Malware Analysis Report

2024-10-10 12:08

Sample ID 240613-rn459aseje
Target a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118
SHA256 e9662c3fd38d0cb02c47b7c1003e65ea925d3649e95ce15e584fb038ef88bf47
Tags
discovery persistence
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 through behavioral32 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Of these, only static1 and behavioral1 are reproduced on this page.

Analysis Overview

score
7/10

SHA256

e9662c3fd38d0cb02c47b7c1003e65ea925d3649e95ce15e584fb038ef88bf47

Threat Level: Shows suspicious behavior

The file a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery persistence

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Registers COM server for autorun

Checks installed software on the system

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Program crash

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 14:21

Signatures

Unsigned PE

Description Indicator Process Target
(11 hits; the report records no description, indicator, process or target for this static signature)

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:24

Platform

win7-20240611-en

Max time kernel

134s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
(31 hits; the report records only the loading process, with no DLL path or other indicator)

Loading process / number of dropped-DLL loads recorded:
C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe 15
C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe 4
C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\Launch.exe 4
C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMicroGameBoxTray.exe 7
C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMGameBoxUpdater.exe 1

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\InprocServer32 C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\WebGamePlugin\\1.0.3.9\\TXWGameIeHelper.dll" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\QQMicroGameBoxTray = "\"C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\QQMicroGameBox\\Launch.exe\" -/autorun" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_AJAX_CONNECTIONEVENTS C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_RESTRICT_ABOUT_PROTOCOL_IE7 C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6796F670-BE24-4540-9D38-33A512C30F4A} C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_BLOCK_LMZ_SCRIPT C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_DISABLE_SQM_UPLOAD_FOR_APP C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\Feature_Enable_Compat_Logging\QQMicroGameBox.exe = "0" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ABOUT_PROTOCOL_IE7\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_USE_LEGACY_JSCRIPT C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALIGNED_TIMERS\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_BEHAVIORS C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\QQMicroGameBox.exe = "9000" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Low Rights C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_SCRIPT_PASTE_URLACTION_IF_PROMPT\QQMicroGameBox.exe = "0" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_SCRIPTURL_MITIGATION C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_WEBOC_DOCUMENT_ZOOM C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\tencentwebgame\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_ALIGNED_TIMERS C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_HIGHFREQ_TIMERS\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\QQMicroGameBox.exe = "0" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_DISABLE_ISO_2022_JP_SNIFFING C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_ISO_2022_JP_SNIFFING\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_INTERNET_SHELL_FOLDERS C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_ZONE_ELEVATION C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6796F670-BE24-4540-9D38-33A512C30F4A}\AppPath = "C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\WebGamePlugin\\1.0.3.9" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\Feature_Enable_Compat_Logging C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_ENABLE_SCRIPT_PASTE_URLACTION_IF_PROMPT C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_GPU_RENDERING C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6796F670-BE24-4540-9D38-33A512C30F4A}\Policy = "3" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_MIME_SNIFFING C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_LAYOUT9_QUIRKS_EMULATION C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_TABBED_BROWSING\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_VALIDATE_NAVIGATE_URL C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM\QQMicroGameBox.exe = "0" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6796F670-BE24-4540-9D38-33A512C30F4A}\AppName = "Launcher.exe" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_MIME_HANDLING C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_OBJECT_CACHING C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_APP_PROTOCOL_WARN_DIALOG\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN\QQMicroGameBox.exe = "0" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VIEWLINKEDWEBOC_IS_UNSAFE\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_XSSFILTER C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_SQM_UPLOAD_FOR_APP\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_PROTOCOL_LOCKDOWN C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_VIEWLINKEDWEBOC_IS_UNSAFE C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_WINDOW_RESTRICTIONS C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_ALLOW_HIGHFREQ_TIMERS C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_DISABLE_MK_PROTOCOL C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_LEGACY_JSCRIPT\QQMicroGameBox.exe = "0" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_WEBOC_OMNAVIGATOR_IMPLEMENTATION\QQMicroGameBox.exe = "0" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\tencentwebgame C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
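Three of the writes above are what a responder would turn into host hunts: the per-user CLSID {3C703AE7-8973-4700-B362-26185B404A6A} whose InprocServer32 default value points at TXWGameIeHelper.dll under %APPDATA%, the HKCU Run value QQMicroGameBoxTray that relaunches Launch.exe -/autorun at every logon, and the Low Rights\ElevationPolicy entry for {6796F670-BE24-4540-9D38-33A512C30F4A} (AppName Launcher.exe, AppPath C:\Users\Admin\AppData\Roaming\Tencent\WebGamePlugin\1.0.3.9) with Policy = 3, which tells Internet Explorer to launch that program silently at medium integrity, outside Protected Mode. The script below is an added example, not tooling from the sandbox vendor or from Tencent. It parses rows in the format this report uses (assumed here: action, key, an optional = "data", process, target), maps \REGISTRY\USER\<SID> to HKCU and \REGISTRY\USER\<SID>_CLASSES to HKCU\Software\Classes, and flags those three patterns. The rows embedded in it are copied from the tables above; the ATT&CK IDs in its output are the editor's mapping, not the report's.

```python
"""Turn Triage-style registry indicator rows into hunt-ready findings.
Added example for this report, not sandbox-vendor or Tencent tooling.
Assumed row format: <action> <key>[ = "<data>"] <process> <target>."""
import re
from dataclasses import dataclass
from typing import Optional

# Rows copied verbatim from the persistence and Internet Explorer tables above.
REPORT_ROWS = r'''
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\InprocServer32 C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\WebGamePlugin\\1.0.3.9\\TXWGameIeHelper.dll" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\QQMicroGameBoxTray = "\"C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\QQMicroGameBox\\Launch.exe\" -/autorun" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6796F670-BE24-4540-9D38-33A512C30F4A}\Policy = "3" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\QQMicroGameBox.exe = "9000" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
'''

ROW_RE = re.compile(
    r'^(?P<action>Key created|Set value \((?:str|int)\))\s+'
    r'(?P<key>\\REGISTRY\\.+?)'            # key path; may contain spaces
    r'(?:\s+=\s+"(?P<data>.*)")?'          # quoted data, present for Set value rows
    r'\s+(?P<process>\S+)\s+(?P<target>\S+)$')
SID_RE = re.compile(r'^\\REGISTRY\\USER\\S-1-5-21-[\d-]+(?P<classes>_CLASSES)?', re.I)

# Meaning of Internet Explorer\Low Rights\ElevationPolicy\{...}\Policy values.
ELEVATION_POLICY = {
    '0': 'Protected Mode prevents the process from launching',
    '1': 'launched silently as a low-integrity process',
    '2': 'user is prompted; if allowed, launched at medium integrity',
    '3': 'launched silently at medium integrity, i.e. outside Protected Mode'}

@dataclass
class Row:
    key: str                # normalised to HKCU / HKLM
    value: Optional[str]    # None for "Key created", '' for the default value
    data: Optional[str]
    process: str

@dataclass
class Finding:
    technique: str
    key: str
    value: str
    image: str              # file the registry entry points at, if any
    process: str
    note: str

def normalize_key(key: str) -> str:
    r"""\REGISTRY\USER\<SID> -> HKCU; \REGISTRY\USER\<SID>_CLASSES -> HKCU\Software\Classes."""
    m = SID_RE.match(key)
    if m:
        root = r'HKCU\Software\Classes' if m.group('classes') else 'HKCU'
        return root + key[m.end():]
    if key.upper().startswith(r'\REGISTRY\MACHINE'):
        return 'HKLM' + key[len(r'\REGISTRY\MACHINE'):]
    return key

def parse_row(line: str) -> Optional[Row]:
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    key, data, value = m.group('key'), m.group('data'), None
    if data is not None:
        # Last path component of a Set value row is the value name (trailing
        # backslash = default value); the report escapes \" and \\ inside data.
        key, _, value = key.rpartition('\\')
        data = data.replace(r'\"', '"').replace('\\\\', '\\')
    return Row(normalize_key(key), value, data, m.group('process'))

def classify(row: Row) -> Optional[Finding]:
    if row.value is None:       # bare "Key created": nothing to point at yet
        return None
    k, d = row.key.lower(), row.data
    if k.endswith(r'\software\microsoft\windows\currentversion\run'):
        # First token of the command line, honouring a quoted image path.
        image = d[1:d.find('"', 1)] if d.startswith('"') else d.split(' ', 1)[0]
        return Finding('Run key autostart (ATT&CK T1547.001)', row.key, row.value, image,
                       row.process, 'runs at each logon of this user; command line: ' + d)
    if k.endswith(r'\inprocserver32') and row.value == '':
        where = 'under a user-writable AppData path' if '\\appdata\\' in d.lower() else 'outside AppData'
        return Finding('Per-user COM server registration', row.key, '(Default)', d, row.process,
                       'DLL ' + where + '; for non-elevated clients an HKCU CLSID takes precedence '
                       'over the same CLSID in HKLM (COM hijacking, T1546.015)')
    if '\\low rights\\elevationpolicy\\' in k and row.value.lower() == 'policy':
        return Finding('IE Protected Mode elevation policy', row.key, row.value, '', row.process,
                       ELEVATION_POLICY.get(d, 'unknown policy value ' + d))
    return None

def hunt(text: str) -> list:
    rows = filter(None, map(parse_row, text.splitlines()))
    return [f for f in map(classify, rows) if f]

if __name__ == '__main__':
    print(*hunt(REPORT_ROWS), sep='\n')
```

Run as a script it prints one Finding per flagged row; the FEATURE_BROWSER_EMULATION row is parsed but produces no finding, which is the intended behaviour for the many compatibility-flag writes in the table above. On a live host the same three checks correspond to reg query against HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKCU\Software\Classes\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\InprocServer32 and HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy.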

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\TypeLib\{FDEC87F9-D13B-4ECD-B6A3-6C439D1001AA}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\TXWGameIeHelper.Downloader.1\CLSID\ = "{3C703AE7-8973-4700-B362-26185B404A6A}" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\TXWGameIeHelper.Downloader\CLSID C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\TXWGameIeHelper.Downloader\CLSID\ = "{3C703AE7-8973-4700-B362-26185B404A6A}" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\MiscStatus\ = "0" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\TXWGameIeHelper.Downloader.1\CLSID C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\Interface\{DE198DA0-407C-4405-8973-B6215A8A5785}\ = "IDownloader" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\TXWGameIeHelper.Downloader\ = "TXWGameIeHelper" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\Interface\{DE198DA0-407C-4405-8973-B6215A8A5785}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\MiscStatus\1 C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\TypeLib\{FDEC87F9-D13B-4ECD-B6A3-6C439D1001AA}\1.0\HELPDIR C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\ProgID\ = "TXWGameIeHelper.Downloader.1" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\TypeLib C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\Interface\{DE198DA0-407C-4405-8973-B6215A8A5785}\ProxyStubClsid32 C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\TypeLib\{FDEC87F9-D13B-4ECD-B6A3-6C439D1001AA} C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\AppID C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\Version\ = "1.0" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\MiscStatus\1\ = "131473" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\TypeLib C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\AppID\TXWGameIeHelper.DLL C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A} C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\ToolboxBitmap32 C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\TypeLib\ = "{FDEC87F9-D13B-4ECD-B6A3-6C439D1001AA}" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\TypeLib\{FDEC87F9-D13B-4ECD-B6A3-6C439D1001AA}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\WebGamePlugin\\1.0.3.9\\TXWGameIeHelper.dll" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\AppID\{3C7D97DF-1EFF-4888-86EE-3296F86AC0FF} C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\VersionIndependentProgID\ = "TXWGameIeHelper.Downloader" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\Version C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\Interface\{DE198DA0-407C-4405-8973-B6215A8A5785} C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\AppID\TXWGameIeHelper.DLL\AppID = "{3C7D97DF-1EFF-4888-86EE-3296F86AC0FF}" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\TXWGameIeHelper.Downloader.1 C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\TXWGameIeHelper.Downloader\CurVer C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\TypeLib\{FDEC87F9-D13B-4ECD-B6A3-6C439D1001AA}\1.0 C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\TXWGameIeHelper.Downloader.1\ = "TXWGameIeHelper" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\WebGamePlugin\\1.0.3.9\\TXWGameIeHelper.dll, 102" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\VersionIndependentProgID C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\InprocServer32 C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\TypeLib\{FDEC87F9-D13B-4ECD-B6A3-6C439D1001AA}\1.0\0\win32 C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\AppID\{3C7D97DF-1EFF-4888-86EE-3296F86AC0FF}\ = "TXWGameIeHelper" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\CLSID C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\Interface\{DE198DA0-407C-4405-8973-B6215A8A5785}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\TypeLib\{FDEC87F9-D13B-4ECD-B6A3-6C439D1001AA}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\WebGamePlugin\\1.0.3.9" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\WebGamePlugin\\1.0.3.9\\TXWGameIeHelper.dll" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\MiscStatus C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\TypeLib\{FDEC87F9-D13B-4ECD-B6A3-6C439D1001AA}\1.0\FLAGS C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\TXWGameIeHelper.Downloader C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\TXWGameIeHelper.Downloader\CurVer\ = "TXWGameIeHelper.Downloader.1" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\ = "TXWGameIeHelper" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\ProgID C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\AppID = "{3C7D97DF-1EFF-4888-86EE-3296F86AC0FF}" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\Interface\{DE198DA0-407C-4405-8973-B6215A8A5785}\TypeLib C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\TypeLib\{FDEC87F9-D13B-4ECD-B6A3-6C439D1001AA}\1.0\0 C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\Interface C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Wow6432Node\Interface\{DE198DA0-407C-4405-8973-B6215A8A5785}\TypeLib\ = "{FDEC87F9-D13B-4ECD-B6A3-6C439D1001AA}" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\TypeLib\{FDEC87F9-D13B-4ECD-B6A3-6C439D1001AA}\1.0\ = "TXWGameIeHelper 1.0 Type Library" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2176 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe
PID 2176 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\PinToTaskbar.exe
PID 2176 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\Launch.exe
PID 1956 wrote to memory of 756 N/A C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\Launch.exe C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMicroGameBoxTray.exe
PID 756 wrote to memory of 856 N/A C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMicroGameBoxTray.exe C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMGameBoxUpdater.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe

"C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe" /appid=100698537 /pid=22

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\PinToTaskbar.exe

"C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\PinToTaskbar.exe" \Pin "C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\英魂之刃.lnk"

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\Launch.exe

"C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\Launch.exe" -/appid:100698537

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMicroGameBoxTray.exe

"C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMicroGameBoxTray.exe" -/appid:100698537 -tray_startupby_game

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMGameBoxUpdater.exe

"C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMGameBoxUpdater.exe" -action:newbin_check -uin:346668791

Network

Country Destination Domain Proto
US 8.8.8.8:53 apps.game.qq.com udp
CN 101.227.134.49:80 apps.game.qq.com tcp
CN 101.227.134.27:80 apps.game.qq.com tcp

Files

\Users\Admin\AppData\Local\Temp\nsy7264.tmp\System.dll

\Users\Admin\AppData\Local\Temp\nsy7264.tmp\nsisFirewallW.dll

\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe

\Users\Admin\AppData\Roaming\Tencent\WebGamePlugin\1.0.3.9\InstallerToolkit.dll

\Users\Admin\AppData\Local\Temp\nsd7A21.tmp\inetc.dll

\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\Launch.exe

C:\Users\Admin\AppData\Local\Temp\nsy7264.tmp\applicationid.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\腾讯游戏\英魂之刃\英魂之刃.lnk

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\英魂之刃.lnk

C:\Users\Admin\Desktop\英魂之刃.lnk

\Users\Admin\AppData\Local\Temp\nsy7264.tmp\nsExec.dll

\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\PinToTaskbar.exe

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMicroGameBoxTray.exe

\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\DuiLib.dll

\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Control.dll

\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Utility.dll

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMGameBoxUpdater.exe

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Log.dll

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\skin\Update\bg.png

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\skin\Update\textbg.png

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\skin\Update\gb.png

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:24

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Control.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Control.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Control.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 228

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:24

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\DuiLib.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4332 wrote to memory of 388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\DuiLib.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\DuiLib.dll,#1

Network

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:24

Platform

win7-20240419-en

Max time kernel

122s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Ipc.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1148 wrote to memory of 2256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Ipc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Ipc.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:24

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Login.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Login.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Login.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 244

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:24

Platform

win7-20240611-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Main.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 2380 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Main.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Main.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:24

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\MemDefrag.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4360 wrote to memory of 3632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\MemDefrag.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\MemDefrag.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3632 -ip 3632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 616

Network

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:23

Platform

win7-20240419-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\WebGamePlugin\1.0.3.9\InstallerToolkit.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2012 wrote to memory of 1240 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\WebGamePlugin\1.0.3.9\InstallerToolkit.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\WebGamePlugin\1.0.3.9\InstallerToolkit.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:24

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\WebGamePlugin\1.0.3.9\PluginManager.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1140 wrote to memory of 3784 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\WebGamePlugin\1.0.3.9\PluginManager.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\WebGamePlugin\1.0.3.9\PluginManager.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8

Network

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:24

Platform

win7-20240611-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\MouseRecorderUI.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 2996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2972 wrote to memory of 2996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2972 wrote to memory of 2996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2972 wrote to memory of 2996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2972 wrote to memory of 2996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2972 wrote to memory of 2996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2972 wrote to memory of 2996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\MouseRecorderUI.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\MouseRecorderUI.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:23

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\WebGamePlugin\1.0.3.9\HttpDownloader.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2944 wrote to memory of 4856 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2944 wrote to memory of 4856 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2944 wrote to memory of 4856 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\WebGamePlugin\1.0.3.9\HttpDownloader.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\WebGamePlugin\1.0.3.9\HttpDownloader.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:23

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\WebGamePlugin\1.0.3.9\Launcher.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\WebGamePlugin\1.0.3.9\Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\WebGamePlugin\1.0.3.9\Launcher.exe"

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:23

Platform

win10v2004-20240611-en

Max time kernel

94s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\WebGamePlugin\1.0.3.9\Launcher.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\WebGamePlugin\1.0.3.9\Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\WebGamePlugin\1.0.3.9\Launcher.exe"

Network

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:24

Platform

win7-20240611-en

Max time kernel

119s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\WebGamePlugin\1.0.3.9\PluginManager.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3020 wrote to memory of 3048 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3020 wrote to memory of 3048 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3020 wrote to memory of 3048 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3020 wrote to memory of 3048 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3020 wrote to memory of 3048 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3020 wrote to memory of 3048 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3020 wrote to memory of 3048 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\WebGamePlugin\1.0.3.9\PluginManager.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\WebGamePlugin\1.0.3.9\PluginManager.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:23

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\WebGamePlugin\1.0.3.9\HttpDownloader.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2932 wrote to memory of 2996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2932 wrote to memory of 2996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2932 wrote to memory of 2996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2932 wrote to memory of 2996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2932 wrote to memory of 2996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2932 wrote to memory of 2996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2932 wrote to memory of 2996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\WebGamePlugin\1.0.3.9\HttpDownloader.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\WebGamePlugin\1.0.3.9\HttpDownloader.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:24

Platform

win10v2004-20240226-en

Max time kernel

144s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Ipc.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4580 wrote to memory of 448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4580 wrote to memory of 448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4580 wrote to memory of 448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Ipc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Ipc.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8

Network

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:24

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Main.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3184 wrote to memory of 4996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3184 wrote to memory of 4996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3184 wrote to memory of 4996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Main.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Main.dll,#1

Network

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:23

Platform

win7-20240221-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe"

Signatures

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\WebGamePlugin\\1.0.3.9\\TXWGameIeHelper.dll" C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Low Rights C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6796F670-BE24-4540-9D38-33A512C30F4A} C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6796F670-BE24-4540-9D38-33A512C30F4A}\AppName = "Launcher.exe" C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6796F670-BE24-4540-9D38-33A512C30F4A}\AppPath = "C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\WebGamePlugin\\1.0.3.9" C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6796F670-BE24-4540-9D38-33A512C30F4A}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A

Modifies registry class

Processes

C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe

"C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 apps.game.qq.com udp
CN 101.227.134.49:80 apps.game.qq.com tcp
CN 101.227.134.27:80 apps.game.qq.com tcp
CN 101.227.134.49:80 apps.game.qq.com tcp
CN 101.227.134.27:80 apps.game.qq.com tcp

Files

\Users\Admin\AppData\Local\Temp\nsdEE1.tmp\System.dll

MD5 bf712f32249029466fa86756f5546950
SHA1 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA256 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
SHA512 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

\Users\Admin\AppData\Roaming\Tencent\WebGamePlugin\1.0.3.9\InstallerToolkit.dll

MD5 412b08c23bc4e78e9aabb9f2527ab012
SHA1 66e57245b23354f17ea4f1486af9b9f1b5852e3d
SHA256 539cbd9a37643849695a2dad6501c8d8ced660448526eb24e4a9ed2169d1ece6
SHA512 e5f3bd19afd51b4f1549295b70f90729b111368b3a1ba704e2901c707ce1da9e5b2ce91187a924ad0ab879a62c440f7af3887b0f8f4514b9693e98e581b7ca24

\Users\Admin\AppData\Local\Temp\nsdEE1.tmp\inetc.dll

MD5 5da9df435ff20853a2c45026e7681cef
SHA1 39b1d70a7a03e7c791cb21a53d82fd949706a4b4
SHA256 9c52c74b8e115db0bde90f56382ebcc12aff05eb2232f80a4701e957e09635e2
SHA512 4ab3b1572485a8a11863adada2c6ec01e809a4b09f99d80903c79a95b91f299b8f2cd6cceaa915567e155a46291a33fb8ccb95141d76d4e7b0e040890d51d09f

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:24

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\InstallHelper.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\InstallHelper.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\InstallHelper.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:24

Platform

win7-20240611-en

Max time kernel

118s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\MouseRecorder.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\MouseRecorder.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\MouseRecorder.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:24

Platform

win7-20231129-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\PinToTaskbar.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\PinToTaskbar.exe

"C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\PinToTaskbar.exe"

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:24

Platform

win10v2004-20240508-en

Max time kernel

79s

Max time network

108s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\PinToTaskbar.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\PinToTaskbar.exe

"C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\PinToTaskbar.exe"

Network

Country Destination Domain Proto
US 52.111.227.14:443 tcp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:24

Platform

win7-20240220-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\MemDefrag.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\MemDefrag.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\MemDefrag.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 228

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:24

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

52s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\InstallHelper.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1564 wrote to memory of 212 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1564 wrote to memory of 212 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1564 wrote to memory of 212 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\InstallHelper.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\InstallHelper.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 212 -ip 212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 640

Network

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:24

Platform

win10v2004-20240611-en

Max time kernel

109s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\MouseRecorderUI.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4948 wrote to memory of 1388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4948 wrote to memory of 1388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4948 wrote to memory of 1388 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\MouseRecorderUI.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\MouseRecorderUI.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.107.98:443 www.bing.com tcp
US 8.8.8.8:53 98.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 129.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:24

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\Launch.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\Launch.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMicroGameBoxTray.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMicroGameBoxTray.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMicroGameBoxTray.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMicroGameBoxTray.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMicroGameBoxTray.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMicroGameBoxTray.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMicroGameBoxTray.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMGameBoxUpdater.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\InprocServer32 C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\WebGamePlugin\\1.0.3.9\\TXWGameIeHelper.dll" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QQMicroGameBoxTray = "\"C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\QQMicroGameBox\\Launch.exe\" -/autorun" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_OBJECT_CACHING C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_APP_PROTOCOL_WARN_DIALOG\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM\QQMicroGameBox.exe = "0" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_XSSFILTER C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_SQM_UPLOAD_FOR_APP\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_ENABLE_SCRIPT_PASTE_URLACTION_IF_PROMPT C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_VALIDATE_NAVIGATE_URL C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN\QQMicroGameBox.exe = "0" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_GPU_RENDERING C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ABOUT_PROTOCOL_IE7\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_DISABLE_SQM_UPLOAD_FOR_APP C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_WEBOC_OMNAVIGATOR_IMPLEMENTATION\QQMicroGameBox.exe = "0" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_HIGHFREQ_TIMERS\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_DISABLE_MK_PROTOCOL C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_LEGACY_JSCRIPT\QQMicroGameBox.exe = "0" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_AJAX_CONNECTIONEVENTS C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\QQMicroGameBox.exe = "0" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_TABBED_BROWSING C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VIEWLINKEDWEBOC_IS_UNSAFE\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_ZONE_ELEVATION C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_ALIGNED_TIMERS C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_SCRIPT_PASTE_URLACTION_IF_PROMPT\QQMicroGameBox.exe = "0" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_TABBED_BROWSING\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_VIEWLINKEDWEBOC_IS_UNSAFE C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_SHOW_APP_PROTOCOL_WARN_DIALOG C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_SCRIPTURL_MITIGATION C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\tencentwebgame C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_INTERNET_SHELL_FOLDERS C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LAYOUT9_QUIRKS_EMULATION\QQMicroGameBox.exe = "0" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_ISO_2022_JP_SNIFFING\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_USE_WEBOC_OMNAVIGATOR_IMPLEMENTATION C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\Feature_Enable_Compat_Logging C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\Feature_Enable_Compat_Logging\QQMicroGameBox.exe = "0" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_WEBOC_DOCUMENT_ZOOM C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_ALLOW_HIGHFREQ_TIMERS C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\QQMicroGameBox.exe = "9000" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\tencentwebgame\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_LAYOUT9_QUIRKS_EMULATION C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_MIME_SNIFFING C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INTERNET_SHELL_FOLDERS\QQMicroGameBox.exe = "0" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_SECURITYBAND C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6796F670-BE24-4540-9D38-33A512C30F4A}\AppName = "Launcher.exe" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALIGNED_TIMERS\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_BLOCK_LMZ_SCRIPT C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_PROTOCOL_LOCKDOWN C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_USE_LEGACY_JSCRIPT C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6796F670-BE24-4540-9D38-33A512C30F4A} C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_RESTRICT_ABOUT_PROTOCOL_IE7 C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND\QQMicroGameBox.exe = "1" C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\\FEATURE_WINDOW_RESTRICTIONS C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Wow6432Node\Interface\{DE198DA0-407C-4405-8973-B6215A8A5785}\TypeLib C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\AppID\TXWGameIeHelper.DLL C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\TXWGameIeHelper.Downloader\CLSID\ = "{3C703AE7-8973-4700-B362-26185B404A6A}" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\TypeLib\ = "{FDEC87F9-D13B-4ECD-B6A3-6C439D1001AA}" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\MiscStatus\1 C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\MiscStatus\1\ = "131473" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{DE198DA0-407C-4405-8973-B6215A8A5785}\ = "IDownloader" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\TypeLib\{FDEC87F9-D13B-4ECD-B6A3-6C439D1001AA}\1.0\0\win32 C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\TXWGameIeHelper.Downloader.1\ = "TXWGameIeHelper" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\WebGamePlugin\\1.0.3.9\\TXWGameIeHelper.dll" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\Version\ = "1.0" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\TypeLib\{FDEC87F9-D13B-4ECD-B6A3-6C439D1001AA}\1.0\HELPDIR C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\TXWGameIeHelper.Downloader.1 C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\TXWGameIeHelper.Downloader\CLSID C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{DE198DA0-407C-4405-8973-B6215A8A5785}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\AppID\{3C7D97DF-1EFF-4888-86EE-3296F86AC0FF} C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\TXWGameIeHelper.Downloader\ = "TXWGameIeHelper" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\AppID = "{3C7D97DF-1EFF-4888-86EE-3296F86AC0FF}" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Wow6432Node\Interface\{DE198DA0-407C-4405-8973-B6215A8A5785}\ProxyStubClsid32 C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\TypeLib\{FDEC87F9-D13B-4ECD-B6A3-6C439D1001AA}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\WebGamePlugin\\1.0.3.9" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{DE198DA0-407C-4405-8973-B6215A8A5785}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\AppID\{3C7D97DF-1EFF-4888-86EE-3296F86AC0FF}\ = "TXWGameIeHelper" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\TXWGameIeHelper.Downloader C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\VersionIndependentProgID\ = "TXWGameIeHelper.Downloader" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\TXWGameIeHelper.Downloader\CurVer\ = "TXWGameIeHelper.Downloader.1" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\TypeLib\{FDEC87F9-D13B-4ECD-B6A3-6C439D1001AA}\1.0\ = "TXWGameIeHelper 1.0 Type Library" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\TypeLib\{FDEC87F9-D13B-4ECD-B6A3-6C439D1001AA}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\ToolboxBitmap32 C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\WebGamePlugin\\1.0.3.9\\TXWGameIeHelper.dll, 102" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\TXWGameIeHelper.Downloader\CurVer C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A} C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\VersionIndependentProgID C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\TXWGameIeHelper.Downloader.1\CLSID C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\ProgID\ = "TXWGameIeHelper.Downloader.1" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\TypeLib\{FDEC87F9-D13B-4ECD-B6A3-6C439D1001AA}\1.0 C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\TypeLib\{FDEC87F9-D13B-4ECD-B6A3-6C439D1001AA}\1.0\0 C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\AppID\TXWGameIeHelper.DLL\AppID = "{3C7D97DF-1EFF-4888-86EE-3296F86AC0FF}" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\ = "TXWGameIeHelper" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\ProgID C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\Version C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\TypeLib\{FDEC87F9-D13B-4ECD-B6A3-6C439D1001AA}\1.0\FLAGS C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\TypeLib C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\TXWGameIeHelper.Downloader.1\CLSID\ = "{3C703AE7-8973-4700-B362-26185B404A6A}" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\InprocServer32 C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\TypeLib C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Wow6432Node\Interface\{DE198DA0-407C-4405-8973-B6215A8A5785} C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\Interface\{DE198DA0-407C-4405-8973-B6215A8A5785}\TypeLib\ = "{FDEC87F9-D13B-4ECD-B6A3-6C439D1001AA}" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\TypeLib\{FDEC87F9-D13B-4ECD-B6A3-6C439D1001AA} C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\TypeLib\{FDEC87F9-D13B-4ECD-B6A3-6C439D1001AA}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\WebGamePlugin\\1.0.3.9\\TXWGameIeHelper.dll" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\MiscStatus C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\MiscStatus\ = "0" C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3068 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe
PID 3068 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe
PID 3068 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe
PID 3068 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\PinToTaskbar.exe
PID 3068 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\PinToTaskbar.exe
PID 3068 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\PinToTaskbar.exe
PID 448 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\PinToTaskbar.exe C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\Launch.exe
PID 448 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\PinToTaskbar.exe C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\Launch.exe
PID 448 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\PinToTaskbar.exe C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\Launch.exe
PID 3068 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\Launch.exe
PID 3068 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\Launch.exe
PID 3068 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\Launch.exe
PID 2172 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\Launch.exe C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMicroGameBoxTray.exe
PID 2172 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\Launch.exe C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMicroGameBoxTray.exe
PID 2172 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\Launch.exe C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMicroGameBoxTray.exe
PID 4924 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\Launch.exe C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMicroGameBoxTray.exe
PID 4924 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\Launch.exe C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMicroGameBoxTray.exe
PID 4924 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\Launch.exe C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMicroGameBoxTray.exe
PID 2708 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMicroGameBoxTray.exe C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMGameBoxUpdater.exe
PID 2708 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMicroGameBoxTray.exe C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMGameBoxUpdater.exe
PID 2708 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMicroGameBoxTray.exe C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMGameBoxUpdater.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a5fde8e07093f846f45684f97ea3d1e7_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe

"C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe" /appid=100698537 /pid=22

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3960,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:8

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\PinToTaskbar.exe

"C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\PinToTaskbar.exe" \Pin "C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\英魂之刃.lnk"

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\Launch.exe

"C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\Launch.exe" -/appid:100698537

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\Launch.exe

"C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\Launch.exe" -/appid:100698537

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMicroGameBoxTray.exe

"C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMicroGameBoxTray.exe" -/appid:100698537 -tray_startupby_game

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMicroGameBoxTray.exe

"C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMicroGameBoxTray.exe" -/appid:100698537 -tray_startupby_game

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMGameBoxUpdater.exe

"C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMGameBoxUpdater.exe" -action:newbin_check -uin:346668791

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 apps.game.qq.com udp
US 8.8.8.8:53 apps.game.qq.com udp
US 8.8.8.8:53 apps.game.qq.com udp

Files

C:\Users\Admin\AppData\Local\Temp\nsyE774.tmp\System.dll

MD5 bf712f32249029466fa86756f5546950
SHA1 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA256 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
SHA512 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

C:\Users\Admin\AppData\Local\Temp\nsyE774.tmp\nsisFirewallW.dll

MD5 f5bf81a102de52a4add21b8a367e54e0
SHA1 cf1e76ffe4a3ecd4dad453112afd33624f16751c
SHA256 53be5716ad80945cb99681d5dbda60492f5dfb206fbfdb776b769b3eeb18d2c2
SHA512 6e280a75f706474ad31b2ce770fa34f54cb598528fac4477c466200a608b79c0f9b84011545595d9ba94331ad08e2f51bd42de91f92379db27686a28ba351256

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe

MD5 2ced752334d86db514bacfa7ec8620e2
SHA1 953be96eb015a06f037d10d145adc370406142e4
SHA256 2c5ad631ab961b2e89b94f49216b3fde08af727f6814c2688b904747d20aca4e
SHA512 727b33fc2973d5989dcc7f070fada974fbb809a2610aba4c3a4bbc4652a744811f598282a79656df76b92882bbb482ec943abf928c8c24b78a1d1a16334690d3

C:\Users\Admin\AppData\Roaming\Tencent\WebGamePlugin\1.0.3.9\InstallerToolkit.dll

MD5 412b08c23bc4e78e9aabb9f2527ab012
SHA1 66e57245b23354f17ea4f1486af9b9f1b5852e3d
SHA256 539cbd9a37643849695a2dad6501c8d8ced660448526eb24e4a9ed2169d1ece6
SHA512 e5f3bd19afd51b4f1549295b70f90729b111368b3a1ba704e2901c707ce1da9e5b2ce91187a924ad0ab879a62c440f7af3887b0f8f4514b9693e98e581b7ca24

C:\Users\Admin\AppData\Local\Temp\nskEAC0.tmp\inetc.dll

MD5 5da9df435ff20853a2c45026e7681cef
SHA1 39b1d70a7a03e7c791cb21a53d82fd949706a4b4
SHA256 9c52c74b8e115db0bde90f56382ebcc12aff05eb2232f80a4701e957e09635e2
SHA512 4ab3b1572485a8a11863adada2c6ec01e809a4b09f99d80903c79a95b91f299b8f2cd6cceaa915567e155a46291a33fb8ccb95141d76d4e7b0e040890d51d09f

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\Launch.exe

MD5 72202879129c965570bc5a0996c2799a
SHA1 c7fe0656f20789ca11aa9627e000ece325cd0d3e
SHA256 5364d74ce2e4d2a6819cced7986943e61cc5ea88b1559fb1e4dbdbce29462a67
SHA512 ebbddc86c43308db2733d1c2bce5cccd3533c944e31dfd2b96ffa40bb279fb620a7455e127b1d8ceebfbb5414c3d0b2dc30afc0b38d43e13b9eb806f6b80487c

C:\Users\Admin\AppData\Local\Temp\nsyE774.tmp\applicationid.dll

MD5 439928666a6baa4f9d2a1b0fb92265ec
SHA1 82807d9b401074ae53f1bc14b002c8f6aec78b95
SHA256 d43896c0c02bec598b7513b9a8815bb301c6b73da0fb2e0aee99146b4bd5e287
SHA512 ed0f69758281ca1e7144d431bfed52734b1b86c6a3d42cb3bd1634c72b9bc57cb7c73d57904cc053be131601867896d4536e7d39d128082bf6d9c91090b548ef

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\腾讯游戏\英魂之刃\英魂之刃.lnk~RFe584a23.TMP

MD5 c69d60452b1c9ce493c72d483d217e53
SHA1 c71d4e5d1ad2db013d78688ce8ffdf1fbfcb98af
SHA256 cf3a498f67024f3a1436684b70b0240f3ade2a045f1c4491919562166c356b1e
SHA512 6b3377cb4ef82ab07005186f4a597ad9360e44726f44e2018479c7d1d6d2359160497b5bb3b79b53b673db7f7db3e111fc5d2004c769d47375fc0edc4d0a45df

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\腾讯游戏\英魂之刃\英魂之刃.lnk

MD5 b2eb83f1fecbaea4c1daabe5a883fb17
SHA1 129f34bc623b6f2b38706d18d22dc40cc658a495
SHA256 d38300c3315e821fb399bc3b2a59aec9f5e9192889ece7372a4aabc4430ee063
SHA512 b2026ca4377867b51d9d118c0a3473d6c389b12ef6912e42b1014f5b2d58fd590902ee835e088daf60830c83eb0bff7abd7ef44e7746ae9102cb768a0ff4c350

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\英魂之刃.lnk~RFe584a33.TMP

MD5 034043479f433ac86c29c4c98a4ea43c
SHA1 11895ab94ca2a2c04df2803230dd437b2144b40d
SHA256 d8dd969afc3820ef4b1f3db23fc335b1b69c21c66c4329a83ddf101526c14b8c
SHA512 143a82e6c0c6084c4f6aac5e60bf6d5fab38f941d29b3c43a505fe06cde58ae6f4846e645f030c69a02690d9c79130a03014a9f6e18b6576dd51c39e3ae09097

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\英魂之刃.lnk

MD5 6e924cffa68ca39c0f50570cf50ad781
SHA1 e4012d3ac6df1b7c199d2f6c890991ea7f324c4a
SHA256 1a99910c8bf99887e9c2cf74d194db70ef5ac4361527bad779d2bc2fc4a54fd7
SHA512 574b1295256fcc29b5470ccdded44b9178ee34569dec07a65fbe9a8459d40629c31659ffda1ff7041dc151cea00c3eb7ea4801773ab233cbb54706f9fd459f38

C:\Users\Admin\Desktop\英魂之刃.lnk~RFe584a72.TMP

MD5 2d3f85861c0df5e3218adcd9cb6c0183
SHA1 d2d9e2a69f4e8e423c278faaeec83355e1b86551
SHA256 dea5b6905aafc1f52cc5bdedf2bed2f6d2ae68622a38a23598ad20919544fd60
SHA512 003cfce9bac37f90c726be970a23136acc26b28231c24aec55094535e6ca8e2388e4f4131ca5582bb0014d823868ae04dc1f22a579ed4eda537dcf238bbf1abb

C:\Users\Admin\Desktop\英魂之刃.lnk

MD5 d94a2eabb31d9f9701bf72f21ded3b21
SHA1 1f9d06cd26c86e1c9344281c525c4b564e3e5b39
SHA256 8f0531f55758d6f9c6f88227283c80b1d9a73243270c5a8f66ff4e52ce1c4f12
SHA512 aab426ad2de95cda9ccc505eba18ac65c854d64109c5d4e683c415e08d49e7ffb9b9df115ae5d99af097bfe58f74c8a5a7fbf5b3ca929baedcba42a1fd151457

C:\Users\Admin\AppData\Local\Temp\nsyE774.tmp\nsExec.dll

MD5 132e6153717a7f9710dcea4536f364cd
SHA1 e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
SHA256 d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
SHA512 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\PinToTaskbar.exe

MD5 f462fde662913b7bee2563c3784ba263
SHA1 3cf8b7c73efe13b882965e7b83f3757ce15df306
SHA256 175239a5614fb27c2f914d07930984534b77ffa3c3ed98c3f8954134c92481d6
SHA512 abd61fadba1be03b1ce0c0a3170bbeb03b13407a358072583b3162e141890aa9e1b4b4d5e4b9ef0186a094dfcc6f0031f0f9e6c8a2a48108a2e32a81f553c9d7

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMicroGameBoxTray.exe

MD5 7e09e748cdf068a1ced6344ed032c9c7
SHA1 b01631b9a3715f21404784bfc2d61f7ee6e30e32
SHA256 630ae627b470b5273df9671aa55b4ec543df4996844f18935af8bcde5d580b47
SHA512 58dd75c88803de9c9edf78341335c08a15f4093517f9e8e3cd75f58cdf18a2673f0b502718e949c400f959a083e97ecbe5c468d0e221cad812080156171a2981

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Control.dll

MD5 42a956f63027412fa5847c83eb2d0ff0
SHA1 b6048c3ffc21851b2bc27e8d4793b059e0ab9b50
SHA256 2d5a8f0dabb8d9a3ac2f016007b7ef2a5618c3fe53c5826db25c16f6fff1a67e
SHA512 ddbd7b29df746a426a76e825b2b2c9598f41a55459edcc8d3784e60f028c1a1ffd307bc4cc8dd1ab739d4bb5096de2ca12cde4319d2a8dcaa5e70b58bc9de134

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\DuiLib.dll

MD5 5eab6935527b89555ec556fd65c4c092
SHA1 604df3faa212b4474cc279b26e2213f0210d4240
SHA256 201032351afa68f293944b41795def684a83e87c31970c2828c80c48f9db5ba3
SHA512 b5e15ae1c4a00022d285e70d10072f4e4034dbe07ced3a4ff2656c22a8c09615f93a3b4494c2beea2e19662cb83df81ff752ace4131dc4adcd313f8a729cced9

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Utility.dll

MD5 fb84ce762c7650d0b47cb1c100d88482
SHA1 316804e073cfe4a35f773385b951a7c48dacd78f
SHA256 7aba80d421ce409206a266f6d9bc1fdb26cf3967769c02741bc4f7d57080da91
SHA512 a1f9dcb8607d62f130ee6507423c9a40d23c7da5c4e8d3c2423e67fa156c47b165e9d4a2acba7ca02456abd9a91e031f86ef4fa3bf55a6bcf84487cc1a7f0eda

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\QQMGameBoxUpdater.exe

MD5 14dc67bafa60cdf6415a5129cb228d82
SHA1 5127369c63b43947e4936342fda50735add3fba5
SHA256 ed3328cc7ca24e64f1951e1207c628ab5a14d9382414db8c99a3e51c72deddce
SHA512 879a1ed1622085407844be862b58169e7e3c2456dc7c06ab7c4b95a029c172331bb10fe61e87391a65b0a20eed18eabef9e1b207b1088b62437cc945481b90f9

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\Log.dll

MD5 28879f65f0da646053ebbafeffc718b8
SHA1 3f357703c422e746e942c88f587786314cac1a67
SHA256 17cb2ee6b59772b64442fdf07e28a8b01bdde276d01434127a6e81c381dc2dc6
SHA512 91e04d452731501081fc9e48829a9ce7208cd0f396527b28a7d6e0e39e520af3202735c46fb18b4c7546d80b06fad8164b039448e030298b5ae85c23589bfa41

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\skin\Update\bg.png

MD5 49463e573ed612471b3b7b1edb14c9d4
SHA1 07a96ce6d27ec2d68f420d78e5846d30cd489b40
SHA256 9e88b5e73aab3475451a3bf043bf0992abc44586f3884cb6b78c1a535e2507a0
SHA512 c951902927131e12f30cd203528022099460ae56c25bcd2ee0c677179935df19dceef62fef7154a1fd45a46befd2504ee870fd49962b648240c5e4ff1bd6cdd4

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\skin\Update\textbg.png

MD5 1d06dcf7b69c592ddc1b89581577d1de
SHA1 d81dca65d09323f96ba9b7e9653d58530d50e9a6
SHA256 e176a418950131fac7244c16f4425762e70ccb539fc69d8a90ddeecc6e3ef63a
SHA512 67d27c8626a9b1c9d792c112d6a7580499c110bfcf85fe2c76f8413c722376b81d71ebf2ae462567b1e3ea8b8ac1e1aa0f6070cef4700bcaed24312bb9ec0f4c

C:\Users\Admin\AppData\Roaming\Tencent\QQMicroGameBox\1.0.8.7\skin\Update\gb.png

MD5 46fef561ffc8b7ae20b5027dac3d119e
SHA1 5b9e4f02d784600652592fe33bbfb3b55729934e
SHA256 addca0696a5b900cc8ccc9da9a99028a1f5cf83d0c6b48c4f4b2a40bd7b139fc
SHA512 65ccc3092ed2ed4c2a0cc3b9d3d943e637359f3aa9d7e40cc41f6ec5a43b206eb165c81cce98deb3c194f0a8a5a728351febbddc40d6964e3700cb25dbef2b02

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:24

Platform

win7-20240611-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\DuiLib.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2384 wrote to memory of 1156 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2384 wrote to memory of 1156 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2384 wrote to memory of 1156 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2384 wrote to memory of 1156 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2384 wrote to memory of 1156 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2384 wrote to memory of 1156 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2384 wrote to memory of 1156 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\DuiLib.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\DuiLib.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:24

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Login.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1568 wrote to memory of 2652 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1568 wrote to memory of 2652 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1568 wrote to memory of 2652 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Login.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Login.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2652 -ip 2652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4292,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=3148 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:24

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\MouseRecorder.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1396 wrote to memory of 3768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1396 wrote to memory of 3768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1396 wrote to memory of 3768 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\MouseRecorder.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\MouseRecorder.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:24

Platform

win10v2004-20240508-en

Max time kernel

79s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe"

Signatures

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\WebGamePlugin\\1.0.3.9\\TXWGameIeHelper.dll" C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6796F670-BE24-4540-9D38-33A512C30F4A} C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6796F670-BE24-4540-9D38-33A512C30F4A}\AppName = "Launcher.exe" C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6796F670-BE24-4540-9D38-33A512C30F4A}\AppPath = "C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\WebGamePlugin\\1.0.3.9" C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6796F670-BE24-4540-9D38-33A512C30F4A}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Wow6432Node\Interface\{DE198DA0-407C-4405-8973-B6215A8A5785}\TypeLib C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\ = "TXWGameIeHelper" C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\ProgID C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\MiscStatus\1 C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\WebGamePlugin\\1.0.3.9\\TXWGameIeHelper.dll, 102" C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Wow6432Node\Interface\{DE198DA0-407C-4405-8973-B6215A8A5785}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\TypeLib\{FDEC87F9-D13B-4ECD-B6A3-6C439D1001AA}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\WebGamePlugin\\1.0.3.9" C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\ProgID\ = "TXWGameIeHelper.Downloader.1" C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Wow6432Node\CLSID\{3C703AE7-8973-4700-B362-26185B404A6A}\ToolboxBitmap32 C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\Interface\{DE198DA0-407C-4405-8973-B6215A8A5785}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\Interface\{DE198DA0-407C-4405-8973-B6215A8A5785}\TypeLib\ = "{FDEC87F9-D13B-4ECD-B6A3-6C439D1001AA}" C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\TypeLib C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\TypeLib\{FDEC87F9-D13B-4ECD-B6A3-6C439D1001AA}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe

"C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Plugin.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 apps.game.qq.com udp
US 52.111.229.43:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsh33D3.tmp\System.dll

C:\Users\Admin\AppData\Roaming\Tencent\WebGamePlugin\1.0.3.9\InstallerToolkit.dll

C:\Users\Admin\AppData\Local\Temp\nsh33D3.tmp\inetc.dll

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:23

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\WebGamePlugin\1.0.3.9\InstallerToolkit.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4440 wrote to memory of 1328 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\WebGamePlugin\1.0.3.9\InstallerToolkit.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\WebGamePlugin\1.0.3.9\InstallerToolkit.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-13 14:21

Reported

2024-06-13 14:24

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Control.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2844 wrote to memory of 3840 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Control.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$APPDATA\Tencent\QQMicroGameBox\1.0.8.7\Control.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3840 -ip 3840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 656

Network

Country Destination Domain Proto
BE 2.17.107.203:80 tcp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.240:443 www.bing.com tcp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.83.221.88.in-addr.arpa udp
N/A 52.165.164.15:443 tcp

Files

N/A