8a9ff9c42361f5d5271b645362a54cf65b2a4e5e3a081fa88484e7045454eb7d

Resubmissions

11/01/2024, 11:39

240111-nsffxafahn 8

10/01/2024, 12:20

10/01/2024, 12:12

15/11/2023, 07:53

23/04/2023, 09:14

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23/04/2023, 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CocCocSetup.exe
Size

985KB
MD5

cd555f9dedb29f37935d063e6e49a6f0
SHA1

c4eaf2cb8c86588cdc45e926a28d664d35856682
SHA256

8a9ff9c42361f5d5271b645362a54cf65b2a4e5e3a081fa88484e7045454eb7d
SHA512

cf0a6a94e281f01d59efa9a7f7b3ff2ea84a83d5461ab42a3e13555f6fcedc313555bac90a35595f81a624fe5ca316efd110bca3c5440391ebd57d67820a3f64
SSDEEP

24576:uyn6Gt4c9YPQBXui4k0vQV55SPNKN8BZ5zAjqvdWABOdbd5c:N63c9YeXuqQQkPnPlWABCB5c

Score

8^/10

persistence

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CocCocUpdate.exe	CocCocUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CocCocUpdate.exe\DisableExceptionChainValidation = "0"	CocCocUpdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	CocCocUpdate.exe

Executes dropped EXE 9 IoCs

pid	Process
1812	CocCocUpdate.exe
3664	CocCocUpdate.exe
2540	CocCocUpdate.exe
4108	CocCocUpdateComRegisterShell64.exe
3392	CocCocUpdateComRegisterShell64.exe
1716	CocCocUpdateComRegisterShell64.exe
512	CocCocUpdate.exe
3628	CocCocUpdate.exe
412	CocCocUpdate.exe

Loads dropped DLL 14 IoCs

pid	Process
1812	CocCocUpdate.exe
3664	CocCocUpdate.exe
2540	CocCocUpdate.exe
4108	CocCocUpdateComRegisterShell64.exe
2540	CocCocUpdate.exe
3392	CocCocUpdateComRegisterShell64.exe
2540	CocCocUpdate.exe
1716	CocCocUpdateComRegisterShell64.exe
2540	CocCocUpdate.exe
512	CocCocUpdate.exe
3628	CocCocUpdate.exe
412	CocCocUpdate.exe
412	CocCocUpdate.exe
3628	CocCocUpdate.exe

Registers COM server for autorun 1 TTPs 31 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2560148E-7680-4457-999A-188115E23484}\InprocServer32\ = "C:\\Program Files (x86)\\CocCoc\\Update\\2.9.1.11\\psmachine_64.dll"	CocCocUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3124620-6D96-42F8-BA39-EEE8E5F387A9}\InProcServer32\ = "C:\\Program Files (x86)\\CocCoc\\Update\\2.9.1.11\\psmachine_64.dll"	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3124620-6D96-42F8-BA39-EEE8E5F387A9}\InProcServer32	CocCocUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBFA21E1-BBB8-46B3-95EB-791E29BA42F3}\InprocServer32	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBFA21E1-BBB8-46B3-95EB-791E29BA42F3}\InprocServer32	CocCocUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2560148E-7680-4457-999A-188115E23484}\InprocServer32	CocCocUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2560148E-7680-4457-999A-188115E23484}\InprocServer32\ = "C:\\Program Files (x86)\\CocCoc\\Update\\2.9.1.11\\psmachine_64.dll"	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3124620-6D96-42F8-BA39-EEE8E5F387A9}\InProcServer32	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2560148E-7680-4457-999A-188115E23484}\InprocServer32	CocCocUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2560148E-7680-4457-999A-188115E23484}\InprocServer32\ThreadingModel = "Both"	CocCocUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3124620-6D96-42F8-BA39-EEE8E5F387A9}\InProcServer32\ = "C:\\Program Files (x86)\\CocCoc\\Update\\2.9.1.11\\psmachine_64.dll"	CocCocUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2560148E-7680-4457-999A-188115E23484}\InprocServer32\ThreadingModel = "Both"	CocCocUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBFA21E1-BBB8-46B3-95EB-791E29BA42F3}\InprocServer32\ = "C:\\Program Files (x86)\\CocCoc\\Update\\2.9.1.11\\psmachine_64.dll"	CocCocUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBFA21E1-BBB8-46B3-95EB-791E29BA42F3}\InprocServer32\ThreadingModel = "Both"	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2560148E-7680-4457-999A-188115E23484}\InprocServer32	CocCocUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBFA21E1-BBB8-46B3-95EB-791E29BA42F3}\InprocServer32\ThreadingModel = "Both"	CocCocUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBFA21E1-BBB8-46B3-95EB-791E29BA42F3}\InprocServer32\ = "C:\\Program Files (x86)\\CocCoc\\Update\\2.9.1.11\\psmachine_64.dll"	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2560148E-7680-4457-999A-188115E23484}\InprocServer32	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3124620-6D96-42F8-BA39-EEE8E5F387A9}\InProcServer32	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBFA21E1-BBB8-46B3-95EB-791E29BA42F3}\InprocServer32	CocCocUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2560148E-7680-4457-999A-188115E23484}\InprocServer32\ = "C:\\Program Files (x86)\\CocCoc\\Update\\2.9.1.11\\psmachine_64.dll"	CocCocUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3124620-6D96-42F8-BA39-EEE8E5F387A9}\InProcServer32\ThreadingModel = "Both"	CocCocUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2560148E-7680-4457-999A-188115E23484}\InprocServer32\ThreadingModel = "Both"	CocCocUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBFA21E1-BBB8-46B3-95EB-791E29BA42F3}\InprocServer32	CocCocUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBFA21E1-BBB8-46B3-95EB-791E29BA42F3}\InprocServer32\ = "C:\\Program Files (x86)\\CocCoc\\Update\\2.9.1.11\\psmachine_64.dll"	CocCocUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBFA21E1-BBB8-46B3-95EB-791E29BA42F3}\InprocServer32\ThreadingModel = "Both"	CocCocUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2560148E-7680-4457-999A-188115E23484}\InprocServer32	CocCocUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3124620-6D96-42F8-BA39-EEE8E5F387A9}\InProcServer32\ThreadingModel = "Both"	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBFA21E1-BBB8-46B3-95EB-791E29BA42F3}\InprocServer32	CocCocUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3124620-6D96-42F8-BA39-EEE8E5F387A9}\InProcServer32\ = "C:\\Program Files (x86)\\CocCoc\\Update\\2.9.1.11\\psmachine_64.dll"	CocCocUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3124620-6D96-42F8-BA39-EEE8E5F387A9}\InProcServer32\ThreadingModel = "Both"	CocCocUpdateComRegisterShell64.exe

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\CocCoc\Update\2.9.1.11\coccocpdateres_en.dll	CocCocUpdate.exe
File created	C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\CocCocUpdate.exe	CocCocSetup.exe
File created	C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\coccocpdate.dll	CocCocSetup.exe
File created	C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\psmachine.dll	CocCocSetup.exe
File created	C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\psuser.dll	CocCocSetup.exe
File created	C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\CocCocUpdateCore.exe	CocCocSetup.exe
File created	C:\Program Files (x86)\CocCoc\Update\2.9.1.11\coccocpdate.dll	CocCocUpdate.exe
File created	C:\Program Files (x86)\CocCoc\Update\2.9.1.11\CocCocCrashHandler64.exe	CocCocUpdate.exe
File created	C:\Program Files (x86)\CocCoc\Update\2.9.1.11\psuser_64.dll	CocCocUpdate.exe
File created	C:\Program Files (x86)\CocCoc\Update\2.9.1.11\CocCocUpdateOnDemand.exe	CocCocUpdate.exe
File created	C:\Program Files (x86)\CocCoc\Update\2.9.1.11\psmachine.dll	CocCocUpdate.exe
File created	C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\psmachine_64.dll	CocCocSetup.exe
File created	C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\coccocpdateres_en.dll	CocCocSetup.exe
File opened for modification	C:\Program Files (x86)\CocCoc\Update\2.9.1.11\CocCocUpdate.exe	CocCocUpdate.exe
File created	C:\Program Files (x86)\CocCoc\Update\2.9.1.11\CocCocUpdateComRegisterShell64.exe	CocCocUpdate.exe
File created	C:\Program Files (x86)\CocCoc\Update\2.9.1.11\psmachine_64.dll	CocCocUpdate.exe
File created	C:\Program Files (x86)\CocCoc\Update\2.9.1.11\CocCocUpdateSetup.exe	CocCocUpdate.exe
File created	C:\Program Files (x86)\CocCoc\Update\2.9.1.11\CocCocUpdateBroker.exe	CocCocUpdate.exe
File created	C:\Program Files (x86)\CocCoc\Update\CocCocUpdate.exe	CocCocUpdate.exe
File opened for modification	C:\Program Files (x86)\CocCoc\Temp\GUT85FE.tmp	CocCocSetup.exe
File created	C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\CocCocCrashHandler64.exe	CocCocSetup.exe
File created	C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\CocCocUpdateOnDemand.exe	CocCocSetup.exe
File created	C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\psuser_64.dll	CocCocSetup.exe
File created	C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\CocCocUpdateSetup.exe	CocCocSetup.exe
File opened for modification	C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\CocCocUpdateSetup.exe	CocCocSetup.exe
File created	C:\Program Files (x86)\CocCoc\Update\2.9.1.11\CocCocUpdateCore.exe	CocCocUpdate.exe
File created	C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\CocCocCrashHandler.exe	CocCocSetup.exe
File created	C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\CocCocUpdateComRegisterShell64.exe	CocCocSetup.exe
File created	C:\Program Files (x86)\CocCoc\Update\2.9.1.11\psuser.dll	CocCocUpdate.exe
File created	C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\CocCocUpdateBroker.exe	CocCocSetup.exe
File created	C:\Program Files (x86)\CocCoc\Update\2.9.1.11\CocCocUpdate.exe	CocCocUpdate.exe
File created	C:\Program Files (x86)\CocCoc\Update\2.9.1.11\CocCocCrashHandler.exe	CocCocUpdate.exe
File created	C:\Program Files (x86)\CocCoc\Update\2.9.1.11\coccocpdateres_vi.dll	CocCocUpdate.exe
File created	C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\coccocpdateres_vi.dll	CocCocSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C03FA994-A3FC-4F46-A162-F02D8049EFB3}	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{37514F9D-A61C-4F73-B94C-56F2B47789EB}	CocCocUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	CocCocUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61C44F32-B764-4629-A9AD-A591E64B2580}\NumMethods\ = "5"	CocCocUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AEB78192-82FD-49B8-ADFB-72A4EF44CF53}\ProxyStubClsid32\ = "{F3124620-6D96-42F8-BA39-EEE8E5F387A9}"	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F0E42375-D761-47E9-B64F-310CEB39F32F}\NumMethods	CocCocUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61C44F32-B764-4629-A9AD-A591E64B2580}	CocCocUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65E9B228-F204-4120-9A17-57A536F60279}\ProgID\ = "CocCocUpdate.OnDemandCOMClassSvc.1.0"	CocCocUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3124620-6D96-42F8-BA39-EEE8E5F387A9}\InProcServer32\ThreadingModel = "Both"	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CocCocUpdate.OnDemandCOMClassMachineFallback.1.0\CLSID	CocCocUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CocCocUpdate.Update3WebMachineFallback\CurVer	CocCocUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7FD24225-816C-4325-B8A3-48E4BA4E6F01}\ProxyStubClsid32\ = "{F3124620-6D96-42F8-BA39-EEE8E5F387A9}"	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3405A-1CA1-4750-A6D9-4ED9BB3A5A59}	CocCocUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CDC22AF6-28C2-4638-9580-F867915A38C4}\NumMethods\ = "17"	CocCocUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE7F68D5-4B90-4CB1-A35E-83A7024A83AA}\NumMethods	CocCocUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2560148E-7680-4457-999A-188115E23484}\InprocServer32\ = "C:\\Program Files (x86)\\CocCoc\\Update\\2.9.1.11\\psmachine_64.dll"	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3C765636-A9B6-457A-B7CA-146B131BE5BD}\NumMethods	CocCocUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AEB78192-82FD-49B8-ADFB-72A4EF44CF53}\ProxyStubClsid32\ = "{F3124620-6D96-42F8-BA39-EEE8E5F387A9}"	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39C205D3-F366-4863-8AED-010180781931}	CocCocUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2560148E-7680-4457-999A-188115E23484}\InprocServer32	CocCocUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3BDCD40-E6F3-4F35-BA05-70D4C0389AE5}\ProxyStubClsid32	CocCocUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F2423F4C-65FB-438D-BBDC-07D15CB094F5}\ = "IPolicyStatus2"	CocCocUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C765636-A9B6-457A-B7CA-146B131BE5BD}\NumMethods	CocCocUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56D89BD1-3C6D-4D41-BAD1-F9ECA194DE72}\ProxyStubClsid32\ = "{F3124620-6D96-42F8-BA39-EEE8E5F387A9}"	CocCocUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ABA164D4-F794-491D-9400-7CA9E6F7EEF6}\ProxyStubClsid32\ = "{F3124620-6D96-42F8-BA39-EEE8E5F387A9}"	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ABA164D4-F794-491D-9400-7CA9E6F7EEF6}\NumMethods	CocCocUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0E95D0FD-DB2F-4BA7-B75E-D396084807BE}\InprocHandler32\ThreadingModel = "Both"	CocCocUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CocCocUpdate.CredentialDialogMachine\CLSID\ = "{7CD86E69-266E-45B6-9BED-EF6FF8789728}"	CocCocUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{761F9E0B-294D-472F-BD97-8AD90AFE1178}\VersionIndependentProgID\ = "CocCocUpdate.Update3WebSvc"	CocCocUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4975912A-17C1-40D4-BCF5-1190E476FE82}\ProxyStubClsid32\ = "{F3124620-6D96-42F8-BA39-EEE8E5F387A9}"	CocCocUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A673FB09-4B52-4BAF-BA9B-4B422531B44E}\ = "IGoogleUpdate3"	CocCocUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA0E8C3A-2E4D-4E10-8AD7-8618C5138480}\NumMethods\ = "9"	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF051BE3-B7D3-4F50-B578-C647DD386940}\NumMethods	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A72E0E76-BF8B-48C8-BC14-DDE8254EBDA9}\NumMethods	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7A78866B-695A-4153-A29F-92B38626E332}\ProxyStubClsid32	CocCocUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AEB78192-82FD-49B8-ADFB-72A4EF44CF53}\NumMethods\ = "16"	CocCocUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{03EFB89B-5FE9-488F-B4E7-D4AC5BC0E207}\ = "IProcessLauncher2"	CocCocUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4975912A-17C1-40D4-BCF5-1190E476FE82}\ = "IGoogleUpdate3Web"	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65E9B228-F204-4120-9A17-57A536F60279}\ProgID	CocCocUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A72E0E76-BF8B-48C8-BC14-DDE8254EBDA9}\NumMethods\ = "11"	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CocCocUpdate.CoreMachineClass.1\CLSID	CocCocUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A72E0E76-BF8B-48C8-BC14-DDE8254EBDA9}\ProxyStubClsid32\ = "{F3124620-6D96-42F8-BA39-EEE8E5F387A9}"	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BEF4B990-4E74-4DC3-BBCA-BDD8E48271B1}	CocCocUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEF4B990-4E74-4DC3-BBCA-BDD8E48271B1}\NumMethods\ = "8"	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F15393EF-1112-41C4-9A24-20C0F0075DC1}	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEF4B990-4E74-4DC3-BBCA-BDD8E48271B1}	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CocCocUpdate.CredentialDialogMachine.1.0	CocCocUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53F9B7E5-DC7B-4C70-87EA-9AE3629CBA75}	CocCocUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3124620-6D96-42F8-BA39-EEE8E5F387A9}\ = "PSFactoryBuffer"	CocCocUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CocCocUpdate.CoreMachineClass\CLSID	CocCocUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98864DB4-F198-41BB-9901-D499B74FAB1C}\ProxyStubClsid32	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A673FB09-4B52-4BAF-BA9B-4B422531B44E}\ProxyStubClsid32	CocCocUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ABA164D4-F794-491D-9400-7CA9E6F7EEF6}\ProxyStubClsid32\ = "{F3124620-6D96-42F8-BA39-EEE8E5F387A9}"	CocCocUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CEDCD5F7-53DB-4F2A-B062-C44D847FC810}\LocalizedString = "@C:\\Program Files (x86)\\CocCoc\\Update\\2.9.1.11\\coccocpdate.dll,-3000"	CocCocUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F0E42375-D761-47E9-B64F-310CEB39F32F}\ProxyStubClsid32	CocCocUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE7F68D5-4B90-4CB1-A35E-83A7024A83AA}\NumMethods\ = "4"	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CocCocUpdate.Update3COMClassService.1.0\CLSID	CocCocUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F0E42375-D761-47E9-B64F-310CEB39F32F}\ProxyStubClsid32	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AEB78192-82FD-49B8-ADFB-72A4EF44CF53}	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2560148E-7680-4457-999A-188115E23484}\InprocServer32	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C765636-A9B6-457A-B7CA-146B131BE5BD}	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3339BB5A-555B-4C33-8D97-15F78BFF5CE1}	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61C44F32-B764-4629-A9AD-A591E64B2580}\ProxyStubClsid32	CocCocUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A72E0E76-BF8B-48C8-BC14-DDE8254EBDA9}	CocCocUpdateComRegisterShell64.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1812	CocCocUpdate.exe
1812	CocCocUpdate.exe
1812	CocCocUpdate.exe
1812	CocCocUpdate.exe
1812	CocCocUpdate.exe
1812	CocCocUpdate.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1812	CocCocUpdate.exe
Token: SeDebugPrivilege	1812	CocCocUpdate.exe
Token: SeDebugPrivilege	1812	CocCocUpdate.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 1812	1168	CocCocSetup.exe	84
PID 1168 wrote to memory of 1812	1168	CocCocSetup.exe	84
PID 1168 wrote to memory of 1812	1168	CocCocSetup.exe	84
PID 1812 wrote to memory of 3664	1812	CocCocUpdate.exe	85
PID 1812 wrote to memory of 3664	1812	CocCocUpdate.exe	85
PID 1812 wrote to memory of 3664	1812	CocCocUpdate.exe	85
PID 1812 wrote to memory of 2540	1812	CocCocUpdate.exe	86
PID 1812 wrote to memory of 2540	1812	CocCocUpdate.exe	86
PID 1812 wrote to memory of 2540	1812	CocCocUpdate.exe	86
PID 2540 wrote to memory of 4108	2540	CocCocUpdate.exe	87
PID 2540 wrote to memory of 4108	2540	CocCocUpdate.exe	87
PID 2540 wrote to memory of 3392	2540	CocCocUpdate.exe	88
PID 2540 wrote to memory of 3392	2540	CocCocUpdate.exe	88
PID 2540 wrote to memory of 1716	2540	CocCocUpdate.exe	89
PID 2540 wrote to memory of 1716	2540	CocCocUpdate.exe	89
PID 1812 wrote to memory of 512	1812	CocCocUpdate.exe	90
PID 1812 wrote to memory of 512	1812	CocCocUpdate.exe	90
PID 1812 wrote to memory of 512	1812	CocCocUpdate.exe	90
PID 1812 wrote to memory of 3628	1812	CocCocUpdate.exe	91
PID 1812 wrote to memory of 3628	1812	CocCocUpdate.exe	91
PID 1812 wrote to memory of 3628	1812	CocCocUpdate.exe	91

C:\Users\Admin\AppData\Local\Temp\CocCocSetup.exe
"C:\Users\Admin\AppData\Local\Temp\CocCocSetup.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\CocCocUpdate.exe
  "C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\CocCocUpdate.exe" /installsource taggedmi /install "appguid={C0CC0CBB-47DD-46FF-A04D-7011A06486E1}&appname=C%E1%BB%91c%20C%E1%BB%91c&needsadmin=prefers&usagestats=1&lang=vi&client={XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}&brand=XXXX&ap=arch_x64"
  2⤵
  - Sets file execution options in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Program Files (x86)\CocCoc\Update\CocCocUpdate.exe
    "C:\Program Files (x86)\CocCoc\Update\CocCocUpdate.exe" /regsvc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:3664
- - C:\Program Files (x86)\CocCoc\Update\CocCocUpdate.exe
    "C:\Program Files (x86)\CocCoc\Update\CocCocUpdate.exe" /regserver
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Program Files (x86)\CocCoc\Update\2.9.1.11\CocCocUpdateComRegisterShell64.exe
      "C:\Program Files (x86)\CocCoc\Update\2.9.1.11\CocCocUpdateComRegisterShell64.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:4108
  - - C:\Program Files (x86)\CocCoc\Update\2.9.1.11\CocCocUpdateComRegisterShell64.exe
      "C:\Program Files (x86)\CocCoc\Update\2.9.1.11\CocCocUpdateComRegisterShell64.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:3392
  - - C:\Program Files (x86)\CocCoc\Update\2.9.1.11\CocCocUpdateComRegisterShell64.exe
      "C:\Program Files (x86)\CocCoc\Update\2.9.1.11\CocCocUpdateComRegisterShell64.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:1716
- - C:\Program Files (x86)\CocCoc\Update\CocCocUpdate.exe
    "C:\Program Files (x86)\CocCoc\Update\CocCocUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjIuOS4xLjExIiBzaGVsbF92ZXJzaW9uPSIyLjkuMS4xMSIgaXNtYWNoaW5lPSIxIiBzZXNzaW9uaWQ9IntGNkQ4MEVCMi1GOTJELTRGQjUtQjRGQy0xNjlCRkRCN0YzRjZ9IiB1c2VyaWQ9IjkzNEQxRURDLTNDRDQtNEMxRi05MERBLTczN0Y3NjlCNTkwNCIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezE2NjNCMjJELUE0RkEtNDA5NC1BMDlGLTY0NTVGRTg5NDQ4Q30iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iOCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMi45LjEuMTEiIGxhbmc9InZpIiBicmFuZD0iWFhYWCIgY2xpZW50PSJ7WFhYWFhYWFgtWFhYWC1YWFhYLVhYWFgtWFhYWFhYWFhYWFhYfSI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSIxNDA2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:512
- - C:\Program Files (x86)\CocCoc\Update\CocCocUpdate.exe
    "C:\Program Files (x86)\CocCoc\Update\CocCocUpdate.exe" /handoff "appguid={C0CC0CBB-47DD-46FF-A04D-7011A06486E1}&appname=C%E1%BB%91c%20C%E1%BB%91c&needsadmin=prefers&usagestats=1&lang=vi&client={XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}&brand=XXXX&ap=arch_x64" /installsource taggedmi /sessionid "{F6D80EB2-F92D-4FB5-B4FC-169BFDB7F3F6}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3628

C:\Program Files (x86)\CocCoc\Update\CocCocUpdate.exe
"C:\Program Files (x86)\CocCoc\Update\CocCocUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\CocCocCrashHandler.exe

Filesize
284KB

MD5
91a739dd2dc03a05c292842063fc2886

SHA1
2ce2176364f8cf5ea2646474f3bad2536418433f

SHA256
b2d63af3a9913bf317ee2cc3f43993745a69421c5cae1a36601b09910a8206cb

SHA512
ce664bb90f2b14dbf16628b8c029183cdeabb574994354c148f6e264591d18042dad698202e3fea611a529e3d2a5c0b2cae90613c9a5f7923e6f92df4706594c

Download Submit
C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\CocCocCrashHandler64.exe

Filesize
356KB

MD5
c3b2ebc44982b86287f8394d97daeab8

SHA1
56764c5525905c2192128b4e6120c5b95138fa15

SHA256
59ac2e278e3c12edb030db1c9a44d4667f2955c2a0e44bf431cb8d24de3628cc

SHA512
0b58bd61c064a0616d9b07cdc2e0233b99f0162717b641beba0afc3c5403bc1454b2040a10a6b4d2dc200ed35f957f4bc798e50e42b49791be349b7c2feeb18d

Download Submit
C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\CocCocUpdate.exe

Filesize
114KB

MD5
77d51803a8b7dcb8d58efb21d77a62d2

SHA1
cdcfb110fa562419b0bbb96207d3ae1cb55bb834

SHA256
24a850f15a023f59389bf8fd1c33796cf3a5d8d08f77dda049d1c978a1825dde

SHA512
a67517e66a60d874a81a60ce433071010234ecf86a5c581fc356062adf136a6b322a922ab789f823175facaa0936226326e39a6632f6b45fbbfc30400ba4c6a3

Download Submit
C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\CocCocUpdate.exe

Filesize
114KB

MD5
77d51803a8b7dcb8d58efb21d77a62d2

SHA1
cdcfb110fa562419b0bbb96207d3ae1cb55bb834

SHA256
24a850f15a023f59389bf8fd1c33796cf3a5d8d08f77dda049d1c978a1825dde

SHA512
a67517e66a60d874a81a60ce433071010234ecf86a5c581fc356062adf136a6b322a922ab789f823175facaa0936226326e39a6632f6b45fbbfc30400ba4c6a3

Download Submit
C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\CocCocUpdateBroker.exe

Filesize
96KB

MD5
004704b169392a67252d238ba15fc562

SHA1
39f373d5f36d609115ff66d5380e9a4ead162a8d

SHA256
5cb1f179cd2638afd5e44ca4f95d6c6510ad718dc4f31c0a41a90cb0979b36e5

SHA512
489471fbbae7a353e43defbaefb1a8605b452dd2b1864b7c771b17b0bcddf96ae1438364922fed0cb9bd4e696357e1bafdd5cefbe5af4e605144236d41d57e68

Download Submit
C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\CocCocUpdateComRegisterShell64.exe

Filesize
175KB

MD5
ea327f0ec955c01b3c3b384324e69c08

SHA1
97651752395a12a75a9e65e68bbb881c2916c589

SHA256
5b3f3b6f9946b8c7649d8a96869543db1b56a0626fb0f604e88aae8ec3ac9f5e

SHA512
b47f3a3c72b2175fd07a478942eadcd4ade2ead81e84e252a90590d8a55ee5dc7fab521e146f404f54d952c1e7aad8fbbbeb48b345ef12850414b0d19f30c568

Download Submit
C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\CocCocUpdateCore.exe

Filesize
210KB

MD5
9287e4adfc59a3594c424d060470937e

SHA1
6dee7a2aed9df21ef039d1d0e47e6def0e8ea981

SHA256
2ee666029c9ff654a59e7d020ff916adc08e36546e2607715ace94ed05a223f7

SHA512
04a05e58c13e90a1765bc36d2ca3e04483539b3c8d08227a2e7555e586257eebe3058569c4bc51a62cc2943e5e092cc19397eae04754bab7b92ed180731a836a

Download Submit
C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\CocCocUpdateOnDemand.exe

Filesize
96KB

MD5
b86d3b6fe21dd53355c3e01adbc022ae

SHA1
dced13046663263508e12f1ba1a3d5509263a7cd

SHA256
8b0485bbd66b4243a2647be2be724b5bafeb13121819f462c0f5f0706d93be20

SHA512
a17d8039e01268145ffa4f8fc72ed5aab1e1f429c018c281fda4e133f479b3b8b399391def8c15b5bc0e6106a98954239580c8af7caf6e4476e5fdb1e85239dc

Download Submit
C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\CocCocUpdateSetup.exe

Filesize
985KB

MD5
cd555f9dedb29f37935d063e6e49a6f0

SHA1
c4eaf2cb8c86588cdc45e926a28d664d35856682

SHA256
8a9ff9c42361f5d5271b645362a54cf65b2a4e5e3a081fa88484e7045454eb7d

SHA512
cf0a6a94e281f01d59efa9a7f7b3ff2ea84a83d5461ab42a3e13555f6fcedc313555bac90a35595f81a624fe5ca316efd110bca3c5440391ebd57d67820a3f64

Download Submit
C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\coccocpdate.dll

Filesize
1.1MB

MD5
833bad514bbae67f27134bdb706a7b40

SHA1
45cdd7a3fb0a8c88f3e965e2c6054a3fdcb0207f

SHA256
0ff521c04a3554e0432a6ad029946f26d69252acd1b4e63a35fceb58b70ffd49

SHA512
cd2d8af17f684ed66adcfb937db9270bd01ee754985ea3023943e6de7ee8d5b33985d20a1d2ec5c7444dd21a92e3dacdc46336b74395569dd1d9ba119cdd5ed8

Download Submit
C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\coccocpdate.dll

Filesize
1.1MB

MD5
833bad514bbae67f27134bdb706a7b40

SHA1
45cdd7a3fb0a8c88f3e965e2c6054a3fdcb0207f

SHA256
0ff521c04a3554e0432a6ad029946f26d69252acd1b4e63a35fceb58b70ffd49

SHA512
cd2d8af17f684ed66adcfb937db9270bd01ee754985ea3023943e6de7ee8d5b33985d20a1d2ec5c7444dd21a92e3dacdc46336b74395569dd1d9ba119cdd5ed8

Download Submit
C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\coccocpdateres_en.dll

Filesize
847KB

MD5
6a572d7bd47c4c53947da163a871e993

SHA1
95024181814b309e895e25baa708b0ddc779f09e

SHA256
5122416a179a6549d5fea3d9bc90685727369e42c1a217e32ab79592949ed977

SHA512
9696e2bf334d378b4b1a865d9ff5fd3224b258f793ad20b75bcf6ce3e4ca91c39910b829a70a1ffaad58b905faae3645e1212b50bdb7fa865009d0e18f359e0b

Download Submit
C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\coccocpdateres_vi.dll

Filesize
848KB

MD5
e4352d7213b524795a0aa1220c670465

SHA1
f55fce12fb141ec283101e940ea3c3b845d95ee4

SHA256
75d4f634fbd48ddf5d13698dbaeb0d3ed477d285ae5d3d2be547891f58187b1b

SHA512
cc0af3958c67e0c113dfc67648e327ba4ac5fcebaf8a00c2662a5c993c3b77350950568bf6fb37ac1c3efcd9aa5f8575b535adef7d933eac984f7a734d9811fc

Download Submit
C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\psmachine.dll

Filesize
268KB

MD5
ecf4364a3aea05bca4576319b96f932c

SHA1
f901e7070877bcf7d370032912e23863a8bf1924

SHA256
282136c590bb5edda854bafa41a4083fee498a42a754e7828cde5ddfcb87a298

SHA512
2ba37f2e0fc2ee26696fe28d298dfbd1268bb8fe8601c4274243242a54147f05f8e164e549c4d987bacd04b4200fb3e07b18cab7069f25b36740efa2c240a644

Download Submit
C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\psmachine_64.dll

Filesize
326KB

MD5
42ce02da0f1b95776b0182ffa5f9ddab

SHA1
3474545abce3b4f2660d4791d30494b3622e01bb

SHA256
3fe1497c8971c1b369a0dd1136914dbbececf80e6be9450b80be44a9442bde07

SHA512
0bff557ed392bf4c65210a615a8de2d1785ebd0bf9a568ef3df7bd09baa35eabb4c3e285c166591c38cba0b57841f5341c7e87e5ce792e6ec077b9c2cf662841

Download Submit
C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\psuser.dll

Filesize
268KB

MD5
1f94181c0633d32a3f8d99824a5c4657

SHA1
873227a568b4b3cfbb317dcdb2a79a876e9a7703

SHA256
fcb9f15a1923ec7605e759e0767f85a327ef9934febbb02745bd945f346eaf67

SHA512
1d1ee96d4d892ef94c7df0ce51285b5f2990e402bcd9d0930da25ed6030db6f9501fec3321f9b20568df0845a488a07e2727227211ce4e068572bccc758ba5fe

Download Submit
C:\Program Files (x86)\CocCoc\Temp\GUM85FD.tmp\psuser_64.dll

Filesize
326KB

MD5
05e7728b177f42f0d4adaf917106ba4d

SHA1
b075dff89d538639323d204ba8c44c597b404541

SHA256
b0d19bf8ff141e3655a310d402038f6c887ff12135741327324d225859b49a1a

SHA512
9cfde285f914877f303a020b3554b60cfc6255e2b2c57332bf4b515859413dc5b730fe62ed3b340c1801b871def6347a26e8dd19fa02622e55ab510e5d07c380

Download Submit
C:\Program Files (x86)\CocCoc\Update\2.9.1.11\CocCocUpdateComRegisterShell64.exe

Filesize
175KB

MD5
ea327f0ec955c01b3c3b384324e69c08

SHA1
97651752395a12a75a9e65e68bbb881c2916c589

SHA256
5b3f3b6f9946b8c7649d8a96869543db1b56a0626fb0f604e88aae8ec3ac9f5e

SHA512
b47f3a3c72b2175fd07a478942eadcd4ade2ead81e84e252a90590d8a55ee5dc7fab521e146f404f54d952c1e7aad8fbbbeb48b345ef12850414b0d19f30c568

Download Submit
C:\Program Files (x86)\CocCoc\Update\2.9.1.11\CocCocUpdateComRegisterShell64.exe

Filesize
175KB

MD5
ea327f0ec955c01b3c3b384324e69c08

SHA1
97651752395a12a75a9e65e68bbb881c2916c589

SHA256
5b3f3b6f9946b8c7649d8a96869543db1b56a0626fb0f604e88aae8ec3ac9f5e

SHA512
b47f3a3c72b2175fd07a478942eadcd4ade2ead81e84e252a90590d8a55ee5dc7fab521e146f404f54d952c1e7aad8fbbbeb48b345ef12850414b0d19f30c568

Download Submit
C:\Program Files (x86)\CocCoc\Update\2.9.1.11\CocCocUpdateComRegisterShell64.exe

Filesize
175KB

MD5
ea327f0ec955c01b3c3b384324e69c08

SHA1
97651752395a12a75a9e65e68bbb881c2916c589

SHA256
5b3f3b6f9946b8c7649d8a96869543db1b56a0626fb0f604e88aae8ec3ac9f5e

SHA512
b47f3a3c72b2175fd07a478942eadcd4ade2ead81e84e252a90590d8a55ee5dc7fab521e146f404f54d952c1e7aad8fbbbeb48b345ef12850414b0d19f30c568

Download Submit
C:\Program Files (x86)\CocCoc\Update\2.9.1.11\CocCocUpdateComRegisterShell64.exe

Filesize
175KB

MD5
ea327f0ec955c01b3c3b384324e69c08

SHA1
97651752395a12a75a9e65e68bbb881c2916c589

SHA256
5b3f3b6f9946b8c7649d8a96869543db1b56a0626fb0f604e88aae8ec3ac9f5e

SHA512
b47f3a3c72b2175fd07a478942eadcd4ade2ead81e84e252a90590d8a55ee5dc7fab521e146f404f54d952c1e7aad8fbbbeb48b345ef12850414b0d19f30c568

Download Submit
C:\Program Files (x86)\CocCoc\Update\2.9.1.11\coccocpdate.dll

Filesize
1.1MB

MD5
833bad514bbae67f27134bdb706a7b40

SHA1
45cdd7a3fb0a8c88f3e965e2c6054a3fdcb0207f

SHA256
0ff521c04a3554e0432a6ad029946f26d69252acd1b4e63a35fceb58b70ffd49

SHA512
cd2d8af17f684ed66adcfb937db9270bd01ee754985ea3023943e6de7ee8d5b33985d20a1d2ec5c7444dd21a92e3dacdc46336b74395569dd1d9ba119cdd5ed8

Download Submit
C:\Program Files (x86)\CocCoc\Update\2.9.1.11\coccocpdate.dll

Filesize
1.1MB

MD5
833bad514bbae67f27134bdb706a7b40

SHA1
45cdd7a3fb0a8c88f3e965e2c6054a3fdcb0207f

SHA256
0ff521c04a3554e0432a6ad029946f26d69252acd1b4e63a35fceb58b70ffd49

SHA512
cd2d8af17f684ed66adcfb937db9270bd01ee754985ea3023943e6de7ee8d5b33985d20a1d2ec5c7444dd21a92e3dacdc46336b74395569dd1d9ba119cdd5ed8

Download Submit
C:\Program Files (x86)\CocCoc\Update\2.9.1.11\coccocpdate.dll

Filesize
1.1MB

MD5
833bad514bbae67f27134bdb706a7b40

SHA1
45cdd7a3fb0a8c88f3e965e2c6054a3fdcb0207f

SHA256
0ff521c04a3554e0432a6ad029946f26d69252acd1b4e63a35fceb58b70ffd49

SHA512
cd2d8af17f684ed66adcfb937db9270bd01ee754985ea3023943e6de7ee8d5b33985d20a1d2ec5c7444dd21a92e3dacdc46336b74395569dd1d9ba119cdd5ed8

Download Submit
C:\Program Files (x86)\CocCoc\Update\2.9.1.11\coccocpdate.dll

Filesize
1.1MB

MD5
833bad514bbae67f27134bdb706a7b40

SHA1
45cdd7a3fb0a8c88f3e965e2c6054a3fdcb0207f

SHA256
0ff521c04a3554e0432a6ad029946f26d69252acd1b4e63a35fceb58b70ffd49

SHA512
cd2d8af17f684ed66adcfb937db9270bd01ee754985ea3023943e6de7ee8d5b33985d20a1d2ec5c7444dd21a92e3dacdc46336b74395569dd1d9ba119cdd5ed8

Download Submit
C:\Program Files (x86)\CocCoc\Update\2.9.1.11\coccocpdate.dll

Filesize
1.1MB

MD5
833bad514bbae67f27134bdb706a7b40

SHA1
45cdd7a3fb0a8c88f3e965e2c6054a3fdcb0207f

SHA256
0ff521c04a3554e0432a6ad029946f26d69252acd1b4e63a35fceb58b70ffd49

SHA512
cd2d8af17f684ed66adcfb937db9270bd01ee754985ea3023943e6de7ee8d5b33985d20a1d2ec5c7444dd21a92e3dacdc46336b74395569dd1d9ba119cdd5ed8

Download Submit
C:\Program Files (x86)\CocCoc\Update\2.9.1.11\coccocpdate.dll

Filesize
1.1MB

MD5
833bad514bbae67f27134bdb706a7b40

SHA1
45cdd7a3fb0a8c88f3e965e2c6054a3fdcb0207f

SHA256
0ff521c04a3554e0432a6ad029946f26d69252acd1b4e63a35fceb58b70ffd49

SHA512
cd2d8af17f684ed66adcfb937db9270bd01ee754985ea3023943e6de7ee8d5b33985d20a1d2ec5c7444dd21a92e3dacdc46336b74395569dd1d9ba119cdd5ed8

Download Submit
C:\Program Files (x86)\CocCoc\Update\2.9.1.11\coccocpdateres_en.dll

Filesize
847KB

MD5
6a572d7bd47c4c53947da163a871e993

SHA1
95024181814b309e895e25baa708b0ddc779f09e

SHA256
5122416a179a6549d5fea3d9bc90685727369e42c1a217e32ab79592949ed977

SHA512
9696e2bf334d378b4b1a865d9ff5fd3224b258f793ad20b75bcf6ce3e4ca91c39910b829a70a1ffaad58b905faae3645e1212b50bdb7fa865009d0e18f359e0b

Download Submit
C:\Program Files (x86)\CocCoc\Update\2.9.1.11\coccocpdateres_vi.dll

Filesize
848KB

MD5
e4352d7213b524795a0aa1220c670465

SHA1
f55fce12fb141ec283101e940ea3c3b845d95ee4

SHA256
75d4f634fbd48ddf5d13698dbaeb0d3ed477d285ae5d3d2be547891f58187b1b

SHA512
cc0af3958c67e0c113dfc67648e327ba4ac5fcebaf8a00c2662a5c993c3b77350950568bf6fb37ac1c3efcd9aa5f8575b535adef7d933eac984f7a734d9811fc

Download Submit
C:\Program Files (x86)\CocCoc\Update\2.9.1.11\psmachine.dll

Filesize
268KB

MD5
ecf4364a3aea05bca4576319b96f932c

SHA1
f901e7070877bcf7d370032912e23863a8bf1924

SHA256
282136c590bb5edda854bafa41a4083fee498a42a754e7828cde5ddfcb87a298

SHA512
2ba37f2e0fc2ee26696fe28d298dfbd1268bb8fe8601c4274243242a54147f05f8e164e549c4d987bacd04b4200fb3e07b18cab7069f25b36740efa2c240a644

Download Submit
C:\Program Files (x86)\CocCoc\Update\2.9.1.11\psmachine.dll

Filesize
268KB

MD5
ecf4364a3aea05bca4576319b96f932c

SHA1
f901e7070877bcf7d370032912e23863a8bf1924

SHA256
282136c590bb5edda854bafa41a4083fee498a42a754e7828cde5ddfcb87a298

SHA512
2ba37f2e0fc2ee26696fe28d298dfbd1268bb8fe8601c4274243242a54147f05f8e164e549c4d987bacd04b4200fb3e07b18cab7069f25b36740efa2c240a644

Download Submit
C:\Program Files (x86)\CocCoc\Update\2.9.1.11\psmachine.dll

Filesize
268KB

MD5
ecf4364a3aea05bca4576319b96f932c

SHA1
f901e7070877bcf7d370032912e23863a8bf1924

SHA256
282136c590bb5edda854bafa41a4083fee498a42a754e7828cde5ddfcb87a298

SHA512
2ba37f2e0fc2ee26696fe28d298dfbd1268bb8fe8601c4274243242a54147f05f8e164e549c4d987bacd04b4200fb3e07b18cab7069f25b36740efa2c240a644

Download Submit
C:\Program Files (x86)\CocCoc\Update\2.9.1.11\psmachine.dll

Filesize
268KB

MD5
ecf4364a3aea05bca4576319b96f932c

SHA1
f901e7070877bcf7d370032912e23863a8bf1924

SHA256
282136c590bb5edda854bafa41a4083fee498a42a754e7828cde5ddfcb87a298

SHA512
2ba37f2e0fc2ee26696fe28d298dfbd1268bb8fe8601c4274243242a54147f05f8e164e549c4d987bacd04b4200fb3e07b18cab7069f25b36740efa2c240a644

Download Submit
C:\Program Files (x86)\CocCoc\Update\2.9.1.11\psmachine.dll

Filesize
268KB

MD5
ecf4364a3aea05bca4576319b96f932c

SHA1
f901e7070877bcf7d370032912e23863a8bf1924

SHA256
282136c590bb5edda854bafa41a4083fee498a42a754e7828cde5ddfcb87a298

SHA512
2ba37f2e0fc2ee26696fe28d298dfbd1268bb8fe8601c4274243242a54147f05f8e164e549c4d987bacd04b4200fb3e07b18cab7069f25b36740efa2c240a644

Download Submit
C:\Program Files (x86)\CocCoc\Update\2.9.1.11\psmachine.dll

Filesize
268KB

MD5
ecf4364a3aea05bca4576319b96f932c

SHA1
f901e7070877bcf7d370032912e23863a8bf1924

SHA256
282136c590bb5edda854bafa41a4083fee498a42a754e7828cde5ddfcb87a298

SHA512
2ba37f2e0fc2ee26696fe28d298dfbd1268bb8fe8601c4274243242a54147f05f8e164e549c4d987bacd04b4200fb3e07b18cab7069f25b36740efa2c240a644

Download Submit
C:\Program Files (x86)\CocCoc\Update\2.9.1.11\psmachine_64.dll

Filesize
326KB

MD5
42ce02da0f1b95776b0182ffa5f9ddab

SHA1
3474545abce3b4f2660d4791d30494b3622e01bb

SHA256
3fe1497c8971c1b369a0dd1136914dbbececf80e6be9450b80be44a9442bde07

SHA512
0bff557ed392bf4c65210a615a8de2d1785ebd0bf9a568ef3df7bd09baa35eabb4c3e285c166591c38cba0b57841f5341c7e87e5ce792e6ec077b9c2cf662841

Download Submit
C:\Program Files (x86)\CocCoc\Update\2.9.1.11\psmachine_64.dll

Filesize
326KB

MD5
42ce02da0f1b95776b0182ffa5f9ddab

SHA1
3474545abce3b4f2660d4791d30494b3622e01bb

SHA256
3fe1497c8971c1b369a0dd1136914dbbececf80e6be9450b80be44a9442bde07

SHA512
0bff557ed392bf4c65210a615a8de2d1785ebd0bf9a568ef3df7bd09baa35eabb4c3e285c166591c38cba0b57841f5341c7e87e5ce792e6ec077b9c2cf662841

Download Submit
C:\Program Files (x86)\CocCoc\Update\2.9.1.11\psmachine_64.dll

Filesize
326KB

MD5
42ce02da0f1b95776b0182ffa5f9ddab

SHA1
3474545abce3b4f2660d4791d30494b3622e01bb

SHA256
3fe1497c8971c1b369a0dd1136914dbbececf80e6be9450b80be44a9442bde07

SHA512
0bff557ed392bf4c65210a615a8de2d1785ebd0bf9a568ef3df7bd09baa35eabb4c3e285c166591c38cba0b57841f5341c7e87e5ce792e6ec077b9c2cf662841

Download Submit
C:\Program Files (x86)\CocCoc\Update\2.9.1.11\psmachine_64.dll

Filesize
326KB

MD5
42ce02da0f1b95776b0182ffa5f9ddab

SHA1
3474545abce3b4f2660d4791d30494b3622e01bb

SHA256
3fe1497c8971c1b369a0dd1136914dbbececf80e6be9450b80be44a9442bde07

SHA512
0bff557ed392bf4c65210a615a8de2d1785ebd0bf9a568ef3df7bd09baa35eabb4c3e285c166591c38cba0b57841f5341c7e87e5ce792e6ec077b9c2cf662841

Download Submit
C:\Program Files (x86)\CocCoc\Update\CocCocUpdate.exe

Filesize
114KB

MD5
77d51803a8b7dcb8d58efb21d77a62d2

SHA1
cdcfb110fa562419b0bbb96207d3ae1cb55bb834

SHA256
24a850f15a023f59389bf8fd1c33796cf3a5d8d08f77dda049d1c978a1825dde

SHA512
a67517e66a60d874a81a60ce433071010234ecf86a5c581fc356062adf136a6b322a922ab789f823175facaa0936226326e39a6632f6b45fbbfc30400ba4c6a3

Download Submit
C:\Program Files (x86)\CocCoc\Update\CocCocUpdate.exe

Filesize
114KB

MD5
77d51803a8b7dcb8d58efb21d77a62d2

SHA1
cdcfb110fa562419b0bbb96207d3ae1cb55bb834

SHA256
24a850f15a023f59389bf8fd1c33796cf3a5d8d08f77dda049d1c978a1825dde

SHA512
a67517e66a60d874a81a60ce433071010234ecf86a5c581fc356062adf136a6b322a922ab789f823175facaa0936226326e39a6632f6b45fbbfc30400ba4c6a3

Download Submit
C:\Program Files (x86)\CocCoc\Update\CocCocUpdate.exe

Filesize
114KB

MD5
77d51803a8b7dcb8d58efb21d77a62d2

SHA1
cdcfb110fa562419b0bbb96207d3ae1cb55bb834

SHA256
24a850f15a023f59389bf8fd1c33796cf3a5d8d08f77dda049d1c978a1825dde

SHA512
a67517e66a60d874a81a60ce433071010234ecf86a5c581fc356062adf136a6b322a922ab789f823175facaa0936226326e39a6632f6b45fbbfc30400ba4c6a3

Download Submit
C:\Program Files (x86)\CocCoc\Update\CocCocUpdate.exe

Filesize
114KB

MD5
77d51803a8b7dcb8d58efb21d77a62d2

SHA1
cdcfb110fa562419b0bbb96207d3ae1cb55bb834

SHA256
24a850f15a023f59389bf8fd1c33796cf3a5d8d08f77dda049d1c978a1825dde

SHA512
a67517e66a60d874a81a60ce433071010234ecf86a5c581fc356062adf136a6b322a922ab789f823175facaa0936226326e39a6632f6b45fbbfc30400ba4c6a3

Download Submit
C:\Program Files (x86)\CocCoc\Update\CocCocUpdate.exe

Filesize
114KB

MD5
77d51803a8b7dcb8d58efb21d77a62d2

SHA1
cdcfb110fa562419b0bbb96207d3ae1cb55bb834

SHA256
24a850f15a023f59389bf8fd1c33796cf3a5d8d08f77dda049d1c978a1825dde

SHA512
a67517e66a60d874a81a60ce433071010234ecf86a5c581fc356062adf136a6b322a922ab789f823175facaa0936226326e39a6632f6b45fbbfc30400ba4c6a3

Download Submit
C:\Program Files (x86)\CocCoc\Update\CocCocUpdate.exe

Filesize
114KB

MD5
77d51803a8b7dcb8d58efb21d77a62d2

SHA1
cdcfb110fa562419b0bbb96207d3ae1cb55bb834

SHA256
24a850f15a023f59389bf8fd1c33796cf3a5d8d08f77dda049d1c978a1825dde

SHA512
a67517e66a60d874a81a60ce433071010234ecf86a5c581fc356062adf136a6b322a922ab789f823175facaa0936226326e39a6632f6b45fbbfc30400ba4c6a3

Download Submit
C:\ProgramData\CocCoc\uid

Filesize
36B

MD5
a44cd58b774dff1294c93ae94ec87c0e

SHA1
b059766ea119a8175d09672e4898e352ea4e53e4

SHA256
b94f67de725f751b5722a68fb630a99b27240e41a1c893bf47be9f036cfbb2e5

SHA512
00863f19c18890f42d1f308d4f4c1d79fb0187356085464741471d102348127abf13d67582b8ed0b0f75f6fba874e841972fff2376a2b7b905db83ca51131802

Download Submit