cd8efeeac9e3a9efe818dca544bb0b692f6003799c713d2e965a78b50e112760

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PROGRAMFILES/OnlineInstal/TTK_7160010020140313_v142.exe
Size

1.3MB
MD5

c16810b408101624dd321c5928dc4ad7
SHA1

5708db9d835aeee0615347d743c00574703f30ca
SHA256

d3f07cf241add089b2343d3f41b21612eaa34fc4051dad8c5fb3f3af2eb1f1d2
SHA512

bb7d0f03fd64f9d61c7ba7e6f042cce4066928d50fe859077bf07b7a8e55d1f5fe73a53a3d7444b9580858bb4ddb7e0f24a047cb2e4ffa4d23833fe2352df2be
SSDEEP

24576:p2XuaQW2H2V++KzvW3oPROy1q34SYOrko8IBRRlUNEDIb:UXB2p+hNyIVcIBQEcb

Score

7^/10

adware bootkit discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

TTKMonitor.exeTaotaosou.exe

pid process

2452 TTKMonitor.exe
2256 Taotaosou.exe

pid	process
2452	TTKMonitor.exe
2256	Taotaosou.exe

Loads dropped DLL 30 IoCs

Processes:

TTK_7160010020140313_v142.exeregsvr32.exeregsvr32.exeTaotaosou.exe

pid	process
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2092	regsvr32.exe
2092	regsvr32.exe
1260	regsvr32.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2256	Taotaosou.exe
2256	Taotaosou.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\TaoTaoSou\\TTK\\TTSIEPlugin_64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Taotaosou.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Taotaosou.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Taotaosou.exe

Drops Chrome extension 1 IoCs

Processes:

TTK_7160010020140313_v142.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\manifest.json	TTK_7160010020140313_v142.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exeTTK_7160010020140313_v142.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1022531-9301-4071-A07A-F7237D0DE741}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E1022531-9301-4071-A07A-F7237D0DE741}	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E1022531-9301-4071-A07A-F7237D0DE741}\ = "TTSIEBHO"	TTK_7160010020140313_v142.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E1022531-9301-4071-A07A-F7237D0DE741}\NoExplorer = "1"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1022531-9301-4071-A07A-F7237D0DE741}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1022531-9301-4071-A07A-F7237D0DE741}\ = "TTSIEBHO"	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

TTK_7160010020140313_v142.exe

description ioc process

File opened for modification \??\PhysicalDrive0 TTK_7160010020140313_v142.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	TTK_7160010020140313_v142.exe

Drops file in Windows directory 2 IoCs

Processes:

TTKMonitor.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\TaoTongKuanUpdateTask.job	TTKMonitor.exe
File created	C:\Windows\Tasks\TaoTongKuanUpdateTask.job	TTKMonitor.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2444 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2444	sc.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\TaoTaoSou\TTK\Uninstall.exe	nsis_installer_1
\Users\Admin\AppData\Local\TaoTaoSou\TTK\Uninstall.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

Taotaosou.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Taotaosou.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	Taotaosou.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Taotaosou.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeTTK_7160010020140313_v142.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\ = "ÌÔÌÔËÑ±È¼Û(ÌÔÍ¬¿î)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\TaoTaoSou\\TTK\\TTSIEPlugin_64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\TypeLib\Version = "1.0"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\TypeLib\Version = "1.0"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\ = "ÌÔÌÔËÑ±È¼Û(ÌÔÍ¬¿î)"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\CLSID	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\CurVer\ = "TTSIEPlugin.TTSIEBHO.1"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\TaoTaoSou\\TTK\\TTSIEPlugin.dll"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{ADCF888E-D1CB-4B41-A065-33EDAB7A1DF9}\ = "TTSIEPlugin"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\CurVer	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\ = "ÌÔÌÔËÑ±È¼Û(ÌÔÍ¬¿î)"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32\ThreadingModel = "Apartment"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\ProxyStubClsid32	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\ProgID\ = "TTSIEPlugin.TTSIEBHO.1"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\Programmable	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\ProxyStubClsid32	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\ = "ITTSIEBHO"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO.1\ = "ÌÔÌÔËÑ±È¼Û(ÌÔÍ¬¿î)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\0\win64	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO.1\ = "ÌÔÌÔËÑ±È¼Û(ÌÔÍ¬¿î)"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\FLAGS	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO.1	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\FLAGS\ = "0"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\TypeLib\ = "{AFB37209-747D-48B7-98A8-682371F2C841}"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\VersionIndependentProgID\ = "TTSIEPlugin.TTSIEBHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\ = "TTSIEPlugin 1.2 Type Library"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\0\win32	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\TypeLib	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\TypeLib	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\TaoTaoSou\\TTK\\TTSIEPlugin.dll"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\TTSIEPlugin.DLL\AppID = "{ADCF888E-D1CB-4B41-A065-33EDAB7A1DF9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\TypeLib\ = "{AFB37209-747D-48B7-98A8-682371F2C841}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\VersionIndependentProgID	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}\ = "ITTSIEBHO"	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{ADCF888E-D1CB-4B41-A065-33EDAB7A1DF9}\ = "TTSIEPlugin"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\HELPDIR	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\TaoTaoSou\\TTK"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BECB3B22-289A-45C1-B704-F27172FF7E20}	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\ProgID\ = "TTSIEPlugin.TTSIEBHO.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\TypeLib\ = "{AFB37209-747D-48B7-98A8-682371F2C841}"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO.1\CLSID\ = "{E1022531-9301-4071-A07A-F7237D0DE741}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\CurVer\ = "TTSIEPlugin.TTSIEBHO.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{ADCF888E-D1CB-4B41-A065-33EDAB7A1DF9}	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\TTSIEPlugin.DLL\AppID = "{ADCF888E-D1CB-4B41-A065-33EDAB7A1DF9}"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\VersionIndependentProgID\ = "TTSIEPlugin.TTSIEBHO"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\TTSIEPlugin.DLL	TTK_7160010020140313_v142.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TTSIEPlugin.TTSIEBHO\CLSID\ = "{E1022531-9301-4071-A07A-F7237D0DE741}"	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\0	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1022531-9301-4071-A07A-F7237D0DE741}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFB37209-747D-48B7-98A8-682371F2C841}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\TaoTaoSou\\TTK\\TTSIEPlugin_64.dll"	regsvr32.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Taotaosou.exeTTK_7160010020140313_v142.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Taotaosou.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Taotaosou.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Taotaosou.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	TTK_7160010020140313_v142.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	TTK_7160010020140313_v142.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	TTK_7160010020140313_v142.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	TTK_7160010020140313_v142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Taotaosou.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

TTK_7160010020140313_v142.exe

pid	process
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe
2868	TTK_7160010020140313_v142.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

TTK_7160010020140313_v142.exeTaotaosou.exe

pid	process
2868	TTK_7160010020140313_v142.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

Taotaosou.exe

pid	process
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe
2256	Taotaosou.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Taotaosou.exe

pid process

2256 Taotaosou.exe
2256 Taotaosou.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

TTK_7160010020140313_v142.exeTTKMonitor.execmd.execmd.exenet.execmd.exeregsvr32.exe

description	pid	process	target process
PID 2868 wrote to memory of 2452	2868	TTK_7160010020140313_v142.exe	TTKMonitor.exe
PID 2868 wrote to memory of 2452	2868	TTK_7160010020140313_v142.exe	TTKMonitor.exe
PID 2868 wrote to memory of 2452	2868	TTK_7160010020140313_v142.exe	TTKMonitor.exe
PID 2868 wrote to memory of 2452	2868	TTK_7160010020140313_v142.exe	TTKMonitor.exe
PID 2452 wrote to memory of 2828	2452	TTKMonitor.exe	cmd.exe
PID 2452 wrote to memory of 2828	2452	TTKMonitor.exe	cmd.exe
PID 2452 wrote to memory of 2828	2452	TTKMonitor.exe	cmd.exe
PID 2452 wrote to memory of 2828	2452	TTKMonitor.exe	cmd.exe
PID 2452 wrote to memory of 2896	2452	TTKMonitor.exe	cmd.exe
PID 2452 wrote to memory of 2896	2452	TTKMonitor.exe	cmd.exe
PID 2452 wrote to memory of 2896	2452	TTKMonitor.exe	cmd.exe
PID 2452 wrote to memory of 2896	2452	TTKMonitor.exe	cmd.exe
PID 2896 wrote to memory of 1924	2896	cmd.exe	net.exe
PID 2896 wrote to memory of 1924	2896	cmd.exe	net.exe
PID 2896 wrote to memory of 1924	2896	cmd.exe	net.exe
PID 2896 wrote to memory of 1924	2896	cmd.exe	net.exe
PID 2828 wrote to memory of 2444	2828	cmd.exe	sc.exe
PID 2828 wrote to memory of 2444	2828	cmd.exe	sc.exe
PID 2828 wrote to memory of 2444	2828	cmd.exe	sc.exe
PID 2828 wrote to memory of 2444	2828	cmd.exe	sc.exe
PID 1924 wrote to memory of 2296	1924	net.exe	net1.exe
PID 1924 wrote to memory of 2296	1924	net.exe	net1.exe
PID 1924 wrote to memory of 2296	1924	net.exe	net1.exe
PID 1924 wrote to memory of 2296	1924	net.exe	net1.exe
PID 2868 wrote to memory of 2224	2868	TTK_7160010020140313_v142.exe	cmd.exe
PID 2868 wrote to memory of 2224	2868	TTK_7160010020140313_v142.exe	cmd.exe
PID 2868 wrote to memory of 2224	2868	TTK_7160010020140313_v142.exe	cmd.exe
PID 2868 wrote to memory of 2224	2868	TTK_7160010020140313_v142.exe	cmd.exe
PID 2224 wrote to memory of 2092	2224	cmd.exe	regsvr32.exe
PID 2224 wrote to memory of 2092	2224	cmd.exe	regsvr32.exe
PID 2224 wrote to memory of 2092	2224	cmd.exe	regsvr32.exe
PID 2224 wrote to memory of 2092	2224	cmd.exe	regsvr32.exe
PID 2224 wrote to memory of 2092	2224	cmd.exe	regsvr32.exe
PID 2224 wrote to memory of 2092	2224	cmd.exe	regsvr32.exe
PID 2224 wrote to memory of 2092	2224	cmd.exe	regsvr32.exe
PID 2092 wrote to memory of 1260	2092	regsvr32.exe	regsvr32.exe
PID 2092 wrote to memory of 1260	2092	regsvr32.exe	regsvr32.exe
PID 2092 wrote to memory of 1260	2092	regsvr32.exe	regsvr32.exe
PID 2092 wrote to memory of 1260	2092	regsvr32.exe	regsvr32.exe
PID 2092 wrote to memory of 1260	2092	regsvr32.exe	regsvr32.exe
PID 2092 wrote to memory of 1260	2092	regsvr32.exe	regsvr32.exe
PID 2092 wrote to memory of 1260	2092	regsvr32.exe	regsvr32.exe
PID 2868 wrote to memory of 2256	2868	TTK_7160010020140313_v142.exe	Taotaosou.exe
PID 2868 wrote to memory of 2256	2868	TTK_7160010020140313_v142.exe	Taotaosou.exe
PID 2868 wrote to memory of 2256	2868	TTK_7160010020140313_v142.exe	Taotaosou.exe
PID 2868 wrote to memory of 2256	2868	TTK_7160010020140313_v142.exe	Taotaosou.exe

C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\OnlineInstal\TTK_7160010020140313_v142.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\OnlineInstal\TTK_7160010020140313_v142.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\TTKMonitor.exe
  "C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\TTKMonitor.exe" -install
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c sc config Schedule start= auto
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\SysWOW64\sc.exe
      sc config Schedule start= auto
      4⤵
      Launches sc.exe
      PID:2444
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c net start Schedule
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\net.exe
      net start Schedule
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1924
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start Schedule
        5⤵
        
        PID:2296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\TTSRegPlugin.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s .\TTSIEPlugin_64.dll
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\system32\regsvr32.exe
      /s .\TTSIEPlugin_64.dll
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      Installs/modifies Browser Helper Object
      Modifies registry class
      PID:1260
- C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\Taotaosou.exe
  "C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\Taotaosou.exe" -hide
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e95804bb42a0a9fd42d99b1c951abee4

SHA1
f20082768975e061929b3f06a152fe5a109a153a

SHA256
8ca261ce196b766790edc98d6c96e1ba1a4be6a4e41e48ae90bf96b899eeb570

SHA512
1d56ce38c6bca97c54cc8aaadc96c37d3f7a9a7742e1e7f717dacbd51a40a5e42c82f51fb2446798548d55244f8f3e0eff04112b25b503c44ce62fee526515c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
30ba3fa5bd616b44779e493121953876

SHA1
ff936cff5b78e8ed602ad0a54b094db5579941d9

SHA256
be7155e2045e1cf52a263362cc9ceb3850615dfe34cd2fe44e209d5d5a783e41

SHA512
4c58efc593300a952928d4d3b2e0351d1caa2f0eb22fd5952110e529b628591535729f7c8aa7996b8f8f5560662b611bfbd2260676905e79259ac9f73672efff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\css\popup.css

Filesize
2KB

MD5
bd7e1817e61004bda3b62871950760ac

SHA1
9ed5506546c5088445990e404b39b69fc68698a1

SHA256
598e5dc8939df74a74c2ec1716fb90ac01c0cee69c7f8b3cfadbaf05fbf8f63b

SHA512
a32ebd64e1bbaf64654032429d7ab5d7bb9d33ae2c569b9d59f8182e6642e331a5ce22186f8e1f3c29777c236d9a1315286877ea825ee89e61352b29be7dfa33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\html\background.html

Filesize
521B

MD5
d6a1dbc91e4cd9dd1c1137de4eeab815

SHA1
9976b7d283668fd459cbf194be396d5d2314175b

SHA256
fd3252572d2915586370469f8105d9b3bed084dac0d197f35b8412a61c96f0ea

SHA512
d68cdcf12d6481254e7fac9b4cb2d462616148de85bd0b09e2c2b32091144d73cb7070b0e57849e5cd62a6d5f07bf7514a64c7380c21e5538b5ffbf3e61aca50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\html\popup.html

Filesize
570B

MD5
92150132a7c261e70f1341db3996570c

SHA1
0467f2f605f1c4cbb12621dd0bbbdf1ca3188e11

SHA256
b2eaeb4a6e2b4f958a7258ed5db463c09986707be543319106c346389cd0de9c

SHA512
8a7ba6ccb2670f62cd83fb60e0d8f24a82524ce968667778e95aced9d90d7b8ef36f587731a8716d55c82235b117dfc224e3113312b456d946013b0041299b40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\img\icon-128.png

Filesize
10KB

MD5
562718c63e4f81d1a3094d3d441e2515

SHA1
42ecd4729a9269a088f442cccb3c1f39adf6a598

SHA256
cd6af6e1a76cff5f859b72ca793c3637169b8d82ac2227c70a08e44d5ef2b7b4

SHA512
23901f2da13b245014ede00f2c90c07abd14a6440cec6d3b2c975c2bd1204685959c6b4bd2eb8053fc2f414d2bf988271026d5ee9a17a7703c23bb521c183fc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\img\icon.png

Filesize
3KB

MD5
15babbf6a90ea5a97d78570326880c02

SHA1
0e6c7f6ed19628863cc52247bd4bfaf17f450cdf

SHA256
ac62106fe8c1282f1d7be2ec3c37d9372181a1a0b9c6c75cf689015c886bc43d

SHA512
76636d1a59939a0cfaf0981fd7cdfb8316102ed4dadcea6dd8e9786e637a69323aa4e1ddfc6f7dc4d1b889232125a1b3fa78408ebfcfe9c99acea1fee414151b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\js\background.js

Filesize
6KB

MD5
a8c8fcfbad960d9df13903f605a64d88

SHA1
03341f1adf41ecc141a8d7435b681de6807ca288

SHA256
3baa4e32ca8427f8e7e6263b2e3669ae4d8433a424ec0df1e12c1510a925ce8d

SHA512
7cecc25047a782aa8d5d3a7db385129eb6e54cf03532c1ad53ab73481709490e4b85036f35decf9bb05c0c075f108a589c7962097d4c1d003919615c8af0b044

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\js\background.js

Filesize
6KB

MD5
1f838cafc6101e228140c20ba0b5fe90

SHA1
e1c22d29834120441d34c25c758d0390a6278e51

SHA256
4848bf7d2eb19e21f425a67eda4f42efda7555b855486e4387b057cebb29a18f

SHA512
f54ce03f9cc68a92a3e16cc77ee70f26dfbcc73fd36bf11de36ab7f745cbe69264ed7ab2ea5f66de19bed054267ed001615fbd357c31a67c6e9a5a1b636e0493

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\js\background.js

Filesize
6KB

MD5
a4a77e7e8ba0a52e2e12b4b4a09dac6b

SHA1
bef74a20a4249cf4c2e7a4a0b626a8c871561c46

SHA256
f04a63ee3afdc08ae9f2524b6629e064d9b907d80f9dd0cc05fd499cc7ca547e

SHA512
3a3349ca8111dd09c2db74c7ae4cf52802b3b6a2484f400ee33104d2e3aaa43810d27fa0c0868ae619e5aee1c0ce5618b2b0c5a1ed37b60f4b0f5bb569807590

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\js\background.js

Filesize
6KB

MD5
e4bb576c1a784d796e0729c89f8ac60e

SHA1
cd45c2a34e79f1bbbb79cb5823e4aa66aa4c337d

SHA256
653be2e7998e76392b9a01ffbbf1119eb1c9ab5246161e332115ae8304bfeb16

SHA512
6ba4e67a11c51f9a4cdd6fee52655532d62926613fcacc6e3ce3fb805ef863054914674043e521bcb2b2bb263f164feaf95f1519aa295f7e294b1bbd14c140ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\js\content.js

Filesize
1KB

MD5
8770047694090f88fca3d693e6db8e18

SHA1
db87d21676c203a547b382af47d0b91daabeae42

SHA256
400fd1eb674b327c84770ede89451d57bd09486eb8bd2e0a7f162649724d6bbc

SHA512
5e9e8c9c848d558de907418bc2e06a72a665165e8187dd9b298330a7d35d9ef016fc388fb5da7a1e4e7934ab7642732c49b2d1bfd5e62124122f59ac577341c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\js\lib\jquery.js

Filesize
91KB

MD5
e1288116312e4728f98923c79b034b67

SHA1
8b6babff47b8a9793f37036fd1b1a3ad41d38423

SHA256
ba6eda7945ab8d7e57b34cc5a3dd292fa2e4c60a5ced79236ecf1a9e0f0c2d32

SHA512
bf28a9a446e50639a9592d7651f89511fc4e583e213f20a0dff3a44e1a7d73ceefdb6597db121c7742bde92410a27d83d92e2e86466858a19803e72a168e5656

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\js\lib\swfobject.js

Filesize
9KB

MD5
84e07fa8222e5bf3f356cd7cec454b61

SHA1
9c4605fbe1c44c12791e498ed307840c15da702a

SHA256
a2d68e4530bbf55b595085ad00ef6999cb64574eb58b44b53ef0516fa7fa4aed

SHA512
b6a9df92c90a33dd5578580c2a7c0ede7deb08f1d747f6ce191c57e46f1fd816d58d61ab17e7edb77728124b6c3dd7e72f9a44b650d48d58a6218e62698b4ee8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\js\lib\web_socket.js

Filesize
13KB

MD5
16cc6f1dbe8a9936dade0386314dc1db

SHA1
b07256433a0fb22ca05d1b9c40ccb1cbf550f692

SHA256
7069345bae712c607c200730e5bb395fd82457f20051ecf651ab727e1079833d

SHA512
05784d66f98da839a41f8705884569c8148fb060a256a1fe72582bdc411656e693bf9e56d5c332cd5209af9c9f845459fa0cda982a7de3432435172b90577c23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\js\login\login.js

Filesize
656B

MD5
01125d49e4716645cafea1da101cc15b

SHA1
d9bfa09eef23318866f3d8864677231fba4148ea

SHA256
eee8d557370f3118d284532c2773232166a1f3dc405189f914d705ae713860ba

SHA512
e695d0cb729942a44bfda97f03ca9a4f13d76a0a296aa02728bee6e66291f91fcb632626ba96cb90cf7bcc7a7454a21d1d5c42ecaf441e7eca88c6476375d357

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\js\login\loginFrame.js

Filesize
402B

MD5
de94740069de39fa8300ae286d7c40fc

SHA1
12d47257f128dcef53cf4107f3ed1d5742d3edcb

SHA256
0e39dd7984cdc818ba572c487c2999826b41fe2ae3f801216b5f53d9838c75c8

SHA512
b9120dc0c9e848a55238e7331c7b2abe7be9c494409877f809045cde3079955ffec26872dddd9cfd904a978cb70b429705f5a55fe4eb92064e64223d27caf3ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\js\popup.js

Filesize
294B

MD5
58f48ef3e43ddf4f753c2d796cee76f1

SHA1
2a57a9c5669d26ec47d8cc4a70fe280df5344414

SHA256
cf69807550b028264cb9857a0e46c8b1cb54b708efb3a43016f264fd36467c31

SHA512
68d2f1c65525bb5d8acd83f7e0f035384faa021b7ffc55f3811410e20eb75bc6b5267ad0ec4bcefe9e073f9fd3f33ccbeea93845917bdc0fbb2e547029374d80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\manifest.json

Filesize
1KB

MD5
80f31d22d3f79159727c0ca63dbda9a1

SHA1
6db303e1c6c541d7ea5f4301c3e075174514f70a

SHA256
2cc2f6d9d0b4652e30fe4bc5b6ac5917b09fd6263ebdfdbfcf91fc409db95d68

SHA512
5c2bf8910799f0567529d79459b1ccdb85e21e038a2abc440a042c88ff47c879d758309a3712f6919906640091fffe9365a139a646d94f1ee44c2762e7591b44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\himpndahomhakmdeloiancmkppmblfia\1.4.2_0\plugin\nptaotaosouplugin.dll

Filesize
72KB

MD5
8aa48ee17987e101ba6e9b2ceb027f47

SHA1
44f62c7121e2791b3e8148959e1d275609338cec

SHA256
f7a5c4d01b9f7da81dfd28944e2a6de723bc87d02c9d991b86d7a59465d8c28b

SHA512
8484be3d076176cc3898d3b9e2bb1090becfe63f7f051cd1994b2647b15e311f26b782b1f9c2341da6c479d881caaf39c5f2ae9f7eee5852b06d03195ef0aecb

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\TTSRegPlugin.bat

Filesize
73B

MD5
c7e8d764bb3afd9d90122c1e67ab04ad

SHA1
4992549ce2c208c804a0b053b798b07dd5e102a1

SHA256
92d0cfb9d06cd867d169f4b9f9eb9ccf82ef7d72605a5066e4c2415b667254a8

SHA512
89fcc9989ad422b3bb7be906c19a8b42ccddc842def42075aba53203564eaef6ea991162a78f264b819c881927ad4dbbf1b6cf69ca9e2e67d729b0a039ddf08e

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\localpage\images\client_bg.png

Filesize
3KB

MD5
b21c0def71d2351f4f3f7ff6ebe5b78d

SHA1
5a7a65fefc9ce48f21b91c8efbdd209062093736

SHA256
9e597437bf47896c4df48ee26e9f8eb01e65b0bd024e063859c8df7cf40bf3e6

SHA512
ab2dd7bdc1d6f74012ca154bfdcd521b631c1ef9e680df36294e15d66d5fa15d0dac20d6ae6274dbe36099bb4ec1c5c80e701d7ae91693dc580d868dd0155ad5

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\localpage\images\network.png

Filesize
4KB

MD5
4c5f67d73328b93905937d55d37885fa

SHA1
67a5c0ecf8dd8aa106ec25a0b58b39d73d38d6d4

SHA256
6cdd2df7eb68625f16b6f6e13f8160da3e713112f8ba1161fdb741be619c5fee

SHA512
711ab0b2667550a52545835c45948d2172edf70d12f0930ced05b4c8811d84c11f5c3dd92578c20f4ede1f2e25b7f598faa61e3dcea6ac03be99ee67c07f934d

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\localpage\mustache\network.html

Filesize
757B

MD5
9dee1e52e0d02970b79c5dad6d5a41ed

SHA1
f350d633a66e170985c75b538426ef1b27c5317d

SHA256
fdbe850c703e4879aef5b00c26a63b282d8787df4da060518b96533620519971

SHA512
17e2a8ad141f8768f35c6ffdde31ab8df2229e714e811a038159c6d62f940d6f94febae962d3b470c69b25200e8cba8be783f78a5abd36f22beb0e0ca05537eb

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\localpage\scripts\network.js

Filesize
94KB

MD5
90393dc92e0ea4666c0e6315099ed076

SHA1
a98e1f400515956e14a813e9a928de7e6e47c2dc

SHA256
5a9b2222055041c16e743e2f49051ad91d5645796c819a8fe586fbe31c6658b3

SHA512
683a72630aafafc4c25801803a61664374ee81c69020f53c0d1898f3cb29af1158a2351e3a3d051ea3bd29ad9420a4d58a7f9112ff82e2400b51ded9e8075f2a

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\localpage\styles\network.css

Filesize
2KB

MD5
f61287c31ca7beb5447934dcf2802c0d

SHA1
ef72c44910a4725668b95023d0f0be09ff05c74b

SHA256
d8647181d279c1ce9f7d1e343b434f5d18dfd6cc05790d8170e595cbd0ba1c25

SHA512
3d143aa3c724b7b701c788698de123abdb3cb1a8ea8e8a7a94a5db8bf5940728bbc610be208945ecca5c68adfa403b7c122d279eafd09967f9f690e24eeae7d0

Download Submit
C:\Users\Admin\AppData\Local\TaoTaoSou\TTK\ttk_icon.ico

Filesize
47KB

MD5
642290fe65f540ed7b1b0ffdda78bb66

SHA1
c988450c86bc4dd70ab5c1b520f80270845c92a6

SHA256
59f9c6a2a09097fbdf45df570cdd92547abaa553eb9284aa159cd658d2337e72

SHA512
d7169e32d0c95efedacd6e809a6d7c812ecd5c1be881deedd9ea99feaa839b590a03f2f6586a66cb5ac534d23def83ff895253432008fc3a14bfc442660c246f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar847C.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Taotaosou\ttsusign

Filesize
32B

MD5
b43ea5cf6c1cd5bcf59b2fefc0c9ccfa

SHA1
7b797833f12c77321307d0ce8cd865c87b66514c

SHA256
05358ce7b8c8970a5f4d247c7e71531e9ac3c0740bc91e0728d365eb83bde05e

SHA512
aec771e84225db4e083bd0d2ab9d1cd1de24bf578c6e1ccfd2a9d129d02b379b0af60daacd50958138a59641f0dd542f0d8f69c2588102cc4d96e24aa97e7f78

Download Submit
\Users\Admin\AppData\Local\TaoTaoSou\TTK\DuiLib.dll

Filesize
845KB

MD5
11e11c8d831597f41188d94461e3508b

SHA1
01b0e937e8f208da7ba273955834eeccf681a8ee

SHA256
720681c694d86be9bc944a9b000d1dc05175c254ac5e7b0b0ac6998b9da3def4

SHA512
e0ca855dbf319d3be00df26b65cdc281389ae1e03a49632c6e885ec6b01036a1cf57694eee67cc11efcbaf1af4d55c7d2348d7fed0e571a184fedbb380bc9f23

Download Submit
\Users\Admin\AppData\Local\TaoTaoSou\TTK\TTKMonitor.exe

Filesize
301KB

MD5
3a878be98303a33c1766bde4f3cd6980

SHA1
43bb78bb96f13e2776c9a6b8dd5f0c85c28beab7

SHA256
d3c9a5db83eef71756ca0acb10270477f1a0cb553f3723af50fb6145ff341989

SHA512
9e572ed40f20321d80fb51871af6b61390892d93688c69c6cc292e9a374c82c24fe020d71784ac0a2b96bba1db5ead74bd2fa6e55b218a36854c982d63b83a3f

Download Submit
\Users\Admin\AppData\Local\TaoTaoSou\TTK\TTSIEPlugin.dll

Filesize
120KB

MD5
ac16704c77593786c65b273e0719400f

SHA1
6d2f5c0f4cdf9c8326b87232627d1eb9699efdab

SHA256
07e95ec9e72347f83e1fde63812fb85b36c0f8770effc34bbb574b259cb3ba97

SHA512
9f763b192a909d0fa9a38e540fe5a8de0bcc5fc7e621b69d1d254f62820dde3b72c81a69ea70ac44f10ec0fd421d076d7f299370d7af1f55e1a00ad7570b7501

Download Submit
\Users\Admin\AppData\Local\TaoTaoSou\TTK\TTSIEPlugin_64.dll

Filesize
145KB

MD5
40063a55aa8438de2b5aba42218cd81d

SHA1
864961262feea4014b5b359cef099778b4cc3e98

SHA256
2de26cb75e41daabc16dcb917aa37507e0b334e2d5c5b44763fcf85f0cec48d9

SHA512
d406c77aa1377f82c1a4d1426158637fe8d4f1915939006fde4d5fb623b18c3969c45404b92287b9c4701bafb27b5a9a664cee8a5027882156c8b14a65a719d6

Download Submit
\Users\Admin\AppData\Local\TaoTaoSou\TTK\TaoTaoSou.exe

Filesize
621KB

MD5
6c4a5a299c5c40aa34a3b63d0d8be3eb

SHA1
57e5a70e3d1622e8219d0aded90702cb84afa153

SHA256
7f2fd7821d726dfb4e293b48b6c9e1a3d4e61b4d1f7626a09a4860935add3dd1

SHA512
d402589a184311a9e9b620e4ceaec987871ae7668be89b94b025b7fac46ebc83e8a667ed3264c3ca9df88afbb3aba7bc815b96d8f7c02c7c0f7dd58885373186

Download Submit
\Users\Admin\AppData\Local\TaoTaoSou\TTK\Uninstall.exe

Filesize
116KB

MD5
2ad341c67ade9725f1e60db8909badd8

SHA1
bd8a0209798ae7ff762586d74192409c1ea2764d

SHA256
c1608d2a39390eaaef90488f3303c3d59ae6842f87af567f24b914d78956f648

SHA512
02bbe08f03581fdb36d6a6e9aa0c10db906ff6a8d1979eba2091d17e10b7317d64273966582e18d37508d6e90f41651cb70f725c53784e2932d3601d0a9fa9bf

Download Submit
\Users\Admin\AppData\Local\TaoTaoSou\TTK\dump.dll

Filesize
87KB

MD5
6794f6b5903c44a4cc89e0ba3b301458

SHA1
7d16b7e883e3fcb3d9f099613e713d4d9162dd17

SHA256
759ef0c21ea6af4d2310790f1bbf83e66408dc6de2e945d4bc9085e6d0894d43

SHA512
10b53a6cb94c433ec34931d9e03ca4e25372f9eae8ae06bc72930fe6e89dc449480029b14c98a830510595040aa339e18b156b9b1d79d9b27c09aa905a31bb40

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1566.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1566.tmp\Internet.dll

Filesize
4KB

MD5
78d026611a970fe14e983a6b9490ea34

SHA1
cbf63f3aade515f3fc3fbbcc4e12913f1a472d49

SHA256
96100f4ba9563ced97add567f4461541cbe9a085ab5276754bee38dc060a6867

SHA512
efbb6bcca88dae073babac2dcf1ad8444c209792cd82820a00483fa365cb899f4979ca29d6ca22de4b975eae2dab8e736a83bc574265925cafcdcfae9cb7915f

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1566.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1566.tmp\TTKInsAssistant.dll

Filesize
525KB

MD5
fb68e5c27265be945468aae0828c0831

SHA1
c386266e6755273bf69e45072b55afe5bfec2947

SHA256
3e2a5aec6416ac6c1a597240203c11cfad7eecf9dc7dfb5584ebeb590dead6c4

SHA512
eda06d197ce8520c11bc8da118a729064843b1b28ffb90083be61b33b4f62516415a80d3edc5b42b85de364a28b7f24894bb9971af0b3baff7b1365e1bbb9b78

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1566.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1566.tmp\md5dll.dll

Filesize
6KB

MD5
62d8907081163ac876b635b034fcac80

SHA1
242741234ae35d02a6ab2aacbbe50a34985537e3

SHA256
eb55c822401ae1f5b1db987583e2abc4fe149a3d4b1564b1335ebd39c863f0d0

SHA512
b6e1bc57ad58489c82c59ddf7030d3a42fd44db3d569d4101bc2dc27835323a4b2517403682755bd086dba9d83aa84a45f81ca8388755890c8b4cafab6f67a49

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1566.tmp\textreplace.dll

Filesize
5KB

MD5
72d1177bad86f4df8eaee2a8afe50e6f

SHA1
c36019dfa2ff5c90c9da31c89dfcda08f93df68d

SHA256
c058f4439617bdb2019c90abd9920070a23f751b9349051d0744280cd5d9c5d7

SHA512
e0e764fcafa833f94ad2d5ae2a407f3e35bd27efa078625d5a2c9372ea28d7889c4b339e457d6fd7c3c90475b2d1603142a8c46a23f59b5784478860b06ee1b3

Download Submit
memory/2868-199-0x0000000004180000-0x00000000041AD000-memory.dmp

Filesize
180KB

Download
memory/2868-10-0x0000000002850000-0x00000000028D9000-memory.dmp

Filesize
548KB

Download
memory/2868-17-0x0000000002970000-0x000000000297B000-memory.dmp

Filesize
44KB

Download