Malware Analysis Report

2025-01-22 12:58

Sample ID 240626-e57lgsvfmb
Target 10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118
SHA256 30bc3b02a9694b1c61ee17929b2c4d6ac74ba6d175f4b0b8e7e993cd0696a040
Tags
persistence upx vmprotect
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
7/10

SHA256

30bc3b02a9694b1c61ee17929b2c4d6ac74ba6d175f4b0b8e7e993cd0696a040

Threat Level: Shows suspicious behavior

The file 10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

persistence upx vmprotect

UPX packed file

Loads dropped DLL

Executes dropped EXE

VMProtect packed file

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 04:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 04:32

Reported

2024-06-26 04:35

Platform

win7-20240611-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe N/A
N/A N/A C:\Program Files\Common Files\Services\csboyDVD.dll N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\new_400ai.exe_0CD25E66B4D3F39A0F8EE29AEF7F96A9296E865D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe N/A
N/A N/A C:\Program Files\Common Files\Tencent\services.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe N/A
N/A N/A C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll N/A
N/A N/A C:\Program Files\Common Files\Tencent\services.exe N/A
N/A N/A C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe N/A
N/A N/A C:\Program Files\Common Files\Services\csboyTT.dll N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ttplay = "C:\\Program Files\\Common Files\\Tencent\\services.exe" C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Program Files\Common Files\Tencent\services.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Services\csboyDVD.dll C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\Services\csboyTT.dll C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\Services\csboyDVD.dll C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Tencent\tuziboyDw.ocx C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\rprtpv26pack.ini C:\Program Files\Common Files\Tencent\services.exe N/A
File created C:\Program Files\Common Files\Services\csboybind.au C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Services\csboyTT.dll C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Tencent\services.exe C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\Tencent\services.exe C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\rprtpv26pack.ini C:\Program Files\Common Files\Tencent\services.exe N/A
File created C:\Program Files\Common Files\Services\csboyDvd.ocx C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Tencent\tuziboyAuTo.ocx C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Services\csboyTj.ocx C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Program Files\Common Files\Tencent\services.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1A3CA6B5-6332-482D-91DE-7AE134EF319F}\WpadDecisionReason = "1" C:\Program Files\Common Files\Tencent\services.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1A3CA6B5-6332-482D-91DE-7AE134EF319F}\WpadDecisionTime = d02202e581c7da01 C:\Program Files\Common Files\Tencent\services.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0057000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Program Files\Common Files\Tencent\services.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Program Files\Common Files\Tencent\services.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1A3CA6B5-6332-482D-91DE-7AE134EF319F}\WpadNetworkName = "Network 3" C:\Program Files\Common Files\Tencent\services.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Program Files\Common Files\Tencent\services.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1A3CA6B5-6332-482D-91DE-7AE134EF319F} C:\Program Files\Common Files\Tencent\services.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1A3CA6B5-6332-482D-91DE-7AE134EF319F}\WpadDecision = "0" C:\Program Files\Common Files\Tencent\services.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1A3CA6B5-6332-482D-91DE-7AE134EF319F}\62-f0-86-1c-8e-87 C:\Program Files\Common Files\Tencent\services.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-f0-86-1c-8e-87\WpadDecision = "0" C:\Program Files\Common Files\Tencent\services.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Program Files\Common Files\Tencent\services.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Program Files\Common Files\Tencent\services.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Program Files\Common Files\Tencent\services.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-f0-86-1c-8e-87\WpadDecisionTime = d02202e581c7da01 C:\Program Files\Common Files\Tencent\services.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Program Files\Common Files\Tencent\services.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files\Common Files\Tencent\services.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Program Files\Common Files\Tencent\services.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-f0-86-1c-8e-87\WpadDecisionTime = f0c8b8e081c7da01 C:\Program Files\Common Files\Tencent\services.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-f0-86-1c-8e-87\WpadDecisionReason = "1" C:\Program Files\Common Files\Tencent\services.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-f0-86-1c-8e-87\WpadDetectedUrl C:\Program Files\Common Files\Tencent\services.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-f0-86-1c-8e-87 C:\Program Files\Common Files\Tencent\services.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0057000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Program Files\Common Files\Tencent\services.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Program Files\Common Files\Tencent\services.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Program Files\Common Files\Tencent\services.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Program Files\Common Files\Tencent\services.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Program Files\Common Files\Tencent\services.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1A3CA6B5-6332-482D-91DE-7AE134EF319F}\WpadDecisionTime = f0c8b8e081c7da01 C:\Program Files\Common Files\Tencent\services.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Common Files\Tencent\services.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Common Files\Services\csboyTT.dll N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2392 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe C:\Program Files\Common Files\Services\csboyDVD.dll
PID 328 wrote to memory of 2056 N/A C:\Program Files\Common Files\Services\csboyDVD.dll C:\Users\Admin\AppData\Local\Temp\new_400ai.exe_0CD25E66B4D3F39A0F8EE29AEF7F96A9296E865D.exe
PID 2392 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe C:\Program Files\Common Files\Tencent\services.exe
PID 2392 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll
PID 2616 wrote to memory of 2648 N/A C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll C:\Program Files\Common Files\Tencent\services.exe
PID 1968 wrote to memory of 2524 N/A C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll C:\Program Files\Common Files\Tencent\services.exe
PID 2392 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe C:\Program Files\Common Files\Services\csboyTT.dll

Processes

C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe"

C:\Program Files\Common Files\Services\csboyDVD.dll

"C:\Program Files\Common Files\Services\csboyDVD.dll"

C:\Users\Admin\AppData\Local\Temp\new_400ai.exe_0CD25E66B4D3F39A0F8EE29AEF7F96A9296E865D.exe

"C:\Users\Admin\AppData\Local\Temp\new_400ai.exe_0CD25E66B4D3F39A0F8EE29AEF7F96A9296E865D.exe"

C:\Program Files\Common Files\Tencent\services.exe

"C:\Program Files\Common Files\Tencent\services.exe"

C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll

"C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll"

C:\Program Files\Common Files\Tencent\services.exe

"C:\Program Files\Common Files\Tencent\services.exe"

C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll

"C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll"

C:\Program Files\Common Files\Tencent\services.exe

"C:\Program Files\Common Files\Tencent\services.exe"

C:\Program Files\Common Files\Services\csboyTT.dll

"C:\Program Files\Common Files\Services\csboyTT.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 track.qvod.com udp
US 8.8.8.8:53 stun.qvod.com udp
US 8.8.8.8:53 y0.vayl49k0.com udp
AU 1.0.0.127:65535 udp
US 8.8.8.8:53 xx.vamg49o1.info udp
US 8.8.8.8:53 j0.vajj49i0.com udp
US 8.8.8.8:53 stun01.sipphone.com udp
AU 1.0.0.127:65535 udp
US 8.8.8.8:53 jj.vajr49p1.info udp
US 8.8.8.8:53 agent.qvod.com udp
CN 61.139.219.200:80 udp
CN 221.194.134.216:80 tcp

Files

memory/2392-0-0x0000000000400000-0x0000000000464000-memory.dmp

memory/2392-2-0x0000000000400000-0x0000000000464000-memory.dmp

memory/2392-1-0x0000000000230000-0x0000000000294000-memory.dmp

\Program Files\Common Files\Services\csboyDVD.dll

MD5 d8b959990d3888ffc50ecd89156a3204
SHA1 3ceafcf6b10748dae5f713bede1f622be939dfe3
SHA256 1cadded557baee6bb6298969624b716c8f0ee21a185115d64f17f20d0aece81f
SHA512 01c016a736b2667c5b3fac7273b734904e5426fad9dc159cff825c4dafa9f2815f5d5b4b9c16275fc60bcf49151c769ecdae55a9e8031a624b865218e77022ad

memory/2392-8-0x0000000000260000-0x00000000002AE000-memory.dmp

memory/328-17-0x0000000000400000-0x000000000044E000-memory.dmp

memory/328-16-0x0000000000230000-0x000000000027E000-memory.dmp

memory/328-15-0x0000000000230000-0x000000000027E000-memory.dmp

memory/328-20-0x0000000000400000-0x000000000044E000-memory.dmp

\Users\Admin\AppData\Local\Temp\new_400ai.exe_0CD25E66B4D3F39A0F8EE29AEF7F96A9296E865D.exe

MD5 9b07dfe42e631f6fe905affe27b816a1
SHA1 6505ce70d718f2125a4eac57f9a4aca5137f99dd
SHA256 2b5331308dfff885d62e3da03a32570b347ade8c4678214bab55af32f4167f2f
SHA512 a61986926655e4d98916d904f301a5ff9c4d8ae7c633904705d2da3f4f162a637e78efb0e5e93af4a5e2e638ab018f951881d0fb9a51773b5d520d12bc78b5c2

memory/2056-29-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2056-35-0x0000000003280000-0x0000000003484000-memory.dmp

memory/2056-36-0x0000000003280000-0x0000000003484000-memory.dmp

\Program Files\Common Files\Tencent\services.exe

MD5 bb2b7321edb97525d61c355db5761500
SHA1 c5965a66dcdb25af52d4289a4dce3bfd36a5a8c7
SHA256 0b7f4bf0eb742c20b2852ee7bfcc7e1b963d686f26c32f43c65986d7caa58d73
SHA512 311e4b861555d73751817014e3f4db2c22f8838a6936c372630ecdbcc34f3164932adc1730d5f9bbed6372215ae191ce6944db333fc4a5f2d5ea804745dd5f62

memory/2392-42-0x0000000000260000-0x0000000000297000-memory.dmp

memory/2932-54-0x00000000002C0000-0x00000000002F7000-memory.dmp

memory/2932-55-0x0000000000400000-0x0000000000437000-memory.dmp

\Program Files\Common Files\Tencent\tuziboyAuTo.dll

MD5 b78e85d6b895835e46f24c6c0345a82f
SHA1 6b346205b3cac35b71b9ce90ac4d45aa1ab753d0
SHA256 cd31faea7ea2a14145122551da93e50e00acc2f6700054a3b6039a28f84540db
SHA512 e945884a81ba575f42636a76052ae819e9e02dfde1687bf2547ad5f669200b55a22e4fb1bdae3d5ff8a4807941d9341b98dd74676ff76094f92885d99fa20859

memory/2392-62-0x0000000000260000-0x0000000000272000-memory.dmp

memory/2392-61-0x0000000000400000-0x0000000000464000-memory.dmp

memory/2616-68-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2616-77-0x0000000000020000-0x0000000000032000-memory.dmp

memory/2616-76-0x0000000000020000-0x0000000000032000-memory.dmp

memory/2616-75-0x0000000000020000-0x0000000000032000-memory.dmp

memory/2648-88-0x0000000000400000-0x0000000000437000-memory.dmp

memory/328-81-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2616-82-0x00000000002B0000-0x00000000002E7000-memory.dmp

memory/2392-96-0x0000000000260000-0x0000000000297000-memory.dmp

memory/1968-95-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1968-94-0x0000000000250000-0x0000000000287000-memory.dmp

\Program Files\Common Files\Services\csboyTT.dll

MD5 feadf79836b0be6ac61c193fdbd406a3
SHA1 b190bb7d502fb8ac72496d5cc121c84fbf336f9f
SHA256 d428633aa54912ea33bab395d3694b6617b9b9af33d501f523a9ffaf54f5517e
SHA512 8b173081f0cf95a966367e60a13472f8c0139a53b9736a1e5f6841dd535c08e698b852630d925e8252be2d8dcf26576743f63392320fe1280d3118898885afa5

memory/280-116-0x00000000003D0000-0x00000000003E8000-memory.dmp

memory/280-115-0x0000000000400000-0x0000000000418000-memory.dmp

memory/2392-114-0x0000000000260000-0x0000000000278000-memory.dmp

memory/2392-113-0x0000000000260000-0x0000000000278000-memory.dmp

memory/2392-112-0x0000000000260000-0x0000000000297000-memory.dmp

memory/280-111-0x0000000000400000-0x0000000000418000-memory.dmp

memory/2392-118-0x0000000000400000-0x0000000000464000-memory.dmp

memory/2616-120-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2616-122-0x0000000000020000-0x0000000000032000-memory.dmp

memory/2616-123-0x0000000000020000-0x0000000000032000-memory.dmp

memory/2616-124-0x0000000000020000-0x0000000000032000-memory.dmp

memory/2616-126-0x00000000002B0000-0x00000000002E7000-memory.dmp

memory/280-129-0x00000000003D0000-0x00000000003E8000-memory.dmp

memory/2616-133-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 04:32

Reported

2024-06-26 04:35

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ttplay = "C:\\Program Files\\Common Files\\Tencent\\services.exe" C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Services\csboyDvd.ocx C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Services\csboyDVD.dll C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\Services\csboyDVD.dll C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\rprtpv26pack.ini C:\Program Files\Common Files\Tencent\services.exe N/A
File opened for modification C:\Program Files\Common Files\rprtpv26pack.ini C:\Program Files\Common Files\Tencent\services.exe N/A
File created C:\Program Files\Common Files\Services\csboyTT.dll C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\Tencent\services.exe C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Tencent\tuziboyDw.ocx C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Tencent\tuziboyAuTo.ocx C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\Services\csboyTT.dll C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Tencent\services.exe C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Services\csboybind.au C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe N/A
File created C:\Program Files\Common Files\Services\csboyTj.ocx C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Program Files\Common Files\Tencent\services.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Program Files\Common Files\Tencent\services.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files\Common Files\Tencent\services.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Program Files\Common Files\Tencent\services.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Program Files\Common Files\Tencent\services.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Common Files\Tencent\services.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Common Files\Services\csboyTT.dll N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2420 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe C:\Program Files\Common Files\Services\csboyDVD.dll
PID 4808 wrote to memory of 4240 N/A C:\Program Files\Common Files\Services\csboyDVD.dll C:\Users\Admin\AppData\Local\Temp\new_400ai.exe_0CD25E66B4D3F39A0F8EE29AEF7F96A9296E865D.exe
PID 2420 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe C:\Program Files\Common Files\Tencent\services.exe
PID 2420 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll
PID 2656 wrote to memory of 4500 N/A C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll C:\Program Files\Common Files\Tencent\services.exe
PID 4508 wrote to memory of 4648 N/A C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll C:\Program Files\Common Files\Tencent\services.exe
PID 2420 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe C:\Program Files\Common Files\Services\csboyTT.dll

Processes

C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\10ba72154cb73ba1ec4758095b2313a0_JaffaCakes118.exe"

C:\Program Files\Common Files\Services\csboyDVD.dll

"C:\Program Files\Common Files\Services\csboyDVD.dll"

C:\Users\Admin\AppData\Local\Temp\new_400ai.exe_0CD25E66B4D3F39A0F8EE29AEF7F96A9296E865D.exe

"C:\Users\Admin\AppData\Local\Temp\new_400ai.exe_0CD25E66B4D3F39A0F8EE29AEF7F96A9296E865D.exe"

C:\Program Files\Common Files\Tencent\services.exe

"C:\Program Files\Common Files\Tencent\services.exe"

C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll

"C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll"

C:\Program Files\Common Files\Tencent\services.exe

"C:\Program Files\Common Files\Tencent\services.exe"

C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll

"C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll"

C:\Program Files\Common Files\Tencent\services.exe

"C:\Program Files\Common Files\Tencent\services.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3912,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=4176 /prefetch:8

C:\Program Files\Common Files\Services\csboyTT.dll

"C:\Program Files\Common Files\Services\csboyTT.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 track.qvod.com udp
US 8.8.8.8:53 stun.qvod.com udp
AU 1.0.0.127:65535 udp
US 8.8.8.8:53 127.0.0.1.in-addr.arpa udp
US 8.8.8.8:53 y0.vayl49k0.com udp
US 8.8.8.8:53 xx.vamg49o1.info udp
US 8.8.8.8:53 j0.vajj49i0.com udp
US 8.8.8.8:53 jj.vajr49p1.info udp
US 8.8.8.8:53 stun01.sipphone.com udp
AU 1.0.0.127:65535 udp
US 8.8.8.8:53 agent.qvod.com udp
CN 61.139.219.200:80 udp
CN 221.194.134.216:80 tcp
US 8.8.8.8:53 200.219.139.61.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
CN 221.194.134.216:80 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
CN 221.194.134.216:80 tcp
CN 221.194.134.216:80 tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
CN 221.194.134.216:80 tcp
US 8.8.8.8:53 track.qvod.com udp
US 8.8.8.8:53 agent.qvod.com udp
CN 221.194.134.216:80 tcp

Files

C:\Program Files\Common Files\Services\csboyDVD.dll

MD5 b2cfdc2c11d4bf13d0f0b3b4949b518d
SHA1 d01861f4d7c54052466c822374ac0d78ecbef9a2
SHA256 9b6420ccadcef72175e59a88309560ae33fd2bbd1c2a8aef6736171286c0094c
SHA512 481b62798cc2630d8abdbee0319d14067ee4d507cdeedb2595c27f6e547d2ac89f9e625f0cadb84b4d8c6069f7370648a894b465e33a66a379b972923ee8efe0

C:\Users\Admin\AppData\Local\Temp\new_400ai.exe_0CD25E66B4D3F39A0F8EE29AEF7F96A9296E865D.exe

MD5 9b07dfe42e631f6fe905affe27b816a1
SHA1 6505ce70d718f2125a4eac57f9a4aca5137f99dd
SHA256 2b5331308dfff885d62e3da03a32570b347ade8c4678214bab55af32f4167f2f
SHA512 a61986926655e4d98916d904f301a5ff9c4d8ae7c633904705d2da3f4f162a637e78efb0e5e93af4a5e2e638ab018f951881d0fb9a51773b5d520d12bc78b5c2

C:\Program Files\Common Files\Tencent\services.exe

MD5 041a51bd3e4ff3e1f057f5ca9bc2cfb0
SHA1 d7c35641e2cad0904aeaa366a8530847ef4be439
SHA256 3c340ecb11b5aaab3107bc5d478e6cc518610435cedd0c921ec8a5d5f8521669
SHA512 9ad35cf99e72f78390b490f04bfdb571ad9c2a6984d38441025308477deed2be89e901c9bbdc82c7aac2502af483c97977157d1f3aa5d93e916cfc223979ef22

C:\Program Files\Common Files\Tencent\tuziboyAuTo.dll

MD5 7b0ed92880c55b16bcb556730bbff855
SHA1 fc11fe51af4821e016e4671a2daaa061bdcde1ac
SHA256 d6f0e3b6a259c1d42db36fc392118b35e5b30fc0eb38ea48b4c46752b24d32b8
SHA512 03a2317e1ee1ba29d8fa8be82533a4e3b02c0a9a1ad03eead709e074aa0dfb83a478d35886602a95cc1fe3f324c76ced5eb6a491f6106777885a57fa08a58e25

C:\Program Files\Common Files\Services\csboyTT.dll

MD5 c716c7f4b2e18b4e48bd69cd5b223f67
SHA1 f5e232986cc3e9f334675498032660e844f7a0cf
SHA256 9197e1b71f8a47c251d5a3ab2b414c1b73298f6f1e0a859efc28b4703bf94293
SHA512 48fdac4708cde1b64a1b56362533fd636aded709c6662d642268c149a0703cb5d0de3995af26d812a80a3845ac9a44be1fadd733c4f56cc375531d882694cf0a
