blackmoon | 774c89fd31006f8b9c96c402a3210caeee298b49018ca5e67ad72712a599f921

Analysis

max time kernel
196s
max time network
240s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

774c89fd31006f8b9c96c402a3210caeee298b49018ca5e67ad72712a599f921.exe
Size

3.5MB
MD5

3122d50c68a14c92156f3d04b54bfe5e
SHA1

0258047ff25d6e3be692bde793228ea365879d24
SHA256

774c89fd31006f8b9c96c402a3210caeee298b49018ca5e67ad72712a599f921
SHA512

fcf2a80fbdd0ca928728aaed179a6680c1e4d527020e7aed318245bee9510d49397b3b2429e023a0ea62753743bf31cc4f40995859970d35ea2390b11aaa4d9e
SSDEEP

98304:ZQBLXBmC5ACOfCBkqIVmdXpoFC4U56+3Q:qBXBhzOcpWece6+A

Score

10^/10

blackmoon adware banker discovery persistence stealer trojan upx vmprotect

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1596-58-0x0000000000400000-0x000000000091F000-memory.dmp	family_blackmoon
\Program Files (x86)\CNPlayer\tp.exe	family_blackmoon
\Program Files (x86)\CNPlayer\tp.exe	family_blackmoon
C:\Program Files (x86)\CNPlayer\tp.exe	family_blackmoon
behavioral1/memory/1596-105-0x0000000000400000-0x000000000091F000-memory.dmp	family_blackmoon

Executes dropped EXE 3 IoCs

Processes:

cnplayer_temp.exeCNPSetup.exetp.exe

pid process

300 cnplayer_temp.exe
1744 CNPSetup.exe
1860 tp.exe

pid	process
300	cnplayer_temp.exe
1744	CNPSetup.exe
1860	tp.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\CNPlayer\Parameters\ServiceDll = "C:\\Program Files (x86)\\CNPlayer\\cn_player.dll"	tp.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1596-54-0x0000000000400000-0x000000000091F000-memory.dmp	upx
behavioral1/memory/1596-58-0x0000000000400000-0x000000000091F000-memory.dmp	upx
behavioral1/memory/1596-105-0x0000000000400000-0x000000000091F000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1792-120-0x00000000004F0000-0x0000000000551000-memory.dmp	vmprotect
behavioral1/memory/1792-122-0x00000000004F0000-0x0000000000551000-memory.dmp	vmprotect
behavioral1/memory/1792-127-0x00000000004F0000-0x0000000000551000-memory.dmp	vmprotect

Loads dropped DLL 28 IoCs

Processes:

774c89fd31006f8b9c96c402a3210caeee298b49018ca5e67ad72712a599f921.execnplayer_temp.exeCNPSetup.exetp.exesvchost.exeregsvr32.exe

pid	process
1596	774c89fd31006f8b9c96c402a3210caeee298b49018ca5e67ad72712a599f921.exe
300	cnplayer_temp.exe
300	cnplayer_temp.exe
300	cnplayer_temp.exe
300	cnplayer_temp.exe
300	cnplayer_temp.exe
300	cnplayer_temp.exe
300	cnplayer_temp.exe
300	cnplayer_temp.exe
300	cnplayer_temp.exe
300	cnplayer_temp.exe
300	cnplayer_temp.exe
1744	CNPSetup.exe
1744	CNPSetup.exe
1744	CNPSetup.exe
1744	CNPSetup.exe
1744	CNPSetup.exe
1596	774c89fd31006f8b9c96c402a3210caeee298b49018ca5e67ad72712a599f921.exe
1744	CNPSetup.exe
1596	774c89fd31006f8b9c96c402a3210caeee298b49018ca5e67ad72712a599f921.exe
1744	CNPSetup.exe
1860	tp.exe
1744	CNPSetup.exe
1744	CNPSetup.exe
1744	CNPSetup.exe
1792	svchost.exe
948	regsvr32.exe
948	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CNPSetup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	CNPSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\CNPlayer = "\"C:\\Program Files (x86)\\CNPlayer\\CNPlayer.exe\" /autorun"	CNPSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{48EAAE6B-A37B-4cc1-8125-41A207B4C56A}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{48EAAE6B-A37B-4cc1-8125-41A207B4C56A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{48EAAE6B-A37B-4cc1-8125-41A207B4C56A}\ = "ShoppingHelper"	regsvr32.exe

Drops file in Program Files directory 64 IoCs

Processes:

cnplayer_temp.exe774c89fd31006f8b9c96c402a3210caeee298b49018ca5e67ad72712a599f921.exeCNPSetup.exe

description	ioc	process
File created	C:\Program Files (x86)\CNPlayer\images\CF_Bottom.bmp	cnplayer_temp.exe
File created	C:\Program Files (x86)\CNPlayer\images\CF_Right.bmp	cnplayer_temp.exe
File created	C:\Program Files (x86)\CNPlayer\images\CF_Top.bmp	cnplayer_temp.exe
File created	C:\Program Files (x86)\CNPlayer\tool\xl_cximage.dll	cnplayer_temp.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\images\CF_RightTop.bmp	cnplayer_temp.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\images\ProgressBarFill.bmp	cnplayer_temp.exe
File created	C:\Program Files (x86)\CNPlayer\msvcp71.dll	cnplayer_temp.exe
File created	C:\Program Files (x86)\CNPlayer\images\Close_Hover.bmp	cnplayer_temp.exe
File created	C:\Program Files (x86)\CNPlayer\cn_player.dll	774c89fd31006f8b9c96c402a3210caeee298b49018ca5e67ad72712a599f921.exe
File created	C:\Program Files (x86)\CNPlayer\zlib1.dll	cnplayer_temp.exe
File created	C:\Program Files (x86)\CNPlayer\images\Cancel_Hover.bmp	cnplayer_temp.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\images\CF_Top.bmp	cnplayer_temp.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\tool\giflib4.dll	cnplayer_temp.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\tool\Data\data.db	cnplayer_temp.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\images\Close_Down.bmp	cnplayer_temp.exe
File created	C:\Program Files (x86)\CNPlayer\images\Close_Normal.bmp	cnplayer_temp.exe
File created	C:\Program Files (x86)\CNPlayer\images\Confirm_Hover.bmp	cnplayer_temp.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\atl71.dll	cnplayer_temp.exe
File created	C:\Program Files (x86)\CNPlayer\CNPlayer.exe	cnplayer_temp.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\images\Cancel_Disable.bmp	cnplayer_temp.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\tool\xl_cximage.dll	cnplayer_temp.exe
File created	C:\Program Files (x86)\CNPlayer\atl71.dll	cnplayer_temp.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\minizip.dll	cnplayer_temp.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\msvcp90.dll	cnplayer_temp.exe
File created	C:\Program Files (x86)\CNPlayer\tool\msvcp71.dll	cnplayer_temp.exe
File created	C:\Program Files (x86)\CNPlayer\PlayerBase.dll	cnplayer_temp.exe
File created	C:\Program Files (x86)\CNPlayer\images\Cancel_Disable.bmp	cnplayer_temp.exe
File created	C:\Program Files (x86)\CNPlayer\Uninst.exe	CNPSetup.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\tool\data.dll	cnplayer_temp.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\tool\libpng13.dll	cnplayer_temp.exe
File created	C:\Program Files (x86)\CNPlayer\autoupdate.dll	cnplayer_temp.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\images\Cancel_Hover.bmp	cnplayer_temp.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\CNPAgent.dll	cnplayer_temp.exe
File created	C:\Program Files (x86)\CNPlayer\CNPAgent.dll	cnplayer_temp.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\EventHelper.dll	cnplayer_temp.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\msvcp71.dll	cnplayer_temp.exe
File created	C:\Program Files (x86)\CNPlayer\images\Close_Down.bmp	cnplayer_temp.exe
File created	C:\Program Files (x86)\CNPlayer\tool\libjpeg6b.dll	cnplayer_temp.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\tool\msvcp71.dll	cnplayer_temp.exe
File created	C:\Program Files (x86)\CNPlayer\tool\Data\data.db	cnplayer_temp.exe
File created	C:\Program Files (x86)\CNPlayer\images\Cancel_Down.bmp	cnplayer_temp.exe
File created	C:\Program Files (x86)\CNPlayer\ShoppingHelper.dll	cnplayer_temp.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\tool\jscript.dll	cnplayer_temp.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\CNPlayer.exe	cnplayer_temp.exe
File created	C:\Program Files (x86)\CNPlayer\images\CF_Left.bmp	cnplayer_temp.exe
File created	C:\Program Files (x86)\CNPlayer\images\CF_LeftTop.bmp	cnplayer_temp.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\CNPAgent.546.dll	CNPSetup.exe
File created	C:\Program Files (x86)\CNPlayer\CNPAgent.546.dll	CNPSetup.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\autoupdate.dll	cnplayer_temp.exe
File created	C:\Program Files (x86)\CNPlayer\EventHelper.dll	cnplayer_temp.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\images\CF_LeftTop.bmp	cnplayer_temp.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\images\Close_Disable.bmp	cnplayer_temp.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\images\Confirm_Normal.bmp	cnplayer_temp.exe
File created	C:\Program Files (x86)\CNPlayer\tool\Data\config.xml	cnplayer_temp.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\images\CF_Left.bmp	cnplayer_temp.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\images\ProgressBarBk.bmp	cnplayer_temp.exe
File created	C:\Program Files (x86)\CNPlayer\images\ProgressBarFill.bmp	cnplayer_temp.exe
File created	C:\Program Files (x86)\CNPlayer\tool\atl71.dll	cnplayer_temp.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\PlayerBase.dll	cnplayer_temp.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\images\CF_RightBottom.bmp	cnplayer_temp.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\images\Confirm_Down.bmp	cnplayer_temp.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\images\Confirm_Hover.bmp	cnplayer_temp.exe
File created	C:\Program Files (x86)\CNPlayer\tool\tool.dll	cnplayer_temp.exe
File opened for modification	C:\Program Files (x86)\CNPlayer\tool\zlib1.dll	cnplayer_temp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 8 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\CNPlayer\Install\CNPSetup.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\CNPlayer\Install\CNPSetup.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\CNPlayer\Install\CNPSetup.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\CNPlayer\Install\CNPSetup.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\CNPlayer\Install\CNPSetup.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\CNPlayer\Install\CNPSetup.exe	nsis_installer_2
\Program Files (x86)\CNPlayer\Uninst.exe	nsis_installer_1
\Program Files (x86)\CNPlayer\Uninst.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

CNPSetup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\CNHD	CNPSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ProtocolExecute	CNPSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\CNHD\WarnOnOpen = "0"	CNPSetup.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\CNHD	CNPSetup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\CNHD\WarnOnOpen = "0"	CNPSetup.exe

Modifies registry class 64 IoCs

Processes:

CNPSetup.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA536CAC-6A78-45aa-8BED-7C1887833AC1}\ = "CNPAgent"	CNPSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{46D92D1C-AA39-471A-BE8D-A3B3BDCFB15D}	CNPSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6405D2D3-D20B-41D2-815C-5676C1D30866}	CNPSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CNHD\URL Protocol	CNPSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShoppingHelper.ShoppingHelper\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B32CB073-0047-45D3-8D28-6CBB81EC48A7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B32CB073-0047-45D3-8D28-6CBB81EC48A7}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80FA3B51-6A56-4468-AC75-5AC5B116A3EF}\ = "CNPAgentImpl Class"	CNPSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{46D92D1C-AA39-471A-BE8D-A3B3BDCFB15D}\TypeLib	CNPSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShoppingHelper.ShoppingHelper.1\CLSID\ = "{48EAAE6B-A37B-4cc1-8125-41A207B4C56A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShoppingHelper.ShoppingHelper\CLSID\ = "{48EAAE6B-A37B-4cc1-8125-41A207B4C56A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CNPAgent.CNPAgentImpl.1\CLSID\ = "{80FA3B51-6A56-4468-AC75-5AC5B116A3EF}"	CNPSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{749E159A-0062-43C2-AE7F-8618CDBC2A30}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\CNPlayer\\"	CNPSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CNHD	CNPSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B32CB073-0047-45D3-8D28-6CBB81EC48A7}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80FA3B51-6A56-4468-AC75-5AC5B116A3EF}\TypeLib\ = "{749E159A-0062-43c2-AE7F-8618CDBC2A30}"	CNPSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{749E159A-0062-43C2-AE7F-8618CDBC2A30}\1.0\ = "CNPAgent 1.0 Type Library"	CNPSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{46D92D1C-AA39-471A-BE8D-A3B3BDCFB15D}\ = "_ICNPAgentImplEvents"	CNPSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6405D2D3-D20B-41D2-815C-5676C1D30866}\ = "ICNPAgentImpl"	CNPSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6405D2D3-D20B-41D2-815C-5676C1D30866}\TypeLib\Version = "1.0"	CNPSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48EAAE6B-A37B-4cc1-8125-41A207B4C56A}\VersionIndependentProgID\ = "ShoppingHelper.ShoppingHelper"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{749E159A-0062-43C2-AE7F-8618CDBC2A30}\1.0\FLAGS\ = "0"	CNPSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{46D92D1C-AA39-471A-BE8D-A3B3BDCFB15D}\ProxyStubClsid32	CNPSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6405D2D3-D20B-41D2-815C-5676C1D30866}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	CNPSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CNHD\Shell\Open\command	CNPSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B32CB073-0047-45D3-8D28-6CBB81EC48A7}\1.0\ = "ShoppingHelper 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CNPAgent.CNPAgentImpl\CLSID	CNPSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CNPAgent.CNPAgentImpl\CurVer\ = "CNPAgent.CNPAgentImpl.1"	CNPSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80FA3B51-6A56-4468-AC75-5AC5B116A3EF}\VersionIndependentProgID	CNPSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80FA3B51-6A56-4468-AC75-5AC5B116A3EF}\Programmable	CNPSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CNHD\Shell\Open	CNPSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48EAAE6B-A37B-4cc1-8125-41A207B4C56A}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48EAAE6B-A37B-4cc1-8125-41A207B4C56A}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48EAAE6B-A37B-4cc1-8125-41A207B4C56A}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CNPAgent.CNPAgentImpl.1	CNPSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CNPAgent.CNPAgentImpl\CLSID\ = "{80FA3B51-6A56-4468-AC75-5AC5B116A3EF}"	CNPSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{749E159A-0062-43C2-AE7F-8618CDBC2A30}\1.0	CNPSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{46D92D1C-AA39-471A-BE8D-A3B3BDCFB15D}\ProxyStubClsid32	CNPSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6405D2D3-D20B-41D2-815C-5676C1D30866}\ProxyStubClsid32	CNPSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6405D2D3-D20B-41D2-815C-5676C1D30866}\TypeLib	CNPSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6405D2D3-D20B-41D2-815C-5676C1D30866}\TypeLib\ = "{749E159A-0062-43C2-AE7F-8618CDBC2A30}"	CNPSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80FA3B51-6A56-4468-AC75-5AC5B116A3EF}\ProgID	CNPSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{46D92D1C-AA39-471A-BE8D-A3B3BDCFB15D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	CNPSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48EAAE6B-A37B-4cc1-8125-41A207B4C56A}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48EAAE6B-A37B-4cc1-8125-41A207B4C56A}\TypeLib\ = "{B32CB073-0047-45d3-8D28-6CBB81EC48A7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\CNPAgent.DLL	CNPSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CNPAgent.CNPAgentImpl\ = "CNPAgentImpl Class"	CNPSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{749E159A-0062-43C2-AE7F-8618CDBC2A30}\1.0\0	CNPSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6405D2D3-D20B-41D2-815C-5676C1D30866}\TypeLib\ = "{749E159A-0062-43C2-AE7F-8618CDBC2A30}"	CNPSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShoppingHelper.ShoppingHelper\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48EAAE6B-A37B-4cc1-8125-41A207B4C56A}\InprocServer32\ = "C:\\Users\\Public\\Qizhao\\ShoppingHelper.2.2.1.150.(546).dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CNPAgent.CNPAgentImpl	CNPSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{46D92D1C-AA39-471A-BE8D-A3B3BDCFB15D}\TypeLib\Version = "1.0"	CNPSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6405D2D3-D20B-41D2-815C-5676C1D30866}	CNPSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6405D2D3-D20B-41D2-815C-5676C1D30866}\TypeLib	CNPSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShoppingHelper.ShoppingHelper	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShoppingHelper.ShoppingHelper\CurVer\ = "ShoppingHelper.ShoppingHelper.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48EAAE6B-A37B-4cc1-8125-41A207B4C56A}\ = "¹ºÎï¾«Áé¹¤¾ßÌõ"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48EAAE6B-A37B-4cc1-8125-41A207B4C56A}\AppID = "{D921367F-0AD0-4c64-BE17-C2E9CCA52FD0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48EAAE6B-A37B-4cc1-8125-41A207B4C56A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80FA3B51-6A56-4468-AC75-5AC5B116A3EF}	CNPSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80FA3B51-6A56-4468-AC75-5AC5B116A3EF}\InprocServer32	CNPSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80FA3B51-6A56-4468-AC75-5AC5B116A3EF}\TypeLib	CNPSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{46D92D1C-AA39-471A-BE8D-A3B3BDCFB15D}\TypeLib\ = "{749E159A-0062-43C2-AE7F-8618CDBC2A30}"	CNPSetup.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

cnplayer_temp.exe

pid process

300 cnplayer_temp.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

774c89fd31006f8b9c96c402a3210caeee298b49018ca5e67ad72712a599f921.exetp.exe

pid process

1596 774c89fd31006f8b9c96c402a3210caeee298b49018ca5e67ad72712a599f921.exe
1860 tp.exe

pid	process
300	cnplayer_temp.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

774c89fd31006f8b9c96c402a3210caeee298b49018ca5e67ad72712a599f921.execnplayer_temp.exe

description	pid	process	target process
PID 1596 wrote to memory of 300	1596	774c89fd31006f8b9c96c402a3210caeee298b49018ca5e67ad72712a599f921.exe	cnplayer_temp.exe
PID 1596 wrote to memory of 300	1596	774c89fd31006f8b9c96c402a3210caeee298b49018ca5e67ad72712a599f921.exe	cnplayer_temp.exe
PID 1596 wrote to memory of 300	1596	774c89fd31006f8b9c96c402a3210caeee298b49018ca5e67ad72712a599f921.exe	cnplayer_temp.exe
PID 1596 wrote to memory of 300	1596	774c89fd31006f8b9c96c402a3210caeee298b49018ca5e67ad72712a599f921.exe	cnplayer_temp.exe
PID 1596 wrote to memory of 300	1596	774c89fd31006f8b9c96c402a3210caeee298b49018ca5e67ad72712a599f921.exe	cnplayer_temp.exe
PID 1596 wrote to memory of 300	1596	774c89fd31006f8b9c96c402a3210caeee298b49018ca5e67ad72712a599f921.exe	cnplayer_temp.exe
PID 1596 wrote to memory of 300	1596	774c89fd31006f8b9c96c402a3210caeee298b49018ca5e67ad72712a599f921.exe	cnplayer_temp.exe
PID 300 wrote to memory of 1744	300	cnplayer_temp.exe	CNPSetup.exe
PID 300 wrote to memory of 1744	300	cnplayer_temp.exe	CNPSetup.exe
PID 300 wrote to memory of 1744	300	cnplayer_temp.exe	CNPSetup.exe
PID 300 wrote to memory of 1744	300	cnplayer_temp.exe	CNPSetup.exe
PID 300 wrote to memory of 1744	300	cnplayer_temp.exe	CNPSetup.exe
PID 300 wrote to memory of 1744	300	cnplayer_temp.exe	CNPSetup.exe
PID 300 wrote to memory of 1744	300	cnplayer_temp.exe	CNPSetup.exe
PID 1596 wrote to memory of 1860	1596	774c89fd31006f8b9c96c402a3210caeee298b49018ca5e67ad72712a599f921.exe	tp.exe
PID 1596 wrote to memory of 1860	1596	774c89fd31006f8b9c96c402a3210caeee298b49018ca5e67ad72712a599f921.exe	tp.exe
PID 1596 wrote to memory of 1860	1596	774c89fd31006f8b9c96c402a3210caeee298b49018ca5e67ad72712a599f921.exe	tp.exe
PID 1596 wrote to memory of 1860	1596	774c89fd31006f8b9c96c402a3210caeee298b49018ca5e67ad72712a599f921.exe	tp.exe
PID 300 wrote to memory of 948	300	cnplayer_temp.exe	regsvr32.exe
PID 300 wrote to memory of 948	300	cnplayer_temp.exe	regsvr32.exe
PID 300 wrote to memory of 948	300	cnplayer_temp.exe	regsvr32.exe
PID 300 wrote to memory of 948	300	cnplayer_temp.exe	regsvr32.exe
PID 300 wrote to memory of 948	300	cnplayer_temp.exe	regsvr32.exe
PID 300 wrote to memory of 948	300	cnplayer_temp.exe	regsvr32.exe
PID 300 wrote to memory of 948	300	cnplayer_temp.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\774c89fd31006f8b9c96c402a3210caeee298b49018ca5e67ad72712a599f921.exe
"C:\Users\Admin\AppData\Local\Temp\774c89fd31006f8b9c96c402a3210caeee298b49018ca5e67ad72712a599f921.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1596

C:\Users\Admin\AppData\Local\Temp\cnplayer_temp.exe
"C:\Users\Admin\AppData\Local\Temp\cnplayer_temp.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:300

C:\Users\Admin\AppData\Local\Temp\CNPlayer\Install\CNPSetup.exe
"C:\Users\Admin\AppData\Local\Temp\CNPlayer\Install\CNPSetup.exe" /autorun /uid 7AAB9C3024C2ND1 /instsource temp /instdir "C:\Program Files (x86)\CNPlayer" /setuppath "C:\Users\Admin\AppData\Local\Temp\cnplayer_temp.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:1744

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\CNPlayer\ShoppingHelper.dll"
3⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:948

C:\Program Files (x86)\CNPlayer\tp.exe
"C:\Program Files (x86)\CNPlayer\tp.exe" 774c89fd31006f8b9c96c402a3210caeee298b49018ca5e67ad72712a599f921.exe
2⤵
- Executes dropped EXE
- Sets DLL path for service in the registry
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1860

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k webGame
1⤵
- Loads dropped DLL
PID:1792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CNPlayer\ATL71.DLL
Filesize
87KB

MD5
1f1d608abcc34ca2a5369c95b47605f0

SHA1
3340aa7ba25c25ce8cd3fd657aa6b04fb8319099

SHA256
3d116a14cfc3723257521ea309ef1fb3c950691756a89a839df3f8dbfbae56be

SHA512
a76532a8ce8055314bf1da6f8f3d8eda051457560f9c5ee9b2ea75c2da71830d6da0cc180661d51ba5080837198bc669124c89d88c71440018021a54c1d7ad16

Download Submit
C:\Program Files (x86)\CNPlayer\CNPAgent.dll
Filesize
159KB

MD5
90ee9753702b077c726dc386573e5208

SHA1
6f5d1af8c220589dab09e9e9686c0c7ed1818592

SHA256
d8d4649f49d1b0e05ac5c507428436e7cd0101f5cbae2cc2f814358b93607a4f

SHA512
b41082d3efd201da060fe1c6ba4b84d042b2745f0b54051f5c3ea5adccaf0ed18f61bf67b5d0c73dadf99096e5004fdf3bf58284ad7a4f25913419c6153623a0

Download Submit
C:\Program Files (x86)\CNPlayer\CNPlayer.exe
Filesize
571KB

MD5
732877bd3c357f94fafdd4e8a7f48f95

SHA1
0f3e8cd03bb4f4606685f58c31b7fadbe00e4373

SHA256
480aa37ed292fb2f333e526a10f46f306247260ca47aba1ac95bd396b3d00476

SHA512
02dbe438e37a63c5284416c2537d2bcd9e61c7b3e711f76e50e21d76c72a5c8caf81ea1aeeab995a333472d5c9d7dce0e5acdc37d56d1d62c106702e539cbe39

Download Submit
C:\Program Files (x86)\CNPlayer\MSVCP71.dll
Filesize
488KB

MD5
561fa2abb31dfa8fab762145f81667c2

SHA1
c8ccb04eedac821a13fae314a2435192860c72b8

SHA256
df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b

SHA512
7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43

Download Submit
C:\Program Files (x86)\CNPlayer\MSVCR71.dll
Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
C:\Program Files (x86)\CNPlayer\ShoppingHelper.dll
Filesize
308KB

MD5
f835adf47b51c5a0144de157c9756864

SHA1
577fb36e0119ea29793d306e7937ef016a551687

SHA256
448d41550a6e8c82dcf6372e6bd99912c7a194f104fd11d31374209b203dd2c9

SHA512
186d190729c07dae3f31298e4884470c35bd39faa6d8abac330d53ccbf696663949ac62115f58c22133c18c19f67f5ccf00aa5f535286025238328454c468745

Download Submit
C:\Program Files (x86)\CNPlayer\cn_player.dll
Filesize
258KB

MD5
9492026dc404d27d3250767306f794df

SHA1
0228647d06ed547fa77ccd3c9002688936b6b662

SHA256
7b468de05794f4a44dd4057cd14edc8b0f3965cdfa61e964f72051b111aa93f0

SHA512
389f043379514eeed04018091a22b03bfcd7ea7db8f79168bef5423d7ff086bcdf728496f232d70691dbdd1db44cfc0408023329b4790e5a3d9809ae05b7a95a

Download Submit
C:\Program Files (x86)\CNPlayer\msvcp90.dll
Filesize
555KB

MD5
6de5c66e434a9c1729575763d891c6c2

SHA1
a230e64e0a5830544a25890f70ce9c9296245945

SHA256
4f7ed27b532888ce72b96e52952073eab2354160d1156924489054b7fa9b0b1a

SHA512
27ec83ee49b752a31a9469e17104ed039d74919a103b625a9250ac2d4d8b8601034d8b3e2fa87aadbafbdb89b01c1152943e8f9a470293cc7d62c2eefa389d2c

Download Submit
C:\Program Files (x86)\CNPlayer\msvcr90.dll
Filesize
640KB

MD5
e7d91d008fe76423962b91c43c88e4eb

SHA1
29268ef0cd220ad3c5e9812befd3f5759b27a266

SHA256
ed0170d3de86da33e02bfa1605eec8ff6010583481b1c530843867c1939d2185

SHA512
c3d5da1631860c92decf4393d57d8bff0c7a80758c9b9678d291b449be536465bda7a4c917e77b58a82d1d7bfc1f4b3bee9216d531086659c40c41febcdcae92

Download Submit
C:\Program Files (x86)\CNPlayer\tp.exe
Filesize
208KB

MD5
33eb3a96413275fa0c3ace17062ee34a

SHA1
5bb6d1f7fba08d8f0d4cb8b23728b2d1b55c60b9

SHA256
8982b950676e4c21af06ff24756dc567834fb3aacc2de05ee219c76372a5cd9d

SHA512
96cd16a2ab54ad27e0516c85ae72e69d0602f12968e400f18d81e49ea4552dabbb3976e00f435df07ab665b3df2500e9360f84d4287e97feffcd21a7c272adb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CNPlayer\Install\CNPSetup.exe
Filesize
133KB

MD5
c0035aa82f5d924c21c3bbac52658739

SHA1
c578629a2cdaca24647fba2dc9c865d17a253273

SHA256
3adcad0f95848e122e5c5249e33cc16f3275d512391ee8c14453c51b12661582

SHA512
408b910eedfba0bbc2856dcfdcf782d13c8205e82a577e703d964eed07aadbcaa2cf4759320c5dd1f9db8601c2cad7ec3e1a3d13d94928b148f187c2e3612439

Download Submit
C:\Users\Admin\AppData\Local\Temp\CNPlayer\Install\CNPSetup.exe
Filesize
133KB

MD5
c0035aa82f5d924c21c3bbac52658739

SHA1
c578629a2cdaca24647fba2dc9c865d17a253273

SHA256
3adcad0f95848e122e5c5249e33cc16f3275d512391ee8c14453c51b12661582

SHA512
408b910eedfba0bbc2856dcfdcf782d13c8205e82a577e703d964eed07aadbcaa2cf4759320c5dd1f9db8601c2cad7ec3e1a3d13d94928b148f187c2e3612439

Download Submit
C:\Users\Admin\AppData\Local\Temp\cnplayer_temp.exe
Filesize
3.2MB

MD5
bb00aa4707db6ae595f753af7cf20104

SHA1
179da0cc964abf81f30de60d77a4d52f3b7b377d

SHA256
95a4b67500517b371e9aaad2d25705d2aa131aa21e02e971f3de7677994b1750

SHA512
5d2533ca339d0b825b67e848947f70e9b4b4ee9214ef28b8b8aba4f6f2344473317ee25455f3b2d31da3136e942227bf93a6631f05cea5b2a72dd60267b6f7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cnplayer_temp.exe
Filesize
3.2MB

MD5
bb00aa4707db6ae595f753af7cf20104

SHA1
179da0cc964abf81f30de60d77a4d52f3b7b377d

SHA256
95a4b67500517b371e9aaad2d25705d2aa131aa21e02e971f3de7677994b1750

SHA512
5d2533ca339d0b825b67e848947f70e9b4b4ee9214ef28b8b8aba4f6f2344473317ee25455f3b2d31da3136e942227bf93a6631f05cea5b2a72dd60267b6f7f0

Download Submit
\Program Files (x86)\CNPlayer\CNPAgent.546.dll
Filesize
159KB

MD5
90ee9753702b077c726dc386573e5208

SHA1
6f5d1af8c220589dab09e9e9686c0c7ed1818592

SHA256
d8d4649f49d1b0e05ac5c507428436e7cd0101f5cbae2cc2f814358b93607a4f

SHA512
b41082d3efd201da060fe1c6ba4b84d042b2745f0b54051f5c3ea5adccaf0ed18f61bf67b5d0c73dadf99096e5004fdf3bf58284ad7a4f25913419c6153623a0

Download Submit
\Program Files (x86)\CNPlayer\CNPAgent.dll
Filesize
159KB

MD5
90ee9753702b077c726dc386573e5208

SHA1
6f5d1af8c220589dab09e9e9686c0c7ed1818592

SHA256
d8d4649f49d1b0e05ac5c507428436e7cd0101f5cbae2cc2f814358b93607a4f

SHA512
b41082d3efd201da060fe1c6ba4b84d042b2745f0b54051f5c3ea5adccaf0ed18f61bf67b5d0c73dadf99096e5004fdf3bf58284ad7a4f25913419c6153623a0

Download Submit
\Program Files (x86)\CNPlayer\ShoppingHelper.dll
Filesize
308KB

MD5
f835adf47b51c5a0144de157c9756864

SHA1
577fb36e0119ea29793d306e7937ef016a551687

SHA256
448d41550a6e8c82dcf6372e6bd99912c7a194f104fd11d31374209b203dd2c9

SHA512
186d190729c07dae3f31298e4884470c35bd39faa6d8abac330d53ccbf696663949ac62115f58c22133c18c19f67f5ccf00aa5f535286025238328454c468745

Download Submit
\Program Files (x86)\CNPlayer\Uninst.exe
Filesize
82KB

MD5
c73f4ad23016d26a5952a21f6302ebb0

SHA1
a23922d17f9962353dc10767b1a23314e9f3d2b7

SHA256
9983f9bfbb8ca92da99c3dab21eed9444f29df4f88a414a762827b620f5d03ce

SHA512
812e81e9d873db3a6fff0216aac78713b14be2ecee8c5d9ba369f323ee9bff2bcc668b99b7bb1a4afbc60425eedca15e3630a6b334d4134a76fbc8adc8042983

Download Submit
\Program Files (x86)\CNPlayer\atl71.dll
Filesize
87KB

MD5
1f1d608abcc34ca2a5369c95b47605f0

SHA1
3340aa7ba25c25ce8cd3fd657aa6b04fb8319099

SHA256
3d116a14cfc3723257521ea309ef1fb3c950691756a89a839df3f8dbfbae56be

SHA512
a76532a8ce8055314bf1da6f8f3d8eda051457560f9c5ee9b2ea75c2da71830d6da0cc180661d51ba5080837198bc669124c89d88c71440018021a54c1d7ad16

Download Submit
\Program Files (x86)\CNPlayer\cn_player.dll
Filesize
258KB

MD5
9492026dc404d27d3250767306f794df

SHA1
0228647d06ed547fa77ccd3c9002688936b6b662

SHA256
7b468de05794f4a44dd4057cd14edc8b0f3965cdfa61e964f72051b111aa93f0

SHA512
389f043379514eeed04018091a22b03bfcd7ea7db8f79168bef5423d7ff086bcdf728496f232d70691dbdd1db44cfc0408023329b4790e5a3d9809ae05b7a95a

Download Submit
\Program Files (x86)\CNPlayer\cn_player.dll
Filesize
258KB

MD5
9492026dc404d27d3250767306f794df

SHA1
0228647d06ed547fa77ccd3c9002688936b6b662

SHA256
7b468de05794f4a44dd4057cd14edc8b0f3965cdfa61e964f72051b111aa93f0

SHA512
389f043379514eeed04018091a22b03bfcd7ea7db8f79168bef5423d7ff086bcdf728496f232d70691dbdd1db44cfc0408023329b4790e5a3d9809ae05b7a95a

Download Submit
\Program Files (x86)\CNPlayer\msvcp71.dll
Filesize
488KB

MD5
561fa2abb31dfa8fab762145f81667c2

SHA1
c8ccb04eedac821a13fae314a2435192860c72b8

SHA256
df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b

SHA512
7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43

Download Submit
\Program Files (x86)\CNPlayer\msvcr71.dll
Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
\Program Files (x86)\CNPlayer\tp.exe
Filesize
208KB

MD5
33eb3a96413275fa0c3ace17062ee34a

SHA1
5bb6d1f7fba08d8f0d4cb8b23728b2d1b55c60b9

SHA256
8982b950676e4c21af06ff24756dc567834fb3aacc2de05ee219c76372a5cd9d

SHA512
96cd16a2ab54ad27e0516c85ae72e69d0602f12968e400f18d81e49ea4552dabbb3976e00f435df07ab665b3df2500e9360f84d4287e97feffcd21a7c272adb1

Download Submit
\Program Files (x86)\CNPlayer\tp.exe
Filesize
208KB

MD5
33eb3a96413275fa0c3ace17062ee34a

SHA1
5bb6d1f7fba08d8f0d4cb8b23728b2d1b55c60b9

SHA256
8982b950676e4c21af06ff24756dc567834fb3aacc2de05ee219c76372a5cd9d

SHA512
96cd16a2ab54ad27e0516c85ae72e69d0602f12968e400f18d81e49ea4552dabbb3976e00f435df07ab665b3df2500e9360f84d4287e97feffcd21a7c272adb1

Download Submit
\Users\Admin\AppData\Local\Temp\CNPlayer\Install\CNPSetup.exe
Filesize
133KB

MD5
c0035aa82f5d924c21c3bbac52658739

SHA1
c578629a2cdaca24647fba2dc9c865d17a253273

SHA256
3adcad0f95848e122e5c5249e33cc16f3275d512391ee8c14453c51b12661582

SHA512
408b910eedfba0bbc2856dcfdcf782d13c8205e82a577e703d964eed07aadbcaa2cf4759320c5dd1f9db8601c2cad7ec3e1a3d13d94928b148f187c2e3612439

Download Submit
\Users\Admin\AppData\Local\Temp\CNPlayer\Install\tool\EventHelper.dll
Filesize
267KB

MD5
21cf2a2da5838a3a59847d0d4ab30d4f

SHA1
08db110df6cdfeb6c1e2f1939d4ac2d841743234

SHA256
91786b30be3dd94ce15e501cbf2fe1009c39b564081954df7a0d9b6eb57e21d5

SHA512
e9df87ff722b1187e6e91d22ac053968df9b0e9ac694b5f9e795aecaa2594fde87779dc5d53f531cac1b011b883e193c091c0db6e758afa6b0fcae77ff397da7

Download Submit
\Users\Admin\AppData\Local\Temp\CNPlayer\Install\tool\atl71.dll
Filesize
87KB

MD5
1f1d608abcc34ca2a5369c95b47605f0

SHA1
3340aa7ba25c25ce8cd3fd657aa6b04fb8319099

SHA256
3d116a14cfc3723257521ea309ef1fb3c950691756a89a839df3f8dbfbae56be

SHA512
a76532a8ce8055314bf1da6f8f3d8eda051457560f9c5ee9b2ea75c2da71830d6da0cc180661d51ba5080837198bc669124c89d88c71440018021a54c1d7ad16

Download Submit
\Users\Admin\AppData\Local\Temp\CNPlayer\Install\tool\libjpeg6b.dll
Filesize
116KB

MD5
42cc9dbec31024bfb017070d699d4ee6

SHA1
27a2edd4ee97e9461696e21dbd5109f8f028f7b8

SHA256
d71ab9343bd05686807feb3c209e9888ffe035fc96559e88d8aeea4527141f0c

SHA512
339e201b006832f5716d84a13459f2aced5eb3906382be712786e6c8da2a5a1e63b58ab749cecdc5d2bfe2de51b63af4881d11bf29a48ebd839b63f8bd4bb169

Download Submit
\Users\Admin\AppData\Local\Temp\CNPlayer\Install\tool\libpng13.dll
Filesize
224KB

MD5
1e1e34be543669a185f52a8589e84e86

SHA1
a1b8d8cb3e32b6c662a05da4129e8fda02c54008

SHA256
cba3b634236d173993e541f789b666d972a5437fecf04fb94036f48fff79611e

SHA512
01dacd238c443bd2e11030d201819b98068b5cccdb0f1acf96582d7538d3a36a5e4087fdbf20d6b41782a854569bdaf67470cc3bb8fb9e663a3089b7307e5f36

Download Submit
\Users\Admin\AppData\Local\Temp\CNPlayer\Install\tool\msscript.ocx
Filesize
100KB

MD5
656524b4401f21e2929b78ef4c36db27

SHA1
d91ff837d6ced5f0442fd0812b6c1079fe417906

SHA256
d493f101ccd1d8804c0981f4fc630718b267d7155bdb575d6f619497956ea44e

SHA512
d28b17c924fb5f172944c055a85003575300305eddbbc4c89460777108c87154622b39515ee1f994d713d790fe5b74a69c835bd00d0affc5292fa0150617c34c

Download Submit
\Users\Admin\AppData\Local\Temp\CNPlayer\Install\tool\msvcp71.dll
Filesize
488KB

MD5
561fa2abb31dfa8fab762145f81667c2

SHA1
c8ccb04eedac821a13fae314a2435192860c72b8

SHA256
df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b

SHA512
7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43

Download Submit
\Users\Admin\AppData\Local\Temp\CNPlayer\Install\tool\msvcr71.dll
Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
\Users\Admin\AppData\Local\Temp\CNPlayer\Install\tool\tool.dll
Filesize
1023KB

MD5
93c91d0163cdf1a0aaa186a5eec2daef

SHA1
abf34fcaa161c0382241e5d20438cade06a66303

SHA256
619d7da7efa8ff53fb2fe1aa17ddd93f7b415541a276cadd1b89d0570af82878

SHA512
6697c10bcf82d5ea932bf99d6509b8c1b884aa9bfb9b6de9092674a5df4cfba92d0b4006de4c05f58ecff431f6c5d6c3c3184f917883e80f093d5a2c1918d53f

Download Submit
\Users\Admin\AppData\Local\Temp\CNPlayer\Install\tool\xl_cximage.dll
Filesize
263KB

MD5
6cf935bb953b9274457384d48a70bb4d

SHA1
234d2fda16e31785adea31e05c92caaad9c5a5de

SHA256
6c5af5bb4659ff7a8666c524e37849f36d8800124846d95570cacd1322993e2f

SHA512
9ec666c4acd911356357304b3ce528f01215e1a81ef0c517d09044da50c23d3d5c440bb787646fcdedf81a181c11d7500c9c1a05f9fe2126dbaab21fbaa80c97

Download Submit
\Users\Admin\AppData\Local\Temp\CNPlayer\Install\tool\zlib1.dll
Filesize
95KB

MD5
e9a32a93b378e0bfd24291a619bd4fa1

SHA1
13520fd7562fa1ea3a2bd5cc59662295ba55d63e

SHA256
84af9d643bdb04b03495eb179e1e590f79fb9940ddceb86979195114a317a932

SHA512
6bd52f796aec3773fbfd404bab503277b8e2326abe9cde8c26945914365f22f92225c0bf834a1d7076499ddd65ec4f5fa2810fa6cea4cb9be7cdc994dd6f1206

Download Submit
\Users\Admin\AppData\Local\Temp\cnplayer_temp.exe
Filesize
3.2MB

MD5
bb00aa4707db6ae595f753af7cf20104

SHA1
179da0cc964abf81f30de60d77a4d52f3b7b377d

SHA256
95a4b67500517b371e9aaad2d25705d2aa131aa21e02e971f3de7677994b1750

SHA512
5d2533ca339d0b825b67e848947f70e9b4b4ee9214ef28b8b8aba4f6f2344473317ee25455f3b2d31da3136e942227bf93a6631f05cea5b2a72dd60267b6f7f0

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2628.tmp\NSISLog.dll
Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2628.tmp\NSISLog.dll
Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2628.tmp\System.dll
Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2628.tmp\Time.dll
Filesize
10KB

MD5
38977533750fe69979b2c2ac801f96e6

SHA1
74643c30cda909e649722ed0c7f267903558e92a

SHA256
b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

SHA512
e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

Download Submit
\Users\Public\Qizhao\ShoppingHelper.2.2.1.150.(546).dll
Filesize
308KB

MD5
f835adf47b51c5a0144de157c9756864

SHA1
577fb36e0119ea29793d306e7937ef016a551687

SHA256
448d41550a6e8c82dcf6372e6bd99912c7a194f104fd11d31374209b203dd2c9

SHA512
186d190729c07dae3f31298e4884470c35bd39faa6d8abac330d53ccbf696663949ac62115f58c22133c18c19f67f5ccf00aa5f535286025238328454c468745

Download Submit
memory/300-68-0x0000000000860000-0x000000000087D000-memory.dmp

Filesize
116KB

Download
memory/300-65-0x0000000000820000-0x0000000000860000-memory.dmp

Filesize
256KB

Download
memory/300-79-0x0000000002E90000-0x0000000002ED4000-memory.dmp

Filesize
272KB

Download
memory/300-71-0x00000000021D0000-0x0000000002209000-memory.dmp

Filesize
228KB

Download
memory/300-74-0x0000000000890000-0x00000000008A6000-memory.dmp

Filesize
88KB

Download
memory/300-60-0x0000000000000000-mapping.dmp

Download
memory/948-129-0x0000000000460000-0x00000000004AF000-memory.dmp

Filesize
316KB

Download
memory/948-116-0x0000000000000000-mapping.dmp

Download
memory/1596-105-0x0000000000400000-0x000000000091F000-memory.dmp

Filesize
5.1MB

Download
memory/1596-54-0x0000000000400000-0x000000000091F000-memory.dmp

Filesize
5.1MB

Download
memory/1596-55-0x00000000767D1000-0x00000000767D3000-memory.dmp

Filesize
8KB

Download
memory/1596-56-0x0000000000A01000-0x0000000000A05000-memory.dmp

Filesize
16KB

Download
memory/1596-58-0x0000000000400000-0x000000000091F000-memory.dmp

Filesize
5.1MB

Download
memory/1744-82-0x0000000000000000-mapping.dmp

Download
memory/1744-88-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/1744-111-0x00000000030D3000-0x00000000030E0000-memory.dmp

Filesize
52KB

Download
memory/1792-122-0x00000000004F0000-0x0000000000551000-memory.dmp

Filesize
388KB

Download
memory/1792-120-0x00000000004F0000-0x0000000000551000-memory.dmp

Filesize
388KB

Download
memory/1792-127-0x00000000004F0000-0x0000000000551000-memory.dmp

Filesize
388KB

Download
memory/1860-102-0x0000000000000000-mapping.dmp

Download