Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/10/2024, 02:20
- Static task static1
- Behavioral task behavioral1: sample 5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe, resource win7-20240708-en
- Behavioral task behavioral2: sample 5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe, resource win10v2004-20241007-en
- Behavioral task behavioral3: sample $_2_/DownloadProxyPS.dll, resource win7-20240903-en
- Behavioral task behavioral4: sample $_2_/DownloadProxyPS.dll, resource win10v2004-20241007-en
- Behavioral task behavioral5: sample $_2_/Extract.dll, resource win7-20240903-en
- Behavioral task behavioral6: sample $_2_/Extract.dll, resource win10v2004-20241007-en
- Behavioral task behavioral7: sample $_2_/MiniQQDL.exe, resource win7-20240729-en
- Behavioral task behavioral8: sample $_2_/MiniQQDL.exe, resource win10v2004-20241007-en
- Behavioral task behavioral9: sample $_2_/TNProxy.dll, resource win7-20240903-en
- Behavioral task behavioral10: sample $_2_/TNProxy.dll, resource win10v2004-20241007-en
- Behavioral task behavioral11: sample $_2_/Tencentdl.exe, resource win7-20240903-en
- Behavioral task behavioral12: sample $_2_/Tencentdl.exe, resource win10v2004-20241007-en
- Behavioral task behavioral13: sample $_2_/dlcore.dll, resource win7-20240903-en
- Behavioral task behavioral14: sample $_2_/dlcore.dll, resource win10v2004-20241007-en
- Behavioral task behavioral15: sample $_2_/predown.dll, resource win7-20240903-en
- Behavioral task behavioral16: sample $_2_/predown.dll, resource win10v2004-20241007-en
General
- Target: 5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe
- Size: 1.6MB
- MD5: 5052cf2d1f8b28b72768fae254e34a64
- SHA1: c28918f7ddabe26ba0d0ece6e3ea953ae5e7df72
- SHA256: 206f0e7fd34c289a30061a61e700296dca6df48535922f94384f6c1715534691
- SHA512: bd222d6b63b1c199da18b652d226f9a67c0f34931ceb60849ec0272a7042ba3bfe46b659baf7e8a09a073a9145bc618a47ff4bc99a25d7bac6dcc78b0118f620
- SSDEEP: 49152:prpRAcE4BJ16/bI6KH9/W/mxnwfYkW7mr1ir:pREYnFH9/PJYYkWe0
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation (Tencentdl.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation (tencentdl.exe)
- Executes dropped EXE (5 IoCs)
  - PID 1824 Tencentdl.exe
  - PID 4824 MiniQQDL.exe
  - PID 736 tencentdl.exe
  - PID 1028 tencentdl.exe
  - PID 2712 tencentdl.exe
- Loads dropped DLL (14 IoCs)
  - PID 4824 MiniQQDL.exe
  - PID 1028 tencentdl.exe
  - PID 3648 regsvr32.exe
  - PID 4824 MiniQQDL.exe
  - PID 4824 MiniQQDL.exe
  - PID 1028 tencentdl.exe
  - PID 4824 MiniQQDL.exe
  - PID 4824 MiniQQDL.exe
  - PID 1028 tencentdl.exe
  - PID 2712 tencentdl.exe
  - PID 2712 tencentdl.exe
  - PID 2712 tencentdl.exe
  - PID 2712 tencentdl.exe
  - PID 2712 tencentdl.exe
- Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  - File opened (read-only): \??\F: (MiniQQDL.exe)
- Writes to the Master Boot Record (MBR) (1 TTP, 3 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  - File opened for modification: \??\PhysicalDrive0 (tencentdl.exe)
  - File opened for modification: \??\PhysicalDrive0 (MiniQQDL.exe)
  - File opened for modification: \??\PhysicalDrive0 (tencentdl.exe)
- Drops file in Program Files directory (6 IoCs)
  - File created: C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\Tencentdl.exe (Tencentdl.exe)
  - File opened for modification: C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\Tencentdl.exe (Tencentdl.exe)
  - File created: C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\dlcore.dll (Tencentdl.exe)
  - File created: C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\tnproxy.dll (Tencentdl.exe)
  - File created: C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\extract.dll (Tencentdl.exe)
  - File created: C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\DownloadProxyPS.dll (Tencentdl.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Tencentdl.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MiniQQDL.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (tencentdl.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (tencentdl.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (regsvr32.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (tencentdl.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe)
- Modifies registry class (64 IoCs)
- Suspicious use of FindShellTrayWindow (6 IoCs)
  - PID 4824 MiniQQDL.exe
  - PID 4824 MiniQQDL.exe
  - PID 1028 tencentdl.exe
  - PID 1028 tencentdl.exe
  - PID 2712 tencentdl.exe
  - PID 2712 tencentdl.exe
- Suspicious use of SendNotifyMessage (4 IoCs)
  - PID 4824 MiniQQDL.exe
  - PID 4824 MiniQQDL.exe
  - PID 1028 tencentdl.exe
  - PID 2712 tencentdl.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 4824 MiniQQDL.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  - PID 4352 (5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe) wrote to memory of 1824 (procid_target 84)
  - PID 4352 (5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe) wrote to memory of 1824 (procid_target 84)
  - PID 4352 (5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe) wrote to memory of 1824 (procid_target 84)
  - PID 4352 (5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe) wrote to memory of 4824 (procid_target 85)
  - PID 4352 (5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe) wrote to memory of 4824 (procid_target 85)
  - PID 4352 (5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe) wrote to memory of 4824 (procid_target 85)
  - PID 1824 (Tencentdl.exe) wrote to memory of 736 (procid_target 86)
  - PID 1824 (Tencentdl.exe) wrote to memory of 736 (procid_target 86)
  - PID 1824 (Tencentdl.exe) wrote to memory of 736 (procid_target 86)
  - PID 736 (tencentdl.exe) wrote to memory of 3648 (procid_target 88)
  - PID 736 (tencentdl.exe) wrote to memory of 3648 (procid_target 88)
  - PID 736 (tencentdl.exe) wrote to memory of 3648 (procid_target 88)
Processes
- C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe (PID 4352)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe (PID 1824)
    Command line: "C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe" /Install
    Signatures: Checks computer location settings; Executes dropped EXE; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe (PID 736)
      Command line: "C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe" -RegServer
      Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\regsvr32.exe (PID 3648)
        Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\program files (x86)\common files\tencent\qqdownload\113\DownloadProxyPS.dll"
        Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class
  - C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe (PID 4824)
    Command line: "C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Enumerates connected drives; Writes to the Master Boot Record (MBR); System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
- C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe (PID 1028)
  Command line: "C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe" -Embedding
  Signatures: Executes dropped EXE; Loads dropped DLL; Writes to the Master Boot Record (MBR); System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe (PID 2712)
  Command line: "C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe" -Embedding
  Signatures: Executes dropped EXE; Loads dropped DLL; Writes to the Master Boot Record (MBR); System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
MITRE ATT&CK Enterprise v15
Downloads