Malware Analysis Report

2025-08-05 10:49

Sample ID: 241017-csnlqs1bjj
Target: 5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118
SHA256: 206f0e7fd34c289a30061a61e700296dca6df48535922f94384f6c1715534691
Tags: bootkit, discovery, persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1, behavioral3, behavioral4, behavioral12, behavioral15, behavioral7, behavioral10, behavioral2, behavioral5, behavioral9, behavioral13, behavioral14, behavioral6, behavioral8, behavioral11, behavioral16 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 7/10

SHA256: 206f0e7fd34c289a30061a61e700296dca6df48535922f94384f6c1715534691

Threat Level: Shows suspicious behavior

The file 5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: bootkit, discovery, persistence

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Writes to the Master Boot Record (MBR)

Enumerates connected drives

Drops file in Program Files directory

Program crash

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-17 02:20

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-17 02:20
Reported: 2024-10-17 02:23
Platform: win7-20240708-en
Max time kernel: 121s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe"

Signatures

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe | N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit, persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\Tencentdl.exe | C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\Tencentdl.exe | C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe | N/A
File created | C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\dlcore.dll | C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe | N/A
File created | C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\tnproxy.dll | C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe | N/A
File created | C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\extract.dll | C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe | N/A
File created | C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\DownloadProxyPS.dll | C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}\ = "DownloadProxy" | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\0\win32\ = "C:\\program files (x86)\\common files\\tencent\\qqdownload\\113\\tencentdl.exe" | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader\CLSID\ = "{5318D0E8-A003-446A-B66C-5E5E652ACB24}" | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\HELPDIR | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ProxyStubClsid32 | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib\Version = "1.0" | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ = "IDownloader" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\LocalServer32\ = "\"C:\\program files (x86)\\common files\\tencent\\qqdownload\\113\\tencentdl.exe\"" | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib\ = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}" | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid | C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\VersionIndependentProgID | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib\Version = "1.0" | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ = "IDownloader" | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\NumMethods\ = "15" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ = "IDownloader_2" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\DownloadProxy.EXE | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\TypeLib\ = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}" | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\ = "DownloadProxy 1.0 Type Library" | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\0 | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader.1 | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\ProgID\ = "DownloadProxy.Downloader.1" | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32\ThreadingModel = "Both" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E} | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib\ = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}" | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib\ = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}" | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\Programmable | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid\SequenceID = ce40891da703f14293ef32e26d037193 | C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32\ = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1} | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\FLAGS | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\HELPDIR\ | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ = "IDownloader" | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32 | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA} | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader.1\ = "Downloader Class" | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\ProgID | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ = "_IDownloaderEvents" | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib\ = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}" | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib\Version = "1.0" | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32\ = "C:\\program files (x86)\\common files\\tencent\\qqdownload\\113\\DownloadProxyPS.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ = "PSFactoryBuffer" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader.1\CLSID | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24} | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\ = "Downloader Class" | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ = "_IDownloaderEvents" | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA} | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib\Version = "1.0" | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader\CLSID | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E} | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2312 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe
PID 2312 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe
PID 2312 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe
PID 2312 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe
PID 2796 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe
PID 2796 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe
PID 2796 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe
PID 2796 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe
PID 2312 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe
PID 2312 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe
PID 2312 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe
PID 2312 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe
PID 2624 wrote to memory of 332 | N/A | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2624 wrote to memory of 332 | N/A | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2624 wrote to memory of 332 | N/A | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2624 wrote to memory of 332 | N/A | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2624 wrote to memory of 332 | N/A | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2624 wrote to memory of 332 | N/A | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2624 wrote to memory of 332 | N/A | C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe | C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe

"C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe" /Install

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe

"C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe"

C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe

"C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe" -RegServer

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\program files (x86)\common files\tencent\qqdownload\113\DownloadProxyPS.dll"

C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe

"C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe" -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | cdlxf.qq.com | udp
US | 8.8.8.8:53 | cfg.xf.qq.com | udp
US | 8.8.8.8:53 | fs_report_doctor.qq.com | udp
US | 8.8.8.8:53 | pdlxf_doctor.qq.com | udp
US | 8.8.8.8:53 | fs_tcp_conn_doctor.qq.com | udp
US | 8.8.8.8:53 | local_p2p.qq.com | udp
US | 8.8.8.8:53 | stun.qq.com | udp
US | 8.8.8.8:53 | xuanfengnet.qq.com | udp
US | 8.8.8.8:53 | xf_com_update_doctor.qq.com | udp
US | 8.8.8.8:53 | fs_bt.qq.com | udp
US | 8.8.8.8:53 | fs_conn_back_doctor.qq.com | udp
US | 8.8.8.8:53 | fs_conn_doctor.qq.com | udp
US | 8.8.8.8:53 | fs_conn_other_doctor.qq.com | udp
US | 8.8.8.8:53 | fs_emule.qq.com | udp
US | 8.8.8.8:53 | fs_h2u.qq.com | udp
US | 8.8.8.8:53 | fs_rc.qq.com | udp
US | 8.8.8.8:53 | xf.stat_doctor.qq.com | udp
US | 8.8.8.8:53 | xf_bt.stat.qq.com | udp
US | 8.8.8.8:53 | xf_em.stat.qq.com | udp

Files

\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe

MD5 b8f64b0b53e039cbeba7d60c81710bd8
SHA1 a9be269daa7f404a23fcaf002be7ee13697ef8e0
SHA256 54e0b845eff52823a951ff4b38c6728a381613a0603ce82d4d5c34aa6402f7cc
SHA512 9b5c5818fc0a11c8dc80b3befd3459a031f411fc5ddba43f7c0737f20ce6b265599790b64897aed448ccff766c98c5f8d0837495a8eecca36777be390f49ec05

\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe

MD5 b45f4840234e8aa94d0d75c47cc052ff
SHA1 9fd12d040d7033c0b5b81d4c3ce97145bf504cc4
SHA256 e510b8ef6baba2229fe2c7a88865b8f9cb4609a8d504ca74ca93420fe4eef700
SHA512 08322f3fdf76d52544e8c0ccf88e127f23237fb9d0de3002c6231cea2d5e97342068617d2b4695ccf858ab148436255a965a5daa28e2d3a99f51767a5f306ff8

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\dlcore.dll

MD5 82ce23aad749aee959820533c0676cb2
SHA1 3aa526a4ed51491b01a5419713d1582a426b7efc
SHA256 a2fd92c7fc26bf2851aaefcc5f0bafd75511794ad0c781e1a715df812f7bd2ab
SHA512 c91f5165059677071a1e2949244dd1ce4e2c5ce58fe38298f1707ff4b6de6981d7c45f8fd5a189a91d154b0c4af25dbaae4e7a51f107dee77f2f51f0150d2707

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\tnproxy.dll

MD5 858fc685a5bff591985394f9cdf9e289
SHA1 5970a28aab399d005885b9c6b79eafd606640fab
SHA256 3404212366a3aed4155e5d73d901e769a7005cadde5169a8d9677ab5a0585dcf
SHA512 620491b27ff281ad42f947fb9dbef3256624fe8d298740d6b9942627525a2d44525cbb9065d2ffa2efb0ab3478b8a33148fc9b0b4c531106cc8e421e2c59f0d0

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\extract.dll

MD5 9da51d4506bd094fbfc7d337338fc872
SHA1 1b5799ef6b66ac9471842f17570813e7c42cdb27
SHA256 f2181e41d5950fcb762edf6b9cbb665e94004a7f1102b606c331690e6069a501
SHA512 07dfae7c04ea2815ed78af9e29313050338bfec5a8e08a8846c0f846d6d27b79b7bfe2c3b4dbf3758aa22f88342aadf5513dcbcd6a718b9dd939996d6ce9e044

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\DownloadProxyPS.dll

MD5 4ceb4641a90de4feee34ba5f949d41ba
SHA1 cb060db236d9938f97b5e4e2d1b1c663071a2bd7
SHA256 2a075c11148c3f04163b9ffdaa05d4b46bc55c96b2fe50d0a39cc377139c2b26
SHA512 932960a503817683c3d7c66695732ec6dc59887b0eaa8d53c4e26e1de6fd6c4e9291a4afe25d898c9b02dfe4cd976414f66b715b861e7974e765bff587fa2d27

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\image\close.png

MD5 2f94db129b7474b09958a7f04ba3591b
SHA1 78e5ed7db8a0d9d1f32508f8605b999c334860f4
SHA256 406481e12ef84471031264244e035993abdb832792519d45bdc6b1240eb33bb7
SHA512 d888a0398d4b6509c930dab11a8702859cd4fee4e647eb06ddad8562ec4ce8042453312ec633d449a9fc2160138b2590beb3d61f35ddf45443448cc1e6e8c342

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\xzqdl.ico

MD5 c8c946b477d16d4a4a8afbaa5b34487a
SHA1 4f9ee477b7ebbcf76551ad468caad87d44b4044b
SHA256 62e613ef55fe8144867fd8521065a1ace6aa3b1f85911ba343be3c4311b88cc4
SHA512 82f25c507f21137f936cc51efe968c9a5c89921b9241b750818c27c096e4a24ded5b5d194e4a645b5cdcf29174139d873b628f6cc53c81fbea204c8a758de959

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\image\mainwnd.jpg

MD5 6e3de863ba255d42b15c0b1fe7e74dc7
SHA1 2edb379f17c36c91cbc313d8afa4c3389f975283
SHA256 284578c26f6f083fdcdddf8734273adb92230d9aac8d652b3ca93aa73ba01065
SHA512 c6b5c6fe71579009cb0dc5c5e7d36adb484e202d65586786e4b1092f8a141bd997bf5fd23ce3646433b620036ed7deb8b41d1000bbf92d69fe23071cf6f2bd82

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\image\mainbnd.png

MD5 c5a0b10d206e67a2e23ceba6e0996cb9
SHA1 5594da0d5a20980fb9eee9f3cb123f98f04102ca
SHA256 79c07d49c63921752a6614e593b232b70348b0613decc724ed8eedb691fd4461
SHA512 8f2dbf7e94f2202e9ced29dc5ca33ac77ddd5faf1484320bcab195364a1685fa883cab0f5a325148c6b7913a8338f970906f62f4485ada3da0e45323d3811e24

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\image\min.png

MD5 bd7e98287cc90e5a71c21333f8a67f53
SHA1 77d0118645af536580983de045357afbc5c753e7
SHA256 4f1f2d974d7a10930f0b255fcb33ba313bd9296694d9b35c3a1cbe7f1899fe1c
SHA512 2cefb47e3ee4796416c6e35b2a2ae5f3538951d73f85c47e9bf2f0a0e441cf795aec404bb647e63073a303034b0c947c522213e96bb0708172719fad18e38d26

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\config.ini

MD5 9592bad096e70eeac962f67426e04614
SHA1 a804b1e7f13ed6fd6be1f4524d51fb363f10a405
SHA256 d1519683a381602b04f217934415057f7bf2dc5d18f88a510860fbce138d8e4f
SHA512 f96135bf64898fd43747e0412d0e1d0a3fae790a33df00b03e75e5514accf416244a4102c660b4079306be3ab0ef9628f1edbb7cb5307fa933185f7940d561ae

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\image\unchecked.png

MD5 4449c38913ad0ee04b8f37cddd9351ee
SHA1 fd638a9038d76d00a4ee83e0daf83f25d1a56296
SHA256 f92c38e9e499d1b6e25e98c896e6ba9a957f3ebb5857cf0ec74be7cae9c806da
SHA512 ad4949c79400a4ed4e5e1a1e09e7de212acfea6487948b519d47ba2dc333198a339e2b8184f28d519f8efd11cda3b0f0215ee6ce4e3847534a2306a79fa715ec

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\image\checked.png

MD5 0167d8af18d97247c2a8fe123531460d
SHA1 733e5003888e6416ea43af197e290c143eaac5e8
SHA256 64de4c088b64f617967143113eaf571046e116616d013f2df19925442fa4871a
SHA512 5ebe8a916e51db2556d07313e33381df550c2b668b2f23e2be56c95834573294cdfa5fb42e9e96587eba50a55169e0816a67f2f8e13dd152a4891ce20739ff7d

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\image\loading.png

MD5 366d5ae87ae0c97ee8b995334f86f572
SHA1 1c350c4a3ddbd582013dcb7f86d272eca81f3e9b
SHA256 ee7f579baa2cd58ea7a093f6913e2074b987d862b07603b09bf2c0be0476c91d
SHA512 07f4aef8e673b6ec236daab90a915352dc6c4273e9e99e1af01a3fbc79e1214b83c4d0f3d0699f09fb980ac42a34f8c9b79c8d4ea0152d966650a1607354c0fb

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\image\button.png

MD5 810e18e5e782ea451d6c78bc5586e194
SHA1 aaa61c7655e0cdf407ca26d8a9777078603be676
SHA256 65b38298dc57ad481c76795c7262e426f76564666bf9b461535243eda06af5ca
SHA512 85829e840849a2074d2a6d23fd0a86facaf7a9d39101d9eae3c96025fb817b2730f709c6692d2284e9e229b85d43277e53d4a3d7352fcfb82cac8cc508c416a2

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\image\XF.png

MD5 1aa27fb55cb6f229cd47074268ed89cf
SHA1 11abd79d69b8012a2bfa48af4462a2169d554cf1
SHA256 9525586a06237e90be7969028a255a627c547b9cf916549ee7438a896588b3c3
SHA512 347e29a88e74be4689bc7df6f6f6ece30b398338083117f85398e19cb43c310d7b81c039b79976abd09902005a34b8b2f7a4da004f9460d8b6c0cd74c8405409

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\PreDown.dll

MD5 e6f2f48d472676dadd9a7d50566ebedb
SHA1 414f0aeaf7fc815d550385cea1ee4d7077f8cf71
SHA256 804b1bb1ee609957eacfae505a98744b40e6967fe5b215f628b94fae6abaae02
SHA512 ac99e0056abf53b16090cd9cef1b5ea6d3ef393513daaeb05e79b5c1d3d564b6cd74013459813f6b1bbc6844866af8a8f504f995a511e0a61264aed72f8bc0f6

memory/2776-73-0x0000000005B40000-0x0000000005B50000-memory.dmp

memory/296-75-0x0000000003110000-0x00000000032D0000-memory.dmp

memory/296-80-0x0000000003E50000-0x0000000003EAD000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted: 2024-10-17 02:20
Reported: 2024-10-17 02:23
Platform: win7-20240903-en
Max time kernel: 121s
Max time network: 121s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_2_\DownloadProxyPS.dll

Signatures

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32\ThreadingModel = "Both" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32\ = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\NumMethods\ = "15" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ = "IDownloader_2" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_2_\\DownloadProxyPS.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ = "PSFactoryBuffer" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ = "IDownloader" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ProxyStubClsid32\ = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\NumMethods\ = "6" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2612 wrote to memory of 1360 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2612 wrote to memory of 1360 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2612 wrote to memory of 1360 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2612 wrote to memory of 1360 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2612 wrote to memory of 1360 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2612 wrote to memory of 1360 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2612 wrote to memory of 1360 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Note: every row above is the same parent/child pair. The 64-bit C:\Windows\system32\regsvr32.exe was handed a 32-bit DLL and re-launched its SysWOW64 copy with the same arguments (see Processes below), so these writes are the parent setting up the child it just created, not injection into an unrelated process. The same handoff appears in behavioral4.

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_2_\DownloadProxyPS.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$_2_\DownloadProxyPS.dll

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-17 02:20

Reported

2024-10-17 02:23

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_2_\DownloadProxyPS.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ = "PSFactoryBuffer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ = "IDownloader" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\NumMethods\ = "15" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\Interface C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ProxyStubClsid32\ = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ = "IDownloader_2" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\NumMethods\ = "6" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_2_\\DownloadProxyPS.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32\ = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514} C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2216 wrote to memory of 2640 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2216 wrote to memory of 2640 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2216 wrote to memory of 2640 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_2_\DownloadProxyPS.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$_2_\DownloadProxyPS.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Note: the in-addr.arpa entries are reverse (PTR) lookups and the tse1.mm.bing.net connections go to a Microsoft CDN host. The same lookups recur in behavioral12, which runs a different binary (Tencentdl.exe) on the same win10v2004 image, and no win7 run shows them; treat them as image background rather than traffic generated by DownloadProxyPS.dll. No qq.com lookup appears in this run.

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-10-17 02:20

Reported

2024-10-17 02:23

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_2_\Tencentdl.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$_2_\Tencentdl.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$_2_\Tencentdl.exe

"C:\Users\Admin\AppData\Local\Temp\$_2_\Tencentdl.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-10-17 02:20

Reported

2024-10-17 02:23

Platform

win7-20240903-en

Max time kernel

117s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\predown.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\predown.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\predown.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 284

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-17 02:20

Reported

2024-10-17 02:23

Platform

win7-20240729-en

Max time kernel

101s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe N/A
File opened for modification \??\PhysicalDrive0 C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A

Note: both rows record a handle to \??\PhysicalDrive0 opened with write access; that open is what fires this signature and the bootkit/persistence tags derived from it. The report contains no raw-sector write event, so whether sector 0 was actually changed is not established here. Reading the sector back after detonation and comparing it with the clean snapshot is the check that settles it.
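Whether the handle on \??\PhysicalDrive0 changed sector 0 can be settled by reading the sector back and diffing it against the clean snapshot. The script below is an added example, not code from this report, the sandbox, or the Tencent installer: it parses a 512-byte MBR, hashes the 446-byte boot code, lists the partition entries and reports which region of the sector differs between two captures. read_mbr() opens the raw device (administrator rights on Windows) and is not exercised by the built-in sample; build_sample_mbr() produces a constructed sector, not a real disk image.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445: boot code
PART_TABLE_OFF = 446       # bytes 446..509: four 16-byte partition entries
SIGNATURE = b'\x55\xaa'    # bytes 510..511


def parse_mbr(sector):
    """Split a 512-byte sector into boot code hash, partition entries and signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f'expected {MBR_SIZE} bytes, got {len(sector)}')
    boot_code = sector[:BOOT_CODE_LEN]
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from('<B3xB3xII', sector, off)
        if ptype == 0:
            continue                                  # empty entry
        partitions.append({'index': i, 'bootable': status == 0x80, 'type': ptype,
                           'lba_start': lba_start, 'sectors': sectors})
    return {
        'signature_ok': sector[510:512] == SIGNATURE,
        'boot_code_sha256': hashlib.sha256(boot_code).hexdigest(),
        'boot_code_is_zero': not any(boot_code),
        'partitions': partitions,
    }


def read_mbr(device=r'\\.\PhysicalDrive0'):
    """Read sector 0 of a raw disk. Needs administrator rights on Windows; this is the
    device the report shows MiniQQDL.exe and tencentdl.exe opening for modification."""
    with open(device, 'rb', buffering=0) as f:
        return f.read(MBR_SIZE)


def compare_mbr(baseline, current):
    """Report which region changed. Rewritten boot code is the bootkit case; a changed
    partition table with untouched boot code is a different (and usually benign) finding."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    return {
        'boot_code_changed': b['boot_code_sha256'] != c['boot_code_sha256'],
        'partition_table_changed': baseline[446:510] != current[446:510],
        'signature_changed': baseline[510:] != current[510:],
    }


def build_sample_mbr(boot_code_fill=0x90, lba_start=2048, sectors=204800):
    """Constructed sample sector (assumption, not a real disk image): NOP-filled boot
    code, one bootable NTFS (0x07) partition, valid 0x55AA signature."""
    boot = bytes([boot_code_fill]) * BOOT_CODE_LEN
    entry = struct.pack('<B3sB3sII', 0x80, b'\x00\x00\x00', 0x07, b'\x00\x00\x00',
                        lba_start, sectors)
    table = entry + b'\x00' * 48                      # three empty entries
    return boot + table + SIGNATURE


if __name__ == '__main__':
    import sys
    baseline = build_sample_mbr()
    tampered = bytes([0xEB, 0x3C]) + baseline[2:]    # constructed: patch the first jump
    print(parse_mbr(baseline)['partitions'])
    print(compare_mbr(baseline, tampered))
    if len(sys.argv) > 1:                            # e.g. a sector dumped from the sandbox VM
        with open(sys.argv[1], 'rb') as f:
            print(compare_mbr(baseline, f.read(MBR_SIZE)))
```

Capture sector 0 from the clean VM snapshot before detonation, capture it again after the run, and feed both to compare_mbr(); a boot_code_changed result is what would justify the bootkit tag, while an unchanged hash means the handle open was enumeration or a read.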

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\extract.dll C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe N/A
File created C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\dlcore.dll C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\DownloadProxyPS.dll C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\tnproxy.dll C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\extract.dll C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe N/A
File created C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\Tencentdl.exe C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\Tencentdl.exe C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe N/A
File created C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\dlcore.dll C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe N/A
File created C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\tnproxy.dll C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe N/A
File created C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\DownloadProxyPS.dll C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe N/A
File created C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\Tencentdl.exe C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81} C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ = "IDownloader" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32\ = "C:\\program files (x86)\\common files\\tencent\\qqdownload\\113\\DownloadProxyPS.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader\ = "Downloader Class" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\LocalServer32 C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ = "PSFactoryBuffer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\VersionIndependentProgID C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32 C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}\ = "DownloadProxy" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\LocalServer32\ = "\"C:\\program files (x86)\\common files\\tencent\\qqdownload\\113\\tencentdl.exe\"" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\0 C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib\Version = "1.0" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib\ = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader.1\ = "Downloader Class" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24} C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\DownloadProxy.EXE\AppID = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\Programmable C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\TypeLib\ = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\NumMethods\ = "6" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader.1\CLSID\ = "{5318D0E8-A003-446A-B66C-5E5E652ACB24}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid\SequenceID = d93bff35b3206b4dadba76af1d45f394 C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\LocalServer32 C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib\Version = "1.0" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\DownloadProxy.EXE\AppID = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24} C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}\ = "DownloadProxy" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ = "PSFactoryBuffer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ = "IDownloader" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\NumMethods\ = "15" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\ProgID C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader\CLSID\ = "{5318D0E8-A003-446A-B66C-5E5E652ACB24}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\ProgID C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\AppID = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\ = "Downloader Class" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader.1 C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\ProgID\ = "DownloadProxy.Downloader.1" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\LocalServer32\ = "\"C:\\program files (x86)\\common files\\tencent\\qqdownload\\113\\tencentdl.exe\"" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader\CurVer C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ = "_IDownloaderEvents" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\VersionIndependentProgID\ = "DownloadProxy.Downloader" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader\CLSID C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ProxyStubClsid32\ = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\Programmable C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib\ = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\FLAGS\ = "0" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\ = "DownloadProxy 1.0 Type Library" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\DownloadProxy.EXE C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\AppID = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
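The "Modifies registry class" tables in behavioral3, behavioral4 and this run are easier to judge as a CLSID-to-server map: which binary each CLSID resolves to, which process registered it, and whether that binary lives somewhere the user can overwrite (the Temp copy of DownloadProxyPS.dll in behavioral3/4 versus the Program Files copy here). The script below is an added example, not part of this report or of the Tencent installer. It parses rows in the report's flattened layout; the sample rows are copied from the tables above and are constructed input, and the user-writable heuristic is the script's own assumption.

```python
import re

# Constructed sample input: representative rows copied from the "Modifies registry class"
# tables above (behavioral3/4 and behavioral7). Paste whole tables in practice.
# Row layout: <op> <key>[ = <value>] <process> <target>
SAMPLE_ROWS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA} C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_2_\\DownloadProxyPS.dll" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ProxyStubClsid32\ = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\LocalServer32\ = "\"C:\\program files (x86)\\common files\\tencent\\qqdownload\\113\\tencentdl.exe\"" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A',
    r'Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid\SequenceID = d93bff35b3206b4dadba76af1d45f394 C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A',
]

# Values are either C-style quoted strings (backslashes and quotes escaped) or a bare token.
SET_VALUE = re.compile(
    r'^Set value \((?:str|data)\) (?P<key>\S+) = '
    r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<raw>\S+)) '
    r'(?P<proc>.+?) N/A$'
)
# Default value of CLSID\{...}\InProcServer32 or LocalServer32 names the server binary.
SERVER_KEY = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]+\})\\(InProcServer32|LocalServer32)\\$')
# Default value of Interface\{...}\ProxyStubClsid32 names the CLSID that marshals the interface.
PROXYSTUB_KEY = re.compile(r'\\Interface\\(\{[0-9A-Fa-f-]+\})\\ProxyStubClsid32\\$')


def unescape(value):
    """Undo the report's escaping (\\\\ -> \\ and \\" -> ") and drop wrapping quotes."""
    return re.sub(r'\\(.)', r'\1', value).strip('"')


def user_writable(path):
    """Heuristic (assumption): a COM server under a user profile can be replaced by that
    user and is then loaded by every client that instantiates the CLSID."""
    p = path.lower()
    return p.startswith('c:\\users\\') or '\\appdata\\' in p


def triage_com_registrations(rows):
    """Return (servers, proxystubs): servers maps CLSID -> server kind/path/registrar/flag,
    proxystubs maps interface IID -> proxy/stub CLSID."""
    servers, proxystubs = {}, {}
    for row in rows:
        m = SET_VALUE.match(row.strip())
        if not m:
            continue                       # 'Key created' / 'Key deleted' rows carry no value
        key = m.group('key')
        value = unescape(m.group('quoted')) if m.group('quoted') is not None else m.group('raw')
        s = SERVER_KEY.search(key)
        if s:
            clsid, kind = s.group(1).upper(), s.group(2)
            servers[clsid] = {'kind': kind, 'server': value,
                              'registered_by': m.group('proc'),
                              'suspicious': user_writable(value)}
            continue
        ps = PROXYSTUB_KEY.search(key)
        if ps:
            proxystubs[ps.group(1).upper()] = value.upper()
    return servers, proxystubs


if __name__ == '__main__':
    servers, proxystubs = triage_com_registrations(SAMPLE_ROWS)
    for clsid, info in servers.items():
        flag = 'SUSPICIOUS' if info['suspicious'] else 'ok'
        print(f"{clsid} {info['kind']:<15} {flag:<10} {info['server']}  <- {info['registered_by']}")
    for iid, clsid in proxystubs.items():
        print(f"interface {iid} marshalled by proxy/stub CLSID {clsid}")
```

Run against the full behavioral3 table this flags {7044CE4B-...} because its InProcServer32 points into %TEMP%; against this run's table the same CLSID points into Program Files (x86) and is not flagged, which is the difference between the staged and the installed copy of DownloadProxyPS.dll.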

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2268 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe
PID 2268 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe
PID 2268 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe
PID 2268 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe
PID 2028 wrote to memory of 2868 N/A C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe
PID 2028 wrote to memory of 2868 N/A C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe
PID 2028 wrote to memory of 2868 N/A C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe
PID 2028 wrote to memory of 2868 N/A C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe
PID 2268 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe
PID 2268 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe
PID 2268 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe
PID 2268 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe
PID 2868 wrote to memory of 2920 N/A C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2868 wrote to memory of 2920 N/A C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2868 wrote to memory of 2920 N/A C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2868 wrote to memory of 2920 N/A C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2868 wrote to memory of 2920 N/A C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2868 wrote to memory of 2920 N/A C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2868 wrote to memory of 2920 N/A C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2800 wrote to memory of 2708 N/A C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe
PID 2800 wrote to memory of 2708 N/A C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe
PID 2800 wrote to memory of 2708 N/A C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe
PID 2800 wrote to memory of 2708 N/A C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe
PID 2708 wrote to memory of 2612 N/A C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2708 wrote to memory of 2612 N/A C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2708 wrote to memory of 2612 N/A C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2708 wrote to memory of 2612 N/A C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2708 wrote to memory of 2612 N/A C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2708 wrote to memory of 2612 N/A C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2708 wrote to memory of 2612 N/A C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe C:\Windows\SysWOW64\regsvr32.exe
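Read as parent/child edges, the WriteProcessMemory rows above give the install chain: MiniQQDL.exe starts two staged tencentdl.exe -install copies, each of which launches the Program Files copy with -RegServer, which in turn runs regsvr32 on DownloadProxyPS.dll. The script below is an added example (not code from this report or from Tencent) that parses rows in this layout, counts writes per edge and renders the tree. It assumes, as the Processes list in this run suggests, that each row records a parent writing into a child it has just created; a high write count into a process that is not in the Processes list would not fit that reading and would deserve a closer look. The sample rows are copied from the table above, with two pairs repeated on purpose to show the counting.

```python
import re
from collections import defaultdict

# Constructed sample input: "Suspicious use of WriteProcessMemory" rows from behavioral7
# above. Two pairs are repeated on purpose; paste the whole table in practice.
SAMPLE_EVENTS = [
    r'PID 2268 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe',
    r'PID 2268 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe',
    r'PID 2028 wrote to memory of 2868 N/A C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe',
    r'PID 2268 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe',
    r'PID 2868 wrote to memory of 2920 N/A C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe C:\Windows\SysWOW64\regsvr32.exe',
    r'PID 2868 wrote to memory of 2920 N/A C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe C:\Windows\SysWOW64\regsvr32.exe',
    r'PID 2800 wrote to memory of 2708 N/A C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe',
    r'PID 2708 wrote to memory of 2612 N/A C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe C:\Windows\SysWOW64\regsvr32.exe',
]

# The two image paths are separated only by a space and "program files (x86)" itself
# contains spaces, so the split is made on the drive-letter prefix of the second path.
EVENT = re.compile(
    r'^PID (?P<src_pid>\d+) wrote to memory of (?P<dst_pid>\d+) N/A '
    r'(?P<src>[A-Za-z]:\\.+?) (?P<dst>[A-Za-z]:\\.+)$'
)


def parse_events(rows):
    """Return (edges, images): edges maps (src_pid, dst_pid) -> number of writes,
    images maps pid -> image path."""
    edges, images = defaultdict(int), {}
    for row in rows:
        m = EVENT.match(row.strip())
        if not m:
            continue
        s, d = int(m.group('src_pid')), int(m.group('dst_pid'))
        edges[(s, d)] += 1
        images[s] = m.group('src')
        images[d] = m.group('dst')
    return dict(edges), images


def build_tree(edges):
    """Children per parent (pid order) and the roots: pids that are never written to."""
    children, targets = defaultdict(list), set()
    for (s, d) in sorted(edges):
        children[s].append(d)
        targets.add(d)
    roots = sorted(p for p in children if p not in targets)
    return children, roots


def render(edges, images):
    """Indented text tree, one line per process, with the write count on each edge."""
    children, roots = build_tree(edges)
    lines = []

    def walk(pid, depth, count):
        name = images[pid].rsplit('\\', 1)[-1]
        suffix = f"  ({count} write{'s' if count != 1 else ''} from parent)" if count else ''
        lines.append(f"{'  ' * depth}{pid} {name}{suffix}")
        for child in children.get(pid, []):
            walk(child, depth + 1, edges[(pid, child)])

    for root in roots:
        walk(root, 0, 0)
    return lines


if __name__ == '__main__':
    edges, images = parse_events(SAMPLE_EVENTS)
    print('\n'.join(render(edges, images)))
```

On the full table the root is 2268 (MiniQQDL.exe) with two identical branches underneath, which matches the duplicated -install / -RegServer / regsvr32 entries in the Processes list below.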

Processes

C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe

"C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe"

C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe

"C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe" -install

C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe

"C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe" -RegServer

C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe

"C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe" -install

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\program files (x86)\common files\tencent\qqdownload\113\DownloadProxyPS.dll"

C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe

"C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe" -Embedding

C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe

"C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe" -RegServer

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\program files (x86)\common files\tencent\qqdownload\113\DownloadProxyPS.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 cfg.xf.qq.com udp
US 8.8.8.8:53 fs_report_doctor.qq.com udp
US 8.8.8.8:53 pdlxf_doctor.qq.com udp
US 8.8.8.8:53 fs_tcp_conn_doctor.qq.com udp
US 8.8.8.8:53 fs_tcp_conn_doctor.qq.com udp
US 8.8.8.8:53 local_p2p.qq.com udp
US 8.8.8.8:53 local_p2p.qq.com udp
US 8.8.8.8:53 stun.qq.com udp
US 8.8.8.8:53 stun.qq.com udp
US 8.8.8.8:53 xuanfengnet.qq.com udp
US 8.8.8.8:53 xuanfengnet.qq.com udp
US 8.8.8.8:53 xf_com_update_doctor.qq.com udp
US 8.8.8.8:53 fs_bt.qq.com udp
US 8.8.8.8:53 fs_bt.qq.com udp
US 8.8.8.8:53 fs_conn_back_doctor.qq.com udp
US 8.8.8.8:53 fs_conn_back_doctor.qq.com udp
US 8.8.8.8:53 fs_conn_doctor.qq.com udp
US 8.8.8.8:53 fs_conn_other_doctor.qq.com udp
US 8.8.8.8:53 fs_conn_other_doctor.qq.com udp
US 8.8.8.8:53 fs_emule.qq.com udp
US 8.8.8.8:53 fs_emule.qq.com udp
US 8.8.8.8:53 fs_h2u.qq.com udp
US 8.8.8.8:53 fs_rc.qq.com udp
US 8.8.8.8:53 xf.stat_doctor.qq.com udp
US 8.8.8.8:53 xf_bt.stat.qq.com udp
US 8.8.8.8:53 xf_em.stat.qq.com udp
US 8.8.8.8:53 xfstat.qq.com udp

Files

C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\Tencentdl.exe

MD5 b8f64b0b53e039cbeba7d60c81710bd8
SHA1 a9be269daa7f404a23fcaf002be7ee13697ef8e0
SHA256 54e0b845eff52823a951ff4b38c6728a381613a0603ce82d4d5c34aa6402f7cc
SHA512 9b5c5818fc0a11c8dc80b3befd3459a031f411fc5ddba43f7c0737f20ce6b265599790b64897aed448ccff766c98c5f8d0837495a8eecca36777be390f49ec05

memory/2268-14-0x0000000006680000-0x0000000006840000-memory.dmp

C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\dlcore.dll

MD5 82ce23aad749aee959820533c0676cb2
SHA1 3aa526a4ed51491b01a5419713d1582a426b7efc
SHA256 a2fd92c7fc26bf2851aaefcc5f0bafd75511794ad0c781e1a715df812f7bd2ab
SHA512 c91f5165059677071a1e2949244dd1ce4e2c5ce58fe38298f1707ff4b6de6981d7c45f8fd5a189a91d154b0c4af25dbaae4e7a51f107dee77f2f51f0150d2707

C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\tnproxy.dll

MD5 858fc685a5bff591985394f9cdf9e289
SHA1 5970a28aab399d005885b9c6b79eafd606640fab
SHA256 3404212366a3aed4155e5d73d901e769a7005cadde5169a8d9677ab5a0585dcf
SHA512 620491b27ff281ad42f947fb9dbef3256624fe8d298740d6b9942627525a2d44525cbb9065d2ffa2efb0ab3478b8a33148fc9b0b4c531106cc8e421e2c59f0d0

C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\DownloadProxyPS.dll

MD5 4ceb4641a90de4feee34ba5f949d41ba
SHA1 cb060db236d9938f97b5e4e2d1b1c663071a2bd7
SHA256 2a075c11148c3f04163b9ffdaa05d4b46bc55c96b2fe50d0a39cc377139c2b26
SHA512 932960a503817683c3d7c66695732ec6dc59887b0eaa8d53c4e26e1de6fd6c4e9291a4afe25d898c9b02dfe4cd976414f66b715b861e7974e765bff587fa2d27

C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\extract.dll

MD5 9da51d4506bd094fbfc7d337338fc872
SHA1 1b5799ef6b66ac9471842f17570813e7c42cdb27
SHA256 f2181e41d5950fcb762edf6b9cbb665e94004a7f1102b606c331690e6069a501
SHA512 07dfae7c04ea2815ed78af9e29313050338bfec5a8e08a8846c0f846d6d27b79b7bfe2c3b4dbf3758aa22f88342aadf5513dcbcd6a718b9dd939996d6ce9e044

memory/2268-38-0x0000000006060000-0x0000000006070000-memory.dmp

memory/2296-36-0x00000000003B0000-0x00000000003C0000-memory.dmp

memory/2296-41-0x0000000003B60000-0x0000000003BBD000-memory.dmp

memory/2268-43-0x0000000002800000-0x000000000285D000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-10-17 02:20

Reported

2024-10-17 02:23

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

138s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_2_\TNProxy.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4940 wrote to memory of 3544 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4940 wrote to memory of 3544 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4940 wrote to memory of 3544 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_2_\TNProxy.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$_2_\TNProxy.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-17 02:20

Reported

2024-10-17 02:23

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe N/A
File opened for modification \??\PhysicalDrive0 C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
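
The rows above record a handle opened with write access to \??\PhysicalDrive0, the raw first disk. That is the access a bootkit needs to overwrite sector 0, but the same handle is also requested by code that only queries the drive (several disk-query IOCTLs require a handle with write access), and the report lists no sector write. The way to settle it is to compare sector 0 before and after detonation. The script below is an added example, not code from the report or from the software it analyses: it parses any 512-byte sector 0, hashes the 440-byte boot-code area, and reports what differs between two snapshots. The sample sectors it builds are constructed for the demonstration; read_sector0() needs an elevated prompt on Windows.

```python
"""Boot-sector (MBR) snapshot and comparison.

Added example for triaging a "Writes to the Master Boot Record" hit; it is
not code from the sandbox report or from the analysed software. Nothing in
it is sample-specific: it parses a 512-byte sector 0, hashes the boot-code
area and diffs two snapshots. read_sector0() needs Administrator on Windows.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440       # bytes 0-439: boot code, the part a bootkit overwrites
DISK_SIG_OFFSET = 440     # 4-byte NT disk signature
PART_TABLE_OFFSET = 446   # four 16-byte partition entries
PART_ENTRY_LEN = 16
MBR_MAGIC = b"\x55\xaa"   # bytes 510-511


def parse_mbr(sector: bytes) -> dict:
    """Split sector 0 into boot-code hash, disk signature and partition entries."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need a full 512-byte sector")
    if sector[510:512] != MBR_MAGIC:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for slot in range(4):
        off = PART_TABLE_OFFSET + slot * PART_ENTRY_LEN
        status, ptype = sector[off], sector[off + 4]
        lba_start, sector_count = struct.unpack_from("<II", sector, off + 8)
        if ptype == 0:                      # empty slot
            continue
        partitions.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type": ptype,                  # 0x07 NTFS/exFAT, 0xEE GPT protective, ...
            "lba_start": lba_start,
            "sectors": sector_count,
        })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "partitions": partitions,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Human-readable differences between two sector-0 snapshots (empty list = unchanged)."""
    before, after = parse_mbr(baseline), parse_mbr(current)
    changes = []
    if before["boot_code_sha256"] != after["boot_code_sha256"]:
        changes.append("boot code (bytes 0-439) changed")
    if before["disk_signature"] != after["disk_signature"]:
        changes.append("disk signature changed")
    if before["partitions"] != after["partitions"]:
        changes.append("partition table changed")
    return changes


def read_sector0(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a raw disk (Windows path shown; use /dev/sda on Linux)."""
    with open(device, "rb", buffering=0) as disk:
        return disk.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector (not from the report): one bootable NTFS partition at LBA 2048."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, 0x12345678)
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1_000_000)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + PART_ENTRY_LEN] = entry
    sector[510:512] = MBR_MAGIC
    return bytes(sector)


if __name__ == "__main__":
    # Typical use: take a baseline snapshot before detonation, compare afterwards.
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")   # stand-in for a known-good snapshot
    tampered = build_sample_mbr(b"\xeb\xfe")             # stand-in for an overwritten boot sector
    print(parse_mbr(clean)["partitions"])
    print(compare_mbr(clean, tampered))                  # ['boot code (bytes 0-439) changed']
```

On a live host the call sequence is read_sector0() before and after, with the baseline stored off-box; the hash of bytes 0-439 is the value worth keeping, since the disk signature and partition table legitimately differ between machines.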

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\Tencentdl.exe C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\Tencentdl.exe C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe N/A
File created C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\dlcore.dll C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe N/A
File created C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\tnproxy.dll C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe N/A
File created C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\extract.dll C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe N/A
File created C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\DownloadProxyPS.dll C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\ProgID C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\FLAGS\ = "0" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\TypeLib\ = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32\ = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ProxyStubClsid32\ = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1} C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\VersionIndependentProgID\ = "DownloadProxy.Downloader" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\0\win32\ = "C:\\program files (x86)\\common files\\tencent\\qqdownload\\113\\tencentdl.exe" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib\ = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib\ = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\DownloadProxy.EXE C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ = "IDownloader" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib\ = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\NumMethods\ = "15" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}\ = "DownloadProxy" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib\Version = "1.0" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32 C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32\ = "C:\\program files (x86)\\common files\\tencent\\qqdownload\\113\\DownloadProxyPS.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ = "IDownloader" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader.1\ = "Downloader Class" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader.1\CLSID\ = "{5318D0E8-A003-446A-B66C-5E5E652ACB24}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\LocalServer32\ = "\"C:\\program files (x86)\\common files\\tencent\\qqdownload\\113\\tencentdl.exe\"" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\AppID = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\0 C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E} C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ProxyStubClsid32 C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA} C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32 C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ = "IDownloader" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader\CLSID C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib\ = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ = "PSFactoryBuffer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader.1 C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader\CurVer\ = "DownloadProxy.Downloader.1" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\ = "Downloader Class" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\LocalServer32 C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\0\win32 C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib\Version = "1.0" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader\CurVer C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ = "_IDownloaderEvents" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid\SequenceID = 2fc17a4f7a0e8b4bb062362b2203dbfb C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\DownloadProxy.EXE\AppID = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81} C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib\Version = "1.0" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader\CLSID\ = "{5318D0E8-A003-446A-B66C-5E5E652ACB24}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\Programmable C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0 C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\FLAGS C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
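
These rows are the standard footprint of COM self-registration. tencentdl.exe -RegServer writes a CLSID whose LocalServer32 is tencentdl.exe itself, the ProgIDs DownloadProxy.Downloader and DownloadProxy.Downloader.1 pointing at that CLSID, an AppID and a type library; regsvr32 /s DownloadProxyPS.dll registers the proxy/stub class (PSFactoryBuffer) for the IDownloader interface. The practical consequence is that any client instantiating DownloadProxy.Downloader makes the COM runtime launch tencentdl.exe with -Embedding, which is why those instances appear in the process list, and that cleanup has to remove the CLSID, ProgID and AppID keys along with the files. The script below is an added example, not code from the report or the analysed software; it turns "Set value" rows (a verbatim subset of the table above is embedded) into CLSID, ProgID and proxy/stub maps. The report's row order is not guaranteed to be chronological, so where a value is written twice (IDownloader's ProxyStubClsid32 is set first to the type-library marshaler {00020424-...} and then to the PS DLL's own class) the script keeps the last row as listed.

```python
"""Reconstruct a COM registration from "Modifies registry class" rows.

Added example, not code from the report or from the analysed software.
SAMPLE_ROWS is a verbatim subset of the report's table; when the same
value is written twice, the last row in the text wins.
"""
import re

CLASSES = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\"
ROW = re.compile(
    r'^Set value \((?P<kind>\w+)\) (?P<key>\S+) = '
    r'(?P<value>"(?:[^"\\]|\\.)*"|\S+) (?P<process>.+?) N/A$'
)

SAMPLE_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\LocalServer32\ = "\"C:\\program files (x86)\\common files\\tencent\\qqdownload\\113\\tencentdl.exe\"" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\AppID = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\ = "Downloader Class" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader.1\CLSID\ = "{5318D0E8-A003-446A-B66C-5E5E652ACB24}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32\ = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32\ = "C:\\program files (x86)\\common files\\tencent\\qqdownload\\113\\DownloadProxyPS.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ = "PSFactoryBuffer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid\SequenceID = 2fc17a4f7a0e8b4bb062362b2203dbfb C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe N/A
'''


def parse_row(line: str):
    """Split one 'Set value' row into key components, decoded value and writing process."""
    m = ROW.match(line.strip())
    if not m or not m["key"].startswith(CLASSES):
        return None
    value = m["value"]
    if value.startswith('"'):                      # undo the report's C-style escaping
        value = re.sub(r"\\(.)", r"\1", value[1:-1])
    rel = m["key"][len(CLASSES):]
    if rel.startswith("WOW6432Node\\"):            # 32-bit view of HKCR, same logical names
        rel = rel[len("WOW6432Node\\"):]
    return {"path": rel.rstrip("\\").split("\\"), "value": value, "process": m["process"]}


def summarize(rows: str) -> dict:
    """Group the rows into CLSID -> server keys, ProgID -> CLSID and IID -> proxy/stub CLSID."""
    servers, progids, proxystubs, other = {}, {}, {}, []
    for line in rows.splitlines():
        r = parse_row(line)
        if r is None:
            continue
        p, v = r["path"], r["value"]
        if p[0] == "CLSID" and len(p) >= 2:
            servers.setdefault(p[1], {})["\\".join(p[2:]) or "name"] = v
        elif p[0] == "Interface" and len(p) == 3 and p[2] == "ProxyStubClsid32":
            proxystubs[p[1]] = v
        elif len(p) == 2 and p[1] == "CLSID" and not p[0].startswith("{"):
            progids[p[0]] = v                      # ProgID -> CLSID
        else:
            other.append(("\\".join(p), v, r["process"]))
    return {"servers": servers, "progids": progids, "proxystubs": proxystubs, "other": other}


def activation_targets(summary: dict) -> list:
    """(CLSID, kind, path) for every class that resolves to a binary on disk."""
    out = []
    for clsid, keys in summary["servers"].items():
        for kind in ("LocalServer32", "InProcServer32"):
            if kind in keys:
                out.append((clsid, kind, keys[kind]))
    return out


def resolve_progid(summary: dict, progid: str):
    """Follow ProgID -> CLSID -> server path; None when the chain is incomplete."""
    keys = summary["servers"].get(summary["progids"].get(progid), {})
    return keys.get("LocalServer32") or keys.get("InProcServer32")


if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    for clsid, kind, path in activation_targets(s):
        print(f"{clsid} {kind} -> {path}")
    print("DownloadProxy.Downloader.1 ->", resolve_progid(s, "DownloadProxy.Downloader.1"))
    print("unclassified:", s["other"])
```

The "other" bucket is worth reading too: the metnsd\clsid\SequenceID value written by MiniQQDL.exe is not part of COM registration at all, and a parser that only looks for CLSID and Interface keys would silently drop it.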

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4352 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe
PID 4352 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe
PID 4352 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe
PID 4352 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe
PID 4352 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe
PID 4352 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe
PID 1824 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe
PID 1824 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe
PID 1824 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe
PID 736 wrote to memory of 3648 N/A C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe C:\Windows\SysWOW64\regsvr32.exe
PID 736 wrote to memory of 3648 N/A C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe C:\Windows\SysWOW64\regsvr32.exe
PID 736 wrote to memory of 3648 N/A C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe C:\Windows\SysWOW64\regsvr32.exe
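
The "Suspicious use of WriteProcessMemory" tables (this one and the one in behavioral10 above) list one row per cross-process write; in these reports the writer is almost always the parent populating a child it has just created, so the rows double as a process tree, with repeated rows being repeated writes to the same child. Two details are worth knowing when reading them. The target image is C:\Windows\SysWOW64\regsvr32.exe although the command line names System32: tencentdl.exe is a 32-bit process (its registry writes land under WOW6432Node), so file-system redirection hands it the 32-bit regsvr32. And the tencentdl.exe -Embedding instances in the process list have no parent edge here because they are launched by the COM runtime rather than by the sample. The script below is an added example, not code from the report or from the analysed software; it parses the rows above (copied verbatim) into an indented tree and flags targets on an assumed watch-list of built-in binaries.

```python
"""Parent/child graph from "Suspicious use of WriteProcessMemory" rows.

Added example, not part of the report. SAMPLE_ROWS is copied verbatim from
the behavioral2 table; LOLBINS is an assumed watch-list, extend it to taste.
"""
import ntpath
import re
from collections import Counter, defaultdict

ROW = re.compile(
    r"^PID (\d+) wrote to memory of (\d+)\s+(\S+)\s+"   # writer PID, target PID, indicator
    r"([A-Za-z]:\\.*?)\s+([A-Za-z]:\\.*)$"              # two Windows paths: writer, target
)

# Built-in binaries that commonly end up loading attacker-controlled code (assumed list).
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "msiexec.exe", "certutil.exe", "powershell.exe"}

SAMPLE_ROWS = r'''
PID 4352 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe
PID 4352 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe
PID 4352 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe
PID 4352 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe
PID 4352 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe
PID 4352 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe
PID 1824 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe
PID 1824 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe
PID 1824 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe
PID 736 wrote to memory of 3648 N/A C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe C:\Windows\SysWOW64\regsvr32.exe
PID 736 wrote to memory of 3648 N/A C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe C:\Windows\SysWOW64\regsvr32.exe
PID 736 wrote to memory of 3648 N/A C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe C:\Windows\SysWOW64\regsvr32.exe
'''


def parse_rows(text: str) -> list:
    """(writer_pid, target_pid, writer_path, target_path) per row; unparsable rows are skipped."""
    edges = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            edges.append((int(m[1]), int(m[2]), m[4], m[5]))
    return edges


def build_tree(edges: list) -> dict:
    """Collapse repeated rows into per-edge write counts and find the root PIDs."""
    names, children, counts = {}, defaultdict(set), Counter()
    for src, dst, src_path, dst_path in edges:
        names[src], names[dst] = src_path, dst_path
        children[src].add(dst)
        counts[(src, dst)] += 1
    has_parent = {kid for kids in children.values() for kid in kids}
    roots = sorted(pid for pid in names if pid not in has_parent)
    return {"names": names, "children": children, "counts": counts, "roots": roots}


def render(tree: dict) -> str:
    """Indented text tree; each child is annotated with the number of writes from its parent."""
    lines = []

    def walk(pid, depth, note):
        lines.append(f"{'  ' * depth}{pid}  {tree['names'][pid]}{note}")
        for kid in sorted(tree["children"].get(pid, ())):
            walk(kid, depth + 1, f"  [{tree['counts'][(pid, kid)]} write(s)]")

    for root in tree["roots"]:
        walk(root, 0, "")
    return "\n".join(lines)


def lolbin_edges(edges: list) -> list:
    """Unique (writer_pid, target_pid, target_path) edges whose target is on the watch-list."""
    seen, hits = set(), []
    for src, dst, _, dst_path in edges:
        if (src, dst) in seen:
            continue
        seen.add((src, dst))
        if ntpath.basename(dst_path).lower() in LOLBINS:
            hits.append((src, dst, dst_path))
    return hits


if __name__ == "__main__":
    edges = parse_rows(SAMPLE_ROWS)
    tree = build_tree(edges)
    print(render(tree))
    for src, dst, path in lolbin_edges(edges):
        print(f"watch-list target: {src} -> {dst} {path}")
```

Run against the whole report rather than one table, the same parser gives one tree per detonation; PIDs are only unique within a detonation, so keep the trees separate.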

Processes

C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5052cf2d1f8b28b72768fae254e34a64_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe

"C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe" /Install

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe

"C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe"

C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe

"C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe" -RegServer

C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe

"C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe" -Embedding

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\program files (x86)\common files\tencent\qqdownload\113\DownloadProxyPS.dll"

C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe

"C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe" -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 cfg.xf.qq.com udp
US 8.8.8.8:53 fs_report_doctor.qq.com udp
US 8.8.8.8:53 pdlxf_doctor.qq.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 fs_tcp_conn_doctor.qq.com udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 local_p2p.qq.com udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 stun.qq.com udp
US 8.8.8.8:53 xuanfengnet.qq.com udp
US 8.8.8.8:53 xf_com_update_doctor.qq.com udp
US 8.8.8.8:53 fs_bt.qq.com udp
US 8.8.8.8:53 fs_conn_back_doctor.qq.com udp
US 8.8.8.8:53 fs_report_doctor.qq.com udp
US 8.8.8.8:53 fs_conn_doctor.qq.com udp
US 8.8.8.8:53 fs_conn_other_doctor.qq.com udp
US 8.8.8.8:53 fs_emule.qq.com udp
US 8.8.8.8:53 fs_h2u.qq.com udp
US 8.8.8.8:53 fs_rc.qq.com udp
US 8.8.8.8:53 xf.stat_doctor.qq.com udp
US 8.8.8.8:53 xf_bt.stat.qq.com udp
US 8.8.8.8:53 xf_em.stat.qq.com udp
US 8.8.8.8:53 xfstat.qq.com udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\Tencentdl.exe

MD5 b8f64b0b53e039cbeba7d60c81710bd8
SHA1 a9be269daa7f404a23fcaf002be7ee13697ef8e0
SHA256 54e0b845eff52823a951ff4b38c6728a381613a0603ce82d4d5c34aa6402f7cc
SHA512 9b5c5818fc0a11c8dc80b3befd3459a031f411fc5ddba43f7c0737f20ce6b265599790b64897aed448ccff766c98c5f8d0837495a8eecca36777be390f49ec05

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\tnproxy.dll

MD5 858fc685a5bff591985394f9cdf9e289
SHA1 5970a28aab399d005885b9c6b79eafd606640fab
SHA256 3404212366a3aed4155e5d73d901e769a7005cadde5169a8d9677ab5a0585dcf
SHA512 620491b27ff281ad42f947fb9dbef3256624fe8d298740d6b9942627525a2d44525cbb9065d2ffa2efb0ab3478b8a33148fc9b0b4c531106cc8e421e2c59f0d0

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\DownloadProxyPS.dll

MD5 4ceb4641a90de4feee34ba5f949d41ba
SHA1 cb060db236d9938f97b5e4e2d1b1c663071a2bd7
SHA256 2a075c11148c3f04163b9ffdaa05d4b46bc55c96b2fe50d0a39cc377139c2b26
SHA512 932960a503817683c3d7c66695732ec6dc59887b0eaa8d53c4e26e1de6fd6c4e9291a4afe25d898c9b02dfe4cd976414f66b715b861e7974e765bff587fa2d27

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\extract.dll

MD5 9da51d4506bd094fbfc7d337338fc872
SHA1 1b5799ef6b66ac9471842f17570813e7c42cdb27
SHA256 f2181e41d5950fcb762edf6b9cbb665e94004a7f1102b606c331690e6069a501
SHA512 07dfae7c04ea2815ed78af9e29313050338bfec5a8e08a8846c0f846d6d27b79b7bfe2c3b4dbf3758aa22f88342aadf5513dcbcd6a718b9dd939996d6ce9e044

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\dlcore.dll

MD5 82ce23aad749aee959820533c0676cb2
SHA1 3aa526a4ed51491b01a5419713d1582a426b7efc
SHA256 a2fd92c7fc26bf2851aaefcc5f0bafd75511794ad0c781e1a715df812f7bd2ab
SHA512 c91f5165059677071a1e2949244dd1ce4e2c5ce58fe38298f1707ff4b6de6981d7c45f8fd5a189a91d154b0c4af25dbaae4e7a51f107dee77f2f51f0150d2707

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\MiniQQDL.exe

MD5 b45f4840234e8aa94d0d75c47cc052ff
SHA1 9fd12d040d7033c0b5b81d4c3ce97145bf504cc4
SHA256 e510b8ef6baba2229fe2c7a88865b8f9cb4609a8d504ca74ca93420fe4eef700
SHA512 08322f3fdf76d52544e8c0ccf88e127f23237fb9d0de3002c6231cea2d5e97342068617d2b4695ccf858ab148436255a965a5daa28e2d3a99f51767a5f306ff8

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\xzqdl.ico

MD5 c8c946b477d16d4a4a8afbaa5b34487a
SHA1 4f9ee477b7ebbcf76551ad468caad87d44b4044b
SHA256 62e613ef55fe8144867fd8521065a1ace6aa3b1f85911ba343be3c4311b88cc4
SHA512 82f25c507f21137f936cc51efe968c9a5c89921b9241b750818c27c096e4a24ded5b5d194e4a645b5cdcf29174139d873b628f6cc53c81fbea204c8a758de959

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\image\close.png

MD5 2f94db129b7474b09958a7f04ba3591b
SHA1 78e5ed7db8a0d9d1f32508f8605b999c334860f4
SHA256 406481e12ef84471031264244e035993abdb832792519d45bdc6b1240eb33bb7
SHA512 d888a0398d4b6509c930dab11a8702859cd4fee4e647eb06ddad8562ec4ce8042453312ec633d449a9fc2160138b2590beb3d61f35ddf45443448cc1e6e8c342

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\config.ini

MD5 9592bad096e70eeac962f67426e04614
SHA1 a804b1e7f13ed6fd6be1f4524d51fb363f10a405
SHA256 d1519683a381602b04f217934415057f7bf2dc5d18f88a510860fbce138d8e4f
SHA512 f96135bf64898fd43747e0412d0e1d0a3fae790a33df00b03e75e5514accf416244a4102c660b4079306be3ab0ef9628f1edbb7cb5307fa933185f7940d561ae

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\image\checked.png

MD5 0167d8af18d97247c2a8fe123531460d
SHA1 733e5003888e6416ea43af197e290c143eaac5e8
SHA256 64de4c088b64f617967143113eaf571046e116616d013f2df19925442fa4871a
SHA512 5ebe8a916e51db2556d07313e33381df550c2b668b2f23e2be56c95834573294cdfa5fb42e9e96587eba50a55169e0816a67f2f8e13dd152a4891ce20739ff7d

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\image\loading.png

MD5 366d5ae87ae0c97ee8b995334f86f572
SHA1 1c350c4a3ddbd582013dcb7f86d272eca81f3e9b
SHA256 ee7f579baa2cd58ea7a093f6913e2074b987d862b07603b09bf2c0be0476c91d
SHA512 07f4aef8e673b6ec236daab90a915352dc6c4273e9e99e1af01a3fbc79e1214b83c4d0f3d0699f09fb980ac42a34f8c9b79c8d4ea0152d966650a1607354c0fb

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\image\button.png

MD5 810e18e5e782ea451d6c78bc5586e194
SHA1 aaa61c7655e0cdf407ca26d8a9777078603be676
SHA256 65b38298dc57ad481c76795c7262e426f76564666bf9b461535243eda06af5ca
SHA512 85829e840849a2074d2a6d23fd0a86facaf7a9d39101d9eae3c96025fb817b2730f709c6692d2284e9e229b85d43277e53d4a3d7352fcfb82cac8cc508c416a2

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\image\XF.png

MD5 1aa27fb55cb6f229cd47074268ed89cf
SHA1 11abd79d69b8012a2bfa48af4462a2169d554cf1
SHA256 9525586a06237e90be7969028a255a627c547b9cf916549ee7438a896588b3c3
SHA512 347e29a88e74be4689bc7df6f6f6ece30b398338083117f85398e19cb43c310d7b81c039b79976abd09902005a34b8b2f7a4da004f9460d8b6c0cd74c8405409

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\PreDown.dll

MD5 e6f2f48d472676dadd9a7d50566ebedb
SHA1 414f0aeaf7fc815d550385cea1ee4d7077f8cf71
SHA256 804b1bb1ee609957eacfae505a98744b40e6967fe5b215f628b94fae6abaae02
SHA512 ac99e0056abf53b16090cd9cef1b5ea6d3ef393513daaeb05e79b5c1d3d564b6cd74013459813f6b1bbc6844866af8a8f504f995a511e0a61264aed72f8bc0f6

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\image\mainwnd.jpg

MD5 6e3de863ba255d42b15c0b1fe7e74dc7
SHA1 2edb379f17c36c91cbc313d8afa4c3389f975283
SHA256 284578c26f6f083fdcdddf8734273adb92230d9aac8d652b3ca93aa73ba01065
SHA512 c6b5c6fe71579009cb0dc5c5e7d36adb484e202d65586786e4b1092f8a141bd997bf5fd23ce3646433b620036ed7deb8b41d1000bbf92d69fe23071cf6f2bd82

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\image\mainbnd.png

MD5 c5a0b10d206e67a2e23ceba6e0996cb9
SHA1 5594da0d5a20980fb9eee9f3cb123f98f04102ca
SHA256 79c07d49c63921752a6614e593b232b70348b0613decc724ed8eedb691fd4461
SHA512 8f2dbf7e94f2202e9ced29dc5ca33ac77ddd5faf1484320bcab195364a1685fa883cab0f5a325148c6b7913a8338f970906f62f4485ada3da0e45323d3811e24

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\image\min.png

MD5 bd7e98287cc90e5a71c21333f8a67f53
SHA1 77d0118645af536580983de045357afbc5c753e7
SHA256 4f1f2d974d7a10930f0b255fcb33ba313bd9296694d9b35c3a1cbe7f1899fe1c
SHA512 2cefb47e3ee4796416c6e35b2a2ae5f3538951d73f85c47e9bf2f0a0e441cf795aec404bb647e63073a303034b0c947c522213e96bb0708172719fad18e38d26

C:\Users\Admin\AppData\Local\Temp\QQGameDownloader\yxd1321498145\image\unchecked.png

MD5 4449c38913ad0ee04b8f37cddd9351ee
SHA1 fd638a9038d76d00a4ee83e0daf83f25d1a56296
SHA256 f92c38e9e499d1b6e25e98c896e6ba9a957f3ebb5857cf0ec74be7cae9c806da
SHA512 ad4949c79400a4ed4e5e1a1e09e7de212acfea6487948b519d47ba2dc333198a339e2b8184f28d519f8efd11cda3b0f0215ee6ce4e3847534a2306a79fa715ec

memory/4824-64-0x0000000007270000-0x0000000007430000-memory.dmp

memory/1028-73-0x0000000003F60000-0x0000000003FBD000-memory.dmp

memory/4824-70-0x0000000002460000-0x00000000024BD000-memory.dmp

C:\ProgramData\Tencent\Desktop\Global.db

MD5 20a290387265425af96f651e77980cc7
SHA1 8e4e81cdda51eeb9af705dad53f9b4b589b74b3e
SHA256 be084831617a9191d223167be28e8941a169cd730992b9080a586d222f6aba26
SHA512 148107f9924d8e6df5bcff7dcfba7e7e3e710f14e54df925bc48a299a0ded2b03cdb9c7e1f35a64a401323b8946e6cea8dd906a9d393a7e58af5638e83789f5c

memory/2712-82-0x0000000002900000-0x0000000002910000-memory.dmp

memory/2712-85-0x0000000003900000-0x000000000395D000-memory.dmp

C:\ProgramData\Tencent\QQDownload\mediadl.cch

MD5 fcdbaab3b332f90e2c6aec0e0c1b835d
SHA1 31a8c1d4f0211e534b3b28d867f5aa54838fc276
SHA256 523c575e9afff0d47d61c7324358dcccfed98b4f315c11b67ee3cf255449960b
SHA512 606739c79371de93c3a88e7843bca3bfae86708b9e631d37b1d931653e929ae15b1ab99064bb6abcb31e0f135357afc44e5249b07e9b110994648c7f2a8cc201

C:\Users\Admin\AppData\Roaming\Tencent\QQDownload\3574315683\Setting\host.dat

MD5 a0b75ed98fc4ada93f4fa46c5ca2798e
SHA1 c0ef629de1b6afe558ce7d7be63875766d3fb30a
SHA256 431eed895f2678955c7acc1beab41dfa30d1b89dd4927e9a0c56b1c57b52a835
SHA512 bccd4f3eb5f64527b75ee7bb7630f12bec8f54be30bde1a21ec89920244ef49c8d3f726aa8ddcebc95cb70266acb72b4a6e04873beb2eb90fdd60af713afa35c

C:\ProgramData\Tencent\QQDownload\mediadlp.cch

MD5 f6bd6b3389b872033d462029172c8612
SHA1 f4533a73e647c710d3ddbfb253de66e1ac8a6891
SHA256 f0a0278e4372459cca6159cd5e71cfee638302a7b9ca9b05c34181ac0a65ac5d
SHA512 8c7471bddfd31fa1e83a761a2f5bc2fc772a5567c85b3a753d3b8a2e8259386f8f7e440c0ad80272514d821ff27362047e1171b02a95537bd3b40416e5810231

C:\Users\Admin\AppData\Roaming\Tencent\QQDownload\3574315683\Setting\p2pconfig.dat

MD5 130401193e712950009d8fc8e307963d
SHA1 5249eb4e58b26399b6953fe904104f0ea27fa5e3
SHA256 1c2aebef8009f60cb26e9cb10d3a01d3cdb1f625929f4f599fe5ffc1c73e4316
SHA512 e9efaefa35e5fa298d65f7941573f816ddfddd1d27cbcfd16e23f9e29acdd19c74fa29da7d668cd76c21d9d8b30afd7572211a541e80f8a8e670ede1c89e536b

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-17 02:20

Reported

2024-10-17 02:23

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\Extract.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2664 wrote to memory of 2700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2664 wrote to memory of 2700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2664 wrote to memory of 2700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2664 wrote to memory of 2700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2664 wrote to memory of 2700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2664 wrote to memory of 2700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2664 wrote to memory of 2700 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\Extract.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\Extract.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-10-17 02:20

Reported

2024-10-17 02:23

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_2_\TNProxy.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3048 wrote to memory of 2396 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3048 wrote to memory of 2396 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3048 wrote to memory of 2396 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3048 wrote to memory of 2396 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3048 wrote to memory of 2396 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3048 wrote to memory of 2396 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3048 wrote to memory of 2396 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_2_\TNProxy.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$_2_\TNProxy.dll

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-10-17 02:20

Reported

2024-10-17 02:23

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_2_\dlcore.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\VqqSpeedDl.DLL\AppID = "{B85AFBF6-2E43-4F13-8AAE-332C9A18A866}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VqqSpeedDl.VqqDownload C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VqqSpeedDl.VqqDownload.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\TypeLib\ = "{25BD9BB7-33EC-4220-B725-56C470146288}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B85AFBF6-2E43-4F13-8AAE-332C9A18A866}\ = "VqqSpeedDl" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VqqSpeedDl.VqqDownload.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VqqSpeedDl.VqqDownload\CurVer\ = "VqqSpeedDl.VqqDownload.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_2_\\dlcore.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\ProgID\ = "VqqSpeedDl.VqqDownload.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VqqSpeedDl.VqqDownload.1\ = "VqqDownload Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VqqSpeedDl.VqqDownload\ = "VqqDownload Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VqqSpeedDl.VqqDownload\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VqqSpeedDl.VqqDownload\CLSID\ = "{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B85AFBF6-2E43-4F13-8AAE-332C9A18A866} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\VqqSpeedDl.DLL C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\ = "VqqDownload Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_2_\\dlcore.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\AppID = "{B85AFBF6-2E43-4F13-8AAE-332C9A18A866}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\ = "VqqSpeedDl 1.0 类型库" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\HELPDIR\ C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VqqSpeedDl.VqqDownload.1\CLSID\ = "{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VqqSpeedDl.VqqDownload\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\VersionIndependentProgID\ = "VqqSpeedDl.VqqDownload" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2148 wrote to memory of 2184 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2184 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2184 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2184 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2184 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2184 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2148 wrote to memory of 2184 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_2_\dlcore.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$_2_\dlcore.dll

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-10-17 02:20

Reported

2024-10-17 02:23

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_2_\dlcore.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\HELPDIR\ C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\VersionIndependentProgID\ = "VqqSpeedDl.VqqDownload" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\ = "VqqSpeedDl 1.0 类型库" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_2_\\dlcore.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B85AFBF6-2E43-4F13-8AAE-332C9A18A866} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\VqqSpeedDl.DLL C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VqqSpeedDl.VqqDownload.1\CLSID\ = "{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\ProgID\ = "VqqSpeedDl.VqqDownload.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\TypeLib\ = "{25BD9BB7-33EC-4220-B725-56C470146288}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B85AFBF6-2E43-4F13-8AAE-332C9A18A866}\ = "VqqSpeedDl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VqqSpeedDl.VqqDownload\ = "VqqDownload Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VqqSpeedDl.VqqDownload\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$_2_\\dlcore.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\AppID = "{B85AFBF6-2E43-4F13-8AAE-332C9A18A866}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{362B8108-62ED-4F80-BC1D-FE904A262CE2}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\VqqSpeedDl.DLL\AppID = "{B85AFBF6-2E43-4F13-8AAE-332C9A18A866}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VqqSpeedDl.VqqDownload.1\ = "VqqDownload Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VqqSpeedDl.VqqDownload\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VqqSpeedDl.VqqDownload\CurVer\ = "VqqSpeedDl.VqqDownload.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VqqSpeedDl.VqqDownload C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\ = "VqqDownload Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VqqSpeedDl.VqqDownload.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VqqSpeedDl.VqqDownload.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VqqSpeedDl.VqqDownload\CLSID\ = "{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5096 wrote to memory of 1868 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5096 wrote to memory of 1868 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5096 wrote to memory of 1868 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$_2_\dlcore.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$_2_\dlcore.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-10-17 02:20

Reported

2024-10-17 02:23

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

143s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\Extract.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4704 wrote to memory of 4660 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4704 wrote to memory of 4660 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4704 wrote to memory of 4660 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\Extract.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\Extract.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-10-17 02:20

Reported

2024-10-17 02:23

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe N/A
File opened for modification \??\PhysicalDrive0 C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\tnproxy.dll C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\DownloadProxyPS.dll C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe N/A
File created C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\Tencentdl.exe C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\Tencentdl.exe C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe N/A
File created C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\dlcore.dll C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe N/A
File created C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\tnproxy.dll C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe N/A
File created C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\extract.dll C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe N/A
File created C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\Tencentdl.exe C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe N/A
File created C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\DownloadProxyPS.dll C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\dlcore.dll C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\extract.dll C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\AppID = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\HELPDIR C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\TypeLib C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\TypeLib C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\ProgID C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\DownloadProxy.EXE C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ = "_IDownloaderEvents" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib\ = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32 C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\NumMethods\ = "15" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\FLAGS\ = "0" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ProxyStubClsid32\ = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\LocalServer32\ = "\"C:\\program files (x86)\\common files\\tencent\\qqdownload\\113\\tencentdl.exe\"" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid\SequenceID = 45b797ab9d79634cada2b574ce2c5f2c C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\ = "Downloader Class" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib\ = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\VersionIndependentProgID C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ = "IDownloader" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ = "IDownloader_2" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\HELPDIR\ C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ProxyStubClsid32 C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader\ = "Downloader Class" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\VersionIndependentProgID\ = "DownloadProxy.Downloader" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\LocalServer32 C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader\CLSID\ = "{5318D0E8-A003-446A-B66C-5E5E652ACB24}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24} C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader\CLSID\ = "{5318D0E8-A003-446A-B66C-5E5E652ACB24}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\Interface C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader.1\ = "Downloader Class" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader\CurVer C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24} C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\0\win32\ = "C:\\program files (x86)\\common files\\tencent\\qqdownload\\113\\tencentdl.exe" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\ = "Downloader Class" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\Interface C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader\ = "Downloader Class" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\Programmable C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib\Version = "1.0" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24} C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader.1\CLSID\ = "{5318D0E8-A003-446A-B66C-5E5E652ACB24}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81} C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32 C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib\ = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1} C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader.1\ = "Downloader Class" C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\TypeLib C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
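
The registry rows above are what a full out-of-process COM registration looks like: tencentdl.exe (run with -RegServer) writes a CLSID with a LocalServer32 path, two ProgIDs that resolve to it, a TypeLib, and per-interface ProxyStubClsid32 values, while regsvr32.exe registers a separate proxy/stub CLSID for DownloadProxyPS.dll. The script below is an added example, not part of the sandbox report or of Tencent's software; it reduces rows of this shape to the three questions an analyst asks first: which binary each CLSID launches and whether that path is user-writable, which ProgIDs point at it, and whether each interface is marshalled by the standard OLE automation stubs or by a third-party proxy/stub DLL. The EVENTS tuples are copied from the rows above; the tuple layout, the regexes and the classification rules are this example's own assumptions.

```python
"""Triage COM registrations from sandbox registry events (added example)."""
import re

# Standard OLE automation proxy/stub CLSIDs (PSDispatch and PSOAInterface):
# interfaces pointing here are marshalled by oleaut32, not by a third-party DLL.
STANDARD_PROXY_STUBS = {"{00020420-0000-0000-C000-000000000046}",
                        "{00020424-0000-0000-C000-000000000046}"}
# Path fragments a non-admin user can write to; a COM server living there is the
# hijack/persistence case, unlike one an elevated installer put under Program Files.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

TDL = r"C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe"
RS32 = r"C:\Windows\SysWOW64\regsvr32.exe"
CLS = r"\REGISTRY\MACHINE\SOFTWARE\Classes"
# Constructed from the report's rows: (op, key, value name, data, writing process).
# "" as the value name is the key's default value.
EVENTS = [
    ("set", CLS + r"\WOW6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}\LocalServer32", "", '"' + TDL + '"', TDL),
    ("set", CLS + r"\WOW6432Node\CLSID\{5318D0E8-A003-446A-B66C-5E5E652ACB24}", "", "Downloader Class", TDL),
    ("set", CLS + r"\DownloadProxy.Downloader\CLSID", "", "{5318D0E8-A003-446A-B66C-5E5E652ACB24}", TDL),
    ("set", CLS + r"\DownloadProxy.Downloader.1\CLSID", "", "{5318D0E8-A003-446A-B66C-5E5E652ACB24}", TDL),
    ("set", CLS + r"\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ProxyStubClsid32", "", "{00020420-0000-0000-C000-000000000046}", TDL),
    ("set", CLS + r"\WOW6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32", "", "{00020424-0000-0000-C000-000000000046}", TDL),
    ("set", CLS + r"\WOW6432Node\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ProxyStubClsid32", "", "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}", RS32),
    ("set", CLS + r"\WOW6432Node\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32", "ThreadingModel", "Both", RS32),
]

GUID = r"(\{[0-9A-Fa-f-]{36}\})"
SERVER_KEY = re.compile(r"\\CLSID\\" + GUID + r"\\(LocalServer32|InProcServer32)$")
CLSID_KEY = re.compile(r"\\CLSID\\" + GUID + r"$")
PROXY_KEY = re.compile(r"\\Interface\\" + GUID + r"\\ProxyStubClsid32$")
PROGID_KEY = re.compile(r"\\Classes\\([A-Za-z]\w*(?:\.\w+)+)\\CLSID$")


def _entry(servers, clsid):
    return servers.setdefault(clsid, {"name": None, "kind": None, "server": None,
                                      "threading": None, "registered_by": None,
                                      "user_writable": False})


def com_servers(events):
    """CLSID -> what launches it, who registered it, whether the path is user-writable."""
    servers = {}
    for op, key, name, data, proc in events:
        if op != "set":
            continue
        m = SERVER_KEY.search(key)
        if m:
            e = _entry(servers, m.group(1).upper())
            e["kind"], e["registered_by"] = m.group(2), proc
            if name == "":  # default value holds the server path, usually quoted
                e["server"] = data.strip().strip('"')
                e["user_writable"] = any(s in e["server"].lower() for s in USER_WRITABLE)
            elif name.lower() == "threadingmodel":
                e["threading"] = data
        elif name == "" and CLSID_KEY.search(key):
            _entry(servers, CLSID_KEY.search(key).group(1).upper())["name"] = data
    return servers


def progids(events):
    """ProgID -> CLSID, taken from each ProgID\\CLSID default value."""
    return {m.group(1): data.upper() for op, key, name, data, _ in events
            if op == "set" and name == "" and (m := PROGID_KEY.search(key))}


def proxy_stubs(events):
    """IID -> (proxy/stub CLSID, True when it is a standard automation stub)."""
    return {m.group(1).upper(): (data.upper(), data.upper() in STANDARD_PROXY_STUBS)
            for op, key, name, data, _ in events
            if op == "set" and name == "" and (m := PROXY_KEY.search(key))}


def findings(events):
    """One triage line per CLSID, ProgID and marshalled interface."""
    servers, out = com_servers(events), []
    for clsid, e in sorted(servers.items()):
        path = e["server"] or "<server path not present in these events>"
        flag = "USER-WRITABLE " if e["user_writable"] else ""
        out.append(f"{flag}{e['kind']} {clsid} ({e['name'] or '?'}) -> {path}"
                   f" [registered by {e['registered_by']}]")
    for progid, clsid in sorted(progids(events).items()):
        out.append(f"ProgID {progid} -> {clsid}")
    for iid, (ps, std) in sorted(proxy_stubs(events).items()):
        how = "standard OLE automation stub" if std else "custom proxy/stub CLSID"
        if not std and ps in servers:
            how += f", InProcServer32 registered by {servers[ps]['registered_by']}"
        out.append(f"Interface {iid} marshalled by {ps} ({how})")
    return out


if __name__ == "__main__":
    print("\n".join(findings(EVENTS)))
```

Run against the rows above it reports the LocalServer32 for {5318D0E8-...} as the Program Files copy of tencentdl.exe (not user-writable), both DownloadProxy.Downloader ProgIDs resolving to it, {E7270EC6-...} and {7044CE4B-...} marshalled by the standard automation stubs, and {6B3732AA-...} (IDownloader_2) marshalled by the custom CLSID {7044CE4B-...}, which regsvr32 registered as an InProcServer32 with ThreadingModel Both. The InProcServer32 default value, which carries the DLL path, is not among the rows in this excerpt, so the script reports that gap rather than assuming DownloadProxyPS.dll. The same LocalServer32 pointing into %TEMP% or AppData would be the case the USER_WRITABLE check exists for.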

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3988 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe
PID 3988 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe
PID 3988 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe
PID 3988 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe
PID 3988 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe
PID 3988 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe
PID 3220 wrote to memory of 1168 N/A C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe
PID 3220 wrote to memory of 1168 N/A C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe
PID 3220 wrote to memory of 1168 N/A C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe
PID 840 wrote to memory of 3136 N/A C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe
PID 840 wrote to memory of 3136 N/A C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe
PID 840 wrote to memory of 3136 N/A C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe
PID 3136 wrote to memory of 1640 N/A C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3136 wrote to memory of 1640 N/A C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3136 wrote to memory of 1640 N/A C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1168 wrote to memory of 2232 N/A C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1168 wrote to memory of 2232 N/A C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1168 wrote to memory of 2232 N/A C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe

"C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe"

C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe

"C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe" -install

C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe

"C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe" -install

C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe

"C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe" -RegServer

C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe

"C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe" -RegServer

C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe

"C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe" -Embedding

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\program files (x86)\common files\tencent\qqdownload\113\DownloadProxyPS.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\program files (x86)\common files\tencent\qqdownload\113\DownloadProxyPS.dll"
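
The WriteProcessMemory rows and the Processes list above describe one chain: MiniQQDL.exe starts two copies of the temp tencentdl.exe with -install, each of those starts the Program Files copy with -RegServer, and each of those starts regsvr32.exe for DownloadProxyPS.dll. The script below is an added example, not part of the sandbox report; it rebuilds that tree from the rows, counts the writes per parent/child pair, flags any writer that touches a process it did not spawn (none here, which is what separates process-creation writes from injection), and surfaces two details an analyst should notice: the regsvr32 command lines name System32 while the running image is in SysWOW64, so the caller was a 32-bit process and the file-system redirector rewrote the path; and the process list has one more Program Files tencentdl.exe (the -Embedding instance) than the write rows account for, which is what a COM activation launched by the COM service control manager rather than by the installer looks like. WRITES reproduces the fact that each pair appears three times in the table; the pid-to-image map and the process list are copied from the rows; matching processes to the tree by image path (the report gives no pids in the Processes list) is this example's assumption.

```python
"""Rebuild the process chain behind 'Suspicious use of WriteProcessMemory' rows (added example)."""
from collections import Counter, defaultdict

MQ = r"C:\Users\Admin\AppData\Local\Temp\$_2_\MiniQQDL.exe"
TT = r"C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe"
TP = r"C:\program files (x86)\common files\tencent\qqdownload\113\tencentdl.exe"
RS = r"C:\Windows\SysWOW64\regsvr32.exe"
PS = r"C:\program files (x86)\common files\tencent\qqdownload\113\DownloadProxyPS.dll"

# Constructed from the report: every (writer pid, target pid) row is listed three times.
WRITES = ([(3988, 3220)] * 3 + [(3988, 840)] * 3 + [(3220, 1168)] * 3
          + [(840, 3136)] * 3 + [(3136, 1640)] * 3 + [(1168, 2232)] * 3)
IMAGES = {3988: MQ, 3220: TT, 840: TT, 1168: TP, 3136: TP, 1640: RS, 2232: RS}
# (running image, command line) from the Processes list, in the report's order.
PROCESSES = [(MQ, f'"{MQ}"'),
             (TT, f'"{TT}" -install'), (TT, f'"{TT}" -install'),
             (TP, f'"{TP}" -RegServer'), (TP, f'"{TP}" -RegServer'), (TP, f'"{TP}" -Embedding'),
             (RS, f'"C:\\Windows\\System32\\regsvr32.exe" /s "{PS}"'),
             (RS, f'"C:\\Windows\\System32\\regsvr32.exe" /s "{PS}"')]


def write_counts(writes):
    """Writes per (writer, target) pair; creation-time writes arrive as a short burst."""
    return Counter(writes)


def process_tree(writes):
    """(children by pid, roots): the first pid that writes to a target is taken as its spawner."""
    children, first_writer = defaultdict(list), {}
    for writer, target in writes:
        if target not in first_writer:
            first_writer[target] = writer
            children[writer].append(target)
    roots = sorted({w for w, _ in writes} - set(first_writer))
    return children, roots


def foreign_writers(writes):
    """(writer, target) pairs where the writer is not the target's spawner: the injection case."""
    first = {}
    for writer, target in writes:
        first.setdefault(target, writer)
    return sorted({(w, t) for w, t in writes if first[t] != w})


def render(children, roots, images, depth=0):
    """Indented 'pid image' lines, depth-first."""
    lines = []
    for pid in roots:
        lines.append("  " * depth + f"{pid} {images.get(pid, '?')}")
        lines.extend(render(children, children.get(pid, []), images, depth + 1))
    return lines


def wow64_redirections(processes):
    """Command lines naming System32 while the image runs from SysWOW64: the WoW64
    file-system redirector rewrote the path, so the launching process was 32-bit."""
    return [(cmd, img) for img, cmd in processes
            if "\\system32\\" in cmd.lower() and "\\syswow64\\" in img.lower()]


def without_writer(processes, images, writes):
    """Per image: listed instances minus instances that some process wrote into.
    A surplus is a process nobody in the chain launched (the submitted sample itself,
    or a COM server started with -Embedding by the COM service control manager)."""
    listed = Counter(img for img, _ in processes)
    targeted = Counter(images[t] for _, t in set(writes))
    return {img: n - targeted[img] for img, n in listed.items() if n > targeted[img]}


if __name__ == "__main__":
    children, roots = process_tree(WRITES)
    print("\n".join(render(children, roots, IMAGES)))
    print("foreign writers:", foreign_writers(WRITES))
    print("wow64 redirected:", wow64_redirections(PROCESSES))
    print("no recorded writer:", without_writer(PROCESSES, IMAGES, WRITES))
```

The tree comes out with 3988 as the single root and two parallel branches (3220 -> 1168 -> 2232 and 840 -> 3136 -> 1640). Because the spawner is inferred from the first write, the check for foreign writers is only as good as the sandbox's ordering of rows; a target that shows up with two distinct writers is the signal worth chasing, a parent writing into a child it just created is not.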

Network

Country Destination Domain Proto
US 8.8.8.8:53 cfg.xf.qq.com udp
US 8.8.8.8:53 fs_report_doctor.qq.com udp
US 8.8.8.8:53 pdlxf_doctor.qq.com udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 fs_tcp_conn_doctor.qq.com udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 local_p2p.qq.com udp
US 8.8.8.8:53 stun.qq.com udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 xuanfengnet.qq.com udp
US 8.8.8.8:53 fs_bt.qq.com udp
US 8.8.8.8:53 xf_com_update_doctor.qq.com udp
US 8.8.8.8:53 fs_conn_back_doctor.qq.com udp
US 8.8.8.8:53 fs_conn_doctor.qq.com udp
US 8.8.8.8:53 fs_conn_other_doctor.qq.com udp
US 8.8.8.8:53 fs_emule.qq.com udp
US 8.8.8.8:53 fs_h2u.qq.com udp
US 8.8.8.8:53 fs_rc.qq.com udp
US 8.8.8.8:53 fs_report_doctor.qq.com udp
US 8.8.8.8:53 xf.stat_doctor.qq.com udp
US 8.8.8.8:53 xf_bt.stat.qq.com udp
US 8.8.8.8:53 xf_em.stat.qq.com udp
US 8.8.8.8:53 xfstat.qq.com udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
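
Read carefully, the Network table mixes three kinds of rows: forward DNS queries for qq.com names that the sample's components make, reverse (in-addr.arpa) lookups of addresses the Windows image talks to on its own, and the bing.net sessions the win10 sandbox image produces in every detonation (the behavioral16 run below shows the same tse1.mm.bing.net traffic and several of the same reverse lookups even though the sample only crashed inside rundll32 there). The script below is an added example, not part of the sandbox report; it parses rows of this shape, decodes PTR names back to IP addresses, counts forward queries per name, separates background names from sample-attributable ones, and keeps the non-DNS sessions apart. The rows are constructed from this table plus the one domain-less row in behavioral16's table, included so the parser is shown handling it; the background-suffix list is this example's assumption.

```python
"""Separate sample-attributable DNS from sandbox background in a Network table (added example)."""
from collections import Counter

# Rows constructed from the report's Network tables. The last row, from the behavioral16
# run, has no domain field and must not shift the other columns.
ROWS = """\
US 8.8.8.8:53 cfg.xf.qq.com udp
US 8.8.8.8:53 fs_report_doctor.qq.com udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 stun.qq.com udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 fs_report_doctor.qq.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp
"""

# Assumed list of names the sandbox image resolves on its own; extend it from clean runs.
BACKGROUND_SUFFIXES = (".bing.net", ".microsoft.com", ".windowsupdate.com")


def parse_rows(text):
    """Each row to a dict; a missing domain becomes None instead of shifting columns."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dst, domain, proto = parts
        elif len(parts) == 3:
            country, dst, proto = parts
            domain = None
        else:
            continue
        rows.append({"country": country, "dst": dst, "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'154.239.44.20.in-addr.arpa' -> '20.44.239.154'; PTR names carry the octets reversed."""
    if not name or not name.endswith(".in-addr.arpa"):
        return None
    return ".".join(reversed(name[: -len(".in-addr.arpa")].split(".")))


def is_background(domain):
    return domain is not None and domain.endswith(BACKGROUND_SUFFIXES)


def summarize(text):
    rows = parse_rows(text)
    dns = [r for r in rows if r["dst"].endswith(":53") and r["proto"] == "udp"]
    ptr_ips = sorted({ptr_to_ip(r["domain"]) for r in dns if ptr_to_ip(r["domain"])})
    # Names with underscores (fs_report_doctor) are not valid hostnames but are legal
    # DNS names; keep them as raw strings and never run them through a hostname validator.
    forward = Counter(r["domain"] for r in dns if r["domain"] and not ptr_to_ip(r["domain"]))
    return {
        "sample_queries": {d: n for d, n in forward.items() if not is_background(d)},
        "background": sorted(d for d in forward if is_background(d)),
        "ptr_ips": ptr_ips,
        "connections": sorted({(r["dst"], r["domain"], r["proto"]) for r in rows if r["proto"] != "udp"}),
        "malformed": sum(r["domain"] is None for r in rows),
    }


if __name__ == "__main__":
    for key, value in summarize(ROWS).items():
        print(f"{key}: {value}")
```

Two caveats follow from the output. The only TCP sessions the table records are to bing.net, so for this run the sample-attributable evidence is DNS only: the qq.com names were resolved, but no connection to them appears. And the decoded PTR targets (20.x, 52.x, 192.229.x ranges) also show up in the behavioral16 run, so decode them for completeness but do not attribute them to the sample without a matching forward lookup or session.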

Files

C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\Tencentdl.exe

MD5 b8f64b0b53e039cbeba7d60c81710bd8
SHA1 a9be269daa7f404a23fcaf002be7ee13697ef8e0
SHA256 54e0b845eff52823a951ff4b38c6728a381613a0603ce82d4d5c34aa6402f7cc
SHA512 9b5c5818fc0a11c8dc80b3befd3459a031f411fc5ddba43f7c0737f20ce6b265599790b64897aed448ccff766c98c5f8d0837495a8eecca36777be390f49ec05

memory/3988-24-0x0000000007390000-0x0000000007550000-memory.dmp

C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\DownloadProxyPS.dll

MD5 4ceb4641a90de4feee34ba5f949d41ba
SHA1 cb060db236d9938f97b5e4e2d1b1c663071a2bd7
SHA256 2a075c11148c3f04163b9ffdaa05d4b46bc55c96b2fe50d0a39cc377139c2b26
SHA512 932960a503817683c3d7c66695732ec6dc59887b0eaa8d53c4e26e1de6fd6c4e9291a4afe25d898c9b02dfe4cd976414f66b715b861e7974e765bff587fa2d27

C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\extract.dll

MD5 9da51d4506bd094fbfc7d337338fc872
SHA1 1b5799ef6b66ac9471842f17570813e7c42cdb27
SHA256 f2181e41d5950fcb762edf6b9cbb665e94004a7f1102b606c331690e6069a501
SHA512 07dfae7c04ea2815ed78af9e29313050338bfec5a8e08a8846c0f846d6d27b79b7bfe2c3b4dbf3758aa22f88342aadf5513dcbcd6a718b9dd939996d6ce9e044

C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\tnproxy.dll

MD5 858fc685a5bff591985394f9cdf9e289
SHA1 5970a28aab399d005885b9c6b79eafd606640fab
SHA256 3404212366a3aed4155e5d73d901e769a7005cadde5169a8d9677ab5a0585dcf
SHA512 620491b27ff281ad42f947fb9dbef3256624fe8d298740d6b9942627525a2d44525cbb9065d2ffa2efb0ab3478b8a33148fc9b0b4c531106cc8e421e2c59f0d0

C:\Program Files (x86)\Common Files\Tencent\QQDownload\113\dlcore.dll

MD5 82ce23aad749aee959820533c0676cb2
SHA1 3aa526a4ed51491b01a5419713d1582a426b7efc
SHA256 a2fd92c7fc26bf2851aaefcc5f0bafd75511794ad0c781e1a715df812f7bd2ab
SHA512 c91f5165059677071a1e2949244dd1ce4e2c5ce58fe38298f1707ff4b6de6981d7c45f8fd5a189a91d154b0c4af25dbaae4e7a51f107dee77f2f51f0150d2707

memory/3988-35-0x0000000002910000-0x000000000296D000-memory.dmp

memory/1712-37-0x0000000003E10000-0x0000000003E6D000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-10-17 02:20

Reported

2024-10-17 02:23

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$_2_\Tencentdl.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$_2_\Tencentdl.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$_2_\Tencentdl.exe

"C:\Users\Admin\AppData\Local\Temp\$_2_\Tencentdl.exe"

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-10-17 02:20

Reported

2024-10-17 02:23

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\predown.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4460 wrote to memory of 4940 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4460 wrote to memory of 4940 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4460 wrote to memory of 4940 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\predown.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$_2_\predown.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4940 -ip 4940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 684

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A