dd88df0b6570564db8caa0f7cfd177b018dc6603f7a5fb0216013c5e65e3f242

Analysis

max time kernel
135s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
Size

22.2MB
MD5

fdb5f8ea398b10d3b4907da065955d99
SHA1

0587078a2bea4bf876255e4d5ea5bdcbe5253fba
SHA256

dd88df0b6570564db8caa0f7cfd177b018dc6603f7a5fb0216013c5e65e3f242
SHA512

9ff7be5366d34abfe183c2a4bb35348c2ebdfe7611548ab480ee32aff2c1d95abe7a0f22caefbbe821487883ec335313a390fe94e2cab50507170210736b905d
SSDEEP

393216:LGxDK3jHvaCJrM2Sppk/DSvfsf1+M020lruCGrrrkNd5zsqHXq5083:LGVKraCSJvfM1WVTGrr+d5xK

Score

6^/10

bootkit discovery evasion persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 9 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	QQMusicService.exe
File opened (read-only)	\??\F:	QQMusicAgent.exe
File opened (read-only)	\??\F:	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File opened (read-only)	\??\F:	QQMusicService.exe
File opened (read-only)	\??\F:	DataTransformex.exe
File opened (read-only)	\??\F:	QQMusicIE.exe
File opened (read-only)	\??\F:	QQMusicAgent.exe
File opened (read-only)	\??\F:	QQMusicService.exe
File opened (read-only)	\??\F:	QQMusicSvr.exe

Modifies Windows Firewall 2 TTPs 5 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4944	Netsh.exe
332	netsh.exe
1664	netsh.exe
3128	Netsh.exe
2628	Netsh.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	QQMusicService.exe
File opened for modification	\??\PhysicalDrive0	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	QQMusicDownloader.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db	QQMusicService.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db	QQMusicService.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\QQMusic\QQMusicCache\TestCache.dat	QQMusicService.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicCommon.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\vcomp100.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\TXSSO\bin\SSOLUIControl.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\Mole.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\moleplugin\tadb.exe	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\DataTransformex.exe	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\iOSDevice.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusicHelper\QQMusicHelper1257.3.28.50\msvcp100.dll	QQMusicHelperSetup.exe
File created	C:\Program Files (x86)\Tencent\QQMusicHelper\QQMusicHelper1257.3.28.50\com.qq.qqmusichelper.json	QQMusicHelperSetup.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\arkImage.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\libpng.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\TNProxy.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\TxUpnp.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\ApdMon.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\StartDesktopProjection64.exe	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\resae\rr.data	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Tencent\QQMusic\QMNetwork.dll	QQMusicService.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\p2pcore.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicInstall\QQMusicMMInstaller.dll	QQMusicDownloader.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\I18N\2052\PGFStringBundle.xml	InstTXSSO.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.3.15\InstTXSSO.exe	InstTXSSO.exe
File created	C:\Program Files (x86)\Common Files\Tencent\QQMusic\QQMusicCOM.dll	QQMusicService.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicPlayer.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQLiveDownloader.exe	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicAddin\atl100.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\Bin\SSOLUIControl.dll	InstTXSSO.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QMNetwork.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusic.tpc	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\arkGraphic.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\MusicInst.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicDownloader.exe	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Tencent\TXSSO\I18N\2052	InstTXSSO.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\Common.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\AsyncTask.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.3.15\I18N\2052\SSOStringBundle.xml	InstTXSSO.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QMFlashWrapper.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\xGraphic32.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicHelperSetup.exe	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Tencent\QQMusic\QQMusic_Network.dll	QQMusicService.exe
File opened for modification	C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.3.15\I18N	InstTXSSO.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusic_DataBaseMgr.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicAddin\msvcr100.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QXMatrix.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\moleplugin\AndroidDevice.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\p2papi.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\TXSSO\InstTXSSO.exe	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicAddin\qmp_aac.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusicHelper\QQMusicHelper1257.3.28.50\msvcr100.dll	QQMusicHelperSetup.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\Bin\SSOPlatform.dll	InstTXSSO.exe
File created	C:\Program Files (x86)\Common Files\Tencent\TXSSO\I18N\2052\SSOStringBundle.xml	InstTXSSO.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicAddin\Microsoft.VC90.ATL.manifest	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\moleplugin\extapp.xml	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\atl100.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\arkIOStub.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\TXSSO\I18N\2052\SSOStringBundle.xml	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\TXSSO\bin\SSOCommon.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\auzip.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.3.15\bin	InstTXSSO.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicIE.exe	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicAddin\Microsoft.VC90.CRT.manifest	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\moleplugin\installerror.xml	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\DiagTools.exe	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusic_Win7Feature2.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
File created	C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\msdmo.dll	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe

Executes dropped EXE 12 IoCs

pid	Process
1028	QQMusicService.exe
4916	QQMusicService.exe
5012	InstTXSSO.exe
3948	QQMusicHelperSetup.exe
2004	QQMusicService.exe
1608	QQMusicSvr.exe
2720	QQMusicIE.exe
1224	QQMusicAgent.exe
1572	DataTransformex.exe
2080	QQMusicDownloader.exe
3616	QQMusicAgent.exe
1936	QQMusicMMInstaller.exe

Loads dropped DLL 64 IoCs

pid	Process
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
1028	QQMusicService.exe
1028	QQMusicService.exe
1028	QQMusicService.exe
1028	QQMusicService.exe
1028	QQMusicService.exe
1028	QQMusicService.exe
1028	QQMusicService.exe
4916	QQMusicService.exe
4916	QQMusicService.exe
4916	QQMusicService.exe
4916	QQMusicService.exe
4916	QQMusicService.exe
2004	QQMusicService.exe
2004	QQMusicService.exe
2004	QQMusicService.exe
2004	QQMusicService.exe
3948	QQMusicHelperSetup.exe
3948	QQMusicHelperSetup.exe
3948	QQMusicHelperSetup.exe
3948	QQMusicHelperSetup.exe
3948	QQMusicHelperSetup.exe
3948	QQMusicHelperSetup.exe
3948	QQMusicHelperSetup.exe
3948	QQMusicHelperSetup.exe
3948	QQMusicHelperSetup.exe
3948	QQMusicHelperSetup.exe
4380	regsvr32.exe
4380	regsvr32.exe
2004	QQMusicService.exe
3020	regsvr32.exe
664	regsvr32.exe
664	regsvr32.exe
2004	QQMusicService.exe
2004	QQMusicService.exe
1608	QQMusicSvr.exe
1608	QQMusicSvr.exe
1608	QQMusicSvr.exe
1608	QQMusicSvr.exe
1128	regsvr32.exe
1128	regsvr32.exe
1608	QQMusicSvr.exe
1128	regsvr32.exe
1128	regsvr32.exe
1128	regsvr32.exe
1224	QQMusicAgent.exe
1224	QQMusicAgent.exe
1224	QQMusicAgent.exe
1224	QQMusicAgent.exe
1572	DataTransformex.exe
1572	DataTransformex.exe
1572	DataTransformex.exe
1572	DataTransformex.exe
1572	DataTransformex.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	Netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QQMusicService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QQMusicAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QQMusicService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QQMusicService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstTXSSO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QQMusicSvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QQMusicAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QQMusicMMInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DataTransformex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QQMusicDownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QQMusicIE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QQMusicHelperSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\QQMusicIE.exe = "1"	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\QQMusicIE.exe = "9999"	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\tencent\WarnOnOpen = "0"	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\QQMusic.exe = "1"	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\QQMusicIE.exe = "1"	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\QQMusic.exe = "9999"	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\tencent	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\QQMusic.exe = "1"	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Tencent	QQMusicService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Tencent\QQMusic	QQMusicService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Tencent\QQMusic\LogConfig	QQMusicService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	QQMusicService.exe
Key created	\REGISTRY\USER\Tencent	QQMusicService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Tencent\QQMusic\LogConfig	QQMusicService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	QQMusicService.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A80B97F-EE30-40AC-A89F-C6604798ADF3}\TypeLib	QQMusicHelperSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQMusic.wma\DefaultIcon	QQMusicAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1DD5649-488D-4002-B5A1-F1BD7AE62473}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B8301EE8-5856-491D-BCFB-9AD84FA6EDE2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2660E09E-6EAE-4EC0-9A37-2A5A4EC10C47}\TypeLib\Version = "1.0"	QQMusicIE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQMusic.tta\Shell\QQMusic.2.Add\ = "加入 QQ音乐播放队列(&E)"	QQMusicAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B07CCA0D-7B19-4921-868C-46B6C837825D}\TypeLib	QQMusicSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE5BCB71-1D17-49AF-9864-54A0706BF406}\TypeLib\ = "{C4549B07-549D-46C4-AAF6-49CC54B99F69}"	QQMusicSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4814377-19D4-48FE-B913-28E24A96AE08}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\TypeLib\ = "{29A32150-EA24-42C2-882E-879152560C1E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DMPC_HtmlBrowser.HtmlBrowserHost	QQMusicIE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5DD8B72-4985-4A2F-A143-B56A791AB9EF}\ = "HtmlBrowserHost Class"	QQMusicIE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQMusicSvr.QQMusicCreator\ = "QQMusicCreator Class"	QQMusicSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEC830CC-0E91-4E05-8418-B9F44AC51631}\ProxyStubClsid32	QQMusicHelperSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F2A89253-E5E7-426E-8D54-22360114ACA3}\TypeLib\ = "{29A32150-EA24-42C2-882E-879152560C1E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6BCFAEF8-F221-487B-8E36-9FBB452B79F9}\1.0\ = "QQMusic_Login 1.0 ÀàÐÍ¿â"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQMusic.aac\Shell\QQMusic.2.Add	QQMusicAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tac	QQMusicAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9CFE8D35-D272-4979-9E36-EA55D898D340}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\ = "ITXSSOArrayRead"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQMusic.mp3\Shell\QQMusic.2.Add	QQMusicAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D40E1A4F-5179-4A59-A137-9BCC7F9D035D}\TypeLib	QQMusicIE.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\.aac	QQMusicAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQMusic.cue\Shell\open\Command	QQMusicAgent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQMusic.lrc\Shell\open\icon = "\"C:\\Program Files (x86)\\Tencent\\QQMusic\\QQMusic1257.3.28.43\\QQMusic.exe\""	QQMusicAgent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQMusic.caf\DefaultIcon\ = "C:\\Program Files (x86)\\Tencent\\QQMusic\\QQMusic1257.3.28.43\\QQMusic.exe,1"	QQMusicAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26531F78-5FBE-4961-8E0E-46ADE4614A3B}	QQMusicSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9CFE8D35-D272-4979-9E36-EA55D898D340}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}\1.0\ = "SSOLUIControl 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\TypeLib\ = "{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{29A32150-EA24-42C2-882E-879152560C1E}\2.0\HELPDIR\ = "C:\\Program Files (x86)\\Common Files\\Tencent\\TXSSO\\1.2.3.15\\Bin"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DMPC_HtmlBrowser.HtmlBrowser\CurVer\ = "DMPC_HtmlBrowser.HtmlBrowser.1"	QQMusicIE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13F4A66F-8967-475E-9D97-9CB14ADB4485}\VersionIndependentProgID	QQMusicIE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tta\ = "QQMusic.tta"	QQMusicAgent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQMusicSvr.QQMusicLyric.1\ = "QQMusicLyric Class"	QQMusicSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{40DBB647-8BFF-49E1-9F4A-F597C24ADA73}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EAAED308-7322-4b9b-965E-171933ADD473}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1DD5649-488D-4002-B5A1-F1BD7AE62473}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQMusic.qrc\Shell\QQMusic.2.Add\Command	QQMusicAgent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10126174-A34C-4DA4-9B5A-B71DE87EDD34}\ = "IQQMusicCreator"	QQMusicSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BEC830CC-0E91-4E05-8418-B9F44AC51631}\TypeLib\ = "{83F9C1FC-7392-4B29-9798-E28BAD4F2804}"	QQMusicHelperSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C1561ABA-04E6-4CCA-9DC1-DE5606A7012E}\TypeLib	QQMusicHelperSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQMusic.wav\Shell\open\icon = "\"C:\\Program Files (x86)\\Tencent\\QQMusic\\QQMusic1257.3.28.43\\QQMusic.exe\""	QQMusicAgent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQMusic.lrc\Shell\QQMusic.2.Add\Command\ = "\"C:\\Program Files (x86)\\Tencent\\QQMusic\\QQMusic1257.3.28.43\\QQMusic.exe\" /add \"%1\""	QQMusicAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DECBE69-994F-45BA-B010-FD604F4B1E8A}\Programmable	QQMusicSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C4814377-19D4-48FE-B913-28E24A96AE08}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dts\QQMusic_Back = "VLC.dts"	QQMusicAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQMusic.dts	QQMusicAgent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQMusic.dts\Shell\open\icon = "\"C:\\Program Files (x86)\\Tencent\\QQMusic\\QQMusic1257.3.28.43\\QQMusic.exe\""	QQMusicAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQMusicSvr.QQMusicPlayer	QQMusicSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A956F47E-83F6-4F72-92EE-679C8687CD19}\ = "SSOAxCtrlForPTLogin"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{46A5291F-89E1-4919-827E-0B8CB905FBD9}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQMusic.m4a\DefaultIcon\ = "C:\\Program Files (x86)\\Tencent\\QQMusic\\QQMusic1257.3.28.43\\QQMusic.exe,1"	QQMusicAgent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQMusic.tac\Shell\QQMusic.2.Add\ = "加入 QQ音乐播放队列(&E)"	QQMusicAgent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B07CCA0D-7B19-4921-868C-46B6C837825D}\TypeLib\ = "{C4549B07-549D-46C4-AAF6-49CC54B99F69}"	QQMusicSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4814377-19D4-48FE-B913-28E24A96AE08}\ = "ITXSSOArray"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{40DBB647-8BFF-49E1-9F4A-F597C24ADA73}\ = "ITXSSOEnumData"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQMusic.lrc\Shell\open\Command	QQMusicAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5DECBE69-994F-45BA-B010-FD604F4B1E8A}\ProgID	QQMusicSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DCE82D4D-D85A-473B-8E9A-A93D89EDAD72}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F2A89253-E5E7-426E-8D54-22360114ACA3}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6BCFAEF8-F221-487B-8E36-9FBB452B79F9}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQMusic.tta\Shell\open	QQMusicAgent.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
3948	QQMusicHelperSetup.exe
3948	QQMusicHelperSetup.exe
2004	QQMusicService.exe
2004	QQMusicService.exe
1224	QQMusicAgent.exe
1224	QQMusicAgent.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
3616	QQMusicAgent.exe
3616	QQMusicAgent.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2004	QQMusicService.exe
2004	QQMusicService.exe
2004	QQMusicService.exe
2004	QQMusicService.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
1936	QQMusicMMInstaller.exe
1936	QQMusicMMInstaller.exe
1936	QQMusicMMInstaller.exe
1936	QQMusicMMInstaller.exe
1936	QQMusicMMInstaller.exe
1936	QQMusicMMInstaller.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1936	QQMusicMMInstaller.exe
1936	QQMusicMMInstaller.exe
1936	QQMusicMMInstaller.exe
1936	QQMusicMMInstaller.exe
1936	QQMusicMMInstaller.exe
1936	QQMusicMMInstaller.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2628	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	86
PID 2648 wrote to memory of 2628	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	86
PID 2648 wrote to memory of 2628	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	86
PID 2648 wrote to memory of 4944	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	91
PID 2648 wrote to memory of 4944	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	91
PID 2648 wrote to memory of 4944	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	91
PID 2648 wrote to memory of 1028	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	93
PID 2648 wrote to memory of 1028	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	93
PID 2648 wrote to memory of 1028	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	93
PID 2648 wrote to memory of 4916	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	95
PID 2648 wrote to memory of 4916	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	95
PID 2648 wrote to memory of 4916	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	95
PID 2648 wrote to memory of 5012	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	96
PID 2648 wrote to memory of 5012	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	96
PID 2648 wrote to memory of 5012	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	96
PID 2648 wrote to memory of 3948	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	97
PID 2648 wrote to memory of 3948	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	97
PID 2648 wrote to memory of 3948	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	97
PID 5012 wrote to memory of 3020	5012	InstTXSSO.exe	99
PID 5012 wrote to memory of 3020	5012	InstTXSSO.exe	99
PID 5012 wrote to memory of 3020	5012	InstTXSSO.exe	99
PID 5012 wrote to memory of 664	5012	InstTXSSO.exe	100
PID 5012 wrote to memory of 664	5012	InstTXSSO.exe	100
PID 5012 wrote to memory of 664	5012	InstTXSSO.exe	100
PID 5012 wrote to memory of 4380	5012	InstTXSSO.exe	101
PID 5012 wrote to memory of 4380	5012	InstTXSSO.exe	101
PID 5012 wrote to memory of 4380	5012	InstTXSSO.exe	101
PID 3948 wrote to memory of 332	3948	QQMusicHelperSetup.exe	102
PID 3948 wrote to memory of 332	3948	QQMusicHelperSetup.exe	102
PID 3948 wrote to memory of 332	3948	QQMusicHelperSetup.exe	102
PID 2648 wrote to memory of 1128	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	105
PID 2648 wrote to memory of 1128	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	105
PID 2648 wrote to memory of 1128	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	105
PID 2648 wrote to memory of 1608	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	106
PID 2648 wrote to memory of 1608	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	106
PID 2648 wrote to memory of 1608	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	106
PID 2648 wrote to memory of 2720	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	107
PID 2648 wrote to memory of 2720	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	107
PID 2648 wrote to memory of 2720	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	107
PID 2648 wrote to memory of 1224	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	108
PID 2648 wrote to memory of 1224	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	108
PID 2648 wrote to memory of 1224	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	108
PID 2648 wrote to memory of 1572	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	109
PID 2648 wrote to memory of 1572	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	109
PID 2648 wrote to memory of 1572	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	109
PID 3948 wrote to memory of 2892	3948	QQMusicHelperSetup.exe	111
PID 3948 wrote to memory of 2892	3948	QQMusicHelperSetup.exe	111
PID 3948 wrote to memory of 2892	3948	QQMusicHelperSetup.exe	111
PID 2892 wrote to memory of 1664	2892	cmd.exe	113
PID 2892 wrote to memory of 1664	2892	cmd.exe	113
PID 2892 wrote to memory of 1664	2892	cmd.exe	113
PID 2648 wrote to memory of 2080	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	115
PID 2648 wrote to memory of 2080	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	115
PID 2648 wrote to memory of 2080	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	115
PID 2648 wrote to memory of 3616	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	116
PID 2648 wrote to memory of 3616	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	116
PID 2648 wrote to memory of 3616	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	116
PID 2080 wrote to memory of 4720	2080	QQMusicDownloader.exe	117
PID 2080 wrote to memory of 4720	2080	QQMusicDownloader.exe	117
PID 2080 wrote to memory of 4720	2080	QQMusicDownloader.exe	117
PID 2080 wrote to memory of 1936	2080	QQMusicDownloader.exe	118
PID 2080 wrote to memory of 1936	2080	QQMusicDownloader.exe	118
PID 2080 wrote to memory of 1936	2080	QQMusicDownloader.exe	118
PID 2648 wrote to memory of 3128	2648	fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe	119

C:\Users\Admin\AppData\Local\Temp\fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Checks computer location settings
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\SysWOW64\Netsh.exe
  "C:\Windows\system32\Netsh.exe" advfirewall firewall add rule name="TencentDownloadProgram" dir=in program="C:\Users\Admin\AppData\Local\Temp\fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe" action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2628
- C:\Windows\SysWOW64\Netsh.exe
  "C:\Windows\system32\Netsh.exe" advfirewall firewall add rule name="TencentDownloadProgram" dir=in program="C:\Users\Admin\AppData\Local\Temp\fdb5f8ea398b10d3b4907da065955d99_JaffaCakes118.exe" action=allow
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4944
- C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicService.exe
  "C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicService.exe" /uninstall
  2⤵
  - Enumerates connected drives
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1028
- C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicService.exe
  "C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicService.exe" /install
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4916
- C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\TXSSO\InstTXSSO.exe
  "C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\TXSSO\InstTXSSO.exe" "C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\TXSSO"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.3.15\Bin\\SSOCommon.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:3020
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.3.15\Bin\\npSSOAxCtrlForPTLogin.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:664
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\Tencent\TXSSO\1.2.3.15\Bin\\SSOLUIControl.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4380
- C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicHelperSetup.exe
  "C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicHelperSetup.exe"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall Delete rule name="QQMusicDownloader"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:332
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c netsh advfirewall firewall add rule name="QQMusicDownloader" dir=in action=allow program="C:\Program Files (x86)\Tencent\QQMusicHelper\QQMusicHelper1257.3.28.50\QQMusicDownloader.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="QQMusicDownloader" dir=in action=allow program="C:\Program Files (x86)\Tencent\QQMusicHelper\QQMusicHelper1257.3.28.50\QQMusicDownloader.exe"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1664
- C:\Windows\SysWOW64\regsvr32.exe
  "regsvr32.exe" /s "C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusic_Login.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1128
- C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicSvr.exe
  "C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicSvr.exe" /RegServer
  2⤵
  - Enumerates connected drives
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1608
- C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicIE.exe
  "C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicIE.exe" /RegServer
  2⤵
  - Enumerates connected drives
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2720
- C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicAgent.exe
  "C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicAgent.exe" /RegMediaFiles
  2⤵
  - Enumerates connected drives
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1224
- C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\DataTransformex.exe
  "C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\DataTransformex.exe"
  2⤵
  - Enumerates connected drives
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1572
- C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicDownloader.exe
  "C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicDownloader.exe" -name WeSingQJTHelper -urloption WeSingQJTHelper -showtray no
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicInstall\QQMusicMMInstaller.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4720
- - C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicInstall\QQMusicMMInstaller.exe
    "C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicInstall\QQMusicMMInstaller.exe" -product QQMusic2011 -name WeSingQJTHelper -urloption WeSingQJTHelper -showtray no
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1936
- C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicAgent.exe
  "C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicAgent.exe" /clearoldinstalldir
  2⤵
  - Enumerates connected drives
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3616
- C:\Windows\SysWOW64\Netsh.exe
  "C:\Windows\system32\Netsh.exe" advfirewall firewall delete rule name="TencentDownloadProgram"
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3128

C:\Program Files (x86)\Common Files\Tencent\QQMusic\QQMusicService.exe
"C:\Program Files (x86)\Common Files\Tencent\QQMusic\QQMusicService.exe"
1⤵
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Tencent\QQMusic\QQMusicCOM.dll

Filesize
359KB

MD5
70094fe62f41c93a46466bb1dbbf331b

SHA1
4a6b5d6a2a0580659ff6a83385af5bcfa829d230

SHA256
c20bcedbdca50ee9ecb569d3231d482d46d280b594fd8ee6e3a159d0221e0065

SHA512
dd2a627bd30f0485100abc3d5d90d039707ebda29478099d141a44f79ba6089aaac9542e47f52f2cfd96342b5957a2a8c5167458e432459fd1fbd7a9118afa59

Download Submit
C:\Program Files (x86)\Common Files\Tencent\TXSSO\Bin\npSSOAxCtrlForPTLogin.dll

Filesize
278KB

MD5
a39a3b1039882e38589097bf5d6d2982

SHA1
3b32cbae2e6e127855c4f285f62ca6c734bbc778

SHA256
25248b7edfd6834b72b7675f7aeb8b6c15482213e6fdbc1ecca6388699a01b1b

SHA512
1943dca694fb4ab66ead9f139c0b72d359c69bfac979e6f560cd2e856eb8e5f9b913ecf1625ceb3283b0ed257aacfe4751dc052452600d01f8767e17de7e27b1

Download Submit
C:\Program Files (x86)\Common Files\Tencent\TXSSO\I18N\2052\PGFStringBundle.xml

Filesize
6KB

MD5
15b8a58b2174cb7766e0e373580265a2

SHA1
c4f707c12e8f798b8b59aac155dd9fac89cd732c

SHA256
673eb178dae8cf3addcbb5d82969ec47a3631ac59a20e6cc806938de5cc3beb6

SHA512
0f8dc202a4eec0e8d66faed1dbbe57e599024f0206bcfc13141ecf56e5873d0278a394ba64794a5a6a08d987a0b81878732251161ba5ecec8d69560d9846c0f6

Download Submit
C:\Program Files (x86)\Common Files\Tencent\TXSSO\I18N\2052\SSOStringBundle.xml

Filesize
6KB

MD5
f8f734b39ac05e680b372c8fb7e19b86

SHA1
48d41d24889d40885e36cc93ba6f64b41fd5e4bd

SHA256
429403fda6b8d91af97f16a6576341cfef0fae2c38709ae7049aff448771545f

SHA512
1be5cd9bdab5c06bd904ef4409c7fbbeb03b113d60c84d741e62e7cb64d641c418f1c5dc9f9f45c5173587d9566fba09018cbb46844bd133277c07f9fa47bf76

Download Submit
C:\Program Files (x86)\Common Files\Tencent\TXSSO\I18N\SSOConfig.xml

Filesize
394B

MD5
2b563ba463450a8fd6f4bb7789503b44

SHA1
3cb6c17b613682106f3382d212d29b8af10df13e

SHA256
32f912e1eceb0000e04ddb3c627b00c4533e882cc34e3d8117bc9cafeb2faf8b

SHA512
b392808aa0686ff4b374c0e99af68428b361e6880f22dd5d59ca08e78228ad3162927d3fc347b53b26dae2bfbafbc795209fa5d1606af69604b9d2dc689affb4

Download Submit
C:\Program Files (x86)\Tencent\QQMusicHelper\QQMusicHelper1257.3.28.50\QQMusicHelper.dll

Filesize
52KB

MD5
d808105cea6c4d9a5b1eda91696173f6

SHA1
03ee8b5d84f1193ea7e17b085525853261f10c04

SHA256
bf4b623b11be15e06178db26ed5f5ac143e167d9488ee5d6f73bec59309b2675

SHA512
4aa96a64d0f736712a7414d4249ebcf2aad8dcbe0f8d304453cea7152370f1cfb0ce03babb3a76e8b3753ac9693e36c49352be7fa20c548bb85ed597e20a193d

Download Submit
C:\Program Files (x86)\Tencent\QQMusicHelper\QQMusicHelper1257.3.28.50\atl100.dll

Filesize
134KB

MD5
36d7d05505951f542922df4c725cc57d

SHA1
074902ff54d30ef6ee2fd6ebe475526cac84670c

SHA256
74b7c86b75cfaf5121554bd8cc4dd8e496458311070fa43b9b4fb13b4d8c8eab

SHA512
4c7f9445703fc79f595739cfc0d4e24dade4c9959f6cb24840b020e98943f4dbed9c2937187165452215ab0a683d1159c4d629e22bffa625bf08286fce657889

Download Submit
C:\Program Files (x86)\Tencent\QQMusicHelper\QQMusicHelper1257.3.28.50\npQQMusicHelper.dll

Filesize
64KB

MD5
42c3bd440ee63ef96740be82b69d733d

SHA1
ef0c4c16d697762608f39973edfc848175db73a8

SHA256
8da5fda23828f979fa84f9161a5d8ae55e7f00f24af0c732f76a1e571e9bfea1

SHA512
ca547a2247a73e14bc0e4d65cff1dad56c7380670f21f15f4f8b7efb9e99cba2855ac7a4c530793934eba048b69b1281dd5415744f651bd74fd5efadc23d93f1

Download Submit
C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\ExceptCatch.dll

Filesize
97KB

MD5
d7f8d039dd0b7697a6d99e2fcad2db26

SHA1
8cb470d9ad988daec407b0075ebd8f61d21cd5e0

SHA256
2dfe47323638d5bfc8f6c64259fdc4e62f23ccb2870c120437e657ebd3b6cc9c

SHA512
a9cb3670d8f6922c1b6d0b8d962cae8e879aadac375c2a5cd14c2f8a5662b1424fece87c6f58d4d6cffc0f93dbd961fb108523c601859e473852bc38e9603599

Download Submit
C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusic.exe

Filesize
624KB

MD5
74852f47f8fc8164f7b0e0876bc4f63d

SHA1
696524a1b6758eadbaf934200635f87726412c6e

SHA256
0cc7203f052205b9351f6ec6bf19d1facbb8dfec3892695ad6fb51cf12742ce4

SHA512
b76321d758e1d2fe002ec6cbde47ee8326df7543b7ca5586fdd164a010bbfabc3316afefb3874eb041d5dabab0c9c328eec84827ff70889077415bd9e85ab602

Download Submit
C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusic.tpc

Filesize
642B

MD5
4076d9dae85f3b1fab7443acd429fc75

SHA1
fbe2db01320553cd7b18c3cb0d34964486ec3b9c

SHA256
b8d3d54dfc9f912277bf017239d2796a13aa4b4f597773bc81d4059aaf92ec16

SHA512
e3ba73c85e48ede3efa77d09c9f3f9274fd5022bbf5dda22250d0db9242d394b379b8645f4afe4f82f232530c129382e6ceafaeeedaee13667707084413ecd4d

Download Submit
C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicHelperSetup.exe

Filesize
1.6MB

MD5
5fe7d51e9baa0690a1e51100f37ee33a

SHA1
c66d2b928323bbe2b6c3d25f1df2c5045c5e2fb5

SHA256
966f3a7c3d9c10df32cd593dc295df91f9d4b82b26f16b2566ca2f427b3ad46f

SHA512
362456d009d5c0a7f6c4147fba9fa3c3c4a4d22d0936370f49d9c697454be7e16c6887c385b9942aa0ae927ece0eeed7b31c0846e00ecea6804d7e415fa26de5

Download Submit
C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicInstall\QQMusicMMInstaller.exe

Filesize
203KB

MD5
8d8e2d9b24870d21576c5edaf5678493

SHA1
3bb486c2276203c0485498a728a8f61006260d08

SHA256
7fcda51802bed56ba0b5936da86769f9885b1814cf805184c1940aed579c4471

SHA512
ee6613163367a8e91ca6880cf4ca7257478e5f2b925bba843f7e8e7a5183e1c4a02c2ecc5226a2f2447c1a37c7261984ab3c8e943dedabec0ec11dd159baa480

Download Submit
C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusicService.exe

Filesize
404KB

MD5
12b42edfb1c99462ea6fe3a23eb881dd

SHA1
5485d6b07fd6f7ff318d40503956f0499470538e

SHA256
9e6cce3e56e27d087fe348de0efcffb7a9d0b5ceee2bfc62423725f29d12b3da

SHA512
60b7cf1dc721e3eddd93a6f9467d4055832bc16354463a5c8906dd3faa8343365a1d16731b5a2cfe2fd1ff427883e6df43b22b3fc35149276bd0756d39886a38

Download Submit
C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QQMusic_Network.dll

Filesize
255KB

MD5
3da081acd33dc5e18eb78019e5ad1795

SHA1
e19690e7b1f84e7da7a501265fa2a66a38a6383a

SHA256
d4173187a9d033653d6b4c44a48fdda99013a541e93df9ac014572dd4e208393

SHA512
0bdec4f93514d2c6652f01172c3f565ffe439602fe23821a67ab20647778d9eb31e1fc3739b846821ef5ccb9cb301110f59b45c26d499e6d51bd4f6634f783fe

Download Submit
C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\QXMatrix.dll

Filesize
1.7MB

MD5
9c645d46c887197a8e8a347eb12b1a56

SHA1
fab83ece6b1d5986294b98d7e21933e325d1475a

SHA256
592c2e363e92ab9381582c5079a2a13da36072565c31de7f932d593118788622

SHA512
5007f91f7c83a910907cb41bff6a5156908575ccb3ead8fe879b7ad49e97e8015d9e429d043b71527dbda9fcef4efc92885999d08bddb905921e1fae14f7fb2a

Download Submit
C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\TXSSO\Bin\SSOCommon.dll

Filesize
1.4MB

MD5
1469a0185288bc815e1a630d3487811d

SHA1
937933a7f106739b7c1e8314fbe55bd71c895b73

SHA256
e04e0c822cf0263e36f84e0fbdf112461350507ca173be0896118b6de3ad272f

SHA512
03cf7cbedb05f9e0d288e2b786fa8a368cd74d4820216ba8de78ade0f83e067fbd90808ee3978342c65449a4c0ad9c550fb9780a45eb12f5947b6383b98eee64

Download Submit
C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\TXSSO\Bin\SSOPlatform.dll

Filesize
1.6MB

MD5
d290601cdd907e19a9316d591b94aad7

SHA1
24a44560c304d693c1513006e2635c2a55e8eadc

SHA256
c9730d57c100badadfb0388716368771f125e30a459d6abe2fe97092255c6e17

SHA512
b51c109535f2fd19c5edf135b0879bd5940b395254af62f8fdb87c5c90821e1a7e64aaa377fa9c46adbf1e4b21c64329fd39e0ecc4a9a2b3435b547cbe43f00f

Download Submit
C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\TXSSO\InstTXSSO.exe

Filesize
103KB

MD5
4c558e6345b196bd63295286d4dad331

SHA1
e84987eae7461948ac5a68b71295db6f29134c8c

SHA256
16811aa2765f9b301ee43ef7035073721cb3af475bb465b70ccf733b7a5d9e8f

SHA512
57767e300bf62e32d90ab6c5a4a00ec0426bff7bdb7dd1a1abc7dd91f29bda62fdecb703f2330aa7256eb1948dc95e1f5d8867fe3346b3597c2d06488b5a4ce9

Download Submit
C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\TXSSO\bin\SSOLUIControl.dll

Filesize
454KB

MD5
645e024c4a51cd2b8bf3c9bb9d27b7cd

SHA1
57ec8d3ab4e2f056db304f100a8efd49da40cbbb

SHA256
ed828838a10e6a475cf9bbed6313e8bfcf5bbf830abfd36a9ea57872193bcd6b

SHA512
43fb0e6cbe3113ea5df5eb75ddfe090cd5b9460763771818ce8efae2122801c22e72b928634db3db3cba0bac620a9419feebc32d084f2c2830d9a61987505ae5

Download Submit
C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\atl100.dll

Filesize
144KB

MD5
7c90027fb70d4ecb98e304db2bb7d391

SHA1
ed4bb1276437c9d95df40ded6bafbbfc320e1040

SHA256
81bc7e0f07e575c7a8ea90eeb63c687f60cf324e09d57daf972773a261f55b4b

SHA512
eeaf0584e1a8d9d7a2bee3725a2519a57d00f3eeecd37a1b6caac9cb4990886fdac3b40c3b9732f65ca0a1b8f7cd685df07563ae76deda0146fcc326270e4cdc

Download Submit
C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\msvcp100.dll

Filesize
411KB

MD5
e3c817f7fe44cc870ecdbcbc3ea36132

SHA1
2ada702a0c143a7ae39b7de16a4b5cc994d2548b

SHA256
d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf

SHA512
4fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe

Download Submit
C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\msvcr100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Program Files (x86)\Tencent\QQMusic\QQMusic1257.3.28.43\vcomp100.dll

Filesize
59KB

MD5
3e6830fd1c8e155a394183426706c876

SHA1
ab1ba682457718c420399c25f74fc471552c9937

SHA256
ad9194f0d8403302def1e123757c40789e190ef4b3597352769ddacc4371b092

SHA512
394f82ef5fffd93b943aeaec38c65714ecbc13782ce8de8255599c6bcbc2f4861ffe8469098a68d84d6b27ec273e27639109ed46d60e89828b12025204e55b6f

Download Submit
C:\ProgramData\Tencent\QQ\dlcfg13.dat

Filesize
16B

MD5
fd637b13aa3e88c88c9b8b03440d4ba2

SHA1
61b663096cbe61fd4e83c1c150ec82a1d29befd4

SHA256
ff8a55cc047a005f33ceb4ec75d7c786679e36e2937179e75bdbb79dd45993a9

SHA512
28d6ebac1b4c9d132e6ab58ae9ebd90be5a26835e3e7b03e6216619e819286e3af5957f301af984e04580d2833cae414f9cb5991281b28d3ab214f43cfbf4556

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg1412.tmp\InstallHelper.dll

Filesize
519KB

MD5
cf583c140d7fc6ca507b96c889a690d8

SHA1
ef27bcbd5550ed203f8d39c2cfe347b0281baf41

SHA256
d53389931b59e20fe6428cb1146143c7bae5ba6324160d16a0e44b961f84b431

SHA512
1cb4f37f8dec5ea82f3bb8841e43d9cabb6af679ce1e3ad5df61d7b5ff3c1edd5ff2dbdac9acbd39fefa74ae5ab91080ab9bb7ad0f9f32e56fbf1b2f9ca862bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg1412.tmp\nsExec.dll

Filesize
6KB

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm3053.tmp\InstallHelper.dll

Filesize
356KB

MD5
8de08b94f54fcb62f5e25048d414bcb7

SHA1
f1c3054994248a985060172c370fe6b080740fa3

SHA256
5d22937831aed5ecc8c3c8286a084974c06f0ba24dc394baf2bbaa6cbeee97df

SHA512
609848f1c604bd4892d40695a9c8fb5895b5a2dcd123acb294dc36a28922cb792f4d2b46d4f2968d436f4f3ca7577b84a60fc904d28999b9c5ae32f8ebf0c6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E3.tmp\BCK.dll

Filesize
598KB

MD5
fd076dac527057dffdee0b3777f1a63e

SHA1
0dfdae4bce7fc6d1758b253b09d9a1e97c2e5e18

SHA256
24f1974be1c1cf05be3108c3f8cfb6b556d47b1e378afc782bd821e8368b7056

SHA512
12a8885ec7b054622e3a678f6478d881c6612d3a93202d2fd590218a96e0727e404efebb976d6140293b734c34491c5ed2ddfa7904a66dc4d72ed29e918c224c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E3.tmp\InstallHelper.dll

Filesize
592KB

MD5
cdc003452526f6903fdbe5541927aa14

SHA1
829dde27148a5e8512919336a1a0919b7efb7d34

SHA256
a34ebdb8ad523289b6d6ac431feddec55b595f7b68f0aab5e9bd5ebfb2f6593f

SHA512
5eddce68d846dddaee549cacdb60a42114240bfeb010cf68aaf3ecab792dc4eff7a2d22b267874e1330e7e967d09f228f288bd7da0dd121f073662a5db97da58

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E3.tmp\InstallOptions.dll

Filesize
15KB

MD5
89351a0a6a89519c86c5531e20dab9ea

SHA1
9e801aaaae9e70d8f7fc52f6f12cedc55e4c8a00

SHA256
f530069ef87a1c163c4fd63a3d5b053420ce3d7a98739c70211b4a99f90d6277

SHA512
13168fa828b581383e5f64d3b54be357e98d2eb9362b45685e7426ffc2f0696ab432cc8a3f374ce8abd03c096f1662d954877afa886fc4aa74709e6044b75c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E3.tmp\InstallingBG01.png

Filesize
125KB

MD5
ed0f7a1c6d7eabbb75753fa51ef46707

SHA1
7cd46c88904d595940261dfba10236054f512eff

SHA256
2e69ee9547eb9c778f10724dc1f3b7923326ec8ccb863ce8294b421734dc4fe6

SHA512
600a84b69b495df2fd20f3e4d4eeb99f8b5cef41d4195765f7ac426943116da8a34a2fea40c9e23d5af7e405baa4ffdb1274fa9651a0db5a472a714636e6a950

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E3.tmp\InstallingBG02.png

Filesize
102KB

MD5
1163f67ade9c1ce607c2a22583101358

SHA1
2e3e6b30fb994f792df4a2ea9ee379f37f36d968

SHA256
2127ad6461bccd1a7b102e295179d19d6918cec2810c18eb8835bce811b52f5b

SHA512
0a7c5cf94077d6665aac7a37c54f7111414da64798c4d6e8e49c560102ad5148c19ca11e84c4db31a35db9db42e47e75fdca49efcda6269a65301ef78373001b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E3.tmp\InstallingBG03.png

Filesize
163KB

MD5
14493dff9e5b70cfa7e8fcc7baea48a3

SHA1
77fee127d49683c56bf9af02875ae31c697dd37a

SHA256
132010d316efd794aebb2ac9756bb39816c98faa0263afd9c0ecf59d169dbca4

SHA512
f9c998e6da91a3bab9f7023ff38f88d8c7bbfca2ea70718deb436372ec1f73f7ca3f49a8985af5d75cacb1496aa65da2972e0a2dfcb1d56b96c670e71848ebff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E3.tmp\QMNetwork.dll

Filesize
347KB

MD5
35951425829d6453edc812eeeecf00b5

SHA1
3233ccee46b88fbbc32272320c20ba582cfb3f0a

SHA256
5f6f3e3f3e4136805b92ddf5174f2c3509dfb4f7e7add37b7f71a494c08a95e6

SHA512
5e312d5cd8e999ca1f676c2060aa82ed7d47f14cef62d649c333482cabc3a5ac426d79cef50656ba0b148d7d6c0d5b214844c0dc41fb20db771de36f543d81b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E3.tmp\QQMusicCommon.dll

Filesize
932KB

MD5
156acea8485e341f5ddf77a6d80ab565

SHA1
5a5949017a507a1c2ba0b6f63d6cff041615f43e

SHA256
439a21a6192eb915a888f732495f93ac4285c60960c46a608ec08b3e73941261

SHA512
b350f0687d27919bee915111b312d16a103a715d6a04a36b7fdc6d42bd5b494f82e684407b0e660bfe95ffc40152e9cb2b60710aec8b59513c8fb477085d8226

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E3.tmp\QQMusicResource.dll

Filesize
1.8MB

MD5
7588b6fe2eecb11add4b8941d68380ca

SHA1
3e193c6454dce4c4b1b3a0ceabb77563b014db39

SHA256
a453e96179b6254f38959e11d47e7966c663182c206de04e3c9c35f050df709c

SHA512
85561fa925ac2458b9ef3d6f45d7f3ddaf463877b084169bc76878bc59d6621218909e832d0fc8bcb15d20d656ab633cbe861fd61f9d9478c2f9297c69c3d8c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E3.tmp\QQPCDetector.dll

Filesize
646KB

MD5
43877a6e04e6ab1db20e387f50957fa1

SHA1
e847c4c8974857da6086d28b14b71882cf90eb14

SHA256
e63c43811bacb46229be7d266afb8e1ba7629013bf5206ffeafac819d61c17f2

SHA512
05762b45d86a84fa9daf9eff86512db2407a7dc1c16d920e2b48133d39e9e3c3caf9da83dd7d54ab420a51cd87ed148f8caf4197d5451a911232496fd975479b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E3.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E3.tmp\backTo.png

Filesize
1KB

MD5
a9b8c872f1bcaef50a89d32aa6cfac42

SHA1
7abf0a9a34cd0fb08b77b7c3b7779e5c1495a74f

SHA256
77e13ab686fd73ea310ca43a1c7fffea45fb897174be16012bedf328a93bcbe4

SHA512
f67fb5a8f19fb3c2da5a07869d7567dd4d23a452f3ef83a666558ac1f76b1133ab3f4914d46cf05d230dcd1f9268178c372081aba6ea08dc9520281977f4729b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E3.tmp\bg1.png

Filesize
62KB

MD5
9f635c46ac13f16f4270adb9d25a0271

SHA1
436bc639cb7217166c338d725ca57cf404a8ad2e

SHA256
30b4e3f798e691018cd477e75f77bdf26b1454e7adc0b55db4a395f6e2ef6650

SHA512
8a58ab255a0fb312724aa56012de949fe7fb313fabad17d22280936c425c6f993bb821bb925d9a70d18695b489d14b49f0af72a3a7ddb1dad6d5fe92d883193f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E3.tmp\bg3.png

Filesize
60KB

MD5
96b8e19bbfec18cc2a8c5b8d80f3c45c

SHA1
9fd804b228955bfbd84324afff5cc88906d9da21

SHA256
c2ed8cbf92145f8c8232afc26cf65fa7522f13d1a3d1427dea501b5d8f47cc46

SHA512
68042565080d832b63a2ee74556f3c8f123bb4e0689be09637c4e0a61b13927dd7d4f23175f1c29e98660a025e5a55fc0a796e999310d3699be815edd4c4d5bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E3.tmp\browse.png

Filesize
426B

MD5
3be7795c80e4aecc08a29b929151e169

SHA1
27a7478e36bd05c93709296451d5999dc3195e45

SHA256
538160ec0dc6d6314c96792e1df41450e4ddf3386de437e5923e1247330666b6

SHA512
b168dd22fc5f9de929aef1d0f42b8625b33de514d49badbe7ad4883fb16c8ae31e44f4bf52b948662aa4b57987d2413cf271cc9d003fde768ef05af38bf458b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E3.tmp\checkbox.png

Filesize
1KB

MD5
81ae7464413cb3ff50ee61986a2227bf

SHA1
8d47e976a5e69b592e733e84de5cf452f6abe432

SHA256
955968a9e1b9e0811bf0a959c498c87421de3ddcf4f5a10ce0b5fb58ffbfcdfb

SHA512
c8d8357063505dae185a5c01f38d7188d591b6527a475da95af596e2ca929837eaf5b55c2f296f40f50a7c082f3fc01ad488141e0faa9e7646b374b50dcd7fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E3.tmp\close.png

Filesize
228B

MD5
d432c370f5f6daffb99c66ce50e742a9

SHA1
5d608ab256ef9a8f3ca6a2eb11732afc89906f01

SHA256
aa5e79d8aa6636a15ffc86f4fdf625d444b62cc6d056e28ca8a5c7f2baf319e5

SHA512
f1b30448249a7dfb584ba450d97bb91d3945d4b7310297fb73858965c56cf83175337a11d3aa57312de6d4a0c2e054f940fe80170a625dfcd330c6d0ab49ff3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E3.tmp\confirm.png

Filesize
1KB

MD5
0fa582381f30d1f22201af220dff1d02

SHA1
ef4552f1574b9ba02aadb83485e2fe87feb37af1

SHA256
b1d339f7d7ab12f0ede3ff0e5b88ba91eef82d96ebed7e6ae055f9aace227dc3

SHA512
9946a142de8c6fa8e26fbbee1817d8fa9b751f64af691e3744df76e65d9a5ec5f33a10557a210996e79396004c7cde7fc3c93ef65c03942531e6dec2aa8658b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E3.tmp\custom.png

Filesize
3KB

MD5
3f7880dccef26c3b2dfa33020937adda

SHA1
1a55d933efdb6d3688b128f562b57375ced3aa6d

SHA256
7b945b407e51784620b3b8faa7b0d7469a4757f73251b638cfc626dcf9a0f063

SHA512
a3aeb8f34a5f93f21219f1b53ec8200fda3fefe782b02a4c676700e7a673e2b6f9f7aa371291754950c95c4a5fa794915a05635b22501c96b49fcc5eb7b5e5a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E3.tmp\empty_bg.png

Filesize
107B

MD5
a6ad30cd98be6d665a540822fa1702ee

SHA1
cd364ba9c924bb0f9a7f7bc5174955c477bfc496

SHA256
ff757935e2fbf69a7f52d832a4841a607fb51b93141c7d16efdd2fbfbcd1b2a1

SHA512
bf26054b7dd5d2ee6904ea0fac62460d639744e683977f164a56c5fe7b965e65da45c7a206a4b1c987590890cc16a8348e182fe2c0eb2273153479436f974d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E3.tmp\express.png

Filesize
7KB

MD5
75a13ad665c96190704fbdf626d08bf7

SHA1
b5c1b5c861c9eace629fdaaca9dc4311df097b54

SHA256
f3898a8f2bcff40ef20d3acb754080bce8326a3e14354cb1b34a907ce9899b19

SHA512
ca0d6242001570f9b24a713e8199d6318bbc46a3e21d47db9f67c8c8de0dab76d54044a1b37580d56a12e48344c5f9af3c700acf92583d22dcac08eebc828ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E3.tmp\full_bg.png

Filesize
1KB

MD5
808181370e40b4e725306ceb1a6b5b55

SHA1
07c4c6bcf8db8e37114076934f92869fdf36ed93

SHA256
d0cf257c39c5e992d363b07b91fa838482a401102c45db262e94b2de72331b44

SHA512
22321ca7fc9d07789985ecce4be62a5a366a0907320d41851aa548e7cf54f9a6a666ffdc830d285669f8e1f1cdb2d4316c7d0ac7a0495574d2b605498cfdd775

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E3.tmp\ioSpecial.ini

Filesize
1018B

MD5
27c2ac4561808f93ddcf66a7c51ee4dc

SHA1
f9c4e554204d15b30116205e406de2f46fca8296

SHA256
d52edbf988f27cbbd44cbf9feb684dcabfe20c118a3aaa500f00c1aa0bee6eb9

SHA512
b19413a2321e9f9c9478e458c1b811a0aa5c84b6518d0ce416d0e45b20248f2c054b40dd5c6a2fab65e0b9fffd347b396d9153fc32e53accbdf58a5e49f0cac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E3.tmp\onekey.png

Filesize
11KB

MD5
98165e77c3465490f2dfe6fb9b2b3a0e

SHA1
c6d5c1218c3e1bb518e7b8d2ada688e57796a4bd

SHA256
ce02872cea65b17ff4791f25b0152273564738cbef68b171a647e62c43f12ad3

SHA512
2b932442ce9bd88df489511d82d815dfbe466919d9b66993519c56f7c64d1e3c4a770ed539efbf77fc446e1662dcb24d91e8a4f9574c81ae9ecf0c62785415ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E3.tmp\qbdr.dll

Filesize
81KB

MD5
39b7f65a43ec5c4ce773e75d1c865dc3

SHA1
97dc95429db003bdb79b79420d7ed3cbab7ab238

SHA256
ed8c7c894cda915d782116dbc8d61bb8a74f67d646d4c19cb896d6e59eb89467

SHA512
a7df6ded954ac4f62bc60b83955780ec36d2d3aca830aaf4167ee06fa2d1eefdda2458858dfcb62abc74b95d4ae766d4487acffdfc27b739e7f06856f1a65534

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E3.tmp\shadow_active.png

Filesize
1KB

MD5
31f919fdc2049e164c0bf0b4821437cf

SHA1
da48509899d3abb2e16a2df901376a0d5531f516

SHA256
fe0d501cbe709b05a21b35764361a7007453255962f30f9a74c848982ed054ec

SHA512
118d6db772c2f5a297834fdcde1523875ab6f413963ac4bc55ced09921f876cd06e6bebda593ff33b3968080396b1a528605761ee8a42556d4426202f954025d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E3.tmp\shadow_deactive.png

Filesize
1KB

MD5
f12f177e5f5625ae22cd5b95600d9fe7

SHA1
53df332668332544868a64ea9e879bc72251dde6

SHA256
6c2c1f77e703d25c56cc31559f5557449182660846737f94fe84c70bc0fa9167

SHA512
3f9301aa401a8ffe3b05a44ed6b00cf4678b2c93609f71daace54e5d146c54594d3d7c6d5043a1a5a19f540abe5b6f20958519dc9977ba42a9e52105388d23e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrA3E3.tmp\strongbtn.png

Filesize
4KB

MD5
d65a3e7280709675f9c329ef011747d6

SHA1
f8430f7a10c7e3510186576970407a466c046373

SHA256
5320c874ad0dad1c50a60d2b68c377694c57368b6982f5bb0da1f017e8806371

SHA512
ed02b6b525ba158e406fb7df231ebbaed318e7edeb45acccebb1d6a7debbb4fffd7891bc44ce3146ad012f425540ca0f7ace3006df898cc99792c5ac090aa211

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
17KB

MD5
9d8a1ba4f4a141d019cdccce4a2c8c52

SHA1
6e8edfcc6458dcb6376d0b2ec44e3e361ef9d22a

SHA256
534fdb0118308a0a6d471f3c0b5091ff9a9ca153ea82128371f9331f19bd461e

SHA512
a7c7833f86c820a7741aefdc629d6b8d620eb7c205b5152bd3ee68526e834d53a572219b0567318d2cc46e7e9572626810ef256bf89ca3ce93ead1d5a3cbd88b

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\Common\gjdatareport.dll

Filesize
74KB

MD5
2814acbd607ba47bdbcdf6ac3076ee95

SHA1
50ab892071bed2bb2365ca1d4bf5594e71c6b13b

SHA256
5904a7e4d97eeac939662c3638a0e145f64ff3dd0198f895c4bf0337595c6a67

SHA512
34c73014ffc8d38d6dd29f4f84c8f4f9ea971bc131f665f65b277f453504d5efc2d483a792cdea610c5e0544bf3997b132dcdbe37224912c5234c15cdb89d498

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\QQMusic\QQMusicCache\TestCache.dat

Filesize
9B

MD5
924e6c387012c03b33f2d516eb3fab2b

SHA1
c3dce4c44a6439c174a8aaf1fe0c48b0e7288d39

SHA256
05cc3b6630936db2a188d8a63750c50ff6bb3716dbf0409ca777be5ca8ad2ab8

SHA512
1a124e00741c21aa7291b91b01423c7bb97f8e2afa8731be6536955c0724bc3813a6d6a68395472efa902f12e7ebf9bf1af49293e8561ebff0347fabc282e110

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\TXSSO\SetupLogs\setuplog.log

Filesize
916B

MD5
b9237043c01b81a95ce0d277d44bee1b

SHA1
93a0d9d82c9be3b54b4085764b3843b356133807

SHA256
24573c7b09f9794486d4863ecfe317f3de0af6b370ab40b7eb04f11b843247a1

SHA512
72eb431fb836834879c66e5b832fb16715e920752a0b3451c865876878e3ef0b68a01ece7ba3eb9c64cfa916f5ddaa3257d12fe51047bd2f75394d2800525a3b

Download Submit
F:\QQMusicCache\Log\DataTransformex\DataTransformex(1257.3805)20240929032851.log

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2004-761-0x0000000004580000-0x00000000045DB000-memory.dmp

Filesize
364KB

Download
memory/2648-116-0x00000000079F0000-0x0000000007A87000-memory.dmp

Filesize
604KB

Download
memory/2648-125-0x0000000005B60000-0x0000000005B71000-memory.dmp

Filesize
68KB

Download