cd8efeeac9e3a9efe818dca544bb0b692f6003799c713d2e965a78b50e112760

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
Size

1.9MB
MD5

74c54f6cccb6d924bba618c68031d411
SHA1

1a85dea4001ec2de1bba0cd04eb09e74a261ca64
SHA256

cd8efeeac9e3a9efe818dca544bb0b692f6003799c713d2e965a78b50e112760
SHA512

978c724f2e7b5bb324b45b229c4e23232a304bf97851add67b7b32842ff0f280b82069550429385cdfc566adb78e4c3746349e6a74bfbf2f90cc474beb6f24f9
SSDEEP

49152:s+VH+OIpKO8+0IMS6iOMryKrA7bRmtjHBZjL:nVHN6KO83gfDyKrA3Rmtjfn

Score

8^/10

adware bootkit discovery evasion execution persistence spyware stealer trojan

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Executes dropped EXE 6 IoCs

Processes:

pczh_107_306.exeTTK_7160010020140313_v142.exeAinqngz4.4.exewarmth.exeTTKMonitor.exeTaotaosou.exe

pid process

2680 pczh_107_306.exe
2620 TTK_7160010020140313_v142.exe
616 Ainqngz4.4.exe
920 warmth.exe
2744 TTKMonitor.exe
2956 Taotaosou.exe

pid	process
2680	pczh_107_306.exe
2620	TTK_7160010020140313_v142.exe
616	Ainqngz4.4.exe
920	warmth.exe
2744	TTKMonitor.exe
2956	Taotaosou.exe

Loads dropped DLL 64 IoCs

Processes:

74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exepczh_107_306.exeTTK_7160010020140313_v142.exeAinqngz4.4.exewarmth.exe

pid	process
2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2680	pczh_107_306.exe
2680	pczh_107_306.exe
2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2680	pczh_107_306.exe
2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2620	TTK_7160010020140313_v142.exe
2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2620	TTK_7160010020140313_v142.exe
2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2620	TTK_7160010020140313_v142.exe
2620	TTK_7160010020140313_v142.exe
2620	TTK_7160010020140313_v142.exe
2620	TTK_7160010020140313_v142.exe
2620	TTK_7160010020140313_v142.exe
2620	TTK_7160010020140313_v142.exe
2620	TTK_7160010020140313_v142.exe
2680	pczh_107_306.exe
2620	TTK_7160010020140313_v142.exe
2620	TTK_7160010020140313_v142.exe
2620	TTK_7160010020140313_v142.exe
2620	TTK_7160010020140313_v142.exe
2680	pczh_107_306.exe
2680	pczh_107_306.exe
2680	pczh_107_306.exe
2680	pczh_107_306.exe
2680	pczh_107_306.exe
2620	TTK_7160010020140313_v142.exe
2680	pczh_107_306.exe
2680	pczh_107_306.exe
2680	pczh_107_306.exe
2680	pczh_107_306.exe
2680	pczh_107_306.exe
2680	pczh_107_306.exe
2680	pczh_107_306.exe
2680	pczh_107_306.exe
2680	pczh_107_306.exe
2680	pczh_107_306.exe
2680	pczh_107_306.exe
2680	pczh_107_306.exe
2680	pczh_107_306.exe
2680	pczh_107_306.exe
2680	pczh_107_306.exe
2680	pczh_107_306.exe
616	Ainqngz4.4.exe
616	Ainqngz4.4.exe
616	Ainqngz4.4.exe
920	warmth.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\TaoTaoSou\\TTK\\TTSIEPlugin_64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Taotaosou.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Taotaosou.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Taotaosou.exe

Drops Chrome extension 1 IoCs

Processes:

TTK_7160010020140313_v142.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\manifest.json	TTK_7160010020140313_v142.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exeTTK_7160010020140313_v142.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1022531-9301-4071-A07A-F7237D0DE741}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1022531-9301-4071-A07A-F7237D0DE741}\ = "TTSIEBHO"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1022531-9301-4071-A07A-F7237D0DE741}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E1022531-9301-4071-A07A-F7237D0DE741}	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E1022531-9301-4071-A07A-F7237D0DE741}\ = "TTSIEBHO"	TTK_7160010020140313_v142.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E1022531-9301-4071-A07A-F7237D0DE741}\NoExplorer = "1"	TTK_7160010020140313_v142.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

TTK_7160010020140313_v142.exe

description ioc process

File opened for modification \??\PhysicalDrive0 TTK_7160010020140313_v142.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	TTK_7160010020140313_v142.exe

Drops file in Program Files directory 13 IoCs

Processes:

74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exepczh_107_306.exe

description	ioc	process
File created	C:\Program Files (x86)\OnlineInstal\pczh_107_306.exe	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
File created	C:\Program Files (x86)\OnlineInstal\uboskin\config.ini	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
File created	C:\Program Files (x86)\ainqngz4.4\Ainqngz4.4.exe	pczh_107_306.exe
File created	C:\Program Files (x86)\OnlineInstal\TTK_7160010020140313_v142.exe	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
File created	C:\Program Files (x86)\OnlineInstal\ie.ico	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
File created	C:\Program Files (x86)\OnlineInstal\ËÑ¹·µ¼º½.url	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\OnlineInstal\uboskin\config.ini	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
File created	C:\Program Files (x86)\ainqngz4.4\uninstall.exe	pczh_107_306.exe
File created	C:\Program Files (x86)\ainqngz4.4\Enthu.exe	pczh_107_306.exe
File created	C:\Program Files (x86)\OnlineInstal\tj.txt	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
File created	C:\Program Files (x86)\OnlineInstal\360.ico	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
File created	C:\Program Files (x86)\ainqngz4.4\warmth.exe	pczh_107_306.exe
File created	C:\Program Files (x86)\OnlineInstal\2345µ¼º½.url	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

Processes:

TTKMonitor.exe

description	ioc	process
File created	C:\Windows\Tasks\TaoTongKuanUpdateTask.job	TTKMonitor.exe
File opened for modification	C:\Windows\Tasks\TaoTongKuanUpdateTask.job	TTKMonitor.exe

Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

1344 sc.exe
2804 sc.exe
1372 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1344	sc.exe
2804	sc.exe
1372	sc.exe

NSIS installer 8 IoCs

installer

Processes:

resource	yara_rule
\Program Files (x86)\OnlineInstal\pczh_107_306.exe	nsis_installer_1
\Program Files (x86)\OnlineInstal\pczh_107_306.exe	nsis_installer_2
\Program Files (x86)\OnlineInstal\TTK_7160010020140313_v142.exe	nsis_installer_1
\Program Files (x86)\OnlineInstal\TTK_7160010020140313_v142.exe	nsis_installer_2
C:\Program Files (x86)\ainqngz4.4\uninstall.exe	nsis_installer_1
C:\Program Files (x86)\ainqngz4.4\uninstall.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\Uninstall.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\Uninstall.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

warmth.exeTaotaosou.exeAinqngz4.4.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	warmth.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	Taotaosou.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Taotaosou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Taotaosou.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	Ainqngz4.4.exe

Modifies registry class 64 IoCs

Processes:

TTK_7160010020140313_v142.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\ProxyStubClsid32	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32\ThreadingModel = "Apartment"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\TaoTaoSou\\TTK"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\TypeLib	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\TypeLib\Version = "1.0"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO.1\ = "ÌÔÌÔËÑ±È¼Û(ÌÔÍ¬¿î)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\ = "ÌÔÌÔËÑ±È¼Û(ÌÔÍ¬¿î)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\0\win32	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{ADCF888E-D1CB-4B41-A065-33EDAB7A1DF9}\ = "TTSIEPlugin"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\ProxyStubClsid32	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\TypeLib\ = "{AFB37209-747D-48B7-98A8-682371F2C841}"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\HELPDIR	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\TypeLib	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\ProgID\ = "TTSIEPlugin.TTSIEBHO.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\CurVer\ = "TTSIEPlugin.TTSIEBHO.1"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\VersionIndependentProgID\ = "TTSIEPlugin.TTSIEBHO"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\ProgID\ = "TTSIEPlugin.TTSIEBHO.1"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\0	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\CLSID\ = "{E1022531-9301-4071-A07A-F7237D0DE741}"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\ = "TTSIEPlugin 1.2 Type Library"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\ = "ITTSIEBHO"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\VersionIndependentProgID\ = "TTSIEPlugin.TTSIEBHO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\TypeLib	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\FLAGS\ = "0"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\CLSID\ = "{E1022531-9301-4071-A07A-F7237D0DE741}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\TypeLib\ = "{AFB37209-747D-48B7-98A8-682371F2C841}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO.1\CLSID\ = "{E1022531-9301-4071-A07A-F7237D0DE741}"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\CLSID	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\ = "ÌÔÌÔËÑ±È¼Û(ÌÔÍ¬¿î)"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\FLAGS	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO.1\CLSID\ = "{E1022531-9301-4071-A07A-F7237D0DE741}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\TTSIEPlugin.DLL	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO.1\CLSID	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\ = "ÌÔÌÔËÑ±È¼Û(ÌÔÍ¬¿î)"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\CurVer	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\TypeLib\ = "{AFB37209-747D-48B7-98A8-682371F2C841}"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\TaoTaoSou\\TTK\\TTSIEPlugin_64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO.1	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\ = "ITTSIEBHO"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\TTSIEPlugin.DLL\AppID = "{ADCF888E-D1CB-4B41-A065-33EDAB7A1DF9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\0\win64	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{ADCF888E-D1CB-4B41-A065-33EDAB7A1DF9}	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\VersionIndependentProgID	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\Programmable	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\TaoTaoSou\\TTK\\TTSIEPlugin.dll"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\CurVer\ = "TTSIEPlugin.TTSIEBHO.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{ADCF888E-D1CB-4B41-A065-33EDAB7A1DF9}\ = "TTSIEPlugin"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\TaoTaoSou\\TTK\\TTSIEPlugin.dll"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\TypeLib\ = "{AFB37209-747D-48B7-98A8-682371F2C841}"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\ = "ÌÔÌÔËÑ±È¼Û(ÌÔÍ¬¿î)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\VersionIndependentProgID	regsvr32.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Taotaosou.exeTTK_7160010020140313_v142.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Taotaosou.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Taotaosou.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Taotaosou.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	TTK_7160010020140313_v142.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	TTK_7160010020140313_v142.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	TTK_7160010020140313_v142.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Taotaosou.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

TTK_7160010020140313_v142.exepczh_107_306.exe

pid	process
2620	TTK_7160010020140313_v142.exe
2620	TTK_7160010020140313_v142.exe
2620	TTK_7160010020140313_v142.exe
2620	TTK_7160010020140313_v142.exe
2620	TTK_7160010020140313_v142.exe
2620	TTK_7160010020140313_v142.exe
2620	TTK_7160010020140313_v142.exe
2620	TTK_7160010020140313_v142.exe
2620	TTK_7160010020140313_v142.exe
2620	TTK_7160010020140313_v142.exe
2620	TTK_7160010020140313_v142.exe
2620	TTK_7160010020140313_v142.exe
2620	TTK_7160010020140313_v142.exe
2620	TTK_7160010020140313_v142.exe
2620	TTK_7160010020140313_v142.exe
2620	TTK_7160010020140313_v142.exe
2620	TTK_7160010020140313_v142.exe
2620	TTK_7160010020140313_v142.exe
2620	TTK_7160010020140313_v142.exe
2620	TTK_7160010020140313_v142.exe
2620	TTK_7160010020140313_v142.exe
2620	TTK_7160010020140313_v142.exe
2680	pczh_107_306.exe
2680	pczh_107_306.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

warmth.exe

description	pid	process
Token: 33	920	warmth.exe
Token: SeIncBasePriorityPrivilege	920	warmth.exe
Token: 33	920	warmth.exe
Token: SeIncBasePriorityPrivilege	920	warmth.exe
Token: 33	920	warmth.exe
Token: SeIncBasePriorityPrivilege	920	warmth.exe
Token: 33	920	warmth.exe
Token: SeIncBasePriorityPrivilege	920	warmth.exe
Token: 33	920	warmth.exe
Token: SeIncBasePriorityPrivilege	920	warmth.exe
Token: 33	920	warmth.exe
Token: SeIncBasePriorityPrivilege	920	warmth.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

warmth.exeAinqngz4.4.exeTTK_7160010020140313_v142.exeTaotaosou.exe

pid	process
920	warmth.exe
616	Ainqngz4.4.exe
2620	TTK_7160010020140313_v142.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

Taotaosou.exe

pid	process
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe
2956	Taotaosou.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

Ainqngz4.4.exewarmth.exeTaotaosou.exe

pid process

616 Ainqngz4.4.exe
920 warmth.exe
920 warmth.exe
920 warmth.exe
616 Ainqngz4.4.exe
616 Ainqngz4.4.exe
2956 Taotaosou.exe
2956 Taotaosou.exe

pid	process
616	Ainqngz4.4.exe
920	warmth.exe
920	warmth.exe
920	warmth.exe
616	Ainqngz4.4.exe
616	Ainqngz4.4.exe
2956	Taotaosou.exe
2956	Taotaosou.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exepczh_107_306.exeTTK_7160010020140313_v142.exeTTKMonitor.execmd.exe

description	pid	process	target process
PID 2656 wrote to memory of 2680	2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe	pczh_107_306.exe
PID 2656 wrote to memory of 2680	2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe	pczh_107_306.exe
PID 2656 wrote to memory of 2680	2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe	pczh_107_306.exe
PID 2656 wrote to memory of 2680	2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe	pczh_107_306.exe
PID 2656 wrote to memory of 2680	2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe	pczh_107_306.exe
PID 2656 wrote to memory of 2680	2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe	pczh_107_306.exe
PID 2656 wrote to memory of 2680	2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe	pczh_107_306.exe
PID 2656 wrote to memory of 2620	2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe	TTK_7160010020140313_v142.exe
PID 2656 wrote to memory of 2620	2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe	TTK_7160010020140313_v142.exe
PID 2656 wrote to memory of 2620	2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe	TTK_7160010020140313_v142.exe
PID 2656 wrote to memory of 2620	2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe	TTK_7160010020140313_v142.exe
PID 2656 wrote to memory of 2620	2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe	TTK_7160010020140313_v142.exe
PID 2656 wrote to memory of 2620	2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe	TTK_7160010020140313_v142.exe
PID 2656 wrote to memory of 2620	2656	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe	TTK_7160010020140313_v142.exe
PID 2680 wrote to memory of 1372	2680	pczh_107_306.exe	sc.exe
PID 2680 wrote to memory of 1372	2680	pczh_107_306.exe	sc.exe
PID 2680 wrote to memory of 1372	2680	pczh_107_306.exe	sc.exe
PID 2680 wrote to memory of 1372	2680	pczh_107_306.exe	sc.exe
PID 2680 wrote to memory of 1372	2680	pczh_107_306.exe	sc.exe
PID 2680 wrote to memory of 1372	2680	pczh_107_306.exe	sc.exe
PID 2680 wrote to memory of 1372	2680	pczh_107_306.exe	sc.exe
PID 2680 wrote to memory of 1344	2680	pczh_107_306.exe	sc.exe
PID 2680 wrote to memory of 1344	2680	pczh_107_306.exe	sc.exe
PID 2680 wrote to memory of 1344	2680	pczh_107_306.exe	sc.exe
PID 2680 wrote to memory of 1344	2680	pczh_107_306.exe	sc.exe
PID 2680 wrote to memory of 1344	2680	pczh_107_306.exe	sc.exe
PID 2680 wrote to memory of 1344	2680	pczh_107_306.exe	sc.exe
PID 2680 wrote to memory of 1344	2680	pczh_107_306.exe	sc.exe
PID 2680 wrote to memory of 616	2680	pczh_107_306.exe	Ainqngz4.4.exe
PID 2680 wrote to memory of 616	2680	pczh_107_306.exe	Ainqngz4.4.exe
PID 2680 wrote to memory of 616	2680	pczh_107_306.exe	Ainqngz4.4.exe
PID 2680 wrote to memory of 616	2680	pczh_107_306.exe	Ainqngz4.4.exe
PID 2680 wrote to memory of 616	2680	pczh_107_306.exe	Ainqngz4.4.exe
PID 2680 wrote to memory of 616	2680	pczh_107_306.exe	Ainqngz4.4.exe
PID 2680 wrote to memory of 616	2680	pczh_107_306.exe	Ainqngz4.4.exe
PID 2680 wrote to memory of 920	2680	pczh_107_306.exe	warmth.exe
PID 2680 wrote to memory of 920	2680	pczh_107_306.exe	warmth.exe
PID 2680 wrote to memory of 920	2680	pczh_107_306.exe	warmth.exe
PID 2680 wrote to memory of 920	2680	pczh_107_306.exe	warmth.exe
PID 2680 wrote to memory of 920	2680	pczh_107_306.exe	warmth.exe
PID 2680 wrote to memory of 920	2680	pczh_107_306.exe	warmth.exe
PID 2680 wrote to memory of 920	2680	pczh_107_306.exe	warmth.exe
PID 2620 wrote to memory of 2744	2620	TTK_7160010020140313_v142.exe	TTKMonitor.exe
PID 2620 wrote to memory of 2744	2620	TTK_7160010020140313_v142.exe	TTKMonitor.exe
PID 2620 wrote to memory of 2744	2620	TTK_7160010020140313_v142.exe	TTKMonitor.exe
PID 2620 wrote to memory of 2744	2620	TTK_7160010020140313_v142.exe	TTKMonitor.exe
PID 2620 wrote to memory of 2744	2620	TTK_7160010020140313_v142.exe	TTKMonitor.exe
PID 2620 wrote to memory of 2744	2620	TTK_7160010020140313_v142.exe	TTKMonitor.exe
PID 2620 wrote to memory of 2744	2620	TTK_7160010020140313_v142.exe	TTKMonitor.exe
PID 2744 wrote to memory of 2364	2744	TTKMonitor.exe	cmd.exe
PID 2744 wrote to memory of 2364	2744	TTKMonitor.exe	cmd.exe
PID 2744 wrote to memory of 2364	2744	TTKMonitor.exe	cmd.exe
PID 2744 wrote to memory of 2364	2744	TTKMonitor.exe	cmd.exe
PID 2744 wrote to memory of 2364	2744	TTKMonitor.exe	cmd.exe
PID 2744 wrote to memory of 2364	2744	TTKMonitor.exe	cmd.exe
PID 2744 wrote to memory of 2364	2744	TTKMonitor.exe	cmd.exe
PID 2744 wrote to memory of 2532	2744	TTKMonitor.exe	cmd.exe
PID 2744 wrote to memory of 2532	2744	TTKMonitor.exe	cmd.exe
PID 2744 wrote to memory of 2532	2744	TTKMonitor.exe	cmd.exe
PID 2744 wrote to memory of 2532	2744	TTKMonitor.exe	cmd.exe
PID 2744 wrote to memory of 2532	2744	TTKMonitor.exe	cmd.exe
PID 2744 wrote to memory of 2532	2744	TTKMonitor.exe	cmd.exe
PID 2744 wrote to memory of 2532	2744	TTKMonitor.exe	cmd.exe
PID 2364 wrote to memory of 2804	2364	cmd.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2656

C:\Program Files (x86)\OnlineInstal\pczh_107_306.exe
"C:\Program Files (x86)\OnlineInstal\pczh_107_306.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\sc.exe
sc create "Entshu Service1262024574013743" displayname= "2262024574013743" binPath= "C:\Program Files (x86)\ainqngz4.4\Enthu.exe" start= auto
3⤵
- Launches sc.exe
PID:1372

C:\Windows\SysWOW64\sc.exe
sc description "Entshu Service1262024574013743" "Entshu Service3262024574013743"
3⤵
- Launches sc.exe
PID:1344

C:\Program Files (x86)\ainqngz4.4\Ainqngz4.4.exe
"C:\Program Files (x86)\ainqngz4.4\Ainqngz4.4.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:616

C:\Program Files (x86)\ainqngz4.4\warmth.exe
"C:\Program Files (x86)\ainqngz4.4\warmth.exe" /s/s
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:920

C:\Program Files (x86)\OnlineInstal\TTK_7160010020140313_v142.exe
"C:\Program Files (x86)\OnlineInstal\TTK_7160010020140313_v142.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2620

C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\TTKMonitor.exe
"C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\TTKMonitor.exe" -install
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c sc config Schedule start= auto
4⤵
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\SysWOW64\sc.exe
sc config Schedule start= auto
5⤵
- Launches sc.exe
PID:2804

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c net start Schedule
4⤵
PID:2532

C:\Windows\SysWOW64\net.exe
net start Schedule
5⤵
PID:2960

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start Schedule
6⤵
PID:3004

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\TTSRegPlugin.bat" "
3⤵
PID:2840

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s .\TTSIEPlugin_64.dll
4⤵
PID:1976

C:\Windows\system32\regsvr32.exe
/s .\TTSIEPlugin_64.dll
5⤵
- Registers COM server for autorun
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:1776

C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\Taotaosou.exe
"C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\Taotaosou.exe" -hide
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2956

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ainqngz4.4\uninstall.exe
Filesize
130KB

MD5
01fcfcee365d74b3fb9a742813e99b32

SHA1
42ef86ba1e791b2c9d6c80c52336f118d50302ce

SHA256
fa92d5aafbfe3f3d8bc1cf96f23855b14a9540c4440747b7672c95a47507b2eb

SHA512
0ebe0ecdf38a4030eb82dd20d66983657b094c9e794ee460cf45203c1ca32c789b8160fa909f2036c4913258a2c71323a6e162a7e77216f0eef92921a9432281

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\css\popup.css
Filesize
2KB

MD5
bd7e1817e61004bda3b62871950760ac

SHA1
9ed5506546c5088445990e404b39b69fc68698a1

SHA256
598e5dc8939df74a74c2ec1716fb90ac01c0cee69c7f8b3cfadbaf05fbf8f63b

SHA512
a32ebd64e1bbaf64654032429d7ab5d7bb9d33ae2c569b9d59f8182e6642e331a5ce22186f8e1f3c29777c236d9a1315286877ea825ee89e61352b29be7dfa33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\html\background.html
Filesize
521B

MD5
d6a1dbc91e4cd9dd1c1137de4eeab815

SHA1
9976b7d283668fd459cbf194be396d5d2314175b

SHA256
fd3252572d2915586370469f8105d9b3bed084dac0d197f35b8412a61c96f0ea

SHA512
d68cdcf12d6481254e7fac9b4cb2d462616148de85bd0b09e2c2b32091144d73cb7070b0e57849e5cd62a6d5f07bf7514a64c7380c21e5538b5ffbf3e61aca50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\html\popup.html
Filesize
570B

MD5
92150132a7c261e70f1341db3996570c

SHA1
0467f2f605f1c4cbb12621dd0bbbdf1ca3188e11

SHA256
b2eaeb4a6e2b4f958a7258ed5db463c09986707be543319106c346389cd0de9c

SHA512
8a7ba6ccb2670f62cd83fb60e0d8f24a82524ce968667778e95aced9d90d7b8ef36f587731a8716d55c82235b117dfc224e3113312b456d946013b0041299b40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\img\icon-128.png
Filesize
10KB

MD5
562718c63e4f81d1a3094d3d441e2515

SHA1
42ecd4729a9269a088f442cccb3c1f39adf6a598

SHA256
cd6af6e1a76cff5f859b72ca793c3637169b8d82ac2227c70a08e44d5ef2b7b4

SHA512
23901f2da13b245014ede00f2c90c07abd14a6440cec6d3b2c975c2bd1204685959c6b4bd2eb8053fc2f414d2bf988271026d5ee9a17a7703c23bb521c183fc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\img\icon.png
Filesize
3KB

MD5
15babbf6a90ea5a97d78570326880c02

SHA1
0e6c7f6ed19628863cc52247bd4bfaf17f450cdf

SHA256
ac62106fe8c1282f1d7be2ec3c37d9372181a1a0b9c6c75cf689015c886bc43d

SHA512
76636d1a59939a0cfaf0981fd7cdfb8316102ed4dadcea6dd8e9786e637a69323aa4e1ddfc6f7dc4d1b889232125a1b3fa78408ebfcfe9c99acea1fee414151b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\js\background.js
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\js\background.js
Filesize
6KB

MD5
aa658d05cdffd2837dd52432c712dc82

SHA1
0da3125a1b1260ae69cd4e388cc78f6553a43ab7

SHA256
a527d3f984ecbebc5c946b636bde1eb2b5d6eac8b8d501929aaf97ee7d70bf41

SHA512
b38aedf07fbac16f38e97644f3ed20162868ce1b03066c751a340eb616199f85eac901b33facf6c272bfc2b3ba14cc8443e4ba14c0d3f67ed044864031a189ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\js\content.js
Filesize
1KB

MD5
8770047694090f88fca3d693e6db8e18

SHA1
db87d21676c203a547b382af47d0b91daabeae42

SHA256
400fd1eb674b327c84770ede89451d57bd09486eb8bd2e0a7f162649724d6bbc

SHA512
5e9e8c9c848d558de907418bc2e06a72a665165e8187dd9b298330a7d35d9ef016fc388fb5da7a1e4e7934ab7642732c49b2d1bfd5e62124122f59ac577341c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\js\lib\jquery.js
Filesize
91KB

MD5
e1288116312e4728f98923c79b034b67

SHA1
8b6babff47b8a9793f37036fd1b1a3ad41d38423

SHA256
ba6eda7945ab8d7e57b34cc5a3dd292fa2e4c60a5ced79236ecf1a9e0f0c2d32

SHA512
bf28a9a446e50639a9592d7651f89511fc4e583e213f20a0dff3a44e1a7d73ceefdb6597db121c7742bde92410a27d83d92e2e86466858a19803e72a168e5656

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\js\lib\swfobject.js
Filesize
9KB

MD5
84e07fa8222e5bf3f356cd7cec454b61

SHA1
9c4605fbe1c44c12791e498ed307840c15da702a

SHA256
a2d68e4530bbf55b595085ad00ef6999cb64574eb58b44b53ef0516fa7fa4aed

SHA512
b6a9df92c90a33dd5578580c2a7c0ede7deb08f1d747f6ce191c57e46f1fd816d58d61ab17e7edb77728124b6c3dd7e72f9a44b650d48d58a6218e62698b4ee8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\js\lib\web_socket.js
Filesize
13KB

MD5
16cc6f1dbe8a9936dade0386314dc1db

SHA1
b07256433a0fb22ca05d1b9c40ccb1cbf550f692

SHA256
7069345bae712c607c200730e5bb395fd82457f20051ecf651ab727e1079833d

SHA512
05784d66f98da839a41f8705884569c8148fb060a256a1fe72582bdc411656e693bf9e56d5c332cd5209af9c9f845459fa0cda982a7de3432435172b90577c23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\js\login\login.js
Filesize
656B

MD5
01125d49e4716645cafea1da101cc15b

SHA1
d9bfa09eef23318866f3d8864677231fba4148ea

SHA256
eee8d557370f3118d284532c2773232166a1f3dc405189f914d705ae713860ba

SHA512
e695d0cb729942a44bfda97f03ca9a4f13d76a0a296aa02728bee6e66291f91fcb632626ba96cb90cf7bcc7a7454a21d1d5c42ecaf441e7eca88c6476375d357

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\js\login\loginFrame.js
Filesize
402B

MD5
de94740069de39fa8300ae286d7c40fc

SHA1
12d47257f128dcef53cf4107f3ed1d5742d3edcb

SHA256
0e39dd7984cdc818ba572c487c2999826b41fe2ae3f801216b5f53d9838c75c8

SHA512
b9120dc0c9e848a55238e7331c7b2abe7be9c494409877f809045cde3079955ffec26872dddd9cfd904a978cb70b429705f5a55fe4eb92064e64223d27caf3ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\js\popup.js
Filesize
294B

MD5
58f48ef3e43ddf4f753c2d796cee76f1

SHA1
2a57a9c5669d26ec47d8cc4a70fe280df5344414

SHA256
cf69807550b028264cb9857a0e46c8b1cb54b708efb3a43016f264fd36467c31

SHA512
68d2f1c65525bb5d8acd83f7e0f035384faa021b7ffc55f3811410e20eb75bc6b5267ad0ec4bcefe9e073f9fd3f33ccbeea93845917bdc0fbb2e547029374d80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\manifest.json
Filesize
1KB

MD5
80f31d22d3f79159727c0ca63dbda9a1

SHA1
6db303e1c6c541d7ea5f4301c3e075174514f70a

SHA256
2cc2f6d9d0b4652e30fe4bc5b6ac5917b09fd6263ebdfdbfcf91fc409db95d68

SHA512
5c2bf8910799f0567529d79459b1ccdb85e21e038a2abc440a042c88ff47c879d758309a3712f6919906640091fffe9365a139a646d94f1ee44c2762e7591b44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\plugin\nptaotaosouplugin.dll
Filesize
72KB

MD5
8aa48ee17987e101ba6e9b2ceb027f47

SHA1
44f62c7121e2791b3e8148959e1d275609338cec

SHA256
f7a5c4d01b9f7da81dfd28944e2a6de723bc87d02c9d991b86d7a59465d8c28b

SHA512
8484be3d076176cc3898d3b9e2bb1090becfe63f7f051cd1994b2647b15e311f26b782b1f9c2341da6c479d881caaf39c5f2ae9f7eee5852b06d03195ef0aecb

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\TTSRegPlugin.bat
Filesize
73B

MD5
c7e8d764bb3afd9d90122c1e67ab04ad

SHA1
4992549ce2c208c804a0b053b798b07dd5e102a1

SHA256
92d0cfb9d06cd867d169f4b9f9eb9ccf82ef7d72605a5066e4c2415b667254a8

SHA512
89fcc9989ad422b3bb7be906c19a8b42ccddc842def42075aba53203564eaef6ea991162a78f264b819c881927ad4dbbf1b6cf69ca9e2e67d729b0a039ddf08e

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\TaoTaoSou.exe
Filesize
621KB

MD5
6c4a5a299c5c40aa34a3b63d0d8be3eb

SHA1
57e5a70e3d1622e8219d0aded90702cb84afa153

SHA256
7f2fd7821d726dfb4e293b48b6c9e1a3d4e61b4d1f7626a09a4860935add3dd1

SHA512
d402589a184311a9e9b620e4ceaec987871ae7668be89b94b025b7fac46ebc83e8a667ed3264c3ca9df88afbb3aba7bc815b96d8f7c02c7c0f7dd58885373186

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\Uninstall.exe
Filesize
116KB

MD5
2ad341c67ade9725f1e60db8909badd8

SHA1
bd8a0209798ae7ff762586d74192409c1ea2764d

SHA256
c1608d2a39390eaaef90488f3303c3d59ae6842f87af567f24b914d78956f648

SHA512
02bbe08f03581fdb36d6a6e9aa0c10db906ff6a8d1979eba2091d17e10b7317d64273966582e18d37508d6e90f41651cb70f725c53784e2932d3601d0a9fa9bf

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\ttk_icon.ico
Filesize
47KB

MD5
642290fe65f540ed7b1b0ffdda78bb66

SHA1
c988450c86bc4dd70ab5c1b520f80270845c92a6

SHA256
59f9c6a2a09097fbdf45df570cdd92547abaa553eb9284aa159cd658d2337e72

SHA512
d7169e32d0c95efedacd6e809a6d7c812ecd5c1be881deedd9ea99feaa839b590a03f2f6586a66cb5ac534d23def83ff895253432008fc3a14bfc442660c246f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar825A.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd14AB.tmp\Base64.dll
Filesize
4KB

MD5
f0e3845fefd227d7f1101850410ec849

SHA1
3067203fafd4237be0c186ddab7029dfcbdfb53e

SHA256
7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554

SHA512
584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd14AB.tmp\Inetc.dll
Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd14AB.tmp\Math.dll
Filesize
66KB

MD5
b140459077c7c39be4bef249c2f84535

SHA1
c56498241c2ddafb01961596da16d08d1b11cd35

SHA256
0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67

SHA512
fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd14AB.tmp\md5dll.dll
Filesize
8KB

MD5
a7d710e78711d5ab90e4792763241754

SHA1
f31cecd926c5d497aba163a17b75975ec34beb13

SHA256
9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2

SHA512
f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy13F0.tmp\Internet.dll
Filesize
4KB

MD5
78d026611a970fe14e983a6b9490ea34

SHA1
cbf63f3aade515f3fc3fbbcc4e12913f1a472d49

SHA256
96100f4ba9563ced97add567f4461541cbe9a085ab5276754bee38dc060a6867

SHA512
efbb6bcca88dae073babac2dcf1ad8444c209792cd82820a00483fa365cb899f4979ca29d6ca22de4b975eae2dab8e736a83bc574265925cafcdcfae9cb7915f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy13F0.tmp\ZipDLL.dll
Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy13F0.tmp\md5dll.dll
Filesize
6KB

MD5
62d8907081163ac876b635b034fcac80

SHA1
242741234ae35d02a6ab2aacbbe50a34985537e3

SHA256
eb55c822401ae1f5b1db987583e2abc4fe149a3d4b1564b1335ebd39c863f0d0

SHA512
b6e1bc57ad58489c82c59ddf7030d3a42fd44db3d569d4101bc2dc27835323a4b2517403682755bd086dba9d83aa84a45f81ca8388755890c8b4cafab6f67a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy13F0.tmp\textreplace.dll
Filesize
5KB

MD5
72d1177bad86f4df8eaee2a8afe50e6f

SHA1
c36019dfa2ff5c90c9da31c89dfcda08f93df68d

SHA256
c058f4439617bdb2019c90abd9920070a23f751b9349051d0744280cd5d9c5d7

SHA512
e0e764fcafa833f94ad2d5ae2a407f3e35bd27efa078625d5a2c9372ea28d7889c4b339e457d6fd7c3c90475b2d1603142a8c46a23f59b5784478860b06ee1b3

Download Submit
\Program Files (x86)\OnlineInstal\TTK_7160010020140313_v142.exe
Filesize
1.3MB

MD5
c16810b408101624dd321c5928dc4ad7

SHA1
5708db9d835aeee0615347d743c00574703f30ca

SHA256
d3f07cf241add089b2343d3f41b21612eaa34fc4051dad8c5fb3f3af2eb1f1d2

SHA512
bb7d0f03fd64f9d61c7ba7e6f042cce4066928d50fe859077bf07b7a8e55d1f5fe73a53a3d7444b9580858bb4ddb7e0f24a047cb2e4ffa4d23833fe2352df2be

Download Submit
\Program Files (x86)\OnlineInstal\pczh_107_306.exe
Filesize
405KB

MD5
3ad6b8cc19fc60345072b86a547da041

SHA1
191c1c212a9398f2e518167ee4c48938ff1a678b

SHA256
93414578c5cae88f06c542576c3255c39dfddd3b53feb72fdb5cfcf5bc65e62e

SHA512
3b37ae194d37992232570dac468d20cff37f6aff8677fe68ee624960134822b529cb1f79644311f39777a0c701f5886b796c4c88846e12be7f6e12414d73a4fb

Download Submit
\Program Files (x86)\ainqngz4.4\Ainqngz4.4.exe
Filesize
124KB

MD5
d147c7786eb72b44414e78fbe11762fe

SHA1
27d3af59f58f98504a24f3ae14a92ee762dcf8f9

SHA256
0d015e7f55de910ff39970fde2608d5a25338c57a843a5bf69d8f9d578a068bb

SHA512
8982a8815933d00f1b1ac6d932aeaa879e2cf564ea0349e656f62cf4633dc21eb930327f80d88898fc585fe15570a371bf31f57ab90b6c2f5db68b0c908f3446

Download Submit
\Program Files (x86)\ainqngz4.4\warmth.exe
Filesize
148KB

MD5
20d10b54940aba73e069318943c10ac5

SHA1
2bc9f3941db98e91c0e71a009d6402149d91af00

SHA256
b1b3610ed04e42a99e53732c3d51fee94ec6894c5b856d42916659d083d7047a

SHA512
04b3947b1d4222ca1ecc197c8ae2a5880ea068a6525c018542ed86bbdfdf8d9231969b4c9f214fbbcf2bcfb18d4805b02f0a07e32379c0102b0f9b26c7bd2df7

Download Submit
\Users\Admin\AppData\Local\Temp\nsd14AB.tmp\NSISdl.dll
Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
\Users\Admin\AppData\Local\Temp\nsd14AB.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsd87B.tmp\NSISdl.dll
Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
\Users\Admin\AppData\Local\Temp\nsd87B.tmp\System.dll
Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nsy13F0.tmp\FindProcDLL.dll
Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
\Users\Admin\AppData\Local\Temp\nsy13F0.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsy13F0.tmp\TTKInsAssistant.dll
Filesize
525KB

MD5
fb68e5c27265be945468aae0828c0831

SHA1
c386266e6755273bf69e45072b55afe5bfec2947

SHA256
3e2a5aec6416ac6c1a597240203c11cfad7eecf9dc7dfb5584ebeb590dead6c4

SHA512
eda06d197ce8520c11bc8da118a729064843b1b28ffb90083be61b33b4f62516415a80d3edc5b42b85de364a28b7f24894bb9971af0b3baff7b1365e1bbb9b78

Download Submit
memory/616-317-0x0000000003E30000-0x0000000004E92000-memory.dmp

Filesize
16.4MB

Download
memory/920-316-0x0000000004750000-0x00000000057B2000-memory.dmp

Filesize
16.4MB

Download
memory/2620-459-0x0000000004150000-0x000000000417D000-memory.dmp

Filesize
180KB

Download
memory/2620-122-0x00000000028F0000-0x0000000002979000-memory.dmp

Filesize
548KB

Download
memory/2620-133-0x0000000002A80000-0x0000000002A8B000-memory.dmp

Filesize
44KB

Download
memory/2680-287-0x0000000002820000-0x000000000283A000-memory.dmp

Filesize
104KB

Download