Analysis

max time kernel: 147s
max time network: 148s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 12-06-2024 10:46

Static task: static1
Behavioral task: behavioral1
  Sample: a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General

Target: a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
Size: 44.5MB
MD5: a0608ce5cd4af06a045bf5b21750f6f4
SHA1: 4fa026e39e2398e26f10eebe9bfb8b86adeb21b5
SHA256: 8a439272ef0ef203b12ab97ee534bdbb0e5d181a9b37c0a2ff8de2e324837528
SHA512: 45cec17b70c88938dd67e919f0a18c1563625c99f237a8611a4ad279b904842ca2bccf091190e92031fcb1e224e2848fbf2f0262d2ef937b4d436d5cb8427f21
SSDEEP: 786432:ODhquvbM1BKEJVpWjL9FZDWp1+jBpR5v4to/oqBsClkuH/si:eHKBK66jL9rS1mBiyKEV
Malware Config

Signatures

Drops file in Drivers directory (1 IoC)
Processes: a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
  description | ioc | process
  File created | C:\Windows\system32\drivers\TsQBDrv.sys | a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
Sets service image path in registry (2 TTPs, 1 IoC)
Processes: QQBrowser.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TsQBDrv\ImagePath = "\\??\\C:\\Windows\\system32\\drivers\\TsQBDrv.sys" | QQBrowser.exe
Sets file execution options in registry (2 TTPs, 2 IoCs)
Processes: a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQBrowser.exe\DisableExceptionChainValidation = "0" | a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQBrowser.exe | a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
Writes to the Master Boot Record (MBR) (1 TTP, 3 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe, TsService.exe
  description | ioc | process
  File opened for modification | \??\PhysicalDrive0 | a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
  File opened for modification | \??\PhysicalDrive0 | TsService.exe
  File opened for modification | \??\PhysicalDrive0 | TsService.exe
Drops file in System32 directory (11 IoCs)
Processes: TsService.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (64 IoCs)
Processes: a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe, QQBrowser.exe
Drops file in Windows directory (2 IoCs)
Processes: QQBrowser.exe
  description | ioc | process
  File created | C:\Windows\Tasks\QQBrowser Updater Task(Core).job | QQBrowser.exe
  File created | C:\Windows\Tasks\QQBrowser Updater Task.job | QQBrowser.exe
Executes dropped EXE (8 IoCs)
Processes: QQBrowser.exe, TsService.exe
  pid | process
  1448 | QQBrowser.exe
  600 | QQBrowser.exe
  2404 | QQBrowser.exe
  1412 | QQBrowser.exe
  2988 | QQBrowser.exe
  1740 | TsService.exe
  1528 | QQBrowser.exe
  2192 | TsService.exe
Loads dropped DLL (26 IoCs)
Processes: a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe, QQBrowser.exe, regsvr32.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 16 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: QQBrowser.exe, TsService.exe, a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: TsService.exe
Modifies registry class (64 IoCs)
Processes: QQBrowser.exe, regsvr32.exe, a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
(data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Software\Tencent\QQBrowser\file\htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 QQBrowser.exe Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Software\Tencent\QQBrowser\file\htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 QQBrowser.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Software\Tencent\QQBrowser\file\mht\OpenWithList\Microsoft Word\shell\edit QQBrowser.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Software\Tencent\QQBrowser\file\mhtml QQBrowser.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Software\Tencent\QQBrowser\progid\http\Hash = "2Wt0kbHDnFk=" QQBrowser.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WebpDecodeFilter.WebpImageDecodeFilter regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A981255C-6123-4487-B21A-9CF468EB3FC7} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E577DC7C-F3A8-4A79-A2B0-8E0A79FFA45B}\TypeLib\ = "{5FD70451-714E-495A-9F17-450AEF3AA35E}" regsvr32.exe -
Processes:
TsService.exe
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 TsService.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob TsService.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob TsService.exe
-
Suspicious behavior: EnumeratesProcesses 38 IoCs
Processes:
a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe QQBrowser.exe QQBrowser.exe TsService.exe
pid process
2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
2988 QQBrowser.exe
2988 QQBrowser.exe
1528 QQBrowser.exe
1528 QQBrowser.exe
2192 TsService.exe
2192 TsService.exe
2192 TsService.exe
1528 QQBrowser.exe
1528 QQBrowser.exe
1528 QQBrowser.exe
1528 QQBrowser.exe
1528 QQBrowser.exe
1528 QQBrowser.exe
2192 TsService.exe
2192 TsService.exe
2192 TsService.exe
2192 TsService.exe
2192 TsService.exe
2192 TsService.exe
2192 TsService.exe
2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid process
484
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
description pid process
Token: SeSecurityPrivilege 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
Token: SeSecurityPrivilege 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
Token: SeSecurityPrivilege 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes:
a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe QQBrowser.exe
description pid process target process
PID 2152 wrote to memory of 1448 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe QQBrowser.exe
PID 2152 wrote to memory of 1448 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe QQBrowser.exe
PID 2152 wrote to memory of 1448 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe QQBrowser.exe
PID 2152 wrote to memory of 1448 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe QQBrowser.exe
PID 2152 wrote to memory of 600 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe QQBrowser.exe
PID 2152 wrote to memory of 600 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe QQBrowser.exe
PID 2152 wrote to memory of 600 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe QQBrowser.exe
PID 2152 wrote to memory of 600 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe QQBrowser.exe
PID 2152 wrote to memory of 1128 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe regsvr32.exe
PID 2152 wrote to memory of 1128 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe regsvr32.exe
PID 2152 wrote to memory of 1128 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe regsvr32.exe
PID 2152 wrote to memory of 1128 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe regsvr32.exe
PID 2152 wrote to memory of 1128 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe regsvr32.exe
PID 2152 wrote to memory of 1128 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe regsvr32.exe
PID 2152 wrote to memory of 1128 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe regsvr32.exe
PID 2152 wrote to memory of 2404 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe QQBrowser.exe
PID 2152 wrote to memory of 2404 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe QQBrowser.exe
PID 2152 wrote to memory of 2404 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe QQBrowser.exe
PID 2152 wrote to memory of 2404 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe QQBrowser.exe
PID 2152 wrote to memory of 1412 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe QQBrowser.exe
PID 2152 wrote to memory of 1412 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe QQBrowser.exe
PID 2152 wrote to memory of 1412 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe QQBrowser.exe
PID 2152 wrote to memory of 1412 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe QQBrowser.exe
PID 2152 wrote to memory of 2988 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe QQBrowser.exe
PID 2152 wrote to memory of 2988 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe QQBrowser.exe
PID 2152 wrote to memory of 2988 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe QQBrowser.exe
PID 2152 wrote to memory of 2988 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe QQBrowser.exe
PID 2988 wrote to memory of 1740 2988 QQBrowser.exe TsService.exe
PID 2988 wrote to memory of 1740 2988 QQBrowser.exe TsService.exe
PID 2988 wrote to memory of 1740 2988 QQBrowser.exe TsService.exe
PID 2988 wrote to memory of 1740 2988 QQBrowser.exe TsService.exe
PID 2152 wrote to memory of 1528 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe QQBrowser.exe
PID 2152 wrote to memory of 1528 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe QQBrowser.exe
PID 2152 wrote to memory of 1528 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe QQBrowser.exe
PID 2152 wrote to memory of 1528 2152 a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe QQBrowser.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a0608ce5cd4af06a045bf5b21750f6f4_JaffaCakes118.exe"
- Drops file in Drivers directory
- Sets file execution options in registry
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Loads dropped DLL
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Tencent\QQBrowser\9.3.7080.400\webp\WebpDecodeFilter.dll"
  - Loads dropped DLL
  - Modifies registry class
-
  C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
  "C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" --type=assistant --install-browser --silent
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies registry class
-
  C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
  "C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" --type=assistant --install-crx="C:\Program Files (x86)\Tencent\QQBrowser\9.3.7080.400\extensions\NetService.crx";"C:\Program Files (x86)\Tencent\QQBrowser\9.3.7080.400\extensions\commenExtension.crx";"C:\Program Files (x86)\Tencent\QQBrowser\9.3.7080.400\extensions\video_box.crx";"C:\Program Files (x86)\Tencent\QQBrowser\9.3.7080.400\extensions\QBFixerPlugin.crx"; --overwrite-extension
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
-
  C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
  "C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" --type=assistant --install-scheduletask
  - Drops file in Windows directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
-
  C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
  "C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" --type=assistant --install-driver
  - Sets service image path in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies registry class
-
  C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
  "C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" --type=assistant --install-service
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
-
    C:\Program Files (x86)\Tencent\QQBrowser\TsService.exe
    "C:\Program Files (x86)\Tencent\QQBrowser\TsService.exe" -installandrun
    - Writes to the Master Boot Record (MBR)
    - Executes dropped EXE
-
  C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
  "C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -make-default-browser --silent
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Tencent\QQBrowser\TsService.exe
"C:\Program Files (x86)\Tencent\QQBrowser\TsService.exe"
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Executes dropped EXE
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 2
Pre-OS Boot 1
Bootkit 1
Privilege Escalation
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 2
Downloads
-
C:\Program Files (x86)\Tencent\QQBrowser\9.3.7080.400\BugReport.exe
Filesize 435KB
-
C:\Program Files (x86)\Tencent\QQBrowser\9.3.7080.400\ModuleDll\{0508DF1F-2AB6-4fac-A99E-45BBBF24E1E6}.qrx
Filesize 195KB
-
C:\Program Files (x86)\Tencent\QQBrowser\9.3.7080.400\chrome.dll
Filesize 30.7MB
-
C:\Program Files (x86)\Tencent\QQBrowser\9.3.7080.400\chrome_child.dll
Filesize 36.4MB
-
C:\Program Files (x86)\Tencent\QQBrowser\9.3.7080.400\driver\TsQBDrvDll.dll
Filesize 107KB
-
C:\Program Files (x86)\Tencent\QQBrowser\9.3.7080.400\driver\amd64\tsqbdrv.sys
Filesize 87KB
-
C:\Program Files (x86)\Tencent\QQBrowser\9.3.7080.400\natives_blob_.bin
Filesize 429KB
-
C:\Program Files (x86)\Tencent\QQBrowser\9.3.7080.400\service\TsService.exe.new
Filesize 979KB
-
C:\Program Files (x86)\Tencent\QQBrowser\9.3.7080.400\snapshot_blob_.bin
Filesize 502KB
-
C:\Program Files (x86)\Tencent\QQBrowser\PrScrn.dll
Filesize 911KB
-
C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
Filesize 371KB
-
C:\Program Files (x86)\Tencent\QQBrowser\navi.ico
Filesize 101KB
-
C:\Program Files (x86)\Tencent\QQBrowser\uninst.exe
Filesize 328KB
-
C:\Users\Admin\AppData\Local\Temp\1F26.tmp
Filesize 1B
-
C:\Users\Admin\AppData\Local\Temp\UserPinnedTemp\QQ浏览器.lnk
Filesize 2KB
-
C:\Users\Admin\AppData\Local\Temp\UserPinnedTemp\QQ浏览器.lnk
Filesize 2KB
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir_600_12296\video_box.crx
Filesize 65KB
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir_600_16409\commenExtension.crx
Filesize 23KB
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir_600_22438\QBFixerPlugin.crx
Filesize 352KB
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir_600_23147\NetService.crx
Filesize 953KB
-
C:\Users\Admin\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\fpbdfpimimonlkoapobdbldphmiplmml\9.3.0_0\manifest.json
Filesize 1KB
-
C:\Users\Admin\AppData\Local\Tencent\QQBrowser\User Data\Liveup\Temp\QQBrowserLiveup.exe
Filesize 762KB
-
C:\Users\Admin\AppData\Local\Tencent\QQBrowser\User Data\ModuleDll\{0508DF1F-2AB6-4fac-A99E-45BBBF24E1E6}\9.0.0.103\QBSafe.dll
Filesize 368KB
-
C:\Users\Admin\AppData\Local\Tencent\QQBrowser\User Data\ModuleDll\{0508DF1F-2AB6-4fac-A99E-45BBBF24E1E6}\9.0.0.103\manifest.json
Filesize 270B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\QQ浏览器.lnk
Filesize 2KB
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\腾讯软件\QQ浏览器\QQ浏览器.lnk
Filesize 2KB
-
C:\Users\Admin\Desktop\QQ浏览器.lnk
Filesize 2KB
-
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize 70KB
-
C:\Windows\Temp\Tar349D.tmp
Filesize 181KB
-
\Program Files (x86)\Tencent\QQBrowser\9.3.7080.400\F1Frame.dll
Filesize 4.0MB
-
\Program Files (x86)\Tencent\QQBrowser\9.3.7080.400\webp\WebpDecodeFilter.dll
Filesize 185KB
-
\Users\Admin\AppData\Local\Temp\12auf7611cc\QBInstaller.dll
Filesize 847KB
-
\Users\Admin\AppData\Local\Temp\Tencent\QQBrowser\F1Assistant.dll
Filesize 2.6MB
-
memory/600-260-0x000000006FFF0000-0x0000000070000000-memory.dmp
Filesize 64KB
-
memory/600-258-0x000000006FFF0000-0x0000000070000000-memory.dmp
Filesize 64KB
-
memory/600-259-0x000000006FFF0000-0x0000000070000000-memory.dmp
Filesize 64KB
-
memory/1528-690-0x000000006FFF0000-0x0000000070000000-memory.dmp
Filesize 64KB
-
memory/1528-691-0x000000006FFF0000-0x0000000070000000-memory.dmp
Filesize 64KB
-
memory/1528-701-0x000000006FFE0000-0x000000006FFF0000-memory.dmp
Filesize 64KB
-
memory/1528-689-0x000000006FFF0000-0x0000000070000000-memory.dmp
Filesize 64KB
-
memory/2152-840-0x0000000004FE0000-0x0000000004FFA000-memory.dmp
Filesize 104KB
-
memory/2152-1-0x000000006FFF0000-0x0000000070000000-memory.dmp
Filesize 64KB
-
memory/2152-841-0x0000000004FE0000-0x0000000004FFA000-memory.dmp
Filesize 104KB
-
memory/2152-649-0x0000000004FE0000-0x0000000004FFA000-memory.dmp
Filesize 104KB
-
memory/2152-2-0x000000006FFF0000-0x0000000070000000-memory.dmp
Filesize 64KB
-
memory/2152-0-0x000000006FFF0000-0x0000000070000000-memory.dmp
Filesize 64KB
-
memory/2152-648-0x0000000004FE0000-0x0000000004FFA000-memory.dmp
Filesize 104KB
-
memory/2192-700-0x000000006FFF0000-0x0000000070000000-memory.dmp
Filesize 64KB
-
memory/2192-698-0x000000006FFF0000-0x0000000070000000-memory.dmp
Filesize 64KB
-
memory/2192-699-0x000000006FFF0000-0x0000000070000000-memory.dmp
Filesize 64KB
-
memory/2404-625-0x000000006FFF0000-0x0000000070000000-memory.dmp
Filesize 64KB
-
memory/2404-624-0x000000006FFF0000-0x0000000070000000-memory.dmp
Filesize 64KB
-
memory/2404-623-0x000000006FFF0000-0x0000000070000000-memory.dmp
Filesize 64KB