Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 17/10/2024, 02:20
Static task: static1
Behavioral task: behavioral1 (Sample 5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe, Resource win7-20240708-en)
Behavioral task: behavioral2 (Sample 5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe, Resource win10v2004-20241007-en)
Behavioral task: behavioral3 (Sample $_2_/DownloadProxyPS.dll, Resource win7-20240903-en)
Behavioral task: behavioral4 (Sample $_2_/DownloadProxyPS.dll, Resource win10v2004-20241007-en)
Behavioral task: behavioral5 (Sample $_2_/Extract.dll, Resource win7-20240903-en)
Behavioral task: behavioral6 (Sample $_2_/Extract.dll, Resource win10v2004-20241007-en)
Behavioral task: behavioral7 (Sample $_2_/MiniQQDL.exe, Resource win7-20240729-en)
Behavioral task: behavioral8 (Sample $_2_/MiniQQDL.exe, Resource win10v2004-20241007-en)
Behavioral task: behavioral9 (Sample $_2_/TNProxy.dll, Resource win7-20240903-en)
Behavioral task: behavioral10 (Sample $_2_/TNProxy.dll, Resource win10v2004-20241007-en)
Behavioral task: behavioral11 (Sample $_2_/Tencentdl.exe, Resource win7-20240903-en)
Behavioral task: behavioral12 (Sample $_2_/Tencentdl.exe, Resource win10v2004-20241007-en)
Behavioral task: behavioral13 (Sample $_2_/dlcore.dll, Resource win7-20240903-en)
Behavioral task: behavioral14 (Sample $_2_/dlcore.dll, Resource win10v2004-20241007-en)
Behavioral task: behavioral15 (Sample $_2_/predown.dll, Resource win7-20240903-en)
Behavioral task: behavioral16 (Sample $_2_/predown.dll, Resource win10v2004-20241007-en)
General
Target: 5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe
Size: 1.6MB
MD5: 5052cf2d1f8b28b72768fae254e34a64
SHA1: c28918f7ddabe26ba0d0ece6e3ea953ae5e7df72
SHA256: 206f0e7fd34c289a30061a61e700296dca6df48535922f94384f6c1715534691
SHA512: bd222d6b63b1c199da18b652d226f9a67c0f34931ceb60849ec0272a7042ba3bfe46b659baf7e8a09a073a9145bc618a47ff4bc99a25d7bac6dcc78b0118f620
SSDEEP: 49152:prpRAcE4BJ16/bI6KH9/W/mxnwfYkW7mr1ir:pREYnFH9/PJYYkWe0
Signatures

Executes dropped EXE (4 IoCs)
pid / process:
- 2796 Tencentdl.exe
- 2624 tencentdl.exe
- 2776 MiniQQDL.exe
- 296 tencentdl.exe

Loads dropped DLL (14 IoCs)
pid / process:
- 2312 5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe (4 entries)
- 2796 Tencentdl.exe (2 entries)
- 2776 MiniQQDL.exe (2 entries)
- 332 regsvr32.exe (1 entry)
- 296 tencentdl.exe (5 entries)

Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only): \??\F: by MiniQQDL.exe

Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
- File opened for modification: \??\PhysicalDrive0 by tencentdl.exe
- File opened for modification: \??\PhysicalDrive0 by MiniQQDL.exe

Drops file in Program Files directory (6 IoCs)
- File created: C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\Tencentdl.exe by Tencentdl.exe
- File opened for modification: C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\Tencentdl.exe by Tencentdl.exe
- File created: C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\dlcore.dll by Tencentdl.exe
- File created: C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\tnproxy.dll by Tencentdl.exe
- File created: C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\extract.dll by Tencentdl.exe
- File created: C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\DownloadProxyPS.dll by Tencentdl.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by Tencentdl.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by tencentdl.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by MiniQQDL.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by regsvr32.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by tencentdl.exe

Modifies registry class (64 IoCs)
Suspicious use of FindShellTrayWindow (3 IoCs)
pid / process:
- 2776 MiniQQDL.exe (2 entries)
- 296 tencentdl.exe (1 entry)

Suspicious use of SendNotifyMessage (2 IoCs)
pid / process:
- 2776 MiniQQDL.exe (2 entries)

Suspicious use of SetWindowsHookEx (1 IoC)
pid / process:
- 2776 MiniQQDL.exe

Suspicious use of WriteProcessMemory (19 IoCs)
- PID 2312 (5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe) wrote to memory of PID 2796, procid_target 30 (4 entries)
- PID 2796 (Tencentdl.exe) wrote to memory of PID 2624, procid_target 32 (4 entries)
- PID 2312 (5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe) wrote to memory of PID 2776, procid_target 31 (4 entries)
- PID 2624 (tencentdl.exe) wrote to memory of PID 332, procid_target 33 (7 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe"
  PID: 2312
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe" /Install
    PID: 2796
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe
      Command line: "C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe" -RegServer
      PID: 2624
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\regsvr32.exe
        Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\program files (x86)\common files\tencent\qqdownload\113\DownloadProxyPS.dll"
        PID: 332
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Modifies registry class

  C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe"
    PID: 2776
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe
  Command line: "C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe" -Embedding
  PID: 296
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads