cd8efeeac9e3a9efe818dca544bb0b692f6003799c713d2e965a78b50e112760

Analysis

max time kernel
131s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
Size

1.9MB
MD5

74c54f6cccb6d924bba618c68031d411
SHA1

1a85dea4001ec2de1bba0cd04eb09e74a261ca64
SHA256

cd8efeeac9e3a9efe818dca544bb0b692f6003799c713d2e965a78b50e112760
SHA512

978c724f2e7b5bb324b45b229c4e23232a304bf97851add67b7b32842ff0f280b82069550429385cdfc566adb78e4c3746349e6a74bfbf2f90cc474beb6f24f9
SSDEEP

49152:s+VH+OIpKO8+0IMS6iOMryKrA7bRmtjHBZjL:nVHN6KO83gfDyKrA3Rmtjfn

Score

8^/10

adware bootkit discovery evasion execution persistence spyware stealer trojan

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TTK_7160010020140313_v142.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	TTK_7160010020140313_v142.exe

Executes dropped EXE 6 IoCs

Processes:

pczh_107_306.exeTTK_7160010020140313_v142.exeAinqngz4.4.exewarmth.exeTTKMonitor.exeTaotaosou.exe

pid process

2412 pczh_107_306.exe
1044 TTK_7160010020140313_v142.exe
1400 Ainqngz4.4.exe
1356 warmth.exe
100 TTKMonitor.exe
60 Taotaosou.exe

pid	process
2412	pczh_107_306.exe
1044	TTK_7160010020140313_v142.exe
1400	Ainqngz4.4.exe
1356	warmth.exe
100	TTKMonitor.exe
60	Taotaosou.exe

Loads dropped DLL 64 IoCs

Processes:

74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exeTTK_7160010020140313_v142.exepczh_107_306.exe

pid	process
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
2412	pczh_107_306.exe
2412	pczh_107_306.exe
2412	pczh_107_306.exe
2412	pczh_107_306.exe
2412	pczh_107_306.exe
2412	pczh_107_306.exe
2412	pczh_107_306.exe
2412	pczh_107_306.exe
2412	pczh_107_306.exe
2412	pczh_107_306.exe
2412	pczh_107_306.exe
2412	pczh_107_306.exe
2412	pczh_107_306.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\TaoTaoSou\\TTK\\TTSIEPlugin_64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Taotaosou.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Taotaosou.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Taotaosou.exe

Drops Chrome extension 1 IoCs

Processes:

TTK_7160010020140313_v142.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\manifest.json	TTK_7160010020140313_v142.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exeTTK_7160010020140313_v142.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1022531-9301-4071-A07A-F7237D0DE741}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1022531-9301-4071-A07A-F7237D0DE741}\ = "TTSIEBHO"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1022531-9301-4071-A07A-F7237D0DE741}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1022531-9301-4071-A07A-F7237D0DE741}	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1022531-9301-4071-A07A-F7237D0DE741}\ = "TTSIEBHO"	TTK_7160010020140313_v142.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1022531-9301-4071-A07A-F7237D0DE741}\NoExplorer = "1"	TTK_7160010020140313_v142.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

TTK_7160010020140313_v142.exe

description ioc process

File opened for modification \??\PhysicalDrive0 TTK_7160010020140313_v142.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	TTK_7160010020140313_v142.exe

Drops file in Program Files directory 13 IoCs

Processes:

74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exepczh_107_306.exe

description	ioc	process
File created	C:\Program Files (x86)\OnlineInstal\ie.ico	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
File created	C:\Program Files (x86)\OnlineInstal\pczh_107_306.exe	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
File created	C:\Program Files (x86)\OnlineInstal\2345µ¼º½.url	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
File created	C:\Program Files (x86)\OnlineInstal\TTK_7160010020140313_v142.exe	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
File created	C:\Program Files (x86)\OnlineInstal\ËÑ¹·µ¼º½.url	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\OnlineInstal\uboskin\config.ini	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
File created	C:\Program Files (x86)\OnlineInstal\360.ico	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
File created	C:\Program Files (x86)\OnlineInstal\tj.txt	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
File created	C:\Program Files (x86)\ainqngz4.4\uninstall.exe	pczh_107_306.exe
File created	C:\Program Files (x86)\OnlineInstal\uboskin\config.ini	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
File created	C:\Program Files (x86)\ainqngz4.4\Ainqngz4.4.exe	pczh_107_306.exe
File created	C:\Program Files (x86)\ainqngz4.4\warmth.exe	pczh_107_306.exe
File created	C:\Program Files (x86)\ainqngz4.4\Enthu.exe	pczh_107_306.exe

Drops file in Windows directory 2 IoCs

Processes:

TTKMonitor.exe

description	ioc	process
File created	C:\Windows\Tasks\TaoTongKuanUpdateTask.job	TTKMonitor.exe
File opened for modification	C:\Windows\Tasks\TaoTongKuanUpdateTask.job	TTKMonitor.exe

Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2708 sc.exe
3588 sc.exe
1240 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2708	sc.exe
3588	sc.exe
1240	sc.exe

NSIS installer 8 IoCs

installer

Processes:

resource	yara_rule
C:\Program Files (x86)\OnlineInstal\pczh_107_306.exe	nsis_installer_1
C:\Program Files (x86)\OnlineInstal\pczh_107_306.exe	nsis_installer_2
C:\Program Files (x86)\OnlineInstal\TTK_7160010020140313_v142.exe	nsis_installer_1
C:\Program Files (x86)\OnlineInstal\TTK_7160010020140313_v142.exe	nsis_installer_2
C:\Program Files (x86)\ainqngz4.4\uninstall.exe	nsis_installer_1
C:\Program Files (x86)\ainqngz4.4\uninstall.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\Uninstall.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\Uninstall.exe	nsis_installer_2

Modifies registry class 64 IoCs

Processes:

regsvr32.exeTTK_7160010020140313_v142.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\ = "ÌÔÌÔËÑ±È¼Û(ÌÔÍ¬¿î)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\TaoTaoSou\\TTK\\TTSIEPlugin_64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{ADCF888E-D1CB-4B41-A065-33EDAB7A1DF9}	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\HELPDIR	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\TypeLib	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\TypeLib\ = "{AFB37209-747D-48B7-98A8-682371F2C841}"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\VersionIndependentProgID\ = "TTSIEPlugin.TTSIEBHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\ = "TTSIEPlugin 1.2 Type Library"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\0	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\TaoTaoSou\\TTK\\TTSIEPlugin.dll"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\ProgID\ = "TTSIEPlugin.TTSIEBHO.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO.1\CLSID\ = "{E1022531-9301-4071-A07A-F7237D0DE741}"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\ = "ITTSIEBHO"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\TypeLib	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\TypeLib\Version = "1.0"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\ = "ÌÔÌÔËÑ±È¼Û(ÌÔÍ¬¿î)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\TaoTaoSou\\TTK\\TTSIEPlugin_64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO.1	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\VersionIndependentProgID	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\TaoTaoSou\\TTK\\TTSIEPlugin.dll"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\ProxyStubClsid32	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\ = "ITTSIEBHO"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\TypeLib	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\CLSID\ = "{E1022531-9301-4071-A07A-F7237D0DE741}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\ = "ÌÔÌÔËÑ±È¼Û(ÌÔÍ¬¿î)"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\ProgID	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\ProgID\ = "TTSIEPlugin.TTSIEBHO.1"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\CLSID\ = "{E1022531-9301-4071-A07A-F7237D0DE741}"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\CurVer	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\TTSIEPlugin.DLL	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO.1\ = "ÌÔÌÔËÑ±È¼Û(ÌÔÍ¬¿î)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\ = "ÌÔÌÔËÑ±È¼Û(ÌÔÍ¬¿î)"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\TypeLib\ = "{AFB37209-747D-48B7-98A8-682371F2C841}"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\TaoTaoSou\\TTK"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{ADCF888E-D1CB-4B41-A065-33EDAB7A1DF9}\ = "TTSIEPlugin"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO.1\ = "ÌÔÌÔËÑ±È¼Û(ÌÔÍ¬¿î)"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\VersionIndependentProgID\ = "TTSIEPlugin.TTSIEBHO"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32\ThreadingModel = "Apartment"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\TTSIEPlugin.DLL\AppID = "{ADCF888E-D1CB-4B41-A065-33EDAB7A1DF9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\0\win64	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\CLSID	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\Programmable	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\FLAGS	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\0\win32	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\CurVer\ = "TTSIEPlugin.TTSIEBHO.1"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\ProxyStubClsid32	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{ADCF888E-D1CB-4B41-A065-33EDAB7A1DF9}\ = "TTSIEPlugin"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\TypeLib\ = "{AFB37209-747D-48B7-98A8-682371F2C841}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\TypeLib\ = "{AFB37209-747D-48B7-98A8-682371F2C841}"	TTK_7160010020140313_v142.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

TTK_7160010020140313_v142.exepczh_107_306.exe

pid	process
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
1044	TTK_7160010020140313_v142.exe
2412	pczh_107_306.exe
2412	pczh_107_306.exe
2412	pczh_107_306.exe
2412	pczh_107_306.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

warmth.exe

description pid process

Token: 33 1356 warmth.exe
Token: SeIncBasePriorityPrivilege 1356 warmth.exe

description	pid	process
Token: 33	1356	warmth.exe
Token: SeIncBasePriorityPrivilege	1356	warmth.exe

Suspicious use of FindShellTrayWindow 16 IoCs

Processes:

Ainqngz4.4.exewarmth.exeTTK_7160010020140313_v142.exeTaotaosou.exe

pid	process
1400	Ainqngz4.4.exe
1356	warmth.exe
1044	TTK_7160010020140313_v142.exe
60	Taotaosou.exe
60	Taotaosou.exe
60	Taotaosou.exe
60	Taotaosou.exe
60	Taotaosou.exe
60	Taotaosou.exe
60	Taotaosou.exe
60	Taotaosou.exe
60	Taotaosou.exe
60	Taotaosou.exe
60	Taotaosou.exe
60	Taotaosou.exe
60	Taotaosou.exe

Suspicious use of SendNotifyMessage 13 IoCs

Processes:

Taotaosou.exe

pid	process
60	Taotaosou.exe
60	Taotaosou.exe
60	Taotaosou.exe
60	Taotaosou.exe
60	Taotaosou.exe
60	Taotaosou.exe
60	Taotaosou.exe
60	Taotaosou.exe
60	Taotaosou.exe
60	Taotaosou.exe
60	Taotaosou.exe
60	Taotaosou.exe
60	Taotaosou.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

Ainqngz4.4.exewarmth.exeTaotaosou.exe

pid process

1400 Ainqngz4.4.exe
1356 warmth.exe
1356 warmth.exe
1356 warmth.exe
1400 Ainqngz4.4.exe
1400 Ainqngz4.4.exe
60 Taotaosou.exe
60 Taotaosou.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exepczh_107_306.exeTTK_7160010020140313_v142.exeTTKMonitor.execmd.execmd.exenet.execmd.exeregsvr32.exe

description	pid	process	target process
PID 2280 wrote to memory of 2412	2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe	pczh_107_306.exe
PID 2280 wrote to memory of 2412	2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe	pczh_107_306.exe
PID 2280 wrote to memory of 2412	2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe	pczh_107_306.exe
PID 2280 wrote to memory of 1044	2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe	TTK_7160010020140313_v142.exe
PID 2280 wrote to memory of 1044	2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe	TTK_7160010020140313_v142.exe
PID 2280 wrote to memory of 1044	2280	74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe	TTK_7160010020140313_v142.exe
PID 2412 wrote to memory of 2708	2412	pczh_107_306.exe	sc.exe
PID 2412 wrote to memory of 2708	2412	pczh_107_306.exe	sc.exe
PID 2412 wrote to memory of 2708	2412	pczh_107_306.exe	sc.exe
PID 2412 wrote to memory of 3588	2412	pczh_107_306.exe	sc.exe
PID 2412 wrote to memory of 3588	2412	pczh_107_306.exe	sc.exe
PID 2412 wrote to memory of 3588	2412	pczh_107_306.exe	sc.exe
PID 2412 wrote to memory of 1400	2412	pczh_107_306.exe	Ainqngz4.4.exe
PID 2412 wrote to memory of 1400	2412	pczh_107_306.exe	Ainqngz4.4.exe
PID 2412 wrote to memory of 1400	2412	pczh_107_306.exe	Ainqngz4.4.exe
PID 2412 wrote to memory of 1356	2412	pczh_107_306.exe	warmth.exe
PID 2412 wrote to memory of 1356	2412	pczh_107_306.exe	warmth.exe
PID 2412 wrote to memory of 1356	2412	pczh_107_306.exe	warmth.exe
PID 1044 wrote to memory of 100	1044	TTK_7160010020140313_v142.exe	TTKMonitor.exe
PID 1044 wrote to memory of 100	1044	TTK_7160010020140313_v142.exe	TTKMonitor.exe
PID 1044 wrote to memory of 100	1044	TTK_7160010020140313_v142.exe	TTKMonitor.exe
PID 100 wrote to memory of 3428	100	TTKMonitor.exe	cmd.exe
PID 100 wrote to memory of 3428	100	TTKMonitor.exe	cmd.exe
PID 100 wrote to memory of 3428	100	TTKMonitor.exe	cmd.exe
PID 100 wrote to memory of 2840	100	TTKMonitor.exe	cmd.exe
PID 100 wrote to memory of 2840	100	TTKMonitor.exe	cmd.exe
PID 100 wrote to memory of 2840	100	TTKMonitor.exe	cmd.exe
PID 3428 wrote to memory of 1240	3428	cmd.exe	sc.exe
PID 3428 wrote to memory of 1240	3428	cmd.exe	sc.exe
PID 3428 wrote to memory of 1240	3428	cmd.exe	sc.exe
PID 2840 wrote to memory of 3036	2840	cmd.exe	net.exe
PID 2840 wrote to memory of 3036	2840	cmd.exe	net.exe
PID 2840 wrote to memory of 3036	2840	cmd.exe	net.exe
PID 3036 wrote to memory of 3568	3036	net.exe	net1.exe
PID 3036 wrote to memory of 3568	3036	net.exe	net1.exe
PID 3036 wrote to memory of 3568	3036	net.exe	net1.exe
PID 1044 wrote to memory of 2092	1044	TTK_7160010020140313_v142.exe	cmd.exe
PID 1044 wrote to memory of 2092	1044	TTK_7160010020140313_v142.exe	cmd.exe
PID 1044 wrote to memory of 2092	1044	TTK_7160010020140313_v142.exe	cmd.exe
PID 2092 wrote to memory of 2840	2092	cmd.exe	regsvr32.exe
PID 2092 wrote to memory of 2840	2092	cmd.exe	regsvr32.exe
PID 2092 wrote to memory of 2840	2092	cmd.exe	regsvr32.exe
PID 2840 wrote to memory of 4208	2840	regsvr32.exe	regsvr32.exe
PID 2840 wrote to memory of 4208	2840	regsvr32.exe	regsvr32.exe
PID 1044 wrote to memory of 60	1044	TTK_7160010020140313_v142.exe	Taotaosou.exe
PID 1044 wrote to memory of 60	1044	TTK_7160010020140313_v142.exe	Taotaosou.exe
PID 1044 wrote to memory of 60	1044	TTK_7160010020140313_v142.exe	Taotaosou.exe

C:\Users\Admin\AppData\Local\Temp\74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\74c54f6cccb6d924bba618c68031d411_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Program Files (x86)\OnlineInstal\pczh_107_306.exe
  "C:\Program Files (x86)\OnlineInstal\pczh_107_306.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\SysWOW64\sc.exe
    sc create "Entshu Service1262024574011999" displayname= "2262024574011999" binPath= "C:\Program Files (x86)\ainqngz4.4\Enthu.exe" start= auto
    3⤵
    - Launches sc.exe
    PID:2708
- - C:\Windows\SysWOW64\sc.exe
    sc description "Entshu Service1262024574011999" "Entshu Service3262024574011999"
    3⤵
    - Launches sc.exe
    PID:3588
- - C:\Program Files (x86)\ainqngz4.4\Ainqngz4.4.exe
    "C:\Program Files (x86)\ainqngz4.4\Ainqngz4.4.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1400
- - C:\Program Files (x86)\ainqngz4.4\warmth.exe
    "C:\Program Files (x86)\ainqngz4.4\warmth.exe" /s/s
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1356
- C:\Program Files (x86)\OnlineInstal\TTK_7160010020140313_v142.exe
  "C:\Program Files (x86)\OnlineInstal\TTK_7160010020140313_v142.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Writes to the Master Boot Record (MBR)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\TTKMonitor.exe
    "C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\TTKMonitor.exe" -install
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:100
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c sc config Schedule start= auto
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3428
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config Schedule start= auto
        5⤵
        Launches sc.exe
        
        PID:1240
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c net start Schedule
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\SysWOW64\net.exe
        
        net start Schedule
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3036
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start Schedule
        6⤵
        
        PID:3568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\TTSRegPlugin.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s .\TTSIEPlugin_64.dll
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\system32\regsvr32.exe
        
        /s .\TTSIEPlugin_64.dll
        5⤵
        Registers COM server for autorun
        Installs/modifies Browser Helper Object
        Modifies registry class
        
        PID:4208
- - C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\Taotaosou.exe
    "C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\Taotaosou.exe" -hide
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:60

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\OnlineInstal\TTK_7160010020140313_v142.exe

Filesize
1.3MB

MD5
c16810b408101624dd321c5928dc4ad7

SHA1
5708db9d835aeee0615347d743c00574703f30ca

SHA256
d3f07cf241add089b2343d3f41b21612eaa34fc4051dad8c5fb3f3af2eb1f1d2

SHA512
bb7d0f03fd64f9d61c7ba7e6f042cce4066928d50fe859077bf07b7a8e55d1f5fe73a53a3d7444b9580858bb4ddb7e0f24a047cb2e4ffa4d23833fe2352df2be

Download Submit
C:\Program Files (x86)\OnlineInstal\pczh_107_306.exe

Filesize
405KB

MD5
3ad6b8cc19fc60345072b86a547da041

SHA1
191c1c212a9398f2e518167ee4c48938ff1a678b

SHA256
93414578c5cae88f06c542576c3255c39dfddd3b53feb72fdb5cfcf5bc65e62e

SHA512
3b37ae194d37992232570dac468d20cff37f6aff8677fe68ee624960134822b529cb1f79644311f39777a0c701f5886b796c4c88846e12be7f6e12414d73a4fb

Download Submit
C:\Program Files (x86)\ainqngz4.4\Ainqngz4.4.exe

Filesize
124KB

MD5
d147c7786eb72b44414e78fbe11762fe

SHA1
27d3af59f58f98504a24f3ae14a92ee762dcf8f9

SHA256
0d015e7f55de910ff39970fde2608d5a25338c57a843a5bf69d8f9d578a068bb

SHA512
8982a8815933d00f1b1ac6d932aeaa879e2cf564ea0349e656f62cf4633dc21eb930327f80d88898fc585fe15570a371bf31f57ab90b6c2f5db68b0c908f3446

Download Submit
C:\Program Files (x86)\ainqngz4.4\uninstall.exe

Filesize
130KB

MD5
01fcfcee365d74b3fb9a742813e99b32

SHA1
42ef86ba1e791b2c9d6c80c52336f118d50302ce

SHA256
fa92d5aafbfe3f3d8bc1cf96f23855b14a9540c4440747b7672c95a47507b2eb

SHA512
0ebe0ecdf38a4030eb82dd20d66983657b094c9e794ee460cf45203c1ca32c789b8160fa909f2036c4913258a2c71323a6e162a7e77216f0eef92921a9432281

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\css\popup.css

Filesize
2KB

MD5
bd7e1817e61004bda3b62871950760ac

SHA1
9ed5506546c5088445990e404b39b69fc68698a1

SHA256
598e5dc8939df74a74c2ec1716fb90ac01c0cee69c7f8b3cfadbaf05fbf8f63b

SHA512
a32ebd64e1bbaf64654032429d7ab5d7bb9d33ae2c569b9d59f8182e6642e331a5ce22186f8e1f3c29777c236d9a1315286877ea825ee89e61352b29be7dfa33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\html\background.html

Filesize
521B

MD5
d6a1dbc91e4cd9dd1c1137de4eeab815

SHA1
9976b7d283668fd459cbf194be396d5d2314175b

SHA256
fd3252572d2915586370469f8105d9b3bed084dac0d197f35b8412a61c96f0ea

SHA512
d68cdcf12d6481254e7fac9b4cb2d462616148de85bd0b09e2c2b32091144d73cb7070b0e57849e5cd62a6d5f07bf7514a64c7380c21e5538b5ffbf3e61aca50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\html\popup.html

Filesize
570B

MD5
92150132a7c261e70f1341db3996570c

SHA1
0467f2f605f1c4cbb12621dd0bbbdf1ca3188e11

SHA256
b2eaeb4a6e2b4f958a7258ed5db463c09986707be543319106c346389cd0de9c

SHA512
8a7ba6ccb2670f62cd83fb60e0d8f24a82524ce968667778e95aced9d90d7b8ef36f587731a8716d55c82235b117dfc224e3113312b456d946013b0041299b40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\img\icon-128.png

Filesize
10KB

MD5
562718c63e4f81d1a3094d3d441e2515

SHA1
42ecd4729a9269a088f442cccb3c1f39adf6a598

SHA256
cd6af6e1a76cff5f859b72ca793c3637169b8d82ac2227c70a08e44d5ef2b7b4

SHA512
23901f2da13b245014ede00f2c90c07abd14a6440cec6d3b2c975c2bd1204685959c6b4bd2eb8053fc2f414d2bf988271026d5ee9a17a7703c23bb521c183fc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\img\icon.png

Filesize
3KB

MD5
15babbf6a90ea5a97d78570326880c02

SHA1
0e6c7f6ed19628863cc52247bd4bfaf17f450cdf

SHA256
ac62106fe8c1282f1d7be2ec3c37d9372181a1a0b9c6c75cf689015c886bc43d

SHA512
76636d1a59939a0cfaf0981fd7cdfb8316102ed4dadcea6dd8e9786e637a69323aa4e1ddfc6f7dc4d1b889232125a1b3fa78408ebfcfe9c99acea1fee414151b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\js\background.js

Filesize
6KB

MD5
aa658d05cdffd2837dd52432c712dc82

SHA1
0da3125a1b1260ae69cd4e388cc78f6553a43ab7

SHA256
a527d3f984ecbebc5c946b636bde1eb2b5d6eac8b8d501929aaf97ee7d70bf41

SHA512
b38aedf07fbac16f38e97644f3ed20162868ce1b03066c751a340eb616199f85eac901b33facf6c272bfc2b3ba14cc8443e4ba14c0d3f67ed044864031a189ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\js\background.js

Filesize
6KB

MD5
1f838cafc6101e228140c20ba0b5fe90

SHA1
e1c22d29834120441d34c25c758d0390a6278e51

SHA256
4848bf7d2eb19e21f425a67eda4f42efda7555b855486e4387b057cebb29a18f

SHA512
f54ce03f9cc68a92a3e16cc77ee70f26dfbcc73fd36bf11de36ab7f745cbe69264ed7ab2ea5f66de19bed054267ed001615fbd357c31a67c6e9a5a1b636e0493

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\js\content.js

Filesize
1KB

MD5
8770047694090f88fca3d693e6db8e18

SHA1
db87d21676c203a547b382af47d0b91daabeae42

SHA256
400fd1eb674b327c84770ede89451d57bd09486eb8bd2e0a7f162649724d6bbc

SHA512
5e9e8c9c848d558de907418bc2e06a72a665165e8187dd9b298330a7d35d9ef016fc388fb5da7a1e4e7934ab7642732c49b2d1bfd5e62124122f59ac577341c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\js\lib\jquery.js

Filesize
91KB

MD5
e1288116312e4728f98923c79b034b67

SHA1
8b6babff47b8a9793f37036fd1b1a3ad41d38423

SHA256
ba6eda7945ab8d7e57b34cc5a3dd292fa2e4c60a5ced79236ecf1a9e0f0c2d32

SHA512
bf28a9a446e50639a9592d7651f89511fc4e583e213f20a0dff3a44e1a7d73ceefdb6597db121c7742bde92410a27d83d92e2e86466858a19803e72a168e5656

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\js\lib\swfobject.js

Filesize
9KB

MD5
84e07fa8222e5bf3f356cd7cec454b61

SHA1
9c4605fbe1c44c12791e498ed307840c15da702a

SHA256
a2d68e4530bbf55b595085ad00ef6999cb64574eb58b44b53ef0516fa7fa4aed

SHA512
b6a9df92c90a33dd5578580c2a7c0ede7deb08f1d747f6ce191c57e46f1fd816d58d61ab17e7edb77728124b6c3dd7e72f9a44b650d48d58a6218e62698b4ee8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\js\lib\web_socket.js

Filesize
13KB

MD5
16cc6f1dbe8a9936dade0386314dc1db

SHA1
b07256433a0fb22ca05d1b9c40ccb1cbf550f692

SHA256
7069345bae712c607c200730e5bb395fd82457f20051ecf651ab727e1079833d

SHA512
05784d66f98da839a41f8705884569c8148fb060a256a1fe72582bdc411656e693bf9e56d5c332cd5209af9c9f845459fa0cda982a7de3432435172b90577c23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\js\login\login.js

Filesize
656B

MD5
01125d49e4716645cafea1da101cc15b

SHA1
d9bfa09eef23318866f3d8864677231fba4148ea

SHA256
eee8d557370f3118d284532c2773232166a1f3dc405189f914d705ae713860ba

SHA512
e695d0cb729942a44bfda97f03ca9a4f13d76a0a296aa02728bee6e66291f91fcb632626ba96cb90cf7bcc7a7454a21d1d5c42ecaf441e7eca88c6476375d357

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\js\login\loginFrame.js

Filesize
402B

MD5
de94740069de39fa8300ae286d7c40fc

SHA1
12d47257f128dcef53cf4107f3ed1d5742d3edcb

SHA256
0e39dd7984cdc818ba572c487c2999826b41fe2ae3f801216b5f53d9838c75c8

SHA512
b9120dc0c9e848a55238e7331c7b2abe7be9c494409877f809045cde3079955ffec26872dddd9cfd904a978cb70b429705f5a55fe4eb92064e64223d27caf3ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\js\popup.js

Filesize
294B

MD5
58f48ef3e43ddf4f753c2d796cee76f1

SHA1
2a57a9c5669d26ec47d8cc4a70fe280df5344414

SHA256
cf69807550b028264cb9857a0e46c8b1cb54b708efb3a43016f264fd36467c31

SHA512
68d2f1c65525bb5d8acd83f7e0f035384faa021b7ffc55f3811410e20eb75bc6b5267ad0ec4bcefe9e073f9fd3f33ccbeea93845917bdc0fbb2e547029374d80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\manifest.json

Filesize
1KB

MD5
80f31d22d3f79159727c0ca63dbda9a1

SHA1
6db303e1c6c541d7ea5f4301c3e075174514f70a

SHA256
2cc2f6d9d0b4652e30fe4bc5b6ac5917b09fd6263ebdfdbfcf91fc409db95d68

SHA512
5c2bf8910799f0567529d79459b1ccdb85e21e038a2abc440a042c88ff47c879d758309a3712f6919906640091fffe9365a139a646d94f1ee44c2762e7591b44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\plugin\nptaotaosouplugin.dll

Filesize
72KB

MD5
8aa48ee17987e101ba6e9b2ceb027f47

SHA1
44f62c7121e2791b3e8148959e1d275609338cec

SHA256
f7a5c4d01b9f7da81dfd28944e2a6de723bc87d02c9d991b86d7a59465d8c28b

SHA512
8484be3d076176cc3898d3b9e2bb1090becfe63f7f051cd1994b2647b15e311f26b782b1f9c2341da6c479d881caaf39c5f2ae9f7eee5852b06d03195ef0aecb

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\Preferences.Chrome

Filesize
9KB

MD5
1674eb9cbe193ddd5a232ff5eff2cd72

SHA1
edf4e517877c5f08543ad9d1aa685c6648ac2fb4

SHA256
4f35e885583a558424f12b02741772f858a4703e14077c5c1c2307151a8f51fd

SHA512
01c8a40fb46420f38ddffc105018e83667f5d0411fdde2fc44a599f1008563c8996ab58aac1792c45de2034a928b433e773c01de0a1ef4f3adb2c089846724a5

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\TTSIEPlugin.dll

Filesize
120KB

MD5
ac16704c77593786c65b273e0719400f

SHA1
6d2f5c0f4cdf9c8326b87232627d1eb9699efdab

SHA256
07e95ec9e72347f83e1fde63812fb85b36c0f8770effc34bbb574b259cb3ba97

SHA512
9f763b192a909d0fa9a38e540fe5a8de0bcc5fc7e621b69d1d254f62820dde3b72c81a69ea70ac44f10ec0fd421d076d7f299370d7af1f55e1a00ad7570b7501

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\TaoTaoSou.exe

Filesize
621KB

MD5
6c4a5a299c5c40aa34a3b63d0d8be3eb

SHA1
57e5a70e3d1622e8219d0aded90702cb84afa153

SHA256
7f2fd7821d726dfb4e293b48b6c9e1a3d4e61b4d1f7626a09a4860935add3dd1

SHA512
d402589a184311a9e9b620e4ceaec987871ae7668be89b94b025b7fac46ebc83e8a667ed3264c3ca9df88afbb3aba7bc815b96d8f7c02c7c0f7dd58885373186

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\Uninstall.exe

Filesize
116KB

MD5
2ad341c67ade9725f1e60db8909badd8

SHA1
bd8a0209798ae7ff762586d74192409c1ea2764d

SHA256
c1608d2a39390eaaef90488f3303c3d59ae6842f87af567f24b914d78956f648

SHA512
02bbe08f03581fdb36d6a6e9aa0c10db906ff6a8d1979eba2091d17e10b7317d64273966582e18d37508d6e90f41651cb70f725c53784e2932d3601d0a9fa9bf

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\ttk_icon.ico

Filesize
47KB

MD5
642290fe65f540ed7b1b0ffdda78bb66

SHA1
c988450c86bc4dd70ab5c1b520f80270845c92a6

SHA256
59f9c6a2a09097fbdf45df570cdd92547abaa553eb9284aa159cd658d2337e72

SHA512
d7169e32d0c95efedacd6e809a6d7c812ecd5c1be881deedd9ea99feaa839b590a03f2f6586a66cb5ac534d23def83ff895253432008fc3a14bfc442660c246f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc5892.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc5892.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi5A86.tmp\Base64.dll

Filesize
4KB

MD5
f0e3845fefd227d7f1101850410ec849

SHA1
3067203fafd4237be0c186ddab7029dfcbdfb53e

SHA256
7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554

SHA512
584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi5A86.tmp\Inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi5A86.tmp\Math.dll

Filesize
66KB

MD5
b140459077c7c39be4bef249c2f84535

SHA1
c56498241c2ddafb01961596da16d08d1b11cd35

SHA256
0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67

SHA512
fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi5A86.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi5A86.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi5A86.tmp\md5dll.dll

Filesize
8KB

MD5
a7d710e78711d5ab90e4792763241754

SHA1
f31cecd926c5d497aba163a17b75975ec34beb13

SHA256
9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2

SHA512
f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi5A86.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx5A47.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx5A47.tmp\Internet.dll

Filesize
4KB

MD5
78d026611a970fe14e983a6b9490ea34

SHA1
cbf63f3aade515f3fc3fbbcc4e12913f1a472d49

SHA256
96100f4ba9563ced97add567f4461541cbe9a085ab5276754bee38dc060a6867

SHA512
efbb6bcca88dae073babac2dcf1ad8444c209792cd82820a00483fa365cb899f4979ca29d6ca22de4b975eae2dab8e736a83bc574265925cafcdcfae9cb7915f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx5A47.tmp\TTKInsAssistant.dll

Filesize
525KB

MD5
fb68e5c27265be945468aae0828c0831

SHA1
c386266e6755273bf69e45072b55afe5bfec2947

SHA256
3e2a5aec6416ac6c1a597240203c11cfad7eecf9dc7dfb5584ebeb590dead6c4

SHA512
eda06d197ce8520c11bc8da118a729064843b1b28ffb90083be61b33b4f62516415a80d3edc5b42b85de364a28b7f24894bb9971af0b3baff7b1365e1bbb9b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx5A47.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx5A47.tmp\md5dll.dll

Filesize
6KB

MD5
62d8907081163ac876b635b034fcac80

SHA1
242741234ae35d02a6ab2aacbbe50a34985537e3

SHA256
eb55c822401ae1f5b1db987583e2abc4fe149a3d4b1564b1335ebd39c863f0d0

SHA512
b6e1bc57ad58489c82c59ddf7030d3a42fd44db3d569d4101bc2dc27835323a4b2517403682755bd086dba9d83aa84a45f81ca8388755890c8b4cafab6f67a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx5A47.tmp\textreplace.dll

Filesize
5KB

MD5
72d1177bad86f4df8eaee2a8afe50e6f

SHA1
c36019dfa2ff5c90c9da31c89dfcda08f93df68d

SHA256
c058f4439617bdb2019c90abd9920070a23f751b9349051d0744280cd5d9c5d7

SHA512
e0e764fcafa833f94ad2d5ae2a407f3e35bd27efa078625d5a2c9372ea28d7889c4b339e457d6fd7c3c90475b2d1603142a8c46a23f59b5784478860b06ee1b3

Download Submit
memory/1044-210-0x0000000003290000-0x000000000329B000-memory.dmp

Filesize
44KB

Download
memory/1044-150-0x0000000003030000-0x00000000030B9000-memory.dmp

Filesize
548KB

Download
memory/1044-458-0x0000000003810000-0x000000000383D000-memory.dmp

Filesize
180KB

Download
memory/2412-329-0x0000000004740000-0x000000000475A000-memory.dmp

Filesize
104KB

Download