Files (x86)\Common Files\Tencent\QQDownload\127\DownloadProxyPS.dll	Tencentdl.exe
File created	C:\Program Files (x86)\Common Files\Tencent\QQDownload\127\bugreport_xf.exe	Tencentdl.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\Bin\SSOPlatform.dll	InstTXSSO.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\I18N\2052\SSOStringBundle.xml	InstTXSSO.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\I18N\SSOConfig.xml	InstTXSSO.exe
File opened for modification	C:\Program Files (x86)\Common Files\Tencent\QQDownload\127\dlcore.dll	Tencentdl.exe
File created	C:\Program Files (x86)\Common Files\Tencent\QQDownload\127\tnproxy.dll	Tencentdl.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\I18N\SSOConfig.xml	InstTXSSO.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\Bin\npSSOAxCtrlForPTLogin.dll	InstTXSSO.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\Bin\SSOLUIControl.dll	InstTXSSO.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

tencentdl.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}	tencentdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{29A32150-EA24-42C2-882E-879152560C1E}\2.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C4814377-19D4-48FE-B913-28E24A96AE08}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E78160D-6983-44A7-9F21-21C7F1C104F5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F2A89253-E5E7-426E-8D54-22360114ACA3}\TypeLib\Version = "2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D72499C-48D9-4574-911C-85CDD7C08C94}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{29A32150-EA24-42C2-882E-879152560C1E}\2.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{40DBB647-8BFF-49E1-9F4A-F597C24ADA73}\TypeLib\ = "{29A32150-EA24-42C2-882E-879152560C1E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F2A89253-E5E7-426E-8D54-22360114ACA3}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F2A89253-E5E7-426E-8D54-22360114ACA3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4814377-19D4-48FE-B913-28E24A96AE08}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D72499C-48D9-4574-911C-85CDD7C08C94}\ = "ITXSSOConfig"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\0\win32	tencentdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader.1\CLSID	tencentdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SSOLUIControl.SSOLUICtrl\ = "SSOLUICtrl Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4814377-19D4-48FE-B913-28E24A96AE08}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\ = "DownloadProxy 1.0 Type Library"	tencentdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E78160D-6983-44A7-9F21-21C7F1C104F5}\TypeLib\ = "{29A32150-EA24-42C2-882E-879152560C1E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{251DA1A7-5700-41FC-8129-9099B4B7E4D3}\1.0\0\win32\ = "C:\\Program Files (x86)\\Common Files\\Tencent\\TXSSO\\1.2.1.94\\Bin\\SSOCommon.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D72499C-48D9-4574-911C-85CDD7C08C94}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\TypeLib\ = "{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4814377-19D4-48FE-B913-28E24A96AE08}\ = "ITXSSOArray"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CFE8D35-D272-4979-9E36-EA55D898D340}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\ = "ITXSSOArrayRead"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DCE82D4D-D85A-473B-8E9A-A93D89EDAD72}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{40DBB647-8BFF-49E1-9F4A-F597C24ADA73}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\SSOLUIControl.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D72499C-48D9-4574-911C-85CDD7C08C94}\TypeLib\ = "{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E78160D-6983-44A7-9F21-21C7F1C104F5}\ = "ISSOForPTLogin2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4C2BAEAE-B4D1-4b29-8BB5-9455F06BB871}\ = "SSOCommonDllBuild"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{251DA1A7-5700-41FC-8129-9099B4B7E4D3}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{40DBB647-8BFF-49E1-9F4A-F597C24ADA73}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D57D439-62AF-4EB4-A58F-9F0963A3364C}\ = "ISSOForPTLogin3"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\NumMethods\ = "15"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SSOAxCtrlForPTLogin.SSOForPTLogin.2\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EAAED308-7322-4b9b-965E-171933ADD473}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	tencentdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader\CLSID\ = "{70DE12EA-79F4-46bc-9812-86DB50A2FD64}"	tencentdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\HELPDIR	tencentdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ProxyStubClsid32	tencentdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4814377-19D4-48FE-B913-28E24A96AE08}\TypeLib\ = "{29A32150-EA24-42C2-882E-879152560C1E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{611AC3D9-E60C-4138-83AE-9B1C8D4082BF}\ = "SSOLUIControl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A6C2A84-5EFB-4DA0-9E79-3CD6709CE692}\ = "ISSOLUICtrl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SSOAxCtrlForPTLogin.SSOForPTLogin.2\ = "SSOForPTLogin2 Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B855B42B-1121-4354-9483-86B614838220}\TypeLib\ = "{29A32150-EA24-42C2-882E-879152560C1E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{40DBB647-8BFF-49E1-9F4A-F597C24ADA73}\TypeLib\ = "{251DA1A7-5700-41FC-8129-9099B4B7E4D3}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{29A32150-EA24-42C2-882E-879152560C1E}\2.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B855B42B-1121-4354-9483-86B614838220}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B9E49847-9822-4139-BC55-7173ED1ADA11}\ProxyStubClsid32\ = "{B9E49847-9822-4139-BC55-7173ED1ADA11}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D72499C-48D9-4574-911C-85CDD7C08C94}\ = "ITXSSOConfig"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ = "IDownloader"	tencentdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F2A89253-E5E7-426E-8D54-22360114ACA3}\TypeLib\ = "{29A32150-EA24-42C2-882E-879152560C1E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{251DA1A7-5700-41FC-8129-9099B4B7E4D3}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D57D439-62AF-4EB4-A58F-9F0963A3364C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{29A32150-EA24-42C2-882E-879152560C1E}\2.0\0\win32\ = "C:\\Program Files (x86)\\Common Files\\Tencent\\TXSSO\\1.2.1.94\\Bin\\npSSOAxCtrlForPTLogin.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B855B42B-1121-4354-9483-86B614838220}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B855B42B-1121-4354-9483-86B614838220}\TypeLib	regsvr32.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

QQVipDownloader.exetencentdl.exe

pid process

1404 QQVipDownloader.exe
1404 QQVipDownloader.exe
1404 QQVipDownloader.exe
1404 QQVipDownloader.exe
468 tencentdl.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

QQVipDownloader.exe

pid process

1404 QQVipDownloader.exe
1404 QQVipDownloader.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

QQVipDownloader.exe

pid process

1404 QQVipDownloader.exe
1404 QQVipDownloader.exe

pid	process
1404	QQVipDownloader.exe
1404	QQVipDownloader.exe
1404	QQVipDownloader.exe
1404	QQVipDownloader.exe
468	tencentdl.exe

pid	process
1404	QQVipDownloader.exe
1404	QQVipDownloader.exe

pid	process
1404	QQVipDownloader.exe
1404	QQVipDownloader.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exeTXSSOSetup.exeInstTXSSO.exeTencentdl.exetencentdl.exe

description	pid	process	target process
PID 3480 wrote to memory of 4412	3480	fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe	TXSSOSetup.exe
PID 3480 wrote to memory of 4412	3480	fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe	TXSSOSetup.exe
PID 3480 wrote to memory of 4412	3480	fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe	TXSSOSetup.exe
PID 3480 wrote to memory of 3360	3480	fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe	Tencentdl.exe
PID 3480 wrote to memory of 3360	3480	fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe	Tencentdl.exe
PID 3480 wrote to memory of 3360	3480	fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe	Tencentdl.exe
PID 4412 wrote to memory of 3272	4412	TXSSOSetup.exe	InstTXSSO.exe
PID 4412 wrote to memory of 3272	4412	TXSSOSetup.exe	InstTXSSO.exe
PID 4412 wrote to memory of 3272	4412	TXSSOSetup.exe	InstTXSSO.exe
PID 3480 wrote to memory of 1404	3480	fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe	QQVipDownloader.exe
PID 3480 wrote to memory of 1404	3480	fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe	QQVipDownloader.exe
PID 3480 wrote to memory of 1404	3480	fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe	QQVipDownloader.exe
PID 3272 wrote to memory of 4712	3272	InstTXSSO.exe	regsvr32.exe
PID 3272 wrote to memory of 4712	3272	InstTXSSO.exe	regsvr32.exe
PID 3272 wrote to memory of 4712	3272	InstTXSSO.exe	regsvr32.exe
PID 3272 wrote to memory of 1428	3272	InstTXSSO.exe	regsvr32.exe
PID 3272 wrote to memory of 1428	3272	InstTXSSO.exe	regsvr32.exe
PID 3272 wrote to memory of 1428	3272	InstTXSSO.exe	regsvr32.exe
PID 3272 wrote to memory of 3708	3272	InstTXSSO.exe	regsvr32.exe
PID 3272 wrote to memory of 3708	3272	InstTXSSO.exe	regsvr32.exe
PID 3272 wrote to memory of 3708	3272	InstTXSSO.exe	regsvr32.exe
PID 3360 wrote to memory of 1168	3360	Tencentdl.exe	tencentdl.exe
PID 3360 wrote to memory of 1168	3360	Tencentdl.exe	tencentdl.exe
PID 3360 wrote to memory of 1168	3360	Tencentdl.exe	tencentdl.exe
PID 1168 wrote to memory of 4512	1168	tencentdl.exe	netsh.exe
PID 1168 wrote to memory of 4512	1168	tencentdl.exe	netsh.exe
PID 1168 wrote to memory of 4512	1168	tencentdl.exe	netsh.exe
PID 1168 wrote to memory of 2420	1168	tencentdl.exe	netsh.exe
PID 1168 wrote to memory of 2420	1168	tencentdl.exe	netsh.exe
PID 1168 wrote to memory of 2420	1168	tencentdl.exe	netsh.exe
PID 1168 wrote to memory of 4852	1168	tencentdl.exe	regsvr32.exe
PID 1168 wrote to memory of 4852	1168	tencentdl.exe	regsvr32.exe
PID 1168 wrote to memory of 4852	1168	tencentdl.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb71a9372f7195356b87f195e68b534a_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\TXSSOSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\TXSSOSetup.exe" -DIR="C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Users\Admin\AppData\Local\Temp\TXSSO\InstTXSSO.exe
    "C:\Users\Admin\AppData\Local\Temp\TXSSO\InstTXSSO.exe" "C:\Users\Admin\AppData\Local\Temp\TXSSO\TXSSO" "C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:3272
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\Bin\\SSOCommon.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:4712
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\Bin\\npSSOAxCtrlForPTLogin.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:1428
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\Bin\\SSOLUIControl.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:3708
- C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\Tencentdl.exe
  "C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\Tencentdl.exe" /Install
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\program files (x86)\common files\tencent\qqdownload\127\tencentdl.exe
    "C:\program files (x86)\common files\tencent\qqdownload\127\tencentdl.exe" /RegServer
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="腾讯产品下载组件" dir=in program="C:\program files (x86)\common files\tencent\qqdownload\127\tencentdl.exe" description="C:\program files (x86)\common files\tencent\qqdownload\127\tencentdl.exe" action=allow
      4⤵
      Modifies Windows Firewall
      PID:4512
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="腾讯产品下载组件Crash上报" dir=in program="C:\program files (x86)\common files\tencent\qqdownload\127\bugreport_xf.exe" description="C:\program files (x86)\common files\tencent\qqdownload\127\bugreport_xf.exe" action=allow
      4⤵
      Modifies Windows Firewall
      PID:2420
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\program files (x86)\common files\tencent\qqdownload\127\DownloadProxyPS.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:4852
- C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\QQVipDownloader.exe
  "C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\QQVipDownloader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1404

C:\program files (x86)\common files\tencent\qqdownload\127\tencentdl.exe
"C:\program files (x86)\common files\tencent\qqdownload\127\tencentdl.exe" -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Tencent\QQDownload\127\InstallInfo.xml

Filesize
1KB

MD5
b491726482b3404a8c862c4eff788b7c

SHA1
57c92b3e09092a05dff6a8a68900e1626f916ad0

SHA256
924f8d68be8f0bb2202e6a4ea81fc1356c78430f73de552534ffd014b8f6a44d

SHA512
d91f004d266d5a90865183baebfdaafb166778ad73403989c8ae1227b32ecf7bdcb484c037af307ba59e38202fbad267a59b466fd93666ae8fd7e2a10add5bbb

Download Submit
C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\Bin\SSOCommon.DLL

Filesize
1.5MB

MD5
8db6c69fb57b1b3c39e26deb183e0a71

SHA1
79430886d5903784f53d2b541bc26512b1f5517c

SHA256
bbed821ef363e1dd69442417355d781391d1af6532d62d1f67c2c64de9121155

SHA512
c16015df421080b296f6361ddbaf6f73ab5515de1c7202a7e0507ccf83471d5af974402c915f854294a0af2d2be1e43b694ec84c706355b96985eb0e6cae9fed

Download Submit
C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\I18N\2052\PGFStringBundle.xml

Filesize
6KB

MD5
15b8a58b2174cb7766e0e373580265a2

SHA1
c4f707c12e8f798b8b59aac155dd9fac89cd732c

SHA256
673eb178dae8cf3addcbb5d82969ec47a3631ac59a20e6cc806938de5cc3beb6

SHA512
0f8dc202a4eec0e8d66faed1dbbe57e599024f0206bcfc13141ecf56e5873d0278a394ba64794a5a6a08d987a0b81878732251161ba5ecec8d69560d9846c0f6

Download Submit
C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\I18N\SSOConfig.xml

Filesize
394B

MD5
2b563ba463450a8fd6f4bb7789503b44

SHA1
3cb6c17b613682106f3382d212d29b8af10df13e

SHA256
32f912e1eceb0000e04ddb3c627b00c4533e882cc34e3d8117bc9cafeb2faf8b

SHA512
b392808aa0686ff4b374c0e99af68428b361e6880f22dd5d59ca08e78228ad3162927d3fc347b53b26dae2bfbafbc795209fa5d1606af69604b9d2dc689affb4

Download Submit
C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\bin\SSOLUIControl.dll

Filesize
482KB

MD5
0a97d034a281a99b4c5cbe10e30c27db

SHA1
c1bd2da331903cbd35e8bb61186e527653628d4a

SHA256
5ee176db9b6317ad7dbd0adc2f6b1735ed2fd55b10084565e27f28f829fe09dc

SHA512
c6cd07d06cb6b1913cc59f67707dbd4e9444ea70078209faeacbdd8e35d9f632306fd907b42b18132583b2cc9938790b28a250ed4b76ef11d0288879a7c97a47

Download Submit
C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\bin\SSOPlatform.dll

Filesize
1.3MB

MD5
73f49831086377eb8d02b2b30f256897

SHA1
0930b17f251999ddc0ac636a416564613fd8905e

SHA256
cff96f4fbfa0b7efc619a0c9ad39978873e24a8c9e737f6c64d57836d99bd182

SHA512
d68ce3882ed3097f820e33099766c5150be52e48bc0f5c7c36f30dec2497b4b244ecc9bc0e20c655eb275f6cce59be23c2bf4af8f4e96167ef098d55414766d3

Download Submit
C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.1.94\bin\npSSOAxCtrlForPTLogin.dll

Filesize
194KB

MD5
6aaafff9946c2fca0f74a45497c781f5

SHA1
aab0557e83ed54b956ffd159e1f76a5abeca9ef6

SHA256
9bdf42d867153622be14a65d7e56de0dde2f6e8c3ca693e0e50b65cd2756ef23

SHA512
171282874f5f08ae72ed84425be6bc2b099470d76f52f2059891746f853dcfc7f6e1f973b6ba13b063e4309839ec6674431fd09bb8f72dbed44fccd8cc96395b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\QQVipDownloader.exe

Filesize
1023KB

MD5
65dbfaf76be7baf0369e1a202f8499cc

SHA1
542dca77ea0f20b91b8ebac80e326686dd507c55

SHA256
e997d69e9649210f79167f2a8501196ac2a62a23944b5d0d39b1e9bd7e3b774f

SHA512
0880bc2a3182708e3ac620f4028a85eb1683bda96f0246ea5751c9ad20c3ea2c1e9879751b4f57fea0ee16b41347a93be88ef0f87661583971204179b917b608

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\SKin\bk.png

Filesize
174KB

MD5
9b10266010b169ce67d7ea798c919c52

SHA1
6e55203a8482ae95ff2e7c15d5d5ee52d96fda10

SHA256
2a8c179187054da511d3666cb192f05e101583a48f213759e26ff26a719ad84a

SHA512
5d0f79a25c99e3baeb3b52e3b0dab24a3ff2a9d0442a08413e742bec93dd48adf3f208b37a0ab7218fccdd3d34df54cc5d881e8845f1b0e1f973e5f639d835c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\SKin\btn_pause_task.png

Filesize
7KB

MD5
f8daa9b80c610c7e4186964eebc10188

SHA1
b51e815879761700af3f49fc9b6be042e78c202e

SHA256
aa3b5db80244c6b0f32569b1120aa3c1c7bfd273898e03e21a1abfb77453366a

SHA512
0c6dcfc8feb1b87691638565b8af121db1e5a894d93c9bb29c6318331be9f2a0314d644c493f7325f63cb1c5026de41d9171881f8e70cb12ca43e8fa65e1e8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\SKin\btn_resume_task.png

Filesize
8KB

MD5
9b2bc51ae4c800313da889c131c43788

SHA1
8d1b325a4bb32caaff2768016f812af9975cf8d7

SHA256
0b382220040c0fb63e9d2e2007b6dcf1c7a0f67376ec19bd5d3f05ba3b3cbea2

SHA512
5f28478a8b73f854de1761dc709830edb695badb087f16957f37b46519ced42b212291e28d0ec09ec3b0a7e740a44bdfada6a38e959955b6df652372685c32b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\SKin\btn_retry_task.png

Filesize
7KB

MD5
8abede62b4355bda746fc30d96f30ac0

SHA1
cc2023196d438e79ddc950e3e95b10f28625aed7

SHA256
9f31c3b4cfd313973ee6edec613f393d37e9af66623aeb55ec0c6d2cd748149b

SHA512
ec7fd1a72214341322f9041d3edcd811ffe3551a4885045e1898079547ca39d0aaf71db33f2cd5d070bed4abf0ed959ef4874f682850b9ea4317e422b396517f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\SKin\btn_setup.png

Filesize
26KB

MD5
1c64b5d146b8326f3ae54e62fade0397

SHA1
ee40e25eceee99b620653228079aba38e9c54ec7

SHA256
c42bce18e077644199c289d89552661356e5aa5f1c5eeaf4db56c50f57367c7c

SHA512
be615f4dc8f4f66946f85595e99f0360f79162bfc16d75ca246a80b6abadd86cac8a073b1080b547987438b0de58e470b97446dd0fb5f4e6dbbb7b5fd9deacd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\SKin\btn_start_task.png

Filesize
26KB

MD5
7f28f3539ea6e029798a0531c8687b3d

SHA1
7234af780d2717f6705f1b61d103f361203d49f3

SHA256
0163c33ddce2bf33c2e99b836496ab6603ee6a92565ec66fd4b10814d5e583ce

SHA512
7fc4e444dc11251266cbe3fb98198ef19a5121a9b1cffad2876a770d500d25370b243773d22b801d9f025e2f5947021620cf366611728547947bda7763b3511d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\SKin\btn_topspeed.png

Filesize
26KB

MD5
edd25ae6e63c6a63b0b3427e23347410

SHA1
0aaddcf10b03487b789667523b8ea00153577828

SHA256
fb946fcce10df3042136a4ad44dc85acab72a634d677b2c95dcee086e27e892b

SHA512
96ddef135f2738443534978353b27a345154a1c03718520a04fd01a71ebe5278ddd56fb0cb1e3d3bf1c03fb35b86cf0631b8d35e7df2a74ef9574bee4e89f8b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\SKin\close.png

Filesize
3KB

MD5
7c30c5b3072d97621e2a7ff1f3501b8c

SHA1
2c0fc127c065bd7fc612b47404a370f06d10a3ab

SHA256
73d062334371bfeca26746cd46bdb84d471c8f8e2988a26ebe9cb58457a3de0d

SHA512
35f270468dc9e3353af46bb5546c2c5264271450d0a3e895730998b03ff6f976580df829a99a83ba6ac517091ad74d1484878b4128f6ddd81e1e9430a795518a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\SKin\file_path_input.png

Filesize
7KB

MD5
e5445b1cfa72e9038742c913f9c238f2

SHA1
f5a4c5e85a9dba939b088c3b639e0bc877ffd5b0

SHA256
8c4d607ac1e8d9cfda24ae46cc67deb25897a24d358df2cc8518cbc1af1f233c

SHA512
ab58149eefa38c642a0b396641e3dc9a656ae540984d2eaea3f4598ec3ac00842ad2004accac7788a8e92898a5e7ef0dc7b1507390d0b45bf96e3028cd6182aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\SKin\icon_path.png

Filesize
411B

MD5
9730a42dd9f53df8f32ca36dc6c3aa77

SHA1
354ab75f2565410a5969c76b287b9a5a7ed4887c

SHA256
2943e3787154995c277a0291420d86958cfba1b8acb349eedf7e8860e5c99536

SHA512
9b888108c7dac6e5919da7e638478467d75801cac2869cdb7bbd1a8819660d22235666da815340d08753f433d837ab287fd187b4d0ec6b0d7a0da30bcf4c59dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\SKin\min.png

Filesize
3KB

MD5
201874176e2641c549405c71d6f6f2af

SHA1
4077bf6aa0d03e6313be0f2949df89b56fb135bd

SHA256
45230ef54264a24a05d5350ad41161f66c623834384c95759f5331a89cbed110

SHA512
19074ced311bf0b4394ac1cf5bc4ec13c88bbe08c6505c454a2199f8a90b0db65e4497982e18c3d721bbb40c0be21f5f4591033a3515afb53769c5f2d637c177

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\SKin\setting.png

Filesize
3KB

MD5
67c6e655cc98a65d4224445c1235f893

SHA1
a1ed1cb2a20d639d4d77eaa2ac0249e17131ac8d

SHA256
493759d30c5ff5b69d70b7eb5d74217ec0f00803d1e7bcca199c8be3018d0972

SHA512
19a876d0deca8bc553dc90e736ab96c9dc8ececb68399b973ef6f90be11dc51cc7a98cd6c0e438d842d2c3e3f2864990f83d82c0da4583f20cc0e7b8107ec4d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\SkinConfig.ini

Filesize
556B

MD5
17501d683b148722ab2b4891a08db326

SHA1
5c41264ccb84132e5db9b4745affa970105927cb

SHA256
69c66f84ab3c9a12fde440f8d7f4c92f97ff9fc8b6e51a2ed221896d6c8187fb

SHA512
07bc400ead6a604bb22994795ef8be1da4b67f9437df206d2fc109f7bab39e6b47dc59fe8e4684e7663988c39311766a9821460cc0b81625f666d821bf297c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\TXSSOSetup.exe

Filesize
1.2MB

MD5
e9756141d085d3b332014d7f9b184480

SHA1
7527574eb3b415744815ec4c51ae423ee58494e7

SHA256
8aa5ad11255f7526bd924a14b2ad0f4511ec2abf9f80abc5d2ac3d147490088a

SHA512
20f6c37ca83d4fe3cc34fe0018d184447ec2c2c990930601eeb9e5f29e8da4cc1b172894deada85d0bdcbb7bb09e907a757aa2932aaaea46fa5ed19444a0a439

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\VerConfig.ini

Filesize
2KB

MD5
6896830b7ed673d8bc50e7c0b564618e

SHA1
fbecc6f20f02c89d29180f8debaf48e55482d172

SHA256
f61513617aed4841918e841424dd381e39319742729d8f320e171d6f29b16d31

SHA512
c1a5bff0a7cb303ffbd5172f818f012024230fb465e9a406f82f4958ba71822974256413b011aef71fdb8bbb9acd8e369b5d58c2ed37ca9c69e78485f4cc2b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\bugreport.exe

Filesize
274KB

MD5
cae77f70a1dbc517f1281403f0a68c1e

SHA1
96fdd9317aa6236ccd396dd469c46eda564326f2

SHA256
18a53e047d0536e49385177d00d526f252de98d5d04e58e057c7684f820788c2

SHA512
b33c4e3de966847e280fd827c39c0dfad1e65a7c24f28b7572eb35aca0c36fc0544eab3e34d5b80613543bf7c644a1b41dc3d7886e1b4923a93077ccadb2799c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\config.ini

Filesize
830B

MD5
fbb667e9cb865a796ebe1cf407a2d7ef

SHA1
a4e825d61b5160f43d61a5b6b822adf37e6326b8

SHA256
074b011e07b317dc323b81213419a3b507e9fd116619de9ad0c0dd54aaf80e55

SHA512
34dad819b204fc916c2a4a50197a92a40b2ab54ed579fc3b52160a01635e64ab2ac01426eafdb5615155f6f09f0f1569a048ecd7a5cf43731410edbee6f64185

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\curllib.dll

Filesize
228KB

MD5
45882035d3e92e52b511c497432c0f80

SHA1
beebd03fafda345f2068c8892272d66bf7726ac2

SHA256
f79808272d03aa7a2e904438f97a63dee8d0d62fd4ed77709eb80ca3bdba6510

SHA512
4a00a0d8d0dd4fa3774722c5dad647e86127f1a1abe83df7b80388c6ef1aa69089402fc12a06a3fc4f800335db5ca99345b8d75b584a2b467f9a43254c303817

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\skin\vipdl.ico

Filesize
4KB

MD5
6452dfa63b39c446cadfd8758573e358

SHA1
4702f1c126d5ba80d8e7b557f55cca4d27afc28d

SHA256
664fa34dcbf3e3e5dbcd1a19b978658b751c9151fe6662873b2ab18d36a8bc3f

SHA512
667cd0429d1ea12ce5916127b90e800e945a0a1ef91f6b92360f2a228cbbe349a7aef0f1e6be779b2701ff8722afbca963ff026ac1e73cf800d09627ea44bbe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQVipDownloader\cf_1436384783\tinyxml.dll

Filesize
99KB

MD5
e42fb6e8b70cef85bfaae7cd0e716e21

SHA1
463a423283b5c22056cca0c2bcad1969194e69c2

SHA256
0460e9e03edf807453e66f0332c84a4f8ea8ace16e25b8c2e62abe12a6b7eebc

SHA512
c30105e53c89756eab9d7c92d35e9934ece9ac9ecdec92cb56e63ffdf2b1ec3294dedc4942fd0dfae16367968f697786179534b9b0de7f2962e0c95a406a7056

Download Submit
C:\Users\Admin\AppData\Local\Temp\TXSSO\InstTXSSO.exe

Filesize
92KB

MD5
58b88204dec307f6a58c6295d3f29c48

SHA1
20d225e0bf73882603d3e936adb1355fe643226d

SHA256
45c3dfbb89ad4298beb4724776df711d4dccd03f1e636c5ed20fa602e246c7bf

SHA512
cb3186cfe33c5477b1ed3c37064dadc6a5ba10af033f963fd79fcfcb4bb6bbd9079e1cb531bf91217bd118817fa3bc058ad89c7ad04b4a2fa5f89947ea0aea88

Download Submit
C:\Users\Admin\AppData\Local\Temp\TXSSO\TXSSO\I18N\2052\SSOStringBundle.xml

Filesize
3KB

MD5
9abdb8aa100a963bee543ef44d194e76

SHA1
a10a879eaf2ad95a2fce534959ad8ff25079a9fb

SHA256
58adbbb6f500699838a417c5d8fbd1ad80e44849dafce453f80bc75f5d90b614

SHA512
5a1a40eccecfaeb4dac7a23f1904861735ab50b52b0e0240e7f34aa7a9c7c627d6867fda16dd3827b2fdb33be2c759b492ff5dd658a23cfa1a161d534172973b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi5B22.tmp\System.dll

Filesize
11KB

MD5
4cf3a81ab4579b30117c8a39a489d51d

SHA1
61af475e11e4e79e6a11e761fcb540d9c5eec0e9

SHA256
29f4a1c87161643e0ed5c46b46786d9a48437ec5dc6b99f4ff14037429e6e20a

SHA512
885d131304afbe92b9b0a16830b6b34c6b78e44f972c20aad63cf3695a400f2d82cf217753da2a2e5e399fdd5dd3306a257e9501a86884cad853e01ee125a664

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\Logs\regsvr32.tlg

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\Logs\regsvr32.tlg

Filesize
752B

MD5
84f203b1de1ab08a94c275469f79c798

SHA1
95121ef097f005d90394f9dfdece21475913078d

SHA256
e1fc503ee32abc0adb2638f1f2c770dd971b5c159265502315b9a0d938fd4e9b

SHA512
c204339784a1617c1d833ff4552ef5311557a6e7afa869a1bc0495dee8e41b78ec973c37e6a5d447a4f75fec57982bb1619b4d3bb891f562ebaba79eac52cd11

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\TXSSO\SetupLogs\setuplog.log

Filesize
2KB

MD5
9c6367d65b7da1c2f9ef6c9daa4f9e70

SHA1
aea1257624d643801a96c0ffe50f1b61c21caa02

SHA256
fa9f19b52631f50f9c3ffff9e7cacaf32c2515861b7d597552a06bf306cc1a4a

SHA512
4786a8c51c44f5aaa3706a4eae0cb68665cecd21ac0f284793bcbdb3434b1c0c4483893733f51e7c91b711ff26d93dbdad9b396a4165429f8c50466574f7f815

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\TXSSO\SetupLogs\setuplog.log

Filesize
894B

MD5
c586935d261c3e76f8566c9fe181e9d1

SHA1
dd745b40d04465153d4689c3b787b5bb636f3463

SHA256
b86b8807cf9be35c3df3e82baa6b7ce12106b78d557b2910fab44b5c6195cac2

SHA512
6a7d496348061836fc8790fa8c01cb80c09cba5a66f054b00eaf9a99dad7ee9660a7226437d61f0506f3377283905a81bc18ebb6114cec00c4912b91e2fe2c5a

Download Submit
C:\program files (x86)\common files\tencent\qqdownload\127\tencentdl.exe

Filesize
915KB

MD5
7e8dfc56349967d134ccdc9de4cd772f

SHA1
80f9636e5f2b7509d50e3e865b5c0d921348fff0

SHA256
fcaf44a74ec98e9780ddded45729dab1dc292c3a1bfed1c1a7ce56f1fed9b604

SHA512
b25fa86519cc23157f253ab816e8f8dfab54c5eddb72ec2092ece5b33767131f2ebdb4c791a2e28688c3bbbddc0db1e34d046f309592f95bf4665f5f12617010

Download Submit
\??\c:\users\admin\appdata\local\temp\qqvipdownloader\cf_1436384783\dlcore.dll

Filesize
1.9MB

MD5
0ed92ed82d4d1b22fe231c177b45eac5

SHA1
d858a692e6c0a364137c4d0190816809b8c37f7f

SHA256
ad1425b8497cf8b5891adbd51371c3ceb0f977e6e417b6c3f3262e6b6f01e2fc

SHA512
8d7d60e84314ba2b5b1a9248e6ddf1f2723844ebde1953343ee5f825f1d3e30a5a9a504d028c9311f9aa82c17929c4927769b7ae6df986003b2c1aaef0be3aa1

Download Submit
\??\c:\users\admin\appdata\local\temp\qqvipdownloader\cf_1436384783\downloadproxyps.dll

Filesize
67KB

MD5
9c629978377e3edc8d0b001115f93eec

SHA1
c563aad2e04b0e69b3ceeb722f7f7e85dd3cb410

SHA256
1ce25ffc0d8671f5c44573ec190533860cc3bec823d2dcfaf4548a0bd76add50

SHA512
34cb1eafd31385094bc0f2f03da80fb94662a7a966dff7f9be974b5e850e2c588e82546edfaf244b7f20046fd63421495b7a429d50184d074b83208d86dcd619

Download Submit
\??\c:\users\admin\appdata\local\temp\qqvipdownloader\cf_1436384783\extract.dll

Filesize
358KB

MD5
9da51d4506bd094fbfc7d337338fc872

SHA1
1b5799ef6b66ac9471842f17570813e7c42cdb27

SHA256
f2181e41d5950fcb762edf6b9cbb665e94004a7f1102b606c331690e6069a501

SHA512
07dfae7c04ea2815ed78af9e29313050338bfec5a8e08a8846c0f846d6d27b79b7bfe2c3b4dbf3758aa22f88342aadf5513dcbcd6a718b9dd939996d6ce9e044

Download Submit
\??\c:\users\admin\appdata\local\temp\qqvipdownloader\cf_1436384783\tnproxy.dll

Filesize
707KB

MD5
3bad47f1e11387358ba090fbc2682713

SHA1
e7e7843d3fd4f45fdb65ff40936bc28a10651589

SHA256
26c906e83d280f03e021a5730908cc40551f8ef98e048b9ae001354ec83ae736

SHA512
c00f7079746cc0ab961680ca784cac036ad60c2883e032fea9d8ac4791579f5cb952a341efb0068a38f81ab84c6dc870ddd8ae5ddb66d17a812a80fc8e1486eb

Download Submit
memory/468-229-0x0000000003500000-0x0000000003510000-memory.dmp

Filesize
64KB

Download
memory/468-228-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/468-231-0x0000000004D70000-0x0000000004E1F000-memory.dmp

Filesize
700KB

Download
memory/1404-212-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/1404-230-0x0000000008E10000-0x0000000008E20000-memory.dmp

Filesize
64KB

Download