ef287c84613bac14274548cd7a0237b912cb26dbeb3448468f29a6174d204cd2

Analysis

max time kernel
94s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Size

1.2MB
MD5

0200b0ae3a29723f6e583e0176f5ca82
SHA1

1b8ea6499bd7def114b8d42da1728d06c91c5cd5
SHA256

ef287c84613bac14274548cd7a0237b912cb26dbeb3448468f29a6174d204cd2
SHA512

e150b41da7019e2a51ed53b57c5d951e39c3972b38a02c255883fb86fa5f23e0c44d2fdc860629f6aca817559811a7ec076e3498fe900ac7da8632bec2977c86
SSDEEP

24576:E5VcGFJMAwLDiE8l1iiJcvkU6NnDnjWpInqyaNJyT18zT:8cGFJMAwfio+VNRnhafA10

Score

7^/10

discovery evasion trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4748	QQDownloader(xmlbar).exe

Loads dropped DLL 6 IoCs

pid	Process
3480	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
3480	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
3480	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
3480	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
3480	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
3480	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Xmlbar\QQ Downloader\language\Swedish.lng	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
File created	C:\Program Files (x86)\Xmlbar\QQ Downloader\config\swfobject.js	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
File created	C:\Program Files (x86)\Xmlbar\QQ Downloader\language\Chinese Simplified.lng	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
File created	C:\Program Files (x86)\Xmlbar\QQ Downloader\language\Arabic.lng	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
File created	C:\Program Files (x86)\Xmlbar\QQ Downloader\language\German.lng	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
File created	C:\Program Files (x86)\Xmlbar\QQ Downloader\language\Korean.lng	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
File created	C:\Program Files (x86)\Xmlbar\QQ Downloader\QQDownloader(xmlbar).exe	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
File created	C:\Program Files (x86)\Xmlbar\QQ Downloader\updater.exe	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
File created	C:\Program Files (x86)\Xmlbar\QQ Downloader\language\Chinese Traditional.lng	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
File created	C:\Program Files (x86)\Xmlbar\QQ Downloader\language\Japanese.lng	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
File created	C:\Program Files (x86)\Xmlbar\QQ Downloader\language\Dutch.lng	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
File created	C:\Program Files (x86)\Xmlbar\QQ Downloader\language\Russian.lng	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
File created	C:\Program Files (x86)\Xmlbar\QQ Downloader\IEBar\config\Chinese Simplified\XBIEBar.xml	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
File created	C:\Program Files (x86)\Xmlbar\QQ Downloader\language\Czech.lng	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
File created	C:\Program Files (x86)\Xmlbar\QQ Downloader\language\French.lng	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
File created	C:\Program Files (x86)\Xmlbar\QQ Downloader\config\FlvRules.ini	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
File created	C:\Program Files (x86)\Xmlbar\QQ Downloader\IEBar\xbietb.dll	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
File created	C:\Program Files (x86)\Xmlbar\QQ Downloader\sounds\jobdone.wav	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
File created	C:\Program Files (x86)\Xmlbar\QQ Downloader\language\English.lng	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
File created	C:\Program Files (x86)\Xmlbar\QQ Downloader\language\Polish.lng	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
File created	C:\Program Files (x86)\Xmlbar\QQ Downloader\language\Italian.lng	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
File created	C:\Program Files (x86)\Xmlbar\QQ Downloader\language\Portuguese.lng	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
File created	C:\Program Files (x86)\Xmlbar\QQ Downloader\language\Spanish.lng	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
File created	C:\Program Files (x86)\Xmlbar\QQ Downloader\config\mediaplayer.swf	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
File created	C:\Program Files (x86)\Xmlbar\QQ Downloader\config\Domain.ini	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
File created	C:\Program Files (x86)\Xmlbar\QQ Downloader\IEBar\config\defaults\XBIEBar.xml	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
File created	C:\Program Files (x86)\Xmlbar\QQ Downloader\config\Type.ini	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
File created	C:\Program Files (x86)\Xmlbar\QQ Downloader\IEBar\config\defaults\xmlbar.bmp	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
File created	C:\Program Files (x86)\Xmlbar\QQ Downloader\Uninstall.exe	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ielowutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QQDownloader(xmlbar).exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{612F6E5C-B314-4bab-93D1-D266AAFBE700}\MenuStatusBar = "Run QQ Downloader"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F714027E-66D4-4335-9935-4A96469F6EA2}\AppName = "QQDownloader(xmlbar).exe"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F714027E-66D4-4335-9935-4A96469F6EA2}	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{6B896ADB-4A82-46e2-858C-13134782CE34} = "Show Xmlbar Toolbar"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	QQDownloader(xmlbar).exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\QQDownloader(xmlbar).exe = "9000"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8034618b4b13db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70ef658b4b13db01	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{612F6E5C-B314-4bab-93D1-D266AAFBE700}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31134539"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{612F6E5C-B314-4bab-93D1-D266AAFBE700}\Icon = "C:\\Program Files (x86)\\Xmlbar\\QQ Downloader\\QQDownloader(xmlbar).exe,128"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{612F6E5C-B314-4bab-93D1-D266AAFBE700}\HotIcon = "C:\\Program Files (x86)\\Xmlbar\\QQ Downloader\\QQDownloader(xmlbar).exe,129"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F714027E-66D4-4335-9935-4A96469F6EA2}	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	QQDownloader(xmlbar).exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{612F6E5C-B314-4bab-93D1-D266AAFBE700}\Default Visible = "Yes"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31134539"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31134539"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F714027E-66D4-4335-9935-4A96469F6EA2}\AppPath = "C:\\Program Files (x86)\\Xmlbar\\QQ Downloader"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2156063500"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	QQDownloader(xmlbar).exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F714027E-66D4-4335-9935-4A96469F6EA2}\Policy = "3"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F714027E-66D4-4335-9935-4A96469F6EA2}\AppName = "QQDownloader(xmlbar).exe"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F714027E-66D4-4335-9935-4A96469F6EA2}\AppPath = "C:\\Program Files (x86)\\Xmlbar\\QQ Downloader"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2155907142"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000068fd66d6220e584abe447a4e1268eb51000000000200000000001066000000010000200000004d560f2bf7fe5307bd87b4c8cbda66a19ea2f4a1d34abd46c48f1331647377a5000000000e80000000020000200000000ad15ba51633bcd6e89c045f18f6c452def7ab90e70b1e4f968f885c2b0f8fa8200000007a414d52ef9e2be581fd23db5d65962d22657ef9fb0fd8bdc1cb7d510cd1fbbf40000000867ab8c3a068f68ea495ab88efe0ae16d4c449269d216a7027061656689cc4df7cc0847beea608c37ef7abe0089337062542ee73f26c0b156f3f449237424e0c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434474237"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{612F6E5C-B314-4bab-93D1-D266AAFBE700}\ButtonText = "Run QQ Downloader"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Xmlbar Search\ = "http://www.xmlbar.com/iebar/iemenu.php?lang=English&ver=1.0"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Xmlbar Search\Contexts = "16"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{612F6E5C-B314-4bab-93D1-D266AAFBE700}\Exec = "C:\\Program Files (x86)\\Xmlbar\\QQ Downloader\\QQDownloader(xmlbar).exe"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\IESettingSync	QQDownloader(xmlbar).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2155907142"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2156063500"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{612F6E5C-B314-4bab-93D1-D266AAFBE700}\MenuText = "QQ Downloader"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\MenuExt\&Xmlbar Search	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F714027E-66D4-4335-9935-4A96469F6EA2}\Policy = "3"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AC08AE7B-7F3E-11EF-B1C5-62A6B307388A} = "0"	iexplore.exe

Modifies registry class 58 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlbar\Shell\Open\Command	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XBIEBar.XBIEBarObj	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B896ADB-4A82-46e2-858C-13134782CE34}\TypeLib\ = "{D4FB30ED-7DDB-4e2c-A7F2-C7B905D5D771}"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4FB30ED-7DDB-4E2C-A7F2-C7B905D5D771}\1.0\FLAGS	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4FC7CF5-06C2-486E-A27B-5D6E1FB57B14}\ProxyStubClsid32	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4FC7CF5-06C2-486E-A27B-5D6E1FB57B14}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlbar\Shell	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B896ADB-4A82-46e2-858C-13134782CE34}\InprocServer32\ThreadingModel = "Apartment"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4FB30ED-7DDB-4E2C-A7F2-C7B905D5D771}\1.0\HELPDIR	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4FC7CF5-06C2-486E-A27B-5D6E1FB57B14}\ = "IXBIEBarObj"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B896ADB-4A82-46e2-858C-13134782CE34}\ProgID	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B896ADB-4A82-46E2-858C-13134782CE34}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4FB30ED-7DDB-4E2C-A7F2-C7B905D5D771}\1.0\0	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4FC7CF5-06C2-486E-A27B-5D6E1FB57B14}\ProxyStubClsid32	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B896ADB-4A82-46e2-858C-13134782CE34}\VersionIndependentProgID	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B896ADB-4A82-46e2-858C-13134782CE34}\InprocServer32	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4FC7CF5-06C2-486E-A27B-5D6E1FB57B14}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4FC7CF5-06C2-486E-A27B-5D6E1FB57B14}\TypeLib\ = "{D4FB30ED-7DDB-4E2C-A7F2-C7B905D5D771}"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlbar\DefaultIcon	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XBIEBar.XBIEBarObj.1\CLSID\ = "{6B896ADB-4A82-46e2-858C-13134782CE34}"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4FB30ED-7DDB-4E2C-A7F2-C7B905D5D771}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Xmlbar\\QQ Downloader\\IEBar\\"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B896ADB-4A82-46e2-858C-13134782CE34}\ProgID\ = "XBIEBar.XBIEBarObj.1"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B896ADB-4A82-46e2-858C-13134782CE34}\VersionIndependentProgID\ = "XBIEBar.XBIEBarObj"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlbar\DefaultIcon\ = "C:\\Program Files (x86)\\Xmlbar\\QQ Downloader\\QQDownloader(xmlbar).exe"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4FB30ED-7DDB-4E2C-A7F2-C7B905D5D771}\1.0	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4FC7CF5-06C2-486E-A27B-5D6E1FB57B14}\ = "IXBIEBarObj"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XBIEBar.XBIEBarObj\CurVer	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4FB30ED-7DDB-4E2C-A7F2-C7B905D5D771}\1.0\0\win32\ = "C:\\Program Files (x86)\\Xmlbar\\QQ Downloader\\IEBar\\xbietb.dll"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4FC7CF5-06C2-486E-A27B-5D6E1FB57B14}\TypeLib	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4FC7CF5-06C2-486E-A27B-5D6E1FB57B14}	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4FB30ED-7DDB-4E2C-A7F2-C7B905D5D771}\1.0\FLAGS\ = "0"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4FC7CF5-06C2-486E-A27B-5D6E1FB57B14}	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlbar\URL Protocol	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XBIEBar.XBIEBarObj.1\CLSID	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B896ADB-4A82-46e2-858C-13134782CE34}\ = "Show Xmlbar Toolbar"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B896ADB-4A82-46e2-858C-13134782CE34}\InprocServer32\ = "C:\\Program Files (x86)\\Xmlbar\\QQ Downloader\\IEBar\\xbietb.dll"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4FC7CF5-06C2-486E-A27B-5D6E1FB57B14}\TypeLib\Version = "1.0"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlbar\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Xmlbar\\QQ Downloader\\QQDownloader(xmlbar).exe\" \"%1\""	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XBIEBar.XBIEBarObj.1\ = "XBIEBarBand"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B896ADB-4A82-46e2-858C-13134782CE34}	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4FC7CF5-06C2-486E-A27B-5D6E1FB57B14}\TypeLib\ = "{D4FB30ED-7DDB-4E2C-A7F2-C7B905D5D771}"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlbar\Shell\Open	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XBIEBar.XBIEBarObj.1	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XBIEBar.XBIEBarObj\ = "XBIEBarBand"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B896ADB-4A82-46E2-858C-13134782CE34}\Implemented Categories	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B896ADB-4A82-46e2-858C-13134782CE34}\Programmable	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B896ADB-4A82-46E2-858C-13134782CE34}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4FB30ED-7DDB-4E2C-A7F2-C7B905D5D771}	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4FB30ED-7DDB-4E2C-A7F2-C7B905D5D771}\1.0\0\win32	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4FC7CF5-06C2-486E-A27B-5D6E1FB57B14}\TypeLib	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XBIEBar.XBIEBarObj\CLSID	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XBIEBar.XBIEBarObj\CLSID\ = "{6B896ADB-4A82-46e2-858C-13134782CE34}"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B896ADB-4A82-46e2-858C-13134782CE34}\TypeLib	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B896ADB-4A82-46E2-858C-13134782CE34}	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4FC7CF5-06C2-486E-A27B-5D6E1FB57B14}\TypeLib\Version = "1.0"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlbar	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XBIEBar.XBIEBarObj\CurVer\ = "XBIEBar.XBIEBarObj.1"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4FB30ED-7DDB-4E2C-A7F2-C7B905D5D771}\1.0\ = "XBIEBar 1.0 Type Library"	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3428	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3428	iexplore.exe
3428	iexplore.exe
2892	IEXPLORE.EXE
2892	IEXPLORE.EXE
4748	QQDownloader(xmlbar).exe
4748	QQDownloader(xmlbar).exe
4748	QQDownloader(xmlbar).exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 2892	3428	iexplore.exe	91
PID 3428 wrote to memory of 2892	3428	iexplore.exe	91
PID 3428 wrote to memory of 2892	3428	iexplore.exe	91
PID 3480 wrote to memory of 4748	3480	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe	94
PID 3480 wrote to memory of 4748	3480	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe	94
PID 3480 wrote to memory of 4748	3480	0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe	94

C:\Users\Admin\AppData\Local\Temp\0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0200b0ae3a29723f6e583e0176f5ca82_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Program Files (x86)\Xmlbar\QQ Downloader\QQDownloader(xmlbar).exe
  "C:\Program Files (x86)\Xmlbar\QQ Downloader\QQDownloader(xmlbar).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4748

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:3512

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3428 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Xmlbar\QQ Downloader\IEBar\xbietb.dll

Filesize
404KB

MD5
f03364a071944d6517a537b0d91409b2

SHA1
c8cdda8df6bc7b832dda8891a61005fc0c11821d

SHA256
4af7f55e631b40d49c973e9f595f6c9d0ab0ac85be8358dc44e5e121f3699aaa

SHA512
39e04e8d0cdbee66df03bddf531c2eba831268b29530c1bae8d0bd9ba0abd1ffc86218ff33c41fcfaadfec2238382dbec8407e993ba9ce75528841c44e8302d9

Download Submit
C:\Program Files (x86)\Xmlbar\QQ Downloader\QQDownloader(xmlbar).exe

Filesize
1.6MB

MD5
42dcc73ed5873118929ae6831775dee4

SHA1
f0cf1fe3e3f535cb1a7ee8ec9cbf51834c8f21e5

SHA256
ca1981d57358c407332049a27b4aac932c4dc65c4350e06cd561f14e71e626ec

SHA512
adb07dbf0030ee14b2b966ec0e585b83f9ed221f598139b6a99ee5aae27a47d376bcaa7ff19eeaf2a865201738e74e1c68f3b27f689d4fe6c337482d89c3f201

Download Submit
C:\Program Files (x86)\Xmlbar\QQ Downloader\config\Domain.ini

Filesize
50B

MD5
dd4b89e5fa93334d2eb6475f60ef0fd5

SHA1
bb50cd55291e8a4aeb941d1a5c50129fd71e508a

SHA256
e7c6f5489b7c2bd8c1c31708b43dde04916334a1df36ae230c32642dd81e5e7d

SHA512
861ff981e3d53b9fdf2856030e15f0d5bc04df133505e8c42317859850c3ebd08811e725d405d3cd86e5a0825b78e008abac89b4aa83c1114a80d76db327f489

Download Submit
C:\Program Files (x86)\Xmlbar\QQ Downloader\config\FlvRules.ini

Filesize
6KB

MD5
faa4d8ec36a9c6c376fafecec234754e

SHA1
88ee35ed91df9fcb8b90835dcd79dda624a2832c

SHA256
d4d8c485edf5061974442e9c24da82477ab8cc27ccd82d3479a3577a03d37b01

SHA512
1f6ac2f7c2195b5bb3bad4f1c61178b5b3e5400b28a4b1b360b227f8a0a900ee13ae9cc6beccc456dadcb5dc86f9aa4d4ac08db1f261c0ff1a60de369ff94fa0

Download Submit
C:\Program Files (x86)\Xmlbar\QQ Downloader\config\Type.ini

Filesize
68B

MD5
cccd49d6d1130053977d006698c9171a

SHA1
e503afdd1762a955a6b7d8bdbee482b67dabb7c3

SHA256
a0ec4f882636ac38dd9b6c1d29d331505ab5f1b3982a257785b7cbae008b2ade

SHA512
bde4bc5a3e8092e9ac0496bedfc69d6f6c036c52d7d7af4b9f23dc7ace34d3ab46d2619f8e497335f308439a2d099e20bbb27c00e06672b503b9847beec9f06d

Download Submit
C:\Program Files (x86)\Xmlbar\QQ Downloader\language\Arabic.lng

Filesize
16KB

MD5
79c5dd3a47dcae5ea2c030e21a7bf675

SHA1
3f69fc391b92a9bd53b6473fe954e5604c66c700

SHA256
cf3eb7db4f98111b41f0e12de8f0e7bbb5dae9f16e21536225e6fbaf03a4e01b

SHA512
efa8735662b80af68cd1595837f0a3dd4c21e43f2e185342321d1704bb374f87df09f3444f7ffec6ab761f0eaef2ba6d597597785e2ee051163bc9bd5b0f60d6

Download Submit
C:\Program Files (x86)\Xmlbar\QQ Downloader\language\Chinese Simplified.lng

Filesize
11KB

MD5
f3a99a3149a90fbc70cbc25fa7306652

SHA1
ec63259c7beedb20b019a2156612ba2f8b5457c9

SHA256
fd88f8afb454858243ac74b36076266d5fe6910663d459a8949903d084020da2

SHA512
082f2bda6ba49e3f9d09b26fd50be637c31a895bac1b613a1a46d936293df240e838264fc4cdb3c2a6fab51856a0f5d194882a8329d9b1ab52c39094b579e68d

Download Submit
C:\Program Files (x86)\Xmlbar\QQ Downloader\language\Chinese Traditional.lng

Filesize
11KB

MD5
3f8a3bb2433f0ed36aeaea32210fc1a6

SHA1
6b9d5d5fe0b6a6680bce7ff0fa643cd0a7c27465

SHA256
d3e98e6da9ee6c911518e0d7cddd7f602120a805076c7894b60c9cc16b886b5d

SHA512
ea6709b82b4e614f3559ef446d729f031037eba479551c6f510a4551cf7abff383c180b4c859098fc1a1ef6a8b75c92f9f1064759bc21d2930aaf880aa6bbe4f

Download Submit
C:\Program Files (x86)\Xmlbar\QQ Downloader\language\Czech.lng

Filesize
11KB

MD5
80fb3e5a0fd1b4664674faa44e4e3957

SHA1
b139f9e33bbe94d3c225bbe3e3b6356389b22c8b

SHA256
3989a9542bb9abfa0066c53675ca898097e200c783da00db635b308a94e2ea71

SHA512
16bf2e89393f8c9725f3a31cce2094fc5d5f72fe26f0777eed7d51698e1ecf375034df27903c3b7cc13b1cd929a6964191fe33835040f72f070256943bc28e0a

Download Submit
C:\Program Files (x86)\Xmlbar\QQ Downloader\language\Dutch.lng

Filesize
11KB

MD5
b65052119511a4ba77705ce386a3f363

SHA1
a9c89a096bd8af7c83b4941b01106acb397eed87

SHA256
f3bc508ef300774ba8f735177d7172ecb41ed709a44159114b266b33ed2470f6

SHA512
f62c32651eead77567a54af6b2246b73105b0784b1f4922f4d2d86b3973d7eccc4668673e4aa116435010617375aaaf33e882ae88f52f27a71496a92c2e95bfb

Download Submit
C:\Program Files (x86)\Xmlbar\QQ Downloader\language\English.lng

Filesize
11KB

MD5
badd3c23d462d67e56cf67389973aecd

SHA1
5a33134f20cf7c16804a75e89bcceaf5fca8f52b

SHA256
1f75e127fd62b9f3efa6a8cc436bfa8fa18c1f8baf5bf7d5c33c9821e323d935

SHA512
5de3571ca8dc6fb08af8114b2e027e53370399c152be6185a1948ec792e93ec2d985710b01f469e0ae0b5e9bbc55c8b5b68b950efb3bf066530708168e068069

Download Submit
C:\Program Files (x86)\Xmlbar\QQ Downloader\language\French.lng

Filesize
13KB

MD5
c034514a327e46ebefc77de30e2d67a1

SHA1
eb40b0e15252fafad0cbd3514fe77a0f7019778e

SHA256
355f4b5ba5885520265ed0e727ff3b1365c33d2e4e4b1a5ecd29919e4566b532

SHA512
fdffbaee934e41116d77d47e16bd843f7a9a16f555fe17d4e5f8dfe77b86ceac0a8623a3bba1194444158d02ecde4a8281311d39e05fa9750d4d3a3f013db77c

Download Submit
C:\Program Files (x86)\Xmlbar\QQ Downloader\language\German.lng

Filesize
12KB

MD5
ae378af750c4e877c924466eb5b01a1e

SHA1
d88a67e165c14c479872df1ccb1a4a4175ef92bb

SHA256
3a03632a4f544211e46e82632b83ba9b7437dedad9ab81ff8c2dd30480911991

SHA512
bc432a91ca4198fe4fe6c3c819286e734d35b562c3c337e74f718332b8d84ff0720c511399ebb4c42e8d71cd87842177828cc67524733ab0804abd63411426ce

Download Submit
C:\Program Files (x86)\Xmlbar\QQ Downloader\language\Italian.lng

Filesize
12KB

MD5
4fff69b70c8deb199fb4e606a5f15979

SHA1
e882210086c123d5b1eef503d77c97c11d1794ec

SHA256
a8e11d9aad0028545b0cb08f57e932b83d5dcf07f8911b8eb22f94c62be9bd8a

SHA512
69f7cd7ebf14b683c5eadb7878b3a55590caea7a33c51956750cd02b9aa2d8d625174884b17246464cc3752f7d5110fcff0620b89cf5c0bb10e0f5f9cc4973bb

Download Submit
C:\Program Files (x86)\Xmlbar\QQ Downloader\language\Japanese.lng

Filesize
16KB

MD5
1f3da82d5e850f9d6b45701be77c4f5c

SHA1
cc969c79a8f2ed396e0fa497fc83f54fa81988f3

SHA256
b26641b693214565603cdcf8fbac000cebeb09db36bd8f1097048c234499cd97

SHA512
8d797b13dd321a01c2be61c9f74f1e0f6c93ec906c114be92b471018d2548d5605645ef54e115aec8c0c4f586e33ed87a36e689518ce819245f9c9127578ec5c

Download Submit
C:\Program Files (x86)\Xmlbar\QQ Downloader\language\Korean.lng

Filesize
13KB

MD5
01bbbf388b16b2ada523f9cf4b6189b5

SHA1
71261f65a8e6fcdfc77b66e9b382f288a03c41e6

SHA256
339c1de551fefea94c9c507a8e58a970961c353e087040102e571362f20e9b08

SHA512
b1cb1d72e5ace8b9e4f708263daced5882b98e2a6094e7ce35016b8781ccdbba4f6e3177823044f106cade30ded96d9ef929ade3487637fbda4bd5d4559b6ba2

Download Submit
C:\Program Files (x86)\Xmlbar\QQ Downloader\language\Polish.lng

Filesize
12KB

MD5
3ef835a1ab625754064d81af81cc1ca5

SHA1
f98c77b1747383e7687d07eb0b5857b4959332f4

SHA256
32c3c3fe4d498bc01e565ba98c595f55a9c341b2a23c189a47a120488bc547e1

SHA512
0cd0226c49197d5b1d3318df1ee118e1b05ee21c0f24b6d3a79cd86d2c5b4edfd550b322e1cdbcd8afded99531c9ca19e15dc63dcc1a94537302356d0fac5bfe

Download Submit
C:\Program Files (x86)\Xmlbar\QQ Downloader\language\Portuguese.lng

Filesize
12KB

MD5
00515a22ba5ce999349bf90ef06e8479

SHA1
3cd488b2b62ba62eb7333122637198d10573f00d

SHA256
2cf2fca35b5dde9df680eb366d8a4de54fe073f3bb45fb02fd2273897cbc9bee

SHA512
9e49cc39c8fa4519af35ca4d9467c371f0d291bf7082a03232186255b46da892f6b7e219cdded969d7e1bcaf9cb8e183c115ad58747127bd7331c8f9d61a586f

Download Submit
C:\Program Files (x86)\Xmlbar\QQ Downloader\language\Russian.lng

Filesize
18KB

MD5
b60250cf6746404eec3493802d5c64c1

SHA1
bdfff27885ad54a0804c7760dc084a8abc663ea3

SHA256
75fbc3876b72ccb8187c59515b50e92c878b4f4841d07b2803731519790c54af

SHA512
bd7893e5e037a1b468b7079c92d15966771eadb00fe6315d646e3213de50c00c293c954b38b06d3a6876396b299bf5c6c70f8140ff4778d695250eebfb4edddb

Download Submit
C:\Program Files (x86)\Xmlbar\QQ Downloader\language\Spanish.lng

Filesize
13KB

MD5
55cf595b7cca0205b1b3ff1b147618ae

SHA1
5bfbacc7d328537b90b7ec665a54f63ee747f34f

SHA256
5a19a72de95e8075f16bd864bcb6e2dbd6cf8bb0e33bcd0241adca0b6878817d

SHA512
c94c1378268d23f63346f4d45a51032d84c404d3ac5c7edabb7c474da65ceda7ce9266c10239b46b17bc5825303d8b06e51f2f55e7fddd17bd123db7b261f550

Download Submit
C:\Program Files (x86)\Xmlbar\QQ Downloader\language\Swedish.lng

Filesize
11KB

MD5
8992c44bcdd81657c7167e9865935cab

SHA1
a6e75df89d61d3773c61d3f40c05de44e5a43da0

SHA256
54963afdd9bb6278a89b915592649fec2383e082af9718269d76db1dfa344683

SHA512
aa8a28d97d6b6d2722c4c8b6b07b0e96f18226b7960848f579bd37325e1828cae9d1a8fc2e5fb6c9faa421b4c5ff38ca1cd46f672aba237c4458700d93803f58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
5c93309a2b418ef7de0afb3ae82770c2

SHA1
1b9d1a371d163274c3831c764f18ce33f529e5f6

SHA256
fa0eff22a494037462bc32f5f477044d28d8e7795b8e2ee7724dbe0c646f2b22

SHA512
08d71c4cd9ff5df8c53b83bc24fa1ef42c3c205ed08b3a3d38fbc737a68083241c0230a942336f76d0aeb3bf7ffcdc8b8e4f3f82f9f3eba1c7e47af83802af76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
1KB

MD5
436f35ad019ac62701d494bcbebc9f91

SHA1
1644382074bc565318fda2aff05ac621f494c14e

SHA256
1f0d759ec7b37de287b8242ea6a7dfff79a8ccfde27824a8d92bf3a9e61d1d5e

SHA512
4319235c9d9e870d355e7f2d36e0d5130b5713d3c1ea72f54819750074c0ab8bc4018d968f8052a254abf6326f37132dbbec3f0ece53133af4a26fe744ec0517

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
cf37cb81da79a45bb1ca3fbc1b7bdc40

SHA1
987475f436d1e30318bc0352e2b38b6e7bc6ba21

SHA256
134caa8b0290c6e030ef4a9f3e23ea8d7d1eb21b1d2cc24bf753615b35639287

SHA512
af31083d9b1205aab6fe432dbba2587c6599477077b8c4bf7445d9f53ed636ac29740d0dffd1f8cd2518b530795832540863fd259ec6f89d1c94c7b540f50909

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
506B

MD5
175e97ec20be84a082993802248c4d8e

SHA1
08175fdcda97c2d0d9db85bbc9f31d7a3ff12a89

SHA256
7a78d4152b14fb631190b83b2e83921adba024a2e390583ae9f8e1d243afb654

SHA512
eda864721a7f40dac77951df5d67a0d8cd4da2574cf93df79e875fc84aa0e61458b1c273909645db077f23874c61444bf94ca6c0ce5dfe5901312f46e4fb97d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver63D6.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ia2xzjv\imagestore.dat

Filesize
1KB

MD5
a534a0edae1b6774753e4520a65c8af7

SHA1
26e2c390c361773e3966b90a66fde4eb461dd2e7

SHA256
e568da7a51ce524191d67509371aecc93e74545b0c79a4685b1703164af65be5

SHA512
67e5f2fc6e099f08dc2bf1a695e055b4003a7a5812ec0f8cfd7018e79e222e755e72e9b4e7966e881a61c08ba667ce8c2cb1b8c10ee0b10116a4ce0960293b68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3HDB1LPD\favicon[1].ico

Filesize
1KB

MD5
2f28c6396b4d1b56a709ce4188302a4a

SHA1
68151fb446d60e76f6563d638d5b620d70948abc

SHA256
c9acc7ee399fe561e7d6dfaa3718993179436cf4d5039909792ec8134bb6b571

SHA512
3c9f8f13671060c4da7f3ced16ba86244ef8f7b360e254fb7078d96169695ce3a2d33438573190ba602031b76ada08c104591a9fc633f846250394a757c6d326

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LNHEOAK4\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\TFR56A.tmp

Filesize
1KB

MD5
caf070fc22a2dae9ae230fbdb212b6c8

SHA1
d3a8e06c572b8327f1af3bd3f5606a754122fd93

SHA256
def1dc1793a25411ac7164b55c533c60a734aad9c14e42171aab409142f65efd

SHA512
a169ffe140112aa6045a74c922b032cb8cafb3a56f0f8de902bc303de4360411b0d6b80c7e10937c3ef17139978df144a88dd53b9eff675070d54ed3ac28aea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg881E.tmp\CloseFlvDownload.dll

Filesize
61KB

MD5
524c601bb4991548b078b00dbfc773a9

SHA1
2289c4dddc7019727b7450898b88b6c0dfb6d3bb

SHA256
4acbff9bc8d6498abccb6d952752a3b769e9ca3042dc1ae5018577708cb8f8c3

SHA512
96d1b80c5903b3b6de6344cd6d6e3187a85139c3380fe26cb047a3bc9185032d43e22414cbc21f433ef70be80d4b71c1596669fb00b684188fa765d34bf5ba3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg881E.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg881E.tmp\LangDLL.dll

Filesize
5KB

MD5
9384f4007c492d4fa040924f31c00166

SHA1
aba37faef30d7c445584c688a0b5638f5db31c7b

SHA256
60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5

SHA512
68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg881E.tmp\ioSpecial.ini

Filesize
718B

MD5
498c7a214bb73687eaf701b91a2aedf9

SHA1
4eebc43d50c7022363c1e5085cbb2e8b0c9ec4df

SHA256
dae792302db0108ca5fe21859589a9fd406d5600dab24ed0e4dce6c965048887

SHA512
c6d6b975eed2f2dbbea0c9acc695199448b79fde6a5dd73b7f0dcebc8c4c23fd7e2087de08b1ed361fd018a1d0aa0dad73cac2f7a42ffc50071dae7198cf5f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg881E.tmp\ioSpecial.ini

Filesize
856B

MD5
e2486fdcd3bb4452c112fa378607cc2d

SHA1
e4764418a08cb2e835732b3aedc2016e0fd6dab0

SHA256
0f63fd0e2a3120688e3de817b1a0c20f9420c8a16bd68e426b216363dd5211b7

SHA512
99afd3836b5e47383718e5fa5a4b8afa7b7bd650ade23c0574c81f7181a1faa3e4b38164851642c270ca1ef960a497c76a420c3c308e187cee9c71f5c82ac818

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg881E.tmp\ioSpecial.ini

Filesize
882B

MD5
81ac08813a06553980e1516a9facc574

SHA1
2508d41b6e547e2adbee98a3e5d4f6e5d6fc1803

SHA256
5d2bc037357d5a1693b245f73c9aafe154113de7680dfcf88d6bd5a56e386c18

SHA512
81d182abff9f62891c8879308635a4fb4143893bb3d0e6867dc2e3a61bf99bf914bc6d6837ba82f30399c294036f8acd8a4fb2f354b2831b7159b559f2046c6d

Download Submit
memory/3480-88-0x00000000051F0000-0x0000000005202000-memory.dmp

Filesize
72KB

Download
memory/3480-123-0x00000000051F0000-0x0000000005257000-memory.dmp

Filesize
412KB

Download