300fe6224578b1254a43444f7e1783dd608a6c065d4e6089e7560e719fc787b2

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sdset.exe
Size

151KB
MD5

3b2dd1df009c0c3af033244bf25bdcab
SHA1

80967024aac1030cc5d1d3090fcf960541f49307
SHA256

42458c56c75dfe69aa1f109af0fa4aadcad1b2b9a09573d5a7de1d59f27359d6
SHA512

6615be9ba9ca4afc4caa466e71a7c62a3d99e244be27ccc8342f0589acfe5dbe41340b4b5d5654c748b254908a528cbfc52911ad337ef7cd14b69ffb7dbe02fb
SSDEEP

3072:LFPFjfDhOQ8+he6tVfWqFhnZgW+YI9UdxJWpLGIn40ZBoctjFTqneqPE7k:LJNFO8e2WqfZgrWCjt0ctpmnBP6k

Score

10^/10

adware aspackv2 bootkit discovery evasion persistence stealer upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\remotesetup.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\remotesetup.exe:*:Enabled:DuDuAcc"	remotesetup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\PROGRA~2\pcast\PODCAS~1\PODCAS~1.EXE = "C:\\PROGRA~2\\pcast\\PODCAS~1\\PODCAS~1.EXE:*:Enabled:Share Streaming"	PodcastBarMini.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplica	remotesetup.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	remotesetup.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
52	1548	RunDll32.exe
53	2284	RunDll32.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\cdntran.sys	setup.exe
File created	C:\Windows\SysWOW64\drivers\cdnprot.sys	setup.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	U88.exe

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\BC1F6A4D2D237C0C86152E1482B2026AAD912592\Blob = 030000000100000014000000bc1f6a4d2d237c0c86152e1482b2026aad91259204000000010000001000000021b95f50fc271b95e96fe8745943fd7c1900000001000000100000005996a7c1471ef385ca88fdecb02eeb990f00000001000000140000008bf79719c6ed6f882de19abdea037b89a41e3b0620000000010000001f0500003082051b30820403a003020102021066a83d9b70cff9b3791431edce6d8ec5300d06092a864886f70d01010505003081b4310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313b3039060355040b13325465726d73206f66207573652061742068747470733a2f2f7777772e766572697369676e2e636f6d2f727061202863293034312e302c06035504031325566572695369676e20436c617373203320436f6465205369676e696e672032303034204341301e170d3035303732363030303030305a170d3036303732363233353935395a3081de310b300906035504061302434e3110300e060355040813074265696a696e673110300e060355040713074265696a696e67312c302a060355040a142331303030204f616b7320496e7465726e657420546563686e6f6c6f6769657320436f2e313e303c060355040b13354469676974616c20494420436c6173732033202d204d6963726f736f667420536f6674776172652056616c69646174696f6e207632310f300d060355040b14066f6e6c696e65312c302a0603550403142331303030204f616b7320496e7465726e657420546563686e6f6c6f6769657320436f2e30819f300d06092a864886f70d010101050003818d0030818902818100c83574c77d9e2268b98d6136fccd329d056dab6c8f70006f46dd4471b5a2b25609f85c6fde9c717a537ce7711a8d7f2a03cb68e44d02b3eee533ab5b38192761f21290838d1cbe73e04daae8c13d0f0c11bc2765c62c5337a2b19bd794b474c66de76463b7146ead81129cc7f4338556797e6f9e8b4eaef9f98328d81fadc5a90203010001a382017f3082017b30090603551d1304023000300e0603551d0f0101ff04040302078030400603551d1f043930373035a033a031862f687474703a2f2f435343332d323030342d63726c2e766572697369676e2e636f6d2f435343332d323030342e63726c30440603551d20043d303b3039060b6086480186f84501071703302a302806082b06010505070201161c68747470733a2f2f7777772e766572697369676e2e636f6d2f72706130130603551d25040c300a06082b06010505070303307506082b0601050507010104693067302406082b060105050730018618687474703a2f2f6f6373702e766572697369676e2e636f6d303f06082b060105050730028633687474703a2f2f435343332d323030342d6169612e766572697369676e2e636f6d2f435343332d323030342d6169612e636572301f0603551d2304183016801408f551e8fbfe3d3d64367c68cf5b78a8dfb9c537301106096086480186f84201010404030204103016060a2b06010401823702011b040830060101000101ff300d06092a864886f70d01010505000382010100850f265cbcf0dc1b11ef1ec6950d94f93f853a0d678e9d47e12a5e02aca9e47ec818a009e7cdd4962d52e2d62115f79141e64753977a3cde5030410467c9db7fbffeadda9205cbfa975575bee48857b561a2f5048d79802fe8d4987ca190bf38e300935f6dc3663b582c3582842089a23819ff3189c37840de399cc8f1ea6aa64d79ca12e2c9084d908dfa1baecf6816471bd66c5601d7cd4fb88da11edbea34e8b0d0e7f38a0bff59214f7571fccf44bde0f6caa8c0274fa3e2451061e9238e2d0203e0c1152388e6fb8327e03ab0fc33202db64956ae4c228bca02707c70d7989d9a0e20befcc595f02b9ba163ba09f3e5b3676bfe5e2fdff2808b3b779444	pcast.dll

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\cdnprot\ImagePath = "system32\\drivers\\cdnprot.sys"	setup.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral29/files/0x000500000001948e-178.dat	acprotect
behavioral29/files/0x000500000001951b-201.dat	acprotect

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral29/files/0x000900000001a475-691.dat	aspack_v212_v242

Executes dropped EXE 14 IoCs

pid	Process
2808	setup.exe
2488	setup.exe
1740	cdnup.exe
1156	U88.exe
2912	remotesetup.exe
300	start.exe
1332	PodcastBarMini.exe
1636	bckmsn.exe
2224	CFSQdll.exe
2240	p2psvr.exe
276	p2psvr.exe
1732	p2psvr.exe
692	skinpacker.exe
1840	Search.exe

Loads dropped DLL 64 IoCs

pid	Process
2328	regsvr32.exe
2812	sdcnc.dll
2808	setup.exe
2808	setup.exe
2808	setup.exe
2808	setup.exe
2488	setup.exe
2488	setup.exe
2488	setup.exe
2488	setup.exe
2488	setup.exe
2488	setup.exe
2488	setup.exe
2488	setup.exe
2488	setup.exe
1364	Setup_s34.exe
2488	setup.exe
1364	Setup_s34.exe
1364	Setup_s34.exe
2488	setup.exe
1364	Setup_s34.exe
1848	rundll32.exe
1848	rundll32.exe
1848	rundll32.exe
1848	rundll32.exe
1732	rundll32.exe
1732	rundll32.exe
1732	rundll32.exe
2280	rundll32.exe
2280	rundll32.exe
2280	rundll32.exe
2280	rundll32.exe
1936	rundll32.exe
1936	rundll32.exe
1936	rundll32.exe
1732	rundll32.exe
1936	rundll32.exe
2280	rundll32.exe
2280	rundll32.exe
2488	setup.exe
1848	rundll32.exe
2280	rundll32.exe
936	sdreg.exe
2488	setup.exe
2488	setup.exe
2488	setup.exe
2488	setup.exe
2488	setup.exe
1740	cdnup.exe
1740	cdnup.exe
1740	cdnup.exe
1740	cdnup.exe
1740	cdnup.exe
1740	cdnup.exe
1740	cdnup.exe
1740	cdnup.exe
1740	cdnup.exe
1740	cdnup.exe
1740	cdnup.exe
2488	setup.exe
2700	qqa02_u88setup.exe
2700	qqa02_u88setup.exe
1156	U88.exe
1156	U88.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral29/files/0x000500000001948e-178.dat	upx
behavioral29/memory/1364-187-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral29/files/0x000500000001951b-201.dat	upx
behavioral29/memory/1364-203-0x0000000010000000-0x000000001001C000-memory.dmp	upx
behavioral29/memory/1364-214-0x0000000010000000-0x000000001001C000-memory.dmp	upx
behavioral29/memory/1848-231-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral29/memory/1848-230-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral29/memory/2280-240-0x0000000010000000-0x000000001001C000-memory.dmp	upx
behavioral29/memory/2796-307-0x0000000010000000-0x000000001001C000-memory.dmp	upx
behavioral29/memory/760-308-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral29/memory/2664-309-0x0000000010000000-0x000000001001C000-memory.dmp	upx
behavioral29/memory/1780-310-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral29/memory/2852-679-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral29/memory/2852-694-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral29/memory/1636-718-0x0000000010000000-0x00000000100FD000-memory.dmp	upx
behavioral29/memory/1280-730-0x0000000000270000-0x0000000000296000-memory.dmp	upx
behavioral29/memory/544-731-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral29/memory/544-795-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral29/memory/2384-916-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral29/memory/2920-930-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral29/memory/760-947-0x0000000010000000-0x000000001001C000-memory.dmp	upx
behavioral29/memory/2076-948-0x0000000010000000-0x000000001001C000-memory.dmp	upx
behavioral29/memory/1636-951-0x0000000010000000-0x00000000100FD000-memory.dmp	upx
behavioral29/memory/2256-949-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral29/memory/2920-1294-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral29/memory/2384-1303-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral29/memory/1636-1311-0x0000000010000000-0x00000000100FD000-memory.dmp	upx
behavioral29/memory/2384-1312-0x0000000000400000-0x0000000000495000-memory.dmp	upx

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CdnCtr = "C:\\Program Files\\CNNIC\\Cdn\\cdnup.exe"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\update8 = "c:\\program Files\\Internet explorer\\lib\\aupdate.exe"	qqa02_u88setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MiniPcast = "C:\\Program Files (x86)\\pcast\\PodcastbarMini\\start.exe"	pcast.dll
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bckmsn = "C:\\Program Files (x86)\\bckmsn\\bckmsn.exe"	bckmsn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscfs = "RUNDLL32 C:\\Windows\\system32\\msibm\\cfsys.dll,cfs"	duisc.dll
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MoveSearch = "C:\\Program Files (x86)\\wsearch\\Search.exe"	Search.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 16 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}\	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}	Setup_s34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6671A431-5C3D-463d-A7CF-5587F9B7E191}	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6671A431-5C3D-463d-A7CF-5587F9B7E191}\ = "MMSAssist"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6671A431-5C3D-463d-A7CF-5587F9B7E191}\ = "MMSAssist"	Setup_s34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B580CF65-E151-49C3-B73F-70B13FCA8E86}	baid.dll
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6671A431-5C3D-463d-A7CF-5587F9B7E191}	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6671A431-5C3D-463d-A7CF-5587F9B7E191}\ = "MMSAssist"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}\	Setup_s34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6671A431-5C3D-463d-A7CF-5587F9B7E191}	Setup_s34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{35980F6E-A137-4E50-953D-813BB8556899}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8A4280AD-9B37-4922-A51D-73F3C3A32AF7}\ = "BHelper"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}\	IEXPLORE.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 26 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cdn.dll	setup.exe
File created	C:\Windows\SysWOW64\cdnns.dll	setup.exe
File created	C:\Windows\SysWOW64\msibm\cfsbho.dll	duisc.dll
File opened for modification	C:\Windows\SysWOW64\msibm\cfscfg.7z	RunDll32.exe
File created	C:\Windows\SysWOW64\stdup.dll	Setup_s34.exe
File created	C:\Windows\SysWOW64\ibmvdr_.dll	duisc.dll
File created	C:\Windows\SysWOW64\msibm\post.htm	Rundll32.exe
File opened for modification	C:\Windows\SysWOW64\msibm\CFSQdll.exe	duisc.dll
File created	C:\Windows\SysWOW64\msibm\cfs7zd.DLL	duisc.dll
File created	C:\Windows\SysWOW64\ibmuuid_.dll	RunDll32.exe
File opened for modification	C:\Windows\SysWOW64\msibm\intro.tpl	duisc.dll
File created	C:\Windows\SysWOW64\msibm\cfsupd.dll	duisc.dll
File created	C:\Windows\SysWOW64\msibm\cfsys.dll	duisc.dll
File created	C:\Windows\SysWOW64\msibm\linbak.dll	duisc.dll
File created	C:\Windows\SysWOW64\msibm\Uninstall.exe	duisc.dll
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	p2psvr.exe
File opened for modification	C:\Windows\SysWOW64\msibm\post.tpl	duisc.dll
File created	C:\Windows\SysWOW64\msibm\post.tpl	duisc.dll
File created	C:\Windows\SysWOW64\msibm\intro.tpl	duisc.dll
File opened for modification	C:\Windows\SysWOW64\ibmuuid_.dll	RunDll32.exe
File created	C:\Windows\SysWOW64\std.ini	Setup_s34.exe
File opened for modification	C:\Windows\SysWOW64\ibmvdr_.dll	duisc.dll
File created	C:\Windows\SysWOW64\msibm\intro.htm	Rundll32.exe
File created	C:\Windows\SysWOW64\msibm\cfscfg.7z	RunDll32.exe
File created	C:\Windows\SysWOW64\msibm\CFSQdll.exe	duisc.dll
File created	C:\Windows\SysWOW64\msibm\lowlvl.dll	duisc.dll

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\wsearch\sysupdate.ini.tmp	sdpig.dll
File created	C:\Program Files\CNNIC\Cdn\cdnhint.dat	setup.exe
File created	C:\Program Files (x86)\P4P\theme\00000000-0000-0000-0000-000000000000\Plugins\3.ini	skinpacker.exe
File opened for modification	C:\Program Files (x86)\P4P\theme\00000000-0000-0000-0000-000000000000\Plugins\4.ini	skinpacker.exe
File created	C:\Program Files (x86)\wsearch\_uninstall	sdpig.dll
File created	C:\Program Files\Internet Explorer\lib\allverx.dat	qqa02_u88setup.exe
File created	C:\Program Files (x86)\P4P\theme\00000000-0000-0000-0000-000000000000\Plugins\ec3dbd81-fe29-4312-83ab-2af6a79ca3f1.ico	skinpacker.exe
File opened for modification	C:\Program Files (x86)\P4P\theme\00000000-0000-0000-0000-000000000000\Plugins\8b57e939-74f3-4168-9281-67796df3a410.ico	skinpacker.exe
File created	C:\Program Files (x86)\wsearch\SearchM.dll	sdpig.dll
File created	C:\PROGRA~2\bckmsn\200~1.1\dmplayer.dll	bckmsn.exe
File created	C:\Program Files (x86)\P4P\ToolbarTMP.DLL	sogoutb_setup_pp365sosoft08mini.exe
File created	C:\Program Files (x86)\P4P\theme\00000000-0000-0000-0000-000000000000\Plugins\85190a08-7b40-46d1-ab1f-0436c6e906e2.ico	skinpacker.exe
File created	C:\Program Files (x86)\wsearch\allverx.dat	sdpig.dll
File created	C:\Program Files (x86)\wsearch\mupdate.exe.tmp	sdpig.dll
File created	C:\Program Files\Internet Explorer\lib\u88.exe	qqa02_u88setup.exe
File created	C:\Progra~1\Baidu\bar\SET7FF9.tmp	baid.dll
File created	C:\Program Files (x86)\P4P\00000000-0000-0000-0000-000000000000.zip	sogoutb_setup_pp365sosoft08mini.exe
File created	C:\Program Files\CNNIC\Cdn\cdndisp.dat	setup.exe
File created	C:\Program Files\Internet Explorer\lib\libu88icon.Ico.tmp	qqa02_u88setup.exe
File created	C:\Program Files\Internet Explorer\lib\libupdate.dat.tmp	qqa02_u88setup.exe
File opened for modification	C:\Program Files (x86)\P4P\theme\00000000-0000-0000-0000-000000000000\Plugins\85190a08-7b40-46d1-ab1f-0436c6e906e2.ico	skinpacker.exe
File created	C:\Program Files (x86)\pcast\PodcastbarMini\Start.exe	pcast.dll
File created	C:\Program Files\CNNIC\Cdn\client.dll	setup.exe
File created	C:\Program Files\Internet Explorer\lib\update.dat	qqa02_u88setup.exe
File created	C:\Program Files (x86)\P4P\theme\00000000-0000-0000-0000-000000000000\Plugins\2.ini	skinpacker.exe
File opened for modification	C:\Program Files (x86)\P4P\theme\00000000-0000-0000-0000-000000000000\Plugins\3.ini	skinpacker.exe
File created	C:\Program Files (x86)\wsearch\mUninstall.exe.tmp	sdpig.dll
File opened for modification	C:\Program Files\CNNIC\Cdn\cdndisp.dat	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnspie.dll	setup.exe
File created	C:\Program Files (x86)\pcast\PodcastbarMini\pCastCtl.dll	pcast.dll
File opened for modification	C:\Program Files (x86)\P4P\theme\00000000-0000-0000-0000-000000000000\1.bmp	skinpacker.exe
File created	C:\Program Files (x86)\wsearch\mUninstall.exe	sdpig.dll
File created	C:\Program Files (x86)\wsearch\mupdate.exe	sdpig.dll
File opened for modification	C:\Program Files\Internet Explorer\lib\libupdate.dat	qqa02_u88setup.exe
File created	C:\Program Files (x86)\bckmsn\mpvisdm.dll	itadx.exe
File created	C:\Program Files\CNNIC\Cdn\cdnvers.dat	setup.exe
File created	C:\Program Files (x86)\P4P\p2psvr.exe	sogoutb_setup_pp365sosoft08mini.exe
File created	C:\Program Files (x86)\P4P\PLUGINS\8b57e939-74f3-4168-9281-67796df3a410.ico	skinpacker.exe
File opened for modification	C:\Progra~1\Baidu\bar\SET7FF9.tmp	baid.dll
File created	C:\Program Files (x86)\wsearch\setup.tmp	sdpig.dll
File created	C:\Program Files (x86)\wsearch\Mouse1.dll	sdpig.dll
File created	C:\Program Files\CNNIC\Cdn\idnconv.dll	setup.exe
File created	C:\Program Files (x86)\pcast\PodcastbarMini\pbmini.config.xml	PodcastBarMini.exe
File created	C:\Program Files (x86)\pcast\PodcastbarMini\uninst.exe	pcast.dll
File created	C:\Program Files (x86)\pcast\PodcastbarMini\version.ini	pcast.dll
File opened for modification	C:\Program Files (x86)\pcast\PodcastbarMini\version.ini	pcast.dll
File created	C:\Program Files (x86)\P4P\theme\00000000-0000-0000-0000-000000000000\2.bmp	skinpacker.exe
File opened for modification	C:\Program Files (x86)\wsearch\sysupdate.ini	sdpig.dll
File opened for modification	C:\Program Files (x86)\P4P\ToolbarTMP.DLL	sogoutb_setup_pp365sosoft08mini.exe
File created	C:\Program Files (x86)\P4P\PLUGINS\85190a08-7b40-46d1-ab1f-0436c6e906e2.ico	skinpacker.exe
File opened for modification	C:\Program Files (x86)\P4P\theme\00000000-0000-0000-0000-000000000000\theme.xml	skinpacker.exe
File opened for modification	C:\Program Files (x86)\wsearch\mUninstall.exe	sdpig.dll
File created	C:\Program Files (x86)\wsearch\sysupdate.ini	sdpig.dll
File opened for modification	C:\Program Files\CNNIC\Cdn\src.dat	setup.exe
File opened for modification	C:\Program Files\Internet Explorer\lib\libaupdate.exe	qqa02_u88setup.exe
File opened for modification	C:\Progra~1\Baidu\bar\BaiDuBar.dll	baid.dll
File opened for modification	C:\Program Files (x86)\wsearch\mupdate.exe	sdpig.dll
File opened for modification	C:\Program Files (x86)\wsearch\sysadInfo.ini	sdpig.dll
File created	C:\Program Files (x86)\MMSAssist\MMSAssist.dll	Setup_s34.exe
File opened for modification	C:\Program Files\Internet Explorer\lib\liballverx.dat	qqa02_u88setup.exe
File created	C:\Program Files (x86)\wsearch\allverx.dat.tmp	sdpig.dll
File opened for modification	C:\Program Files\CNNIC\Cdn\cdnvers.dat	setup.exe
File opened for modification	C:\Program Files\Internet Explorer\lib\libu88icon.Ico	qqa02_u88setup.exe
File opened for modification	C:\Program Files (x86)\P4P\PLUGINS\ec3dbd81-fe29-4312-83ab-2af6a79ca3f1.ico	skinpacker.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\u88icon.ico	U88.exe
File created	C:\Windows\Tasks\DDD_Install_Program.job	remotesetup.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	baid.dll

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN\CheckedValue = "1"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{6671A433-5C3D-463d-A7CF-5587F9B7E191}\ClsidExtension = "{6671A432-5C3D-463d-A7CF-5587F9B7E191}"	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW\HKeyRoot = "2147483649"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY\HKeyRoot = "2147483649"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_ACCOUNT\UncheckedValue = "0"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\ValueName = "AutoUpdate"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{6671A433-5C3D-463d-A7CF-5587F9B7E191}\ClsidExtension = "{6671A432-5C3D-463d-A7CF-5587F9B7E191}"	Setup_s34.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\URLSearchHooks	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_ACCOUNT\HKeyRoot = "2147483649"	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{6671A433-5C3D-463d-A7CF-5587F9B7E191}\ClsidExtension = "{6671A432-5C3D-463d-A7CF-5587F9B7E191}"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\ >> ²ÊÐÅ·¢ËÍ <<	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN\ValueName = "EnableIdn"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY\DefaultValue = "1"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷ÍøÒ³\ = "res://C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll/BAIDUSEARCH.HTM"	baid.dll
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷Ìù°É	baid.dll
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{6671A433-5C3D-463d-A7CF-5587F9B7E191}	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT\DefaultValue = "1"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\IDN_MAIL	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar	baid.dll
Key deleted	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷¸è´Ê	baid.dll
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{6671A433-5C3D-463d-A7CF-5587F9B7E191}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RESOLUTION\HKeyRoot = "2147483649"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RESOLUTION\DefaultValue = "1"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_ACCOUNT\CheckedValue = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{35980F6E-A137-4E50-953D-813BB8556899}\ButtonText = "ÖÐÎÄÉÏÍø"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW\UncheckedValue = "0"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt	Setup_s34.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷ÍøÒ³\Contexts = 10	baid.dll
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷ÐÂÎÅ\Contexts = 10	baid.dll
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\Bitmap = "C:\\WINNT\\system32\\inetcpl.cpl,4497"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{6671A433-5C3D-463d-A7CF-5587F9B7E191}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\Text = "Chinese Domain Name and Internet Keyword"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{6671A433-5C3D-463d-A7CF-5587F9B7E191}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"	Setup_s34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\RegPath = "SOFTWARE\\CNNIC\\CdnClient\\Console"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-´ÊµäËÑË÷\ = "res://C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll/BAIDU_DIC.HTM"	baid.dll
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\Text = "Mail"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{35980F6E-A137-4E50-953D-813BB8556899}\MenuText = "ÖÐÎÄÉÏÍø"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\Type = "group"	setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷MP3\Contexts = 10	baid.dll
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\Text = "Automatically Update When New Version is Detected(Recommended)"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\Bitmap = "C:\\WINNT\\system32\\inetcpl.cpl,4497"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\IDN_MAIL\Text = "Enable Chinese Domain Name Mailing System"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{6671A433-5C3D-463d-A7CF-5587F9B7E191}	Setup_s34.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0C80A4C1-32DB-4BD4-95A3-873176BFE3B2}\WpadDecision = "0"	p2psvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0C80A4C1-32DB-4BD4-95A3-873176BFE3B2}\ba-89-48-fb-10-70	p2psvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-89-48-fb-10-70\WpadDecisionReason = "1"	p2psvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	p2psvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0C80A4C1-32DB-4BD4-95A3-873176BFE3B2}	p2psvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	p2psvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0111000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	p2psvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0C80A4C1-32DB-4BD4-95A3-873176BFE3B2}\WpadNetworkName = "Network 3"	p2psvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	p2psvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	p2psvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	p2psvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	p2psvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	p2psvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-89-48-fb-10-70	p2psvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	p2psvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	p2psvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	p2psvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0C80A4C1-32DB-4BD4-95A3-873176BFE3B2}\WpadDecisionReason = "1"	p2psvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0C80A4C1-32DB-4BD4-95A3-873176BFE3B2}\WpadDecisionTime = 806ba507b44fda01	p2psvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-89-48-fb-10-70\WpadDecisionTime = 806ba507b44fda01	p2psvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-89-48-fb-10-70\WpadDecision = "0"	p2psvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	p2psvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	p2psvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	p2psvr.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MailParserSvr.MailParser.1\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BF0A2EB3-0704-45C6-90F4-9EBB1DEB57FD}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6AFC2761-1253-427C-9A56-385B4609BE1D}\1.0\FLAGS\ = "0"	baid.dll
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6AFC2761-1253-427C-9A56-385B4609BE1D}\1.0\0\win32	baid.dll
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6D9A6231-1550-4652-A353-48E2C9194B19}\TypeLib\Version = "1.0"	sogoutb_setup_pp365sosoft08mini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6671A431-5C3D-463d-A7CF-5587F9B7E191}\VersionIndependentProgID	IEXPLORE.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6671A431-5C3D-463d-A7CF-5587F9B7E191}\ProgID	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar.IEPluginTB\CLSID\ = "{DBBB7978-AF21-4EF4-9AD1-B2F4BC75696C}"	sogoutb_setup_pp365sosoft08mini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF0A2EB3-0704-45C6-90F4-9EBB1DEB57FD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Baidu\CurVer\ = "BaiduBar.Baidu.1"	baid.dll
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}\ProgID\ = "MimeFilter.AdFilter.1"	baid.dll
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{464C8A26-31E9-411C-9583-5B858E631DCC}\ProxyStubClsid32	baid.dll
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B46D3E4A-3F54-497D-AFFD-464AAE8098EF}\1.0\FLAGS	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\cfsbho.DLL\AppID	RunDll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DEEE7FE9-3E06-43EE-B04D-18866CD0AD9C}\ProgID	sogoutb_setup_pp365sosoft08mini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B7DB519E-7131-47B1-A9F5-DA8D061C2611}\1.0\0\win32\ = "C:\\PROGRA~1\\CNNIC\\Cdn\\imaol.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{446761D5-3AC9-40CC-9DCD-CDE23E2CE31A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE1002D-90A5-4A5D-AABE-01803FFBCF7A}\InprocServer32	pcast.dll
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{464C8A26-31E9-411C-9583-5B858E631DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	baid.dll
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sogoutb.Detector\CurVer	sogoutb_setup_pp365sosoft08mini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35980F6E-A137-4E50-953D-813BB8556899}\VersionIndependentProgID\ = "CndnIEHelper.CndnIEHlprObj"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35980F6E-A137-4E50-953D-813BB8556899}\TypeLib\ = "{01833110-7C51-4D41-A09F-69EF74606E5B}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar.IEPluginEB.1	sogoutb_setup_pp365sosoft08mini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE1002D-90A5-4A5D-AABE-01803FFBCF7A}\Programmable	pcast.dll
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96249369-D3DC-4AE6-8A3B-E7109D46E98D}\ProxyStubClsid32	baid.dll
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cfsbho.BHelper\CurVer	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96249369-D3DC-4AE6-8A3B-E7109D46E98D}\ = "ITool"	baid.dll
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\ProgID	baid.dll
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool.1\CLSID\ = "{A7F05EE4-0426-454F-8013-C41E3596E9E9}"	baid.dll
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F0B68791-936D-490E-8CD9-A31022B55B35}	sogoutb_setup_pp365sosoft08mini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchM.Com\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C5CE084B-31E0-4B34-A33A-82B4EA913CF8}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A07E6B9B-BB30-4381-A9D8-FABB0648BCEF}\TypeLib\ = "{C5CE084B-31E0-4B34-A33A-82B4EA913CF8}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{22F87D75-7DD1-4545-94B3-CA80C0F462C6}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\stdup.dll"	Setup_s34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C7F88C1A-DF17-423B-B960-108AB7551FAA}\1.0\HELPDIR	pcast.dll
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6671A431-5C3D-463d-A7CF-5587F9B7E191}	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A0BC0BC-362E-4E43-95B6-5D166D3EE595}\TypeLib	pcast.dll
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{89FDCC4B-8D91-49B0-81A6-18BCFF582735}\ProxyStubClsid32	baid.dll
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A07E6B9B-BB30-4381-A9D8-FABB0648BCEF}\ = "ICom"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{446761D5-3AC9-40CC-9DCD-CDE23E2CE31A}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96249369-D3DC-4AE6-8A3B-E7109D46E98D}\TypeLib\Version = "1.0"	baid.dll
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE82AFC1-5E4B-4F19-A3E3-4FFF55F3D279}\ = "IBHelper"	RunDll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4FFB0262-EB74-461F-BBC8-7818DF633687}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\P4P\\"	sogoutb_setup_pp365sosoft08mini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68BEA531-2D55-4FF6-9B40-CDD285C44F7A}\TypeLib\ = "{C7F88C1A-DF17-423B-B960-108AB7551FAA}"	pcast.dll
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\VersionIndependentProgID\ = "BaiduBar.Baidu"	baid.dll
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar.IEPluginTB\CLSID	sogoutb_setup_pp365sosoft08mini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DEEE7FE9-3E06-43EE-B04D-18866CD0AD9C}\AppID	sogoutb_setup_pp365sosoft08mini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar.WBHost.1\CLSID\ = "{5AA23B9D-99C0-4A41-A25D-58E806766680}"	sogoutb_setup_pp365sosoft08mini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A07E6B9B-BB30-4381-A9D8-FABB0648BCEF}\ = "ICom"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MailParserSvr.MailParser\ = "MailParser Class"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MMSBho.MMSAssistMenu.1\ = "MMSAssistMenu"	IEXPLORE.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6671A432-5C3D-463d-A7CF-5587F9B7E191}\Programmable	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A0BC0BC-362E-4E43-95B6-5D166D3EE595}\ProxyStubClsid32	pcast.dll
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{89FDCC4B-8D91-49B0-81A6-18BCFF582735}\ProxyStubClsid32	baid.dll
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sogoutb.Detector\CLSID	sogoutb_setup_pp365sosoft08mini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D977D6A9-BE13-496D-9BE4-175DFAC12628}\VersionIndependentProgID\ = "Toolbar.WBExtension"	sogoutb_setup_pp365sosoft08mini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F0B68791-936D-490E-8CD9-A31022B55B35}\TypeLib\Version = "1.0"	sogoutb_setup_pp365sosoft08mini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DBBB7978-AF21-4EF4-9AD1-B2F4BC75696C}\ = "’È¹·Ö±Í¨³µ"	sogoutb_setup_pp365sosoft08mini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6671A431-5C3D-463D-A7CF-5587F9B7E191}	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{446761D5-3AC9-40CC-9DCD-CDE23E2CE31A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MMSBho.MMSAssistMenu\CLSID\ = "{6671A432-5C3D-463d-A7CF-5587F9B7E191}"	Setup_s34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Baidu	baid.dll
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6671A432-5C3D-463d-A7CF-5587F9B7E191}\InprocServer32\ThreadingModel = "Apartment"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{951A869A-1003-4897-948F-D55E570871DB}\ProxyStubClsid32	setup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2812	sdcnc.dll
2812	sdcnc.dll
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe
2284	RunDll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
468	Process not Found
468	Process not Found

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	sdcnc.dll
Token: SeRestorePrivilege	2488	setup.exe
Token: SeBackupPrivilege	2488	setup.exe
Token: SeRestorePrivilege	1740	cdnup.exe
Token: SeBackupPrivilege	1740	cdnup.exe
Token: SeRestorePrivilege	2388	pcast.dll
Token: SeBackupPrivilege	2388	pcast.dll
Token: SeRestorePrivilege	2852	itadx.exe
Token: SeBackupPrivilege	2852	itadx.exe
Token: SeRestorePrivilege	2744	baid.dll
Token: SeRestorePrivilege	2744	baid.dll
Token: SeRestorePrivilege	2744	baid.dll
Token: SeRestorePrivilege	2744	baid.dll
Token: SeRestorePrivilege	2744	baid.dll
Token: SeRestorePrivilege	2744	baid.dll
Token: SeRestorePrivilege	2744	baid.dll
Token: SeRestorePrivilege	2744	baid.dll
Token: SeBackupPrivilege	2744	baid.dll
Token: SeDebugPrivilege	2284	RunDll32.exe
Token: SeRestorePrivilege	692	skinpacker.exe
Token: SeBackupPrivilege	692	skinpacker.exe
Token: SeRestorePrivilege	2920	sogoutb_setup_pp365sosoft08mini.exe
Token: SeBackupPrivilege	2920	sogoutb_setup_pp365sosoft08mini.exe
Token: SeRestorePrivilege	2192	sdpig.dll
Token: SeBackupPrivilege	2192	sdpig.dll

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
1972	iexplore.exe
1332	PodcastBarMini.exe
1332	PodcastBarMini.exe
1332	PodcastBarMini.exe
1332	PodcastBarMini.exe
2288	regsvr32.exe
2384	wpsdls.8824.10.exe
1972	iexplore.exe
2384	wpsdls.8824.10.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
1332	PodcastBarMini.exe
1332	PodcastBarMini.exe
1332	PodcastBarMini.exe
1332	PodcastBarMini.exe
2288	regsvr32.exe
2384	wpsdls.8824.10.exe
2384	wpsdls.8824.10.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
2192	sdpig.dll
1740	cdnup.exe
1740	cdnup.exe
1740	cdnup.exe
2700	qqa02_u88setup.exe
1972	iexplore.exe
1972	iexplore.exe
368	IEXPLORE.EXE
368	IEXPLORE.EXE
1332	PodcastBarMini.exe
1332	PodcastBarMini.exe
368	IEXPLORE.EXE
368	IEXPLORE.EXE
1636	bckmsn.exe
1636	bckmsn.exe
2288	regsvr32.exe
1972	iexplore.exe
1972	iexplore.exe
2104	IEXPLORE.EXE
2104	IEXPLORE.EXE
2104	IEXPLORE.EXE
2104	IEXPLORE.EXE
1840	Search.exe
1840	Search.exe
1840	Search.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 2192	1280	sdset.exe	28
PID 1280 wrote to memory of 2192	1280	sdset.exe	28
PID 1280 wrote to memory of 2192	1280	sdset.exe	28
PID 1280 wrote to memory of 2192	1280	sdset.exe	28
PID 1280 wrote to memory of 2192	1280	sdset.exe	28
PID 1280 wrote to memory of 2192	1280	sdset.exe	28
PID 1280 wrote to memory of 2192	1280	sdset.exe	28
PID 2192 wrote to memory of 2328	2192	sdpig.dll	29
PID 2192 wrote to memory of 2328	2192	sdpig.dll	29
PID 2192 wrote to memory of 2328	2192	sdpig.dll	29
PID 2192 wrote to memory of 2328	2192	sdpig.dll	29
PID 2192 wrote to memory of 2328	2192	sdpig.dll	29
PID 2192 wrote to memory of 2328	2192	sdpig.dll	29
PID 2192 wrote to memory of 2328	2192	sdpig.dll	29
PID 1280 wrote to memory of 2812	1280	sdset.exe	31
PID 1280 wrote to memory of 2812	1280	sdset.exe	31
PID 1280 wrote to memory of 2812	1280	sdset.exe	31
PID 1280 wrote to memory of 2812	1280	sdset.exe	31
PID 2812 wrote to memory of 2808	2812	sdcnc.dll	32
PID 2812 wrote to memory of 2808	2812	sdcnc.dll	32
PID 2812 wrote to memory of 2808	2812	sdcnc.dll	32
PID 2812 wrote to memory of 2808	2812	sdcnc.dll	32
PID 2812 wrote to memory of 2808	2812	sdcnc.dll	32
PID 2812 wrote to memory of 2808	2812	sdcnc.dll	32
PID 2812 wrote to memory of 2808	2812	sdcnc.dll	32
PID 2808 wrote to memory of 2488	2808	setup.exe	33
PID 2808 wrote to memory of 2488	2808	setup.exe	33
PID 2808 wrote to memory of 2488	2808	setup.exe	33
PID 2808 wrote to memory of 2488	2808	setup.exe	33
PID 2808 wrote to memory of 2488	2808	setup.exe	33
PID 2808 wrote to memory of 2488	2808	setup.exe	33
PID 2808 wrote to memory of 2488	2808	setup.exe	33
PID 1280 wrote to memory of 1364	1280	sdset.exe	34
PID 1280 wrote to memory of 1364	1280	sdset.exe	34
PID 1280 wrote to memory of 1364	1280	sdset.exe	34
PID 1280 wrote to memory of 1364	1280	sdset.exe	34
PID 1280 wrote to memory of 1364	1280	sdset.exe	34
PID 1280 wrote to memory of 1364	1280	sdset.exe	34
PID 1280 wrote to memory of 1364	1280	sdset.exe	34
PID 1364 wrote to memory of 1732	1364	Setup_s34.exe	35
PID 1364 wrote to memory of 1732	1364	Setup_s34.exe	35
PID 1364 wrote to memory of 1732	1364	Setup_s34.exe	35
PID 1364 wrote to memory of 1732	1364	Setup_s34.exe	35
PID 1364 wrote to memory of 1732	1364	Setup_s34.exe	35
PID 1364 wrote to memory of 1732	1364	Setup_s34.exe	35
PID 1364 wrote to memory of 1732	1364	Setup_s34.exe	35
PID 1364 wrote to memory of 1848	1364	Setup_s34.exe	36
PID 1364 wrote to memory of 1848	1364	Setup_s34.exe	36
PID 1364 wrote to memory of 1848	1364	Setup_s34.exe	36
PID 1364 wrote to memory of 1848	1364	Setup_s34.exe	36
PID 1364 wrote to memory of 1848	1364	Setup_s34.exe	36
PID 1364 wrote to memory of 1848	1364	Setup_s34.exe	36
PID 1364 wrote to memory of 1848	1364	Setup_s34.exe	36
PID 1364 wrote to memory of 1936	1364	Setup_s34.exe	37
PID 1364 wrote to memory of 1936	1364	Setup_s34.exe	37
PID 1364 wrote to memory of 1936	1364	Setup_s34.exe	37
PID 1364 wrote to memory of 1936	1364	Setup_s34.exe	37
PID 1364 wrote to memory of 1936	1364	Setup_s34.exe	37
PID 1364 wrote to memory of 1936	1364	Setup_s34.exe	37
PID 1364 wrote to memory of 1936	1364	Setup_s34.exe	37
PID 1364 wrote to memory of 2280	1364	Setup_s34.exe	38
PID 1364 wrote to memory of 2280	1364	Setup_s34.exe	38
PID 1364 wrote to memory of 2280	1364	Setup_s34.exe	38
PID 1364 wrote to memory of 2280	1364	Setup_s34.exe	38

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\sdset.exe
  "C:\Users\Admin\AppData\Local\Temp\sdset.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Users\Admin\AppData\Local\Temp\sdpig.dll
    C:\Users\Admin\AppData\Local\Temp\sdpig.dll hide
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 "C:\Program Files (x86)\wsearch\searchm.dll" -s
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:2328
  - - C:\Program Files (x86)\wsearch\Search.exe
      "C:\Program Files (x86)\wsearch\Search.exe" us
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetWindowsHookEx
      PID:1840
- - C:\Users\Admin\AppData\Local\Temp\sdcnc.dll
    C:\Users\Admin\AppData\Local\Temp\sdcnc.dll
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Users\Admin\AppData\Local\Temp\setup.exe
      C:\Users\Admin\AppData\Local\Temp\setup.exe 00020402
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Users\Admin\AppData\Local\Temp\setup\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup\setup.exe" 00020402
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Installs/modifies Browser Helper Object
        Drops file in System32 directory
        Drops file in Program Files directory
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
      - C:\Program Files\CNNIC\Cdn\cdnup.exe
        
        "C:\Program Files\CNNIC\Cdn\cdnup.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1740
- - C:\Users\Admin\AppData\Local\Temp\Setup_s34.exe
    C:\Users\Admin\AppData\Local\Temp\Setup_s34.exe
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\stdup.dll",EasyFunc
      4⤵
      Loads dropped DLL
      PID:1732
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\stdup.dll",EasyFunc
      4⤵
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      PID:1848
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\PROGRA~2\MMSASS~1\MMSASS~1.DLL",EasyFunc
      4⤵
      Loads dropped DLL
      PID:1936
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\PROGRA~2\MMSASS~1\MMSASS~1.DLL",EasyFunc
      4⤵
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      PID:2280
- - C:\Users\Admin\AppData\Local\Temp\sdreg.exe
    C:\Users\Admin\AppData\Local\Temp\sdreg.exe
    3⤵
    - Loads dropped DLL
    PID:936
- - C:\Users\Admin\AppData\Local\Temp\qqa02_u88setup.exe
    C:\Users\Admin\AppData\Local\Temp\qqa02_u88setup.exe
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:2700
  - - C:\Program Files\Internet Explorer\lib\U88.exe
      "C:\Program Files\Internet Explorer\lib\U88.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      PID:1156
  - - C:\Windows\SysWOW64\explorer.exe
      explorer http://down.u88.cn/qqa02/u88newqqa02.asp
      4⤵
      PID:2432
- - C:\Users\Admin\AppData\Local\Temp\ly2_03.exe
    C:\Users\Admin\AppData\Local\Temp\ly2_03.exe /S
    3⤵
    PID:2960
  - - C:\Users\Admin\AppData\Local\Temp\remotesetup.exe
      C:\Users\Admin\AppData\Local\Temp\remotesetup.exe /S
      4⤵
      Modifies firewall policy service
      Executes dropped EXE
      Drops file in Windows directory
      PID:2912
- - C:\Users\Admin\AppData\Local\Temp\pcast.dll
    C:\Users\Admin\AppData\Local\Temp\pcast.dll
    3⤵
    - Manipulates Digital Signatures
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
  - - C:\Program Files (x86)\pcast\PodcastbarMini\start.exe
      "C:\Program Files (x86)\pcast\PodcastbarMini\start.exe"
      4⤵
      Executes dropped EXE
      PID:300
    - - C:\Program Files (x86)\pcast\PodcastbarMini\PodcastBarMini.exe
        
        "C:\Program Files (x86)\pcast\PodcastbarMini\PodcastBarMini.exe"
        5⤵
        Modifies firewall policy service
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1332
- - C:\Users\Admin\AppData\Local\Temp\bind_8152.exe
    C:\Users\Admin\AppData\Local\Temp\bind_8152.exe
    3⤵
    PID:1512
- - C:\Users\Admin\AppData\Local\Temp\itadx.exe
    C:\Users\Admin\AppData\Local\Temp\itadx.exe
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
  - - C:\Program Files (x86)\bckmsn\bckmsn.exe
      "C:\Program Files (x86)\bckmsn\bckmsn.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:1636
- - C:\Users\Admin\AppData\Local\Temp\baid.dll
    C:\Users\Admin\AppData\Local\Temp\baid.dll
    3⤵
    - Installs/modifies Browser Helper Object
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
- - C:\Users\Admin\AppData\Local\Temp\edmtd.dll
    C:\Users\Admin\AppData\Local\Temp\edmtd.dll
    3⤵
    PID:544
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s dtservice.dll
      4⤵
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2288
- - C:\Users\Admin\AppData\Local\Temp\duisc.dll
    C:\Users\Admin\AppData\Local\Temp\duisc.dll
    3⤵
    - Adds Run key to start application
    - Drops file in System32 directory
    PID:876
  - - C:\Windows\SysWOW64\msibm\CFSQdll.exe
      C:\Windows\system32\msibm\CFSQdll.exe 20
      4⤵
      Executes dropped EXE
      PID:2224
  - - C:\Windows\SysWOW64\Rundll32.exe
      Rundll32.exe C:\Windows\system32\msibm\cfsbho.dll,firstGenGuid
      4⤵
      Drops file in System32 directory
      PID:2680
  - - C:\Windows\SysWOW64\RunDll32.exe
      RunDll32.exe C:\Windows\system32\msibm\cfsbho.dll,regUser
      4⤵
      Blocklisted process makes network request
      Installs/modifies Browser Helper Object
      Drops file in System32 directory
      Modifies registry class
      PID:1548
  - - C:\Windows\SysWOW64\RunDll32.exe
      RunDll32.exe C:\Windows\system32\msibm\cfsys.DLL,cfs
      4⤵
      Blocklisted process makes network request
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2284
- - C:\Users\Admin\AppData\Local\Temp\wpsdls.8824.10.exe
    C:\Users\Admin\AppData\Local\Temp\wpsdls.8824.10.exe -t 8824.10
    3⤵
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2384
- - C:\Users\Admin\AppData\Local\Temp\sogoutb_setup_pp365sosoft08mini.exe
    C:\Users\Admin\AppData\Local\Temp\sogoutb_setup_pp365sosoft08mini.exe /S
    3⤵
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2920
  - - C:\Program Files (x86)\P4P\p2psvr.exe
      "C:\Program Files (x86)\P4P\p2psvr.exe" -i
      4⤵
      Executes dropped EXE
      PID:2240
  - - C:\Program Files (x86)\P4P\p2psvr.exe
      "C:\Program Files (x86)\P4P\p2psvr.exe"
      4⤵
      Executes dropped EXE
      PID:1732
  - - C:\Program Files (x86)\P4P\skinpacker.exe
      "C:\Program Files (x86)\P4P\skinpacker.exe" -g 00000000-0000-0000-0000-000000000000 -x
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:584
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  2⤵
  PID:612
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://down.u88.cn/qqa02/u88newqqa02.asp
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1972
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1972 CREDAT:275457 /prefetch:2
      4⤵
      Installs/modifies Browser Helper Object
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:368
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\PROGRA~2\MMSASS~1\MMSASS~1.DLL",EasyFunc2
        5⤵
        
        PID:2796
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\PROGRA~2\MMSASS~1\MMSASS~1.DLL",EasyFunc
        5⤵
        
        PID:2664
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWow64\stdup.dll",EasyFunc
        5⤵
        
        PID:1780
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWow64\stdup.dll",EasyFunc2
        5⤵
        
        PID:760
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1972 CREDAT:1061895 /prefetch:2
      4⤵
      Installs/modifies Browser Helper Object
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:2104
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\PROGRA~2\MMSASS~1\MMSASS~1.DLL",EasyFunc2
        5⤵
        
        PID:760
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\PROGRA~2\MMSASS~1\MMSASS~1.DLL",EasyFunc
        5⤵
        
        PID:2076
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWow64\stdup.dll",EasyFunc
        5⤵
        
        PID:2256
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWow64\stdup.dll",EasyFunc2
        5⤵
        
        PID:2112

C:\Program Files (x86)\P4P\p2psvr.exe
"C:\Program Files (x86)\P4P\p2psvr.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\P4P\ToolbarTMP.DLL

Filesize
368KB

MD5
ecd46f74c062a44f2d1a891b3a232bd3

SHA1
69a1b6919dfc959624fbbf20ab941e5b1c78c26a

SHA256
465e5736d0883d293beadf51fc1f76b8f63f28a1048230db76618fa95925c825

SHA512
285a94542a620d57b7131e641d46594b8897971d080bbbdbc9f4fc8ee09ec66e2676fead46e6fba6b9e20179181033d5a6c47237b71aed3079351efe0a027e31

Download Submit
C:\Program Files (x86)\P4P\p2psvr.exe

Filesize
88KB

MD5
0d179cdd9880a200a8b173be60e6cd83

SHA1
166a298fcbba0498013084668a74991f29d7e895

SHA256
feb33749950db4435f243c14b9c2764eb60d1db73f77dc8c9eee94151b577854

SHA512
07be3e9eade2b5f7f6ea96273b8efc5eac3617f9c29ea16a0f34cd15fb4161d1be36ed50263ac3b4a152fc16a8fceb33695880e2b96175d5795d7e27e557768e

Download Submit
C:\Program Files (x86)\P4P\skinpacker.exe

Filesize
80KB

MD5
1dcc2e157e33c273a0dd0baa2e31a5b8

SHA1
2467bb699e58a3b8f625e608611401a44617f249

SHA256
e4a8aea075037aa152190c9ac65e619aac505745566594363ae7d030685b6a4d

SHA512
2b5b33f7fc56f461564b903ac674a4dd1109035d021effb5a04fbf4254f6f873cfdc71c45275b60e8999dc0035eab9ff03cae86685edd1802b869f95fabe0ed5

Download Submit
C:\Program Files (x86)\P4P\theme\00000000-0000-0000-0000-000000000000\1.bmp

Filesize
852B

MD5
cd17af59183b795f5b7c62506df9c07b

SHA1
0ddf98505dc3d2168136bf515eed48577a2fa8dd

SHA256
4f9aa334d45c23933cbaa167d6b26860f800f0a15bbf1b3051df86058fd23899

SHA512
47626025f0d92ef66433d6a3c8d2700c320be7b5619bad397df6083a5601c563438c22fc0d436183fcf8f738f0893fcf6e937c93c17c04b17115480d617cf834

Download Submit
C:\Program Files (x86)\P4P\theme\00000000-0000-0000-0000-000000000000\2.bmp

Filesize
5KB

MD5
a647055a592d648769c9ba8507120202

SHA1
9c49f94d1f8ca4287f84061231363b8abfd03590

SHA256
ca5dadc746f3680b7cf464e72297fe62d1b9e72ca6751f8ff85bb52ea234bb4e

SHA512
c8c85cd73a98e9728bd7e61304c6645855b2bc678d5324945096022ad843c25b702f0975230762d7c10c3893417eee7e730148b901a0cb75b692e686cef1db48

Download Submit
C:\Program Files (x86)\P4P\theme\00000000-0000-0000-0000-000000000000\Plugins\1.ini

Filesize
564B

MD5
3067a2a1a50fad9dec2f9656a55247fc

SHA1
861e6a85ea81eb803ab6d17d35e6029a204a1aa6

SHA256
27a0f338157f9fdfb624fda51fcaffb9650be990cdcfdce6781f947e04a8cedc

SHA512
c68b7fd2bc33146252bfcba31a9c76b994d9d5271a72c54c1b0cf756b454b5a94bba67f1f33b19f40206e326da46b651ed7c87fc122826c03c0bc8d9b1e7a97b

Download Submit
C:\Program Files (x86)\P4P\theme\00000000-0000-0000-0000-000000000000\Plugins\2.ini

Filesize
590B

MD5
62e03e40eccfcc56babf554ee4c5f5cc

SHA1
3bf7d3fc3bfc90a777fb22467f7b5baf46638aab

SHA256
8ebbb2ee0cb8c26ccc4b74d2d6f0230c7e4e609dbf216a36fc651a0f4444a0cb

SHA512
0fb81a4603325bfc64d6d17797643ca4f63fa671b0a9b72039365f30e40e0d65e8c189f91585a42699aa846fd15805ea2487e7ec02b90d4c630c1b730c25ef0d

Download Submit
C:\Program Files (x86)\P4P\theme\00000000-0000-0000-0000-000000000000\Plugins\3.ini

Filesize
446B

MD5
bf6e47dcf5bc9abb96239b5b778b4f6f

SHA1
78fa7761752ff321bd30bb39fac223a506324bcf

SHA256
22bafe56038fe4adb2f9457721702787f0cb171124676d43fdc62d30338975f7

SHA512
25e2f7d3664928e9d9ab064c89410c7a3ceee2ad70f88ed021e07edfd11a804e9b1932952f5b67588e9403bb0fd889794bf8dc65433fa83ef3720289f663bdfb

Download Submit
C:\Program Files (x86)\P4P\theme\00000000-0000-0000-0000-000000000000\Plugins\4.ini

Filesize
452B

MD5
89860f4006026169278cfe36dc745b67

SHA1
5f3bf88632a6c0507efcd0f65d525b5edc5b60a3

SHA256
95a21642ed26d8e4412b18a660915a1ec47eb5ac2f1979e02cf043f1c159ff08

SHA512
f94432a716aebee7987d1474550401404c822639fd349537bb285c66516892df64b2588a9e9b13a800e6caa637a4490d69b64dbb963ccfbbf70728d4241cf40c

Download Submit
C:\Program Files (x86)\P4P\theme\00000000-0000-0000-0000-000000000000\Plugins\85190a08-7b40-46d1-ab1f-0436c6e906e2.ico

Filesize
1KB

MD5
3bd6a747b310effffd7aa8e7d5fba48f

SHA1
cb08b8a43ece74cc6d86dce2ba78bebe1322c456

SHA256
227422a09a262080194b031e2ca0691056c9bbe977003b78f8357420a1651705

SHA512
0e29c30931a5bb9777689a249476a1ddb79db2e431918f89599c0967a404d0c81bdc1a44caf4577292d95e16f41d02bc7faafcff762ab39a1a0516e037981730

Download Submit
C:\Program Files (x86)\P4P\theme\00000000-0000-0000-0000-000000000000\Plugins\8b57e939-74f3-4168-9281-67796df3a410.ico

Filesize
1KB

MD5
b68a9f21e3b45ed05f093c327ab4892a

SHA1
173fe1fd9c436ae81a45bd6a37bfa5fed315d0e2

SHA256
b446f849d73776508b015b925ecc1b04af5e3f04c0e95c9086f1abc8f15eadbb

SHA512
892ae348b441ffcfd5c925a7ebf0ad19168acb876e82939fa2ef65eeaf1538298d28a487c07cb05ab69067dd43bfe3a2dcf2868d0a22d2324351e272365c3038

Download Submit
C:\Program Files (x86)\P4P\theme\00000000-0000-0000-0000-000000000000\Plugins\c1ba2e53-3bfa-4426-9765-00459c0b8a25.ico

Filesize
1KB

MD5
b18f780f7347300cb95c0ae89b125cc6

SHA1
e6c7f08697a9efa45d4bc08ce13a3b1a6169b7e5

SHA256
a5a57de5e5cab4adcc945fa34d5c23c0dd350d7615b73ccf21ffc806209b933a

SHA512
d51584c4dbca10f464283886cc4b8b42b18851810b0f59265ba72f02f7e2f0c858d61db42ab81fec6b67b71525ce976e24b7da6d38703362027aec8be5a568ad

Download Submit
C:\Program Files (x86)\P4P\theme\00000000-0000-0000-0000-000000000000\Plugins\ec3dbd81-fe29-4312-83ab-2af6a79ca3f1.ico

Filesize
1KB

MD5
6c8360ea81447da8fa1524f445d8eb4b

SHA1
f4870a577bb016e29bd9271a9551024244a2d451

SHA256
68b79c5eaa057c7a5e6f8be86c81495e773482a67708e0c9540aaa1078c2acfc

SHA512
d24240ca6f66d98f09783d4a13d033c80d7718bcc06e7207116613829fe99cbe046b0f9e2b22908d5a743ed657275d7ee52be43d8bcd923416d266b439b259de

Download Submit
C:\Program Files (x86)\P4P\theme\00000000-0000-0000-0000-000000000000\theme.xml

Filesize
882B

MD5
77b7208d2e9aed3881206a1b81cefb34

SHA1
5580bb1c8d7b5a1f193da3f7442dc943aa8db9e9

SHA256
0d818d48686cce4760c5059f85d3c09c207c2c4239e0ac3708162f37e20acf9b

SHA512
f19c88c2facd68a266b2476b76397a71fcb38b4d831ec6f55fe239c192700ade34ddb8bcba80c4f71eb1720441f016b12938f244645c9d0efe3379a0245209e3

Download Submit
C:\Program Files (x86)\bckmsn\bckmsn.exe

Filesize
237KB

MD5
ef5ec12bc67a3391646e48810dd2bab4

SHA1
b57e0aa8ade39642f454c1a179be4ff94f427702

SHA256
5fcaee3ea4ff2b50085af85f3ddd7ae9cdcebcb7a819c5b5d744fbe91a4293ae

SHA512
504702736ced85c8ca01fd7f36a5cc30706254b5fecdb45c05f494d3130f6af08ebc468923aa89a0f95b7b9091f3aa390ff2d5cc5378bedceaef9b4cdd46fcf0

Download Submit
C:\Program Files (x86)\bckmsn\info.dat

Filesize
4KB

MD5
b879cab8736199a150f07f551dfc8f2f

SHA1
f09ab4bbd42bbc80d5ea7f1c44b2cb54c3541018

SHA256
ef6a059c7165ad3bc6060965eb3440544066c10f920045be0a3793970a8843e1

SHA512
7a390cd4ef77f1c1685a9d584873e22288ee4fbe7d64d42b2aff3ccc9a307eea6cc4348798bea64e84dd861c77adb0081c9d1b494fe87d405505a92637f92acf

Download Submit
C:\Program Files (x86)\wsearch\Search.exe

Filesize
88KB

MD5
610595ff326d38e997796d9725c1db1c

SHA1
a2c4e29148d1b2a3cfc4f88938a39d60791186d4

SHA256
983652684d3cc24262fdcc587f3f2a7c1e2118b3d7ac4ee760d876a1ef03a86e

SHA512
021d063aeb23134c2332986c0a800c64e7a9f660018f3ec5ce1f5e7f487de6cf6b329908869a01b20426cc119c90a3daa880b82bbff86587eba5aaa7538e4a43

Download Submit
C:\Program Files (x86)\wsearch\searchm.dll

Filesize
32KB

MD5
1347396bc1c22564878cb94f3b810404

SHA1
d92d425ba15404c081a2e597ebdd74ac7cda17f1

SHA256
c928218d0244e1c8f8b78ae474c0d8805d1ab1033ef437dbec60c730993de6c9

SHA512
a37f1637ed55cff8280b790632f023cd4c3b6bdf98eb5d95e4a2a0aaa6a56e2e2ba48ca1779c8cbf92202304ff3dbc6627aaa09bb4a557e419830c5bda15c238

Download Submit
C:\Program Files\Internet Explorer\lib\u88.exe

Filesize
44KB

MD5
c9246c85265ce6e0dd271aaa77d82a50

SHA1
bbc1231c67b80dee1d786beebee2bc9c021b6653

SHA256
87b20beb01bb6df45f85c23c53b13d92e2db00a8867dbeab1bc410420f3eaf1d

SHA512
bd63cbfce8302f4c376831c28c0b6cbc9e15bde54cd0cedfe2590afb55d8662d3d9d406101b77cd56e7f5f615b9d4d07da0f8af82f3758eaa00bb69c265a40cb

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\°Ù¶È³¬¼¶ËÑ°Ô\°éÂÂµ¼º½.url

Filesize
126B

MD5
92218e26c5dd37e660e1bb95ddd63b9e

SHA1
f6f1fa7897b6a868e3fb22ca86f2f6fcd4b6d0f0

SHA256
c2ea7aa75bc456021b9d81612176481a077a9db465d86fd5bb5cec8eed192142

SHA512
0646d32bed716ce4796568a0a8ae759f57879006b420d26b3f1bc84c25fa6608950e83a5b45926df2b99b1ce8f5409ec9ad52db63b2634bc6b7c28dce7a9e538

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\°Ù¶È³¬¼¶ËÑ°Ô\°ïÖúÖ¸ÄÏ.url

Filesize
127B

MD5
d10620d94a4bcf18082d42c4171ca514

SHA1
4171adbf386ca788ad3b2b28a9d22717243938fd

SHA256
a3eda9c70339478639a0159a97fac437472595eeda99c07767b33a43850dc92b

SHA512
fc4fb3af2368840f0be621de128c84e2092c39aa835cbb6a282cb692b15f00a65c43ec303662ade23919cce64dbe10344662abe64470269824f507153d2c7ddc

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\°Ù¶È³¬¼¶ËÑ°Ô\¹ã¸æÀ¹½Ø.url

Filesize
123B

MD5
3e467f2735c1e58d2634c3fe8f436334

SHA1
cea7862c5f9f31492c1dcb2bca4cb25787df565a

SHA256
85de95bf7dd047e20f10c0a47c12b21655c31657e72539a40d2b7aea044b301e

SHA512
1130fedbb8403bc1e68b51361f615bd8acbde53bd5a30c02e4e5ed7dc87c160a7237fee96fe58e16011f64e7e9e19b01e25e027c2054fb2cf5816a8f5dd69ad0

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\°Ù¶È³¬¼¶ËÑ°Ô\À¬»øÇåÀí.url

Filesize
126B

MD5
d95495e899435953a6783c0314c1350e

SHA1
347f83d0dd498633d4be0e6690126c8313169d23

SHA256
2829ea044762270b03bb27322b72df3ffc81b4b94deccf185876b9408f5ddbaf

SHA512
3d72d2b3780c4b11d2155c4cd74eadd31cf7ae037052a9432d942f08f8d7bf5f369e59885d7e1cad14dd846bf82cf358f1de96ae18da9f882b474b16ffff4624

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\°Ù¶È³¬¼¶ËÑ°Ô\ÆÁ±ÎÁÐ±í.url

Filesize
123B

MD5
6e29562229d283003f210be1a4ea3b38

SHA1
18979d48c82a88208ee55a4f57a39dea05bfeec8

SHA256
38daa5afd215c1c99020beafa4ba37c7ba88229fa3702f7b16b3901bd61750dd

SHA512
5ac1d3ba17b67e1ef483b7b03e8da9ad0f95adfea65f1d7393815e176cddb07461fe114ee612b4040eac17a6c644af6e4a2996da8e5520c9a222eb23e411e0d5

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\°Ù¶È³¬¼¶ËÑ°Ô\ÏµÍ³¼ÓËÙ.url

Filesize
123B

MD5
57c64c9d4155ae2ffbae9647f233bd16

SHA1
7cd3d4e8f2b5008eb1811208d75239082b5eb7da

SHA256
643ca07421266240b5331e923b4f7a30be3144a550637bf9c61f9e9973d957aa

SHA512
f28eda995d6abdea3eeda02909dafa331639b5664e71ba53fd7761068e615e23b7bc2b7993f0b7a677d94494b44439b1816997c1523a548d38b0679f366d7cf9

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\°Ù¶È³¬¼¶ËÑ°Ô\ÐÞ¸´¹¦ÄÜ.url

Filesize
126B

MD5
0af1d9ee3aed5f7b34e7268134ea416b

SHA1
f981dc2c1bfb6172c7d527d8c9c273fb1f2ea856

SHA256
276b59b2946a0055f5e96bb06b7dc2b33b64b682ea5389b6d2d8918ca27bc38c

SHA512
15e44e2341e04c3248462bf2e24016e66f1ac498cd29e752ee7f963e3d7b297ce9329f631282dfeb016fd80e9a8260001bfa2dc5e649dfcf44b240bdcc6016dd

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\°Ù¶È³¬¼¶ËÑ°Ô\ÒþË½±£»¤.url

Filesize
126B

MD5
32999fa80e4f6c6561346a99595a8f23

SHA1
47880460d7ab5cb47c0b5aed6a7f2710cfbf4dd4

SHA256
73bbd206aab8a1775ead488d8004b87a6de5d74926aad0f19084e6eede7b09bf

SHA512
afd3caee0c4bf56c91ef5af0cc4bff55b55ec251399e7b0ef4543fc23e6e264fa625935b845a3a74e7902726883cf9406b0d969502c0c0432bde0953efc8e97d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
61903c028b5613b8fdcad111920e2a20

SHA1
076f3737511c486b18e46f969312ae5de28a8f48

SHA256
b52749b780fac230fda6ccf76a6414ba46bdfdbf12d353cfd4aa7091be831554

SHA512
38fc05b9f19447040c5486bd6b832cf0afdcb03feaa77d6a5ddeb8e0552d9877e399d5ee3685cb71bfa644fbdadbdc7b1c8d00112162ef12a8eba5a9f01377df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
64b1365e5c4b0f7bdd3fad6039743228

SHA1
8097c7a8775596c7477a490a149b6021774710dc

SHA256
ed26d47442fb211bd83acebe7cb97c9329d52d3962aaad943421cf4ebc512152

SHA512
460c8ab86de790c4c3881e763fdd55c0291cf94331a1818267f682eca5748431fd7b22a91a5efa39fb4bc979a1b219d15ece3bc020d12c280352d558b8cbf455

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
000a0c186e88d2b589c0e56008a820d9

SHA1
759dc82e01fa41bb1add3e757193c42f3b2be928

SHA256
c1c3cbc3437961ab0c3c3dda5d92f663962a0426b1c6f351e326c8b9b54a113d

SHA512
7638dafcd01d3409b5ac5a628817560088bec332e569bc7706ab28e97d3e7a261a72d9faaface10386540c38b0e82878e14ee82224711171a9e62e8385c5bef1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b04d65c8cdb6afcff45be6848c380632

SHA1
2d80a72b78b5686fea207ee5ed0a20bdb7095a26

SHA256
0e7ff4a7a0d8cc072110f86aa7e322657904cfac189a7f96a2f3ac1504edd651

SHA512
51b1159e485d0bbf3dc363d586b4862508b5e3f82d072f5229df7311b0730c04c681be97d016f1217cab660c27cae3cfc7d33937d320f0971dd6bd5824eac6d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ee3e77566b5ddd34a5cbc6d1eccfeee3

SHA1
47f0492b4068b34979d045ab6c3ac8fc94648b96

SHA256
cb47a832e9fe1e5669355311671533ee518e0b3cde3436bb276d21742eff2c6f

SHA512
4b4fb576aa344aaec018401e8d34cea21b94e68f5385cfaae195c8334b3dbb4ae83aa4b14c351c915541f355a662eb4ee8ab82a282f3a4765a0b215ce612dd7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5b2b9d1e091a9412ac32152db265a536

SHA1
3397d00144fadd15f43bc386793805d723be56b9

SHA256
80d33fb03d0689cb20d113c0b6a0e506007d2426b42d4d4a825c3ca80fa3584a

SHA512
46900c8f5977b8f847d3359534469905258b34341f0d1c381d36442c914f6aecea066cb38f8180ce171e44777fea2f2843bbb355a3a06f935e76822f9b67ed9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fa008860cddb316f72a53485b047baaf

SHA1
f6f045df25bf0d58f845f091c48027c297a15964

SHA256
a482caeec621762539007e2bceafaa8a9e873de7691033ebea0d195dcda4a170

SHA512
4a7bf034d801a8d53757b3c0c0b55736c68f8d9c31dae8fe0da40d9af6c15b673d9876820d44714a7eaf9f9fbd7c26b74d54ef2a0905a5e1e20bc0c46e9ccff2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2029f21b110565b98bf2eff8d973a3f2

SHA1
a61deedf47aff7ab6208f5e6a945db3fbe28596a

SHA256
a6bb484932b4bc3bcb2a2e6d3b2cd3eeeb40f36fe557210c286ca6e7333e06d1

SHA512
61fc65e62fa4bbf290be8e875d5e6855aaf0f941a8cb6e563ec63f2afd4c63c48c34edcc73b94e3627085ed4269ff1af14e2edb5f5ecc93e7a6c2da9a336bdc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e6647ac162545c27a59b08e7a68f2928

SHA1
1d8dac43d5e1d92066c4bb024777635e17ac7e7c

SHA256
4091c8d95aa3336950cfd6437b4d529f52b448bc99d53926fc6e50c9622034e7

SHA512
bf310b02aa0464d1d35acf4badc79e22933c5c47016aeed2df0a0ee531e77f52c0b0eb2ba8f2a888a133589eda2405fa071c65b4086ce316cc7ea1fac5258479

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5a4e3148b52c381c5ee20f5886a5765f

SHA1
b70c618efea4c05bd8e707e85c7255c3ca819db8

SHA256
13608c9c2f81a5c5da75ae0255a0266e0a447394db9d22796a5643e6e32a06e6

SHA512
7123050498f6024e26a4aba3981e1dffb8044b7c2080494e92b3d1b3638988e9644ec0c7dbbe5d2b32b21f2fde876968ed663e936e9c8b01fc81d09c0b44b369

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a09a1af9e3434ddf8d89ce42c16dd1a7

SHA1
0cb278729931d827ea7115b6b6b8df5e3d9e5351

SHA256
e8cb931b1c896f606231aa1d32417791b271b1d746615d8cda81b7884f3e3c51

SHA512
292fbe06cc6c0823d541004b53435789bbbf62777859aacff37317b00180e8e8f0eedb96c23ada741f4edcd97748321a7692f9915865d478a24c77f572b93978

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4c74c0848f9ad24def641ce3277467d8

SHA1
8383741d4b147be23edaa5c45ac665bc4d75a594

SHA256
ca4c33b26d1fe74db1db2bc6ed2c9b74cc0c81333bb08dc37f114219043a8bb3

SHA512
9fbf459f06209734949dfeaf04e5cdde163ace6bd744ba878f44ea157c83a8097709d568e0b5fa7ed317daa6d9e60a4d5d636363366ff61e4af1163d5ae2dd80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0b5945c590a978fd449c1b4a8ee3eaba

SHA1
d098cd905ecd6a9ce1d8872df08f807bbd87f9b0

SHA256
78f9da9af3b81ee97ea4bbfa931818228cfc6f474effaa5bd44488a62eb238eb

SHA512
58a0c68e8605c367cf1a3180f84ed083d88e9149bf80768994fc04badbefc7f87538a026709adca1c98615ae0538cb07c7057673d10e3e135be9eae6fc0ffcc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e48bbf7c0bb027568f315c7f03d243b0

SHA1
e2273eb707372a3dd0929b90b5376ab0b8a799ed

SHA256
6294e6132c5fa6992bef07733c86754e08eaf0ddd59b6f1da4b89babd0e9df51

SHA512
81d939b8b0f638e2293932c149cc8a89e7486b26e5abcf9ac908320f005d0cdfaea7e8a59c15d716d1f4bbb09976654169652061e7bbb4b8440995b6930ed48c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ac9cc6615961c9f28bc013a362d167a1

SHA1
c44a9a2b669bef95b4ca18dba7deb437c3a6bc94

SHA256
1ca9645941b97c4987bc86ce20e17c6951c7d5ca1adde5ea5981ccaaa87cf181

SHA512
2749ccab03c0e5b4eff6e11458cae6386d09e3e9f760836987786df12b7aa6a23547dedacc443df245506442037589b88471a66267689d4ee93216cdedbc1a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a233fa22ddee94b7a8bd4c9ca8c3e065

SHA1
457724c6a18c055a21ce611c214c234c001dc786

SHA256
db04f76e140387fc441d2650aef9203aa86fdf66c34190701578e8ef1fc88b44

SHA512
7d915bb1d94e49c9966e9fa8f1c74d74f6d55d1d8e309cd5815d7877216c866d1a5f9694da6dc51566116893735db6274ce64d0fa13206b94dbe3fb3fa73d931

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
63e731c86026e84d89cffb20cd297613

SHA1
f0fe54985dc6e51b316127beb9a1e175c205ec2b

SHA256
8a4c1054a907a6bdd2876b7bc119d24592c536120ae4183e04aeaacc83f21334

SHA512
84a388f5df86b097eac3197bf10feaf969b689e3afaa88fe5c5e1bc3c3e9c76097b7ecfa23c887c74d9cd20a32d0b0111b21b53ef9eae4cc420bfd11d561fb29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5cd6f081ef6ec080f05363c63c3a5412

SHA1
009a0ce52d115bbe76f1ffdaadbb5f9ce15a69f3

SHA256
081a77de94895d9f5fe9284f85f31dbe70686e405d0f47c26c261f42cfc52fcc

SHA512
28d3afe278f1d94e3d84003a60aa7aea66d23a592c1f239d3fd02ae959568b10fc3b165e4c4ed8e1ccf340d349ed35c7020bf89c2fda4942781a60478f564cd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f5e187de891cd7dbe4d7dbd7e7fafe81

SHA1
d9902533ea1c7896fc56e5a0e73c08f23bb6319e

SHA256
54cecc4972f0154bfa9075109bbea8aed14ef0287b1378847d2d2ef1b59d7240

SHA512
8fc1596794f1cf7373fdbe41f250663e124ea5fc94bbe39740c2242f682ee6d0414e273fac9dfb229fc5981b51fa2b272534a377dc4566a8e10815c64006db76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7523.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BaiduBar.dll

Filesize
432KB

MD5
1c605a9a4ce467fe73532b2b3fbbbf49

SHA1
6097ee69da8a9324eb5b7042fbb54c1e560e2017

SHA256
0a62010ececbf510cf1976c337ff81ab13d0d6cca5fae03252a198395bad8249

SHA512
d24a8bc2d3c0d804e5e091f03ff7a6d8eab73d05afc14f3ccf4d079c6f39add29b74b1e940151dba93cb46b44e8e339d03b47756c5b27b7a95096ff61839324b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.inf

Filesize
587B

MD5
0c3994fbab1f2de3f85bc4307eaf807c

SHA1
0b069e8f556ccb1bd8e25cffd7dbeed004a19af8

SHA256
1f0d3ec96e317b505d6ed2e73f2f9af7b885214f2693d19eed61da2a764b2661

SHA512
a51ac973bc7b3987e572d26ef03c704857790f94dac445bbcb04d33733ba468599b2373a75357694c205d762e096e23138e9edb497fb5dc3ffd8a67e3bbd86dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar75D2.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse8B70.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse8B70.tmp\nsSCM.dll

Filesize
5KB

MD5
96c2f66086aff56cb2b4d3acced2f378

SHA1
36e27b9df1e1b02b90be2dfe302520a78b2f96d5

SHA256
2f19ca93b60542fa814d41238f1b79ad450bf935fc0f45127c5a403283790dc4

SHA512
ac616cdd2e6c59cf088891a9b450f4d5607747b2ca5184f191d4ff81a19e87dadd4185ca16533165f0dc255aae6e19c17e0670ceed5bcce8271746809d7ceacd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst6395.tmp\NSISdl.dll

Filesize
12KB

MD5
ed1a0e9f2e43d0b9911c20830bf9c70b

SHA1
6dc197bea1dcf81444148fb7cf963dc5f0fdda7d

SHA256
eb2aae4b1168d2cea71975ade37869988fab95346b8d4e8948dfa5b102f62f69

SHA512
6fb0210958b7579656e9f793adf4a03e2d5619ac6d76ecd2ce7ad8402bfe3273db68a04e551d8e3e76b6e9fd4fc09b5a3714db1e2da61c023ed998365427bed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst6395.tmp\System.dll

Filesize
10KB

MD5
10c44246d99a1c2e5f5e6b52b111a63d

SHA1
0f41da79c3e789f4ae38738e3a5d73c538f8af4f

SHA256
7a24883bdbf08ce90938094b6ab6f09a842af10b18b8ae4d70da2e6b806490b8

SHA512
e5b0fa27cd02a67be5eb9c63646621d3e9ccfada98659c50dee8310a58ce12e1a6a059788b85f0f440067ed7e281a0e1a526b9403993b9000f91a51bfbb50da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdn.dll

Filesize
32KB

MD5
d2829f213225e47ef57798652673b79d

SHA1
97998fa49efe17d383a91839ffebc3ca2dce67f0

SHA256
0ca6f98d230813f05019f5ecf67b8b460aea421b3a9020e3e4d3bdf1d8f01988

SHA512
405d5f18bec74f95ed0b2d319ac89e8e4d62ac7296f7d3d293882e3ce5f4d38836d871b0fa59791afade2fcd9fad24135a83dcbef8c1bf286c473cca9e88397f

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnaux.dll

Filesize
36KB

MD5
a7a7b73184d80b802d8f324b29c7574b

SHA1
252f64ab7d06c781dc782e7dd51440a8d7d1427e

SHA256
a168517f1428b8926cf4c161b6c1cca1dd17b85b98766a15f2d582391283221a

SHA512
48e2d1c2b0e678feb73c32dcede5befa5ed8a86dc23ac3e1ff82d89edec4a668fa5e5145f0e47f2e511f17b8138d855f13013fe08ab03c60cd7ead15dadfd9c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnctr.exe

Filesize
56KB

MD5
3cdcd6d87cb6fd238fd4ef3c20d51cd2

SHA1
8eb2c6e1b1b397fa0fec67eeb0e531870474bee9

SHA256
8b4ed9ae5cc04ed0bfa36ac0c7f4853e9b3d03078387fd33cb595b3a15ec4443

SHA512
7ff586ff8729b7359081737ecbf42bcd9d69f45756715d1f0c2fd8f902c37dde355583ecdf7362720f253d576508fb450ad73d64799ba5582a7b7f2a15867ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdndet.dll

Filesize
76KB

MD5
a24feed08d91dde5aaa97bab14808175

SHA1
e0fcae94a2cad1015e27e5e4466e076923a824f2

SHA256
fae04d0e4f5a0d4319f50a0163aab03c739e4e3bd48347f1bb6f54a0ebf93c26

SHA512
d0b143d3a7493f90319894df1559c307799a00ee4f967d5e85b1e49fed441d4ec98050bac524b57d74aeb68b80844a51be3ce842176ea7c557a0381848ee61ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdndisp.dat

Filesize
408B

MD5
c446ea5f7758e07542e47c5353a843bc

SHA1
ef4db3fc423e539f32ea4625538351f46c0149c7

SHA256
d834262537368b143c1e39801122c7045bfe1da14f708a935e44a46963deaaed

SHA512
133895206340747a779fc60cd8adea33fb7298468f908c30a2283c089d6387452ca7bc2ab140b73e0d5f8291edd198fe01dfa54913cde401c8e7a833396b908d

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnglo.dll

Filesize
84KB

MD5
6fa516fc990b1e06e2d7e9ba328be19c

SHA1
eabcfccfd669408825b8851b397dddf2700f8380

SHA256
bc1552201f7cf45185c78540d2a894e6e23250c4187014fbd18b123e5429ded9

SHA512
aece891396c20bbe6608620c31550b2a8e08f1ebf4f9125545ad11464c35aa7338619a38bf33a0efe2ef4a657101d526819ec799fdeaa614a3b694ff2e672f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnhint.dat

Filesize
617B

MD5
9dfcd4bdb68132d89824172847db86e7

SHA1
ca3671ad08c33487b4b685f5c166934362ef877e

SHA256
608a870b870ac5beebdf9d9fa6f85d5abde08274c550ab968403b0409d65030a

SHA512
daa209322c78eacc9ba2773c3d2dd7f66bcef88d41bc818b426cf358d290282d4b1d1ea130fd9ee2f567915cf7aa68976a0216d0ea2d95d211b2001cd3e88d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdniehlp.dll

Filesize
112KB

MD5
6d684c72ae70bc2621408c7389a77d12

SHA1
f6a073aa45954be4037f24c4e27eecf7f03f4cf3

SHA256
a71ace180d93d9dfd8d9c3027c051a8e2d4cb39db26eb7243cc349e8760e489c

SHA512
e43efb5c2f228d8421321fc98a3b4db68208887f9ba04c81c7f41442015331c5c32594d54e3ee6fab781216051fa72ae7cddb3e3a3d594d5b7f211ba8e7938d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnins.dll

Filesize
72KB

MD5
ddd3eda4b579e482e23aa3c5132cc14b

SHA1
9b88c9ea2175283f48d4152b9ac24a63bf2c217d

SHA256
871888a6706c56fe3441dd4e2ad556348b31c9337e3984a24fe40ee14bdff60b

SHA512
7382f548de6239ff5ffa6a0689d6f77e7b13f8ef6b21960e9a4d7f4db0e577b7ea156d95db3cbcd400ec1f68ce8666e4c53009e731ff250fa2ae1efda6cc9119

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnns.dll

Filesize
22KB

MD5
b9ec30062a67883d1ffdcc498d17ed3b

SHA1
a74722a2196e77dfe8bf85deb5942269e0e9f4bf

SHA256
23493233c886b2e02e48c4b47177b814aaa988c0f0f3e4ec8f168242fec1e0bd

SHA512
a8f306b286f6d36abcb20b2571de3f8aba1eb075b2f2334bbc2c7e8f462c69448bd9a6297c1d3117ac8d0a023fd4a8bf344020a103a3ad5224b377b3e92ea889

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnprh.dll

Filesize
40KB

MD5
6bf77aeea07670dcb9b7507573d93489

SHA1
331aa409fd345fdb76877928eda7f1ea97a8f358

SHA256
17b60d34722ff32014ce272f568b30774f1607f5230e24b88381ab99aed72d5a

SHA512
364109d674d8069cb476f52db7e059c746b475c8ebb6b0986cb07ad9b7df232edb1744cc37f8d048d7725aabb53274e0dd1682208846ebb817ac0990a1cc0ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdntdns.dll

Filesize
64KB

MD5
33000a1da78887ec0c3395956dc73625

SHA1
4e95eb95bc0a0748dacdd83ea0e00128580306f3

SHA256
fae2c6765a6643e4779900098d723bc08265092f47e07ab4ad808c8d27cfa5c8

SHA512
ea9d381775f1997e6261de44e1958f1f2f8329096f318326febc55c3946a1c115d8143627275ed2f775b58685973473daf97f683e91063448dfd2505b77337e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdntran.dat

Filesize
1KB

MD5
496b846a17146316874633bc503101ca

SHA1
cc3e8247268f74bf26d8c4596ea62b1677c715a0

SHA256
be84e1f1216979f765c048617636afbfc8092338800348456051f81bfea2c838

SHA512
5b7aac5f836e1bc9cbf49e0275d66136649bc20dacb2a3c3fb8edeb9ec87109b870b1a8a1ec1c8f8bbe64319e509f1f879360478d0d3513976ab8177189a9358

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdntran.sys

Filesize
12KB

MD5
c61fcc6e2c783ff55ba22ca296b4d11d

SHA1
3a7cbb7083fa35fcb338ce486899fa22798d50ab

SHA256
9c6a75ea1e8198efaac0d037e5b9fd41fa1e84a39dda80457dccad03a190b167

SHA512
dc95b8c0d993be32acae2a4b50f9009730685aec8cce0e0f02dc38a60c804deaee091a191e081da1a9be6ca4cfb73c210266611e49916765acf53fac9f2e763d

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnunins.exe

Filesize
68KB

MD5
182330b5766815c8727e9ceef6bacb72

SHA1
8b96d4c0ea04e1791bb1139fa0287be8e6993c7c

SHA256
bee606d848d460b632d3be66dba2b88ce45b16695bb6afc0905c283764973b5f

SHA512
bc3a57848871546bdf29509cf37b05f00c1f676bb068c24309d914d80e0da93ea0620d1523b75a4d7f17ffb147c7e96aa095f084e1851d5ec2590bf29ae72cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnup.exe

Filesize
68KB

MD5
617ede36c58e86027da051debdaf4c81

SHA1
b94ee8a31691ad9227138cdb14058e6c867b4a75

SHA256
d499ed2f18b0fe4c8407b54bc2d53e6d8f3d99e398c42bc33fc3525b10697b24

SHA512
1a02e337d92d5f4f694714bbde8c60181a15a73a5ee4544d98335911ada5dfd7300e39ed5972659ef6f17546145ad26d1b5c926541a368681d2b5abb1bca3a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnvers.dat

Filesize
1KB

MD5
323623a4fcd34062cf58e4160494304a

SHA1
8511717e6d51abdd10541422ce1f0d33cded424a

SHA256
3cf66a39c25ea39c03237a955d92690907d91a28c3d1e92a36dcaa12fbdc0f3c

SHA512
88c56766a74ff2f6fefdc36c59339f6d3a35f2cb173d13405f5d92da4f87259cf5cbd4c29894e55b38b186ffb9dcc9d9172bf59d93f05f64a92a4e552f192f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\client.dll

Filesize
40KB

MD5
310cc33829f149c0913ed5f79f213ec5

SHA1
1f22f940c5f0905b8ddbf452efadb23d5c942ccb

SHA256
1551ec21970495f40f423341bcdcbde5744560418e47c01c6cccdeb74f6e6946

SHA512
94325996d4f680ff0a3a0fbd41e289e559d1e9a3de8ae634ec1f4d64ec281ec5deb41a9e6d55e66e02a39fda3296c0f15c5b86b1e7ad16309335730c0c5a7a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\idnconv.dll

Filesize
228KB

MD5
53e69b76bc93941c0eda58d85f6e05f9

SHA1
13bb7ed0edfb943f7c981fdf9df8487878a151f4

SHA256
55d8110ebe08d94c63ce16558fd7e897cc7c6aedf1bb3f52b0d383b2d17dc576

SHA512
2acbe0f0ead481be94aedd9be57e88bdcfcd0011088c63c48f7aef438c3833b1246656ce73fbb0c705212504d1e4375725f730cd2110a32a094845dac53fb098

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\imaconv.dll

Filesize
36KB

MD5
925383c03b330f2416f6efbeaf0e61e9

SHA1
e17ad03b6e1fd3c5788f91e2a432bfc324a810d3

SHA256
862f5ea1d81c1bd4a5e8bbff75a7de1cbac7085bb5f2e822d90a7318783af924

SHA512
c2fb1396747525dfe80b91cd65e02dca62d5d48d7453725100fe86fc8975a0bc1d43a770ae303cb380d473ea343d6315ba5239ea0b8e667c59b4c56acb36b320

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\imaoe.dll

Filesize
52KB

MD5
58be436dd3309680ee2818bdc1c20041

SHA1
d740fa64c3b67852b08ff0221911eb168a8189cc

SHA256
ef08403922e31c5bd2bd85500b7292dc60cd75786275625e2a51df96e992feeb

SHA512
1de0705bf2d3c28dd5115ab5d39653255611b4eead37bf63a8ae7508799259e6e52f409b9bfe77427aace559b56cb904c2dea2e9d72b9223a98344b97386e6a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\imaol.dll

Filesize
92KB

MD5
915c0235920f915d7933058eee08858b

SHA1
9945a0d6c29c67fa46cd7359d5b155a914a404ae

SHA256
eda38c4311e2780d0df7d6db8bb9ac158eb8626aaca1aeb5fe44dc6d580502a6

SHA512
68c3db18c039cf17e3e3c9ec15b91419de9fa65321de842e937dcb3f8f9f0d46ad689ea90f6988b0cd63901dddcd9f76f7996b8294a2927b09867be05d781d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\src.dat

Filesize
108B

MD5
3d1e6247dca24e137db01bec3807fd4e

SHA1
7d688d34e816c6df76ea6d55408f219cb9848ed4

SHA256
2ad6443412edba331f530cb40ea48bfba65799e8ddcfd5a0441c3c79399b3a75

SHA512
692604568c924d2d106ac021af8a2905c68aa3a79b6f875cf9283a2c3343b21c40e9ac8bea04b3bc0a9979120af90d95db0b379af7d7839caeae2b50d092b1ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\src.tmp

Filesize
108B

MD5
06840df73cadb32dc3f971656b20d7ea

SHA1
26c0e4aaa7490547dbf8a3f1e4a93a8cafabf2ad

SHA256
c8d55e8ed228803b2763fd535a93803a4a95eca88780fa487280a6a7ec69a250

SHA512
597305a7dada60a9161eb7a5a057f22f223b58372c66907eafc9209601deb7cf51bb933a8473808a8b43f33192c22371e8c50b14637c7e939c38db03054a82ec

Download Submit
C:\Windows\SysWOW64\msibm\CFSQdll.exe

Filesize
22KB

MD5
445bf68113cac1d07e9a516b7ed830f0

SHA1
1598230ef36de04c49dd2e686f900945e9cb7fe1

SHA256
bf1c8e186191be9fc93626424b834982b7fa1fde7e8f659fbb72982991746f90

SHA512
3919c36ecf075d35051e185b8254acbeeed54a1c76004dae5ba3f09fab4bec50e6c29622269c1c892e927e52cff8dd8a5f7851e780d9a67d58b369bbff194184

Download Submit
\Program Files (x86)\MMSAssist\MMSAssist.dll

Filesize
35KB

MD5
058ebd4e17690cef3297184c47d61420

SHA1
f68f8f86377e48446ad236feb758aa9c90480e3f

SHA256
2d5a83b130f656a03233960c913f5eb289977cd56feb43d935ed33c6ea808cc4

SHA512
8eb2399de7fdc56576c75a85ae97e147d8a59c7f1a2adfd401983e924a78e6ca35bbe69e13435edb9dd474915d7523d8ad70219906b92dda1dbc09570f6c36b1

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
333KB

MD5
fe10c09127fa45b9b6c6bb4007b104d0

SHA1
99384f8cbdd30d2da2c5bd5206c40060b63eb65e

SHA256
11bb1df884ef535c1cdae6a4cdf47d667c0638769fa9c286a162f3b82df91926

SHA512
c0b21991776d622d1b8fbb4af95fea46706e830a517fb6d1fddd1c141a3a397102621a09ee0b3fb502facd10b67e91678a190d5ade069a60612924762468694e

Download Submit
\Users\Admin\AppData\Local\Temp\setup\setup.exe

Filesize
28KB

MD5
b9d4e392e8ac6a4420f126cc88d8c0c1

SHA1
3fa9755060979a13973927906222a4929bb4c80f

SHA256
3d20d973651546be8d370ff9013bbdc03282808a212731b92852f0b789634064

SHA512
03fe62e90efaa0cf064c335d7dd4df912f738a85726eb77269687f398511b883400eb0b95d3a8158d2a5b7fec37e073bbde754a5b53e17732b18f667d9960128

Download Submit
\Windows\SysWOW64\stdup.dll

Filesize
22KB

MD5
dd7f9470045b4b6338fe4973f3eb8aa8

SHA1
446787465be7c52456b56061f7c31b24df730528

SHA256
a76dd4978df85edae624992e4eb95366b74e161965059d33553763f4489dd15b

SHA512
6bbfed3126866aa3d1cc21240df1d191b0b12f225822211cd2cf083ec04a90ac1dc27f2dd1998db89f15c87807666f340bb7124611b548c8aa9fd436ca5640ce

Download Submit
memory/544-742-0x0000000000240000-0x0000000000266000-memory.dmp

Filesize
152KB

Download
memory/544-731-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/544-795-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/760-947-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/760-308-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/1208-913-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

Filesize
4KB

Download
memory/1280-946-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1280-730-0x0000000000270000-0x0000000000296000-memory.dmp

Filesize
152KB

Download
memory/1280-52-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1280-914-0x0000000000330000-0x00000000003C5000-memory.dmp

Filesize
596KB

Download
memory/1280-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1280-663-0x0000000000270000-0x0000000000293000-memory.dmp

Filesize
140KB

Download
memory/1280-50-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1280-917-0x0000000000330000-0x00000000003C5000-memory.dmp

Filesize
596KB

Download
memory/1280-342-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1280-313-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1280-928-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1280-929-0x0000000000270000-0x0000000000293000-memory.dmp

Filesize
140KB

Download
memory/1280-264-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1364-203-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/1364-187-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/1364-214-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/1636-1311-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/1636-951-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/1636-1310-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1636-718-0x0000000010000000-0x00000000100FD000-memory.dmp

Filesize
1012KB

Download
memory/1636-1300-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1732-238-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/1740-261-0x0000000000490000-0x000000000049D000-memory.dmp

Filesize
52KB

Download
memory/1740-262-0x00000000004A0000-0x00000000004B4000-memory.dmp

Filesize
80KB

Download
memory/1740-260-0x00000000002A0000-0x00000000002B4000-memory.dmp

Filesize
80KB

Download
memory/1740-263-0x0000000003C10000-0x0000000003DC1000-memory.dmp

Filesize
1.7MB

Download
memory/1780-310-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/1848-231-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/1848-230-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2076-952-0x00000000000F0000-0x000000000010C000-memory.dmp

Filesize
112KB

Download
memory/2076-950-0x00000000000F0000-0x000000000010C000-memory.dmp

Filesize
112KB

Download
memory/2076-948-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2256-949-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2280-240-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2280-241-0x0000000000170000-0x000000000018C000-memory.dmp

Filesize
112KB

Download
memory/2384-1303-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2384-916-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2384-1312-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2488-190-0x00000000037A0000-0x0000000003951000-memory.dmp

Filesize
1.7MB

Download
memory/2488-237-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/2488-169-0x00000000003E0000-0x00000000003F8000-memory.dmp

Filesize
96KB

Download
memory/2488-150-0x00000000002F0000-0x0000000000310000-memory.dmp

Filesize
128KB

Download
memory/2664-309-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2796-307-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2852-684-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/2852-679-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2852-683-0x0000000000240000-0x0000000000263000-memory.dmp

Filesize
140KB

Download
memory/2852-695-0x0000000000240000-0x000000000024D000-memory.dmp

Filesize
52KB

Download
memory/2852-694-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2920-953-0x00000000002D0000-0x00000000002D2000-memory.dmp

Filesize
8KB

Download
memory/2920-931-0x0000000000240000-0x0000000000274000-memory.dmp

Filesize
208KB

Download
memory/2920-1294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-932-0x0000000000240000-0x0000000000274000-memory.dmp

Filesize
208KB

Download
memory/2920-930-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download