f75b415a68f6d0b292a9f7f2a77bbdb5ca23a78bffac69665a42a7fbe57577e1

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

079f56ead49c756a3b3252c448b9ffd5_JaffaCakes118.exe
Size

826KB
MD5

079f56ead49c756a3b3252c448b9ffd5
SHA1

591dc67706272cc3301c19bb96b10d22e6cf5573
SHA256

f75b415a68f6d0b292a9f7f2a77bbdb5ca23a78bffac69665a42a7fbe57577e1
SHA512

63483b8d3a4325cf7df0d3ab1cff8af1ee7bf891e9f467771ba58441ddcdd27c06898472ada9ccab9d25d9b2a479204a2fde47876484dbace6982eb663c18b92
SSDEEP

24576:mKsoFg9ZYBcIZld7XgcTmFZO6mYeVfuS/t04u1:IoFdcm8O/hnF03

Score

8^/10

adware aspackv2 discovery stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\cnprov.sys	setup.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000900000001451d-41.dat	aspack_v212_v242

Executes dropped EXE 9 IoCs

pid	Process
2832	m4.exe
2796	soft256.exe
1964	cnnic_1009.exe
2820	setup.exe
2344	setup.exe
2844	idnsvr.exe
580	loader.exe
1520	svchost.exe
372	svchost.exe

Loads dropped DLL 42 IoCs

pid	Process
2440	079f56ead49c756a3b3252c448b9ffd5_JaffaCakes118.exe
2440	079f56ead49c756a3b3252c448b9ffd5_JaffaCakes118.exe
2440	079f56ead49c756a3b3252c448b9ffd5_JaffaCakes118.exe
2440	079f56ead49c756a3b3252c448b9ffd5_JaffaCakes118.exe
2440	079f56ead49c756a3b3252c448b9ffd5_JaffaCakes118.exe
2440	079f56ead49c756a3b3252c448b9ffd5_JaffaCakes118.exe
1964	cnnic_1009.exe
1964	cnnic_1009.exe
1964	cnnic_1009.exe
1964	cnnic_1009.exe
2820	setup.exe
2820	setup.exe
2820	setup.exe
2820	setup.exe
2344	setup.exe
2344	setup.exe
2344	setup.exe
2344	setup.exe
2344	setup.exe
2344	setup.exe
2344	setup.exe
2344	setup.exe
2344	setup.exe
2344	setup.exe
2844	idnsvr.exe
2844	idnsvr.exe
2844	idnsvr.exe
1220	IEXPLORE.EXE
1220	IEXPLORE.EXE
1220	IEXPLORE.EXE
2844	idnsvr.exe
1220	IEXPLORE.EXE
2844	idnsvr.exe
2844	idnsvr.exe
2844	idnsvr.exe
2344	setup.exe
2820	setup.exe
580	loader.exe
580	loader.exe
580	loader.exe
2832	m4.exe
2832	m4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}	setup.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\setup.exe	cnnic_1009.exe
File created	C:\Windows\SysWOW64\setup.exe	cnnic_1009.exe
File created	C:\Windows\SysWOW64\cnprov.dat	setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File created	C:\Windows\SysWOW64\m18eug87.dll	soft256.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\OCINS\usrcfg.ini	idnsvr.exe
File created	C:\Program Files\OCINS\idnsvr.exe	setup.exe
File created	C:\Program Files\OCINS\cndsv.dll	setup.exe
File created	C:\Program Files\OCINS\cnstc.ini	setup.exe
File opened for modification	C:\Program Files\OCINS\usrcfg.ini	setup.exe
File created	C:\Program Files\OCINS\kwacs.dat	setup.exe
File created	C:\Program Files\OCINS\convs.dll	setup.exe
File opened for modification	C:\Program Files\OCINS\convs.dll	setup.exe
File opened for modification	C:\Program Files\OCINS\ctrcfg.ini	setup.exe
File created	C:\Program Files\OCINS\uninstall.exe	setup.exe
File created	C:\Program Files\OCINS\config.exe	setup.exe
File created	C:\Program Files\OCINS\idnsvr.dll	setup.exe
File created	C:\Program Files\OCINS\ieaux.dll	setup.exe
File created	C:\Program Files\OCINS\cnprovh.dll	setup.exe
File created	C:\Program Files\OCINS\version.dat	setup.exe
File created	C:\Program Files\OCINS\cuscfg.dat	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10f550b52cc3da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DEB13DC1-2F1F-11EF-B837-5AD7C7D11D06} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9A578C98-3C2F-4630-890B-FC04196EF420}\Compatibility Flags = "1024"	setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d100000000020000000000106600000001000020000000b6b4156a6cce5fe3604ad400c9b7f56f747bc18bf00cdc3f7d814c7029454517000000000e80000000020000200000005a5ab7203bd5128911799cc0f6e1d2fd84f86de5a64dcbe7e984cc2e38018cd52000000059d582273449c471c8ffdf265bfb9c173f9ef5b2f379334b2d478b5b9b1278b740000000810a055d788d2b4da03f7aaf3006f75f4b74f978d1a8a43907b5060fa76094c3b696ea184abee3bb3645f9c12b54b630495b6abc3f21594bdf48b656b816dc58	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9A578C98-3C2F-4630-890B-FC04196EF420}	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MAO Settings	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = 404b66a12cc3da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d10000000002000000000010660000000100002000000079f08873fc28ab7d36ad2a90ca6a13c7c16d3c3d9d14fa8659bb7f343e31fa31000000000e80000000020000200000008197b758613ddbe978e7e35c180a49dfe6a302948312d36e727adb48e26ca46a90000000ce7d7a23eda16304d0a7f39abdc70270fc0369fdba2ab2f30444ffcf965a2315c672cb6ac73c79d775543df8481a55b03c6c8cbb2050ad51e9ae35195bf10078345643989f16d483c356df1d1a1abc9f1c1bc74be5ba3b0d637f54957d15503039190a62a83243b38ef9df32fade6557ba39442ab0a0f800dde953434939744e27162b48547e673b47ad6c4c6a56719e400000009d2db9e26bdc49887e267ba28aff5becb5decac8d307604dc896d00efe6e59c43619d3aa0b8b1a24ce98a51b8acf2a86abde9e524d205228a0be984a64bacc40	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425061807"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe

Modifies data under HKEY_USERS 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\AppEvents\Schemes\Apps	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\AppEvents\Schemes\Apps\Explorer\Navigating	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\AppEvents\Schemes\Apps\Explorer\Navigating\.Current	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\AppEvents	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\AppEvents\Schemes	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\AppEvents\Schemes\Apps\Explorer	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1601 = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	svchost.exe

Modifies registry class 42 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\TypeLib\ = "{7605CC7B-00FD-4A5F-BAFD-828342DE6279}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEAux.IEHlprObj	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEAux.IEHlprObj\CurVer	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\FLAGS\ = "0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\HELPDIR\ = "C:\\PROGRA~1\\OCINS\\"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\0\win32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\ = "IIEHlprObj"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEAux.IEHlprObj\CurVer\ = "IEAux.IEHlprObj.1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\0\win32\ = "C:\\PROGRA~1\\OCINS\\ieaux.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\InprocServer32\ = "C:\\PROGRA~1\\OCINS\\ieaux.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\ = "IIEHlprObj"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEAux.IEHlprObj.1\CLSID\ = "{7605CC7C-00FD-4A5F-BAFD-828342DE6279}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEAux.IEHlprObj\ = "IEAux Class"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\ = "IEAux Class"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\ProgID\ = "IEAux.IEHlprObj.1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\VersionIndependentProgID\ = "IEAux.IEHlprObj"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEAux.IEHlprObj.1\ = "IEAux Class"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\ = "IEAux 1.0 Type Library"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\FLAGS	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\TypeLib\ = "{7605CC7B-00FD-4A5F-BAFD-828342DE6279}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEAux.IEHlprObj.1	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEAux.IEHlprObj.1\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\HELPDIR	setup.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1220	IEXPLORE.EXE
1220	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1912	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1912	iexplore.exe
1912	iexplore.exe
1220	IEXPLORE.EXE
1220	IEXPLORE.EXE
372	svchost.exe
372	svchost.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2832	2440	079f56ead49c756a3b3252c448b9ffd5_JaffaCakes118.exe	28
PID 2440 wrote to memory of 2832	2440	079f56ead49c756a3b3252c448b9ffd5_JaffaCakes118.exe	28
PID 2440 wrote to memory of 2832	2440	079f56ead49c756a3b3252c448b9ffd5_JaffaCakes118.exe	28
PID 2440 wrote to memory of 2832	2440	079f56ead49c756a3b3252c448b9ffd5_JaffaCakes118.exe	28
PID 2440 wrote to memory of 2796	2440	079f56ead49c756a3b3252c448b9ffd5_JaffaCakes118.exe	29
PID 2440 wrote to memory of 2796	2440	079f56ead49c756a3b3252c448b9ffd5_JaffaCakes118.exe	29
PID 2440 wrote to memory of 2796	2440	079f56ead49c756a3b3252c448b9ffd5_JaffaCakes118.exe	29
PID 2440 wrote to memory of 2796	2440	079f56ead49c756a3b3252c448b9ffd5_JaffaCakes118.exe	29
PID 2440 wrote to memory of 1964	2440	079f56ead49c756a3b3252c448b9ffd5_JaffaCakes118.exe	30
PID 2440 wrote to memory of 1964	2440	079f56ead49c756a3b3252c448b9ffd5_JaffaCakes118.exe	30
PID 2440 wrote to memory of 1964	2440	079f56ead49c756a3b3252c448b9ffd5_JaffaCakes118.exe	30
PID 2440 wrote to memory of 1964	2440	079f56ead49c756a3b3252c448b9ffd5_JaffaCakes118.exe	30
PID 2440 wrote to memory of 1964	2440	079f56ead49c756a3b3252c448b9ffd5_JaffaCakes118.exe	30
PID 2440 wrote to memory of 1964	2440	079f56ead49c756a3b3252c448b9ffd5_JaffaCakes118.exe	30
PID 2440 wrote to memory of 1964	2440	079f56ead49c756a3b3252c448b9ffd5_JaffaCakes118.exe	30
PID 1964 wrote to memory of 1912	1964	cnnic_1009.exe	31
PID 1964 wrote to memory of 1912	1964	cnnic_1009.exe	31
PID 1964 wrote to memory of 1912	1964	cnnic_1009.exe	31
PID 1964 wrote to memory of 1912	1964	cnnic_1009.exe	31
PID 1964 wrote to memory of 2820	1964	cnnic_1009.exe	32
PID 1964 wrote to memory of 2820	1964	cnnic_1009.exe	32
PID 1964 wrote to memory of 2820	1964	cnnic_1009.exe	32
PID 1964 wrote to memory of 2820	1964	cnnic_1009.exe	32
PID 1964 wrote to memory of 2820	1964	cnnic_1009.exe	32
PID 1964 wrote to memory of 2820	1964	cnnic_1009.exe	32
PID 1964 wrote to memory of 2820	1964	cnnic_1009.exe	32
PID 1912 wrote to memory of 1220	1912	iexplore.exe	34
PID 1912 wrote to memory of 1220	1912	iexplore.exe	34
PID 1912 wrote to memory of 1220	1912	iexplore.exe	34
PID 1912 wrote to memory of 1220	1912	iexplore.exe	34
PID 1912 wrote to memory of 1220	1912	iexplore.exe	34
PID 1912 wrote to memory of 1220	1912	iexplore.exe	34
PID 1912 wrote to memory of 1220	1912	iexplore.exe	34
PID 2820 wrote to memory of 2344	2820	setup.exe	33
PID 2820 wrote to memory of 2344	2820	setup.exe	33
PID 2820 wrote to memory of 2344	2820	setup.exe	33
PID 2820 wrote to memory of 2344	2820	setup.exe	33
PID 2820 wrote to memory of 2344	2820	setup.exe	33
PID 2820 wrote to memory of 2344	2820	setup.exe	33
PID 2820 wrote to memory of 2344	2820	setup.exe	33
PID 2344 wrote to memory of 2844	2344	setup.exe	35
PID 2344 wrote to memory of 2844	2344	setup.exe	35
PID 2344 wrote to memory of 2844	2344	setup.exe	35
PID 2344 wrote to memory of 2844	2344	setup.exe	35
PID 2344 wrote to memory of 2844	2344	setup.exe	35
PID 2344 wrote to memory of 2844	2344	setup.exe	35
PID 2344 wrote to memory of 2844	2344	setup.exe	35
PID 2820 wrote to memory of 580	2820	setup.exe	36
PID 2820 wrote to memory of 580	2820	setup.exe	36
PID 2820 wrote to memory of 580	2820	setup.exe	36
PID 2820 wrote to memory of 580	2820	setup.exe	36
PID 2820 wrote to memory of 580	2820	setup.exe	36
PID 2820 wrote to memory of 580	2820	setup.exe	36
PID 2820 wrote to memory of 580	2820	setup.exe	36
PID 2832 wrote to memory of 1520	2832	m4.exe	37
PID 2832 wrote to memory of 1520	2832	m4.exe	37
PID 2832 wrote to memory of 1520	2832	m4.exe	37
PID 2832 wrote to memory of 1520	2832	m4.exe	37

C:\Users\Admin\AppData\Local\Temp\079f56ead49c756a3b3252c448b9ffd5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\079f56ead49c756a3b3252c448b9ffd5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Local\Temp\m4.exe
  "C:\Users\Admin\AppData\Local\Temp\m4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2832
- - \??\c:\MP3\svchost.exe
    c:\MP3\svchost.exe
    3⤵
    - Executes dropped EXE
    PID:1520
- C:\Users\Admin\AppData\Local\Temp\soft256.exe
  "C:\Users\Admin\AppData\Local\Temp\soft256.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2796
- C:\Users\Admin\AppData\Local\Temp\cnnic_1009.exe
  "C:\Users\Admin\AppData\Local\Temp\cnnic_1009.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://tj.kmedia.com.cn/new.php?agent=CNNIC1009&version=1.0&ca=ms_sstpminiport
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1912 CREDAT:275457 /prefetch:2
      4⤵
      Loads dropped DLL
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1220
- - C:\Windows\SysWOW64\setup.exe
    "C:\Windows\system32\setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\1027\setup.exe
      C:\Users\Admin\AppData\Local\Temp\1027\setup.exe 00010802
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      Drops file in System32 directory
      Drops file in Program Files directory
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2344
    - - C:\Program Files\OCINS\idnsvr.exe
        
        "C:\Program Files\OCINS\idnsvr.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:2844
  - - C:\Users\Admin\AppData\Local\Temp\1027\loader.exe
      C:\Users\Admin\AppData\Local\Temp\1027\loader.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:580

\??\c:\MP3\svchost.exe
c:\MP3\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\OCINS\ctrcfg.ini

Filesize
314B

MD5
b4a2252bc27a6e5f54a3ba04448fc7b1

SHA1
73a646ec50689b1ebdc3e3f97f2e3e8cb19229ac

SHA256
fcd41a93a6f9ad38ca3135b06bd0ce84030dc3b45780cbbdd761e840c4ef2c7a

SHA512
23a5923b4eb938fe2ddf1254e003138909b1fd1b7f3ab0f7e04542382a417b9d34cdbe0d3c9a0b71e9149b4153e70c01ac335e7b95e0ca3f8fa73d026d873ce0

Download Submit
C:\Program Files\OCINS\ctrcfg.ini

Filesize
301B

MD5
92c547117bf04280e270035e21cc1429

SHA1
d302d250e7ace0f9a39c7bee14ede6e08e46c41d

SHA256
2574cc7bcb8c07977619f2b9fff5f46df9b91bfd378a286077a33b4539eb87ee

SHA512
8d9d29f9a036ebc46d42b99652fe9b9c0319b1f90527978e243a2384dd2f7ea4519adf2c3b35dca546190c5f7aa1ae4833811eaf4af57e990231c6397ccb9584

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c8c6113dbf0fcf91c7ff448b12a1ad0

SHA1
7a48f64fcc80f7d81281a004859f8d3823c2419a

SHA256
1c7f29d93f0cf15053ba8f5876b23fed597ebcea7e1eda636c9c76d8325c31ed

SHA512
d73a49e8b52614efee797140b311174cd3d100aa577b378fffb489091e4ea23434d1050c5e1aeedbbd0d774e8f3ada1b748aecbb344da88fc1eee750bf23e7ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4b307a95bc5cb95baf4d00a1bc2fe7e

SHA1
37909971893e9188b45abaefa74dbd774021d323

SHA256
53df46d695832360e8cfc07fc9e62d6bf64e28a748aa54637a49cc97149ea8e1

SHA512
209c162f784685ff234707f25eecfff6fc0a259b2a5fdf9348a59193f9d10f43350a788ec876b2d7a171642ef2f71b6ac375f536017930b575ed390fa26633c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef8579faa4c2e32b994e36f4a8cf0105

SHA1
4fcbfa0105dbc64ad7971118bac4e13ef825770a

SHA256
f4e74a07d0e4efb47556d254d13ec3c3ecea6df597474d3cf9abec0eadc17e9e

SHA512
0cca7d43c2e072985c7832cc63b364e1ea9533690a442714146e1b8c318d2c1f1105aa538424f5348483b57d1f1170bf3d125a3ebaaf0b9e814fac726501a60d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64054fb6506a838bbfded0fcbff5c9c3

SHA1
0aa1ab828432004ed7b328104b10e04c79034990

SHA256
df36cc8d25810df20eec7805a0363b11bcca2e1ca0b83b0f0ac09d078a80e674

SHA512
7b1e4fb77d82b1b03edc7fd239e2879f7f62f7d5602993aaca71c698b4cc81c4926affa73083bef83a897eaf945db6a0966b5f15d382e38af3f7245155f1a7f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8886dfd10c1fb91c73756b5ecaaf690f

SHA1
edcc3230197b39358909280274fd1b3c6b40b918

SHA256
b420a61869b48da50047eb4bafcf7b157dd3c96e9e20f5e8b277856c638f1e3a

SHA512
33a0de2288a99c53bc06dca2318c8ee9491247208acf8a49e2da4da4778256a21ee0acafa3b939b673d4fde45959d205c350ca12fda43e59c1f2efbbeeb42afb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28f6950ff78a589cd5642cd21515b97b

SHA1
160c7fddc1761bc1f29a92eb7c60f65c9d5e9809

SHA256
83148b85d2b2cd0e2acd9707da27da9d7967def324205092e7b31d25f503f3f4

SHA512
afcf3b2a5c1cc0520da36c4df40cadb740d8d682c3ea941634ef407b756a2d50d28972f3e344b70cda64eeabdb3f29514ea4aa723ee648d0c2c7f8803dae3a34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
344409db671339acebb2a2bebfd7c62b

SHA1
e4f3e2dd1d08a56f8934655bdd2b4b9c11b2ad6f

SHA256
c2bacbd07800e3f119a6ed4705b7cc1d68ef02e78f2bf64355f5a07a6fe73839

SHA512
0dc77b6c196008a461452f9f231fa6790955152fea3a0e8f2a1a90e4979d728951a03db32fa50c63d43d8fd38af68297daf8e46777718e01f92e85f4150e7211

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8611b564de021f6da5c6d320d6ee216e

SHA1
462676663088052a60834ea48a9877e3c473997d

SHA256
6c31041e6141f9a2375fea138356065dfd861182287bc8daa9731d100493d283

SHA512
14b04bb62a3aa84bf45d765e2bb4b8c966e1a994385ea3510f0a74c12775340a315a7900ac20ee65d3d70fb9b12c01a2059ff40322702fce81738a3b42ba85ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95f99a3107db44ae70f31afbf1002ba9

SHA1
57f78b7e3145282115def94199641bcdfe177cce

SHA256
2291adc8c12770b60a17ab534a825f6b7ccd4730d6c56f8b188f155298ce8f27

SHA512
f170f3ba48c96a517e0cb280cb8b46b4d2713f806fbcd8d22dcd75056dc6166062095d40969ef4388fc8772c4e9a15991c97451a80e746312beaaa48a8edb3d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1c171c13d70650165d94fcc0e4b8211

SHA1
be8a9b40ddb5b42fb8b9ce5641f60ce59b6f58d0

SHA256
e86242c0d0fbfdd48ec99db3241cff81a53c04d6fd0d0e445e491a3be19a2f81

SHA512
363f578a7a0b5da91ef7554439a875778279dcc31c7c932f8069ba86acc9ff83ce2744616d17d8c3cc48ad70263b13bd6e262300a90b77d70ab119fd426a4b19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b72bff1db3ddfd8197d810d6e4e84e16

SHA1
2e0f06582da749e8a8c9e02911993df630790f03

SHA256
e59e290fc8627d641849d970b44b9225a96643c50d5d2c8b0effbe5882c7d679

SHA512
085f7da5ab263ca81c64fdc1d7188021c66be154f57ec07655d9d111f8b1d2c2f2263c57ae2c8ebe1ce9310fa3d06cca851240672bb50b2800441b2184fc029d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32d988e8c4f6bfc6ae56173150d9b69a

SHA1
c13bdaf9e59d9ddd1547c84e4b0c034c557323a9

SHA256
0c2a16508b97afdb03508cad0914aee0a614f774851803088f666cb80175d34f

SHA512
8427f7719c310d92dc1db55d8c3e680d6e0a52156fcecfda9e31949125d5b6381ca9b60b27101b99a13a5b9c0f6c6ebe2594b0e6d0d52d6e853c94ff8ee07964

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b618eac6aad71bbd20f953298f97ecd

SHA1
7eb24885587ea27101d05cc7afe589f230049ef0

SHA256
00cb6439b4a7a5af40057ecf0193060f61a0b2887a95ae0c9cec2d5486485c30

SHA512
56d76671674030d38d4a3692e06088810b90a016dc084c115d041a3639575292f3365ed5d23e7d4c69a9c346b56aea50124e62d85f848323d4b85a4414ab561e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e51e75d0b15525d526956a09444f83e

SHA1
f187f22385408f8f56886d404743a7eb500e264d

SHA256
396c47bb31add694866d65aaf39a610374380337392f3ead6fc2c1c131d05932

SHA512
77a2b48a06a22f36f87619362c80eeb3273103115232a6e04dc3002628ce0a085e537885b165b434fda8ccb1aca4e69481442a116e372fa678270e9913d27985

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aec3bdae094771a4804d4daef556b9df

SHA1
126397f0234ae24614df2a03d62015d87406cb8e

SHA256
bc30037160ed925f9f1765fd40557da9e2e3159cd097bcdb8e95ab7fb388e6a4

SHA512
f420d02a4360884d5fcacd3712094b12c9559b7976366a97abf70193566d0e6e25bab976c59a4c0a04662c623a3249121674b8849f0504d3c304f48dba51078e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc0dcd5fe7b311f81ad1c8f6839c20ea

SHA1
f687219cb5272ab865f11bb5ecb5bbb4ace5986a

SHA256
467a23f6c199f17472b7b305e7f9af5b004719302d436a70a39ddde64c506b54

SHA512
4056c4c7802a4491ea9774c17a6e6dcefce68906abae61a1aeb92bc635974914ed92e2b15c512a2db079548448e93d9d10821c59eaeefa887c134376551e56b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00b2a102a896f30c27c50e74a0cb03b5

SHA1
c5ac2d903d94d6b2061d945d8f31bae201874f2d

SHA256
3a267d5108efc9a208ef76a55519c401ccbe2ff8d9d23df29fb945f818e02a0c

SHA512
82369b4d4e2f02ed3cb43d431cf39f2ad8df8c7e2dde3b00eb788f771e437640fe455c64da42202bdd0fb34925fada303c3658db46e038c956741c77ddf64986

Download Submit
C:\Users\Admin\AppData\Local\Temp\1027\cndsv.dll

Filesize
72KB

MD5
9f230f967a8607b7565cfcb83d963a96

SHA1
26d9a68c80bdf295fb77c13da638f5a837b44f65

SHA256
059c575fd355c00fb43f011dac04be452fb68e2e389cff5db5602ba59643c8eb

SHA512
8b574cf07124dbec0088ae967814063bd0a4ba0e5f7cb958a990c5a671d44aa7fe26b6cbac793bcd8805f61801d1e0cdeab91b04430d5ece41e336de7b57aeb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1027\cnprov.dat

Filesize
1KB

MD5
8d7910052a4a6c16c546852504a12d01

SHA1
e6457a970120eac337833923227f0ec5ea413f28

SHA256
6fd2b3b8d66aeca486e5c7a62d5b8d065741e6921920bcfc49f5b07acce94774

SHA512
900e11b325ebf6a2af6045578124e75d440148123bba0e4f283dba3a4dd6248375beeb3818144923d167ae435a6b7ed2325922c2696248d1588d4176d23d6530

Download Submit
C:\Users\Admin\AppData\Local\Temp\1027\cnprov.sys

Filesize
183KB

MD5
b06090ee2881c1bac0d275b17d140d3b

SHA1
f319594ba026cac467da265d2a87c76168fe5375

SHA256
5e582e17a9c787cc717a61b1bca96c1fa13919d57241040998a0b994142ba482

SHA512
666deb0e4d082644d62f96a1fb9855212f1db2dc717d2ac54aafa7822269e1cfd222695f04addb2ef49a8d51d93cf827837faf6663ed15a278b0bc2a43977c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\1027\cnprovh.dll

Filesize
72KB

MD5
3d8a11f1dc9127afc415a3c5aa0f4ab8

SHA1
fd0773db131ed9ab5a366e0a99a811d4fdd683cd

SHA256
f2f89bedc3a84fd261910c96d07219985db61f2e7d23bbe52cab034e3b52dd28

SHA512
19dfbb2542335fa10e5f151143a414623d780105ee424f2a1245f5ade5b71fded7c2559b35f7acb4bb2c76acb70ba2b3f46c97812241c9b5297de2416e4aab3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1027\cnstc.ini

Filesize
1KB

MD5
14c13b0909bd6605a3c00bdf8fb76c54

SHA1
479e4599fde1cfbc76cb472718595aa2ca54f2a4

SHA256
462820dfc6b5465d2e4aa64e039efc1baac86cfbd5a5170e4e36e25ad11487f3

SHA512
1d51e6a25d6713a9b77e8a083fd196921fe25b30c008cccb1766b59939e325f6590f80802f1439b7edadedfd6b0dcabccca5ed884f3239684bb7afb61115daa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1027\config.exe

Filesize
124KB

MD5
bc69dffa76af3297b653bfc814f7b87f

SHA1
7f1284aef70bba9ce2756b9d43674a41f439f717

SHA256
66a977915f1fda86d6a8e3e6cd3372aa61908ebd1d198931d856298c3430ff61

SHA512
6c530b229fde28544cad846800df291d982780655eba7e9d1240e9abebb6253be4247949e9aa5bd325e2b8b6f84b2c732e441bdb6092e21a623434293327138e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1027\convs.dll

Filesize
68KB

MD5
57b46fc2b9cb59275cdcfb5e1722f48f

SHA1
e984165bb7b8b9975d7c4007cb2b37c384f322fd

SHA256
db16cf6625fd786d0cf6a4691618293a8f104f32154262f4a7bd050f953f7bd5

SHA512
ad29ac58f2a9af5690a65942a4458e44ea9844aa2bcd775c02a5e66f31c2410929bf6044b6f5313250f4ddda0c06bbcd66d6e0d93f4ba34e6e8cda0a33e3c6f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1027\cuscfg.dat

Filesize
148B

MD5
b2a535b4bc451c8235816ea28ee6a985

SHA1
cce08821e54ba633edcf454137b57c825ccb8291

SHA256
f74a08e780a5d72c3e85a267209053a2261b50b306089ffbfa9925c65f386843

SHA512
e2ec531c50853a6b16781927bdbc1452e898e76dd10afbd20cec6e2a323a4d821a492a185740690c289014c2b99c074cb8235c0fbcacc5907acaca5be564a314

Download Submit
C:\Users\Admin\AppData\Local\Temp\1027\idnsvr.dll

Filesize
76KB

MD5
70019002fdac4580e81d7ff75fb598db

SHA1
53aeaa509dcaab85faceb62610226e6b8ff1f1c2

SHA256
573fbbbb4ef33a6962295cc45bfc80e86e590e4ebe4a26183339c89b15987935

SHA512
105a3601d23af930abb6c94aeaefb239b42fe7eb8fa451db09e207095ccd5cfa71c7703942921bede3a3f9f909f50b1a4219587283635218554bc8b40562995c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1027\idnsvr.exe

Filesize
83KB

MD5
2312b02cf8c50bc32cdb0686a9c3ac96

SHA1
8461152d2c7cac6ef022d1bbbf37a51d5643fc0a

SHA256
3aa5ff904e88601e6b7bb2d35f275f4a58486bd0e61cdf160cc48417bc6a529d

SHA512
550ff69969150b5ceb96a169eecaacb1fc8c1349fd79d2137683c2aa1da6b46d724c03c3a58f84edc4b8b860e04b9f077c233c35a599f5a71c70acf7c13982b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1027\kwacs.dat

Filesize
16KB

MD5
9257560aab0a5993cb6b2cb533b34511

SHA1
4debfd9679a4c64395cb4c2beb12ec83ca9b41a5

SHA256
538cb1597ad80408f10cb487b58508b4390f22e5e1e03cfe01d6c94a0a3aae25

SHA512
35949b5c23d1767f998eed59b300ec5078f7bc425789a2cc6975aa962cd641eb465fba7a9cd4b8fa11c71d9f7c1e4ea842dbc5b7512fc63d5be42e7d11029f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1027\uninstall.exe

Filesize
144KB

MD5
5af44e42174649b95758b0e5ef79adf6

SHA1
54a46171e18e28d209323816dc75d73da1b019cb

SHA256
b8d2d0987c28cc8385930d97c2cd40003673977d07ae2f336a1d9476d9b2eba6

SHA512
1f5ae69358b424408e196bcee452b578d653ca908b1d2e0a89355529268d10830951bbda575af0d7f129ded71daf3b1d43f117cd35aa2600e8253f537f6b3592

Download Submit
C:\Users\Admin\AppData\Local\Temp\1027\version.dat

Filesize
479B

MD5
b6dc48b82c701dd676c4350890534991

SHA1
c56c8c37152b509b5a4ee73bad7d2eb409ec3dea

SHA256
46568287f15cd3fbeb8458938c55b898624dc67213c67ee8bfe3fe7942218421

SHA512
18c2030012612500b152e7c9cacce062dbe2b1b796b4cef4f8ad008ca37fd72a2204ae5167dbff1aca0f5adff2694aafcadb4cacb7a48cbe782f88caa2ac7302

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3363.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab33F3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar33F6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\soft256.exe

Filesize
132KB

MD5
3872b1238b8e6c1b92c20e63b6560009

SHA1
2feb195222bd6cbb4b8dcff5da91b281da21d6a2

SHA256
21f78e1451c84270533f30e09cf163ae6110594899909f23cc2474019d11cbd5

SHA512
82db9e8dcf58b3527f06e947d5d755c701436f0e1b4928a7206c56c53d8bbe875cdf60f74eb4b7b043114c2dfcfb1e44d694a0c928519e0b254c24f6e806480b

Download Submit
C:\Windowsclient.exe

Filesize
88B

MD5
bcd8edb015ddc9e31e8e1b4657c3df43

SHA1
d320e044bc0ed73e557a885a1a47714b8c85200e

SHA256
37646c67c0e8429e6fbfc56678a20fd311cb48d0cb19bb5097078968f0673f37

SHA512
2a1497b35930c516a0f5bf75be460eff986b08d2ed0331dd702be5533b88198a59a41f39252809ef83b455bcf4d07ab0d9723494e8008a9578d0509a643cd6cc

Download Submit
\PROGRA~1\OCINS\ieaux.dll

Filesize
179KB

MD5
59edc983e52851d195e7c61e8efad602

SHA1
1dc1ee794381fa1b5acce47edb051208336d8d1e

SHA256
5afa252752ab6ed4df37b46833cb35274c3755da48d73171f352caee9ba3a30e

SHA512
e78e75ccbd86b2e887a95e6f6c0d904c9d1b75de9c83d2a3419165541b2120435e8ddb322b8d5c5463f97f2f022896a5c434367c798a36062bd3a884959585e2

Download Submit
\Users\Admin\AppData\Local\Temp\1027\setup.dll

Filesize
92KB

MD5
088efc555a77d8d35a9ff367ca48d86f

SHA1
5c016e6df88e1b99cce466416e1468d5218a8714

SHA256
4390163d8757c37885369d90071955de6c5789b000a351698042ba18eff34f05

SHA512
8c3a43936600315ddc6b3fb30aa963c91ea7752c0e9b7f1b2f0584e9650da44bc525893877672efae96d804ec4530236931812fa9530721090990b8547cbe6b5

Download Submit
\Users\Admin\AppData\Local\Temp\1027\setup.exe

Filesize
28KB

MD5
a4bf929fdcb401b8cfd9fd212686907e

SHA1
0dc1a0e285c94dd4ec57cc7e72ef1623d83c0abb

SHA256
7b8fa22c5f80b10ddb5fd7932c402d78e24751ce9b86af2df65530f576572297

SHA512
5ee0256db29b77fc96267d83580863a9082fbc735fcd63b5a1fef4d43699d6a1b8727633f79205d2e58298da7d9bcfffab61f599e698c9d1408667b615f015fa

Download Submit
\Users\Admin\AppData\Local\Temp\cnnic_1009.exe

Filesize
413KB

MD5
6401dc5833d65f4d95bd6e8f78fdf8a1

SHA1
1efd3bb9c4c47b2fa6ead197fe77716ed2bb5c91

SHA256
ae306c43432223f40d3421f571f583dcd48a6df8f7fccfc0b23a6072cccdaf78

SHA512
422059292b703591338b6e334bc4efc065737c6f728d3524b3b6631dc4a4ac65f675a4b8419663b7cf1719bd327e65cb3266c8dcf2c85306972265a882df8deb

Download Submit
\Users\Admin\AppData\Local\Temp\m4.exe

Filesize
235KB

MD5
f2324a0a589478957b66b967c8d95d8c

SHA1
43b6fc49d383871518e0072e7d0aa8433b3a15a6

SHA256
9ef6c19ee82db6cc5e763b275a65fff3050d3734386d6a554f9216153a7e5579

SHA512
101bcd0ee104a13a299d854926ed19b4b473c3938b9194acf5e53df9e8840662a7da9cde5fcc53bb538f835d4747e1b71a5f9bfe8376d78c3467ab2ce40af469

Download Submit
\Windows\SysWOW64\setup.exe

Filesize
381KB

MD5
d5bb1996768ed9f61915be739a1fcc43

SHA1
cdcfdda76f79cd2a06ea4b5606cd9b23b2ee1dda

SHA256
3f67f049e44e220349dd292aaa95a40463d00d481a883fe3803e5402fc70377a

SHA512
0ebb6d803dd33b7c52dce4c8a2fa218c64c2e2af3116b4680e3be6a68e0062b936996cefcbb81e8b8b7fb1c10445d0c458d825e299ed398bc63fc94e00f7b08c

Download Submit
memory/372-696-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/372-686-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/372-1187-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/372-694-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/372-193-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/372-692-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/372-1186-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/372-1185-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/372-1178-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/372-1184-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/372-1183-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/372-690-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/372-1180-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/372-688-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/372-1182-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1520-196-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1520-185-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1964-43-0x0000000002990000-0x0000000002AE8000-memory.dmp

Filesize
1.3MB

Download
memory/2344-142-0x0000000000410000-0x0000000000424000-memory.dmp

Filesize
80KB

Download
memory/2344-133-0x0000000002D10000-0x0000000002D67000-memory.dmp

Filesize
348KB

Download
memory/2440-182-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2440-1-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2440-192-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2440-14-0x0000000002C80000-0x0000000002D36000-memory.dmp

Filesize
728KB

Download
memory/2440-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2440-12-0x0000000002C80000-0x0000000002D36000-memory.dmp

Filesize
728KB

Download
memory/2796-605-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2796-687-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2796-1181-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2796-689-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2796-1179-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2796-691-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2796-695-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2796-693-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2796-1177-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2820-50-0x0000000000560000-0x00000000006B8000-memory.dmp

Filesize
1.3MB

Download
memory/2820-51-0x0000000000560000-0x00000000006B8000-memory.dmp

Filesize
1.3MB

Download
memory/2820-176-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/2832-23-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2832-25-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2832-24-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2832-184-0x0000000002E80000-0x0000000002F36000-memory.dmp

Filesize
728KB

Download
memory/2832-183-0x0000000002E80000-0x0000000002F36000-memory.dmp

Filesize
728KB

Download
memory/2832-197-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2844-171-0x0000000000310000-0x0000000000324000-memory.dmp

Filesize
80KB

Download