Malware Analysis Report

2025-03-15 05:49

Sample ID 240623-2jn9cavhqe
Target 03230705619b2d19aca576ff473c2fbd_JaffaCakes118
SHA256 c5581720a340f7a6068ae6b3b509b231944f8939f94f99641af810403de39daa
Tags
aspackv2 adware discovery stealer
Score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
7/10

SHA256

c5581720a340f7a6068ae6b3b509b231944f8939f94f99641af810403de39daa

Threat Level: Shows suspicious behavior

Verdict for the file 03230705619b2d19aca576ff473c2fbd_JaffaCakes118: Shows suspicious behavior.

Malicious Activity Summary

aspackv2 adware discovery stealer

ASPack v2.12-2.42

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Installs/modifies Browser Helper Object

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-23 22:36

Signatures

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-23 22:36

Reported

2024-06-23 22:39

Platform

win7-20240508-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03230705619b2d19aca576ff473c2fbd_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2BB2\loader.exe | N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7605CC7C-00FD-4A5F-BAFD-828342DE6279} | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\OCINS\cnstc.ini | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
File created | C:\Program Files\OCINS\ieaux.dll | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
File created | C:\Program Files\OCINS\convs.dll | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
File created | C:\Program Files\OCINS\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
File created | C:\Program Files\OCINS\cuscfg.dat | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
File opened for modification | C:\Program Files\OCINS\usrcfg.ini | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
File created | C:\Program Files\OCINS\idnsvr.exe | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
File created | C:\Program Files\OCINS\idnsvr.dll | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
File opened for modification | C:\Program Files\OCINS\ctrcfg.ini | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
File opened for modification | C:\Program Files\OCINS\convs.dll | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
File created | C:\Program Files\OCINS\version.dat | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
File created | C:\Program Files\OCINS\cndsv.dll | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
File created | C:\Program Files\OCINS\kwacs.dat | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\ocinfo.dat | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEAux.IEHlprObj.1\CLSID\ = "{7605CC7C-00FD-4A5F-BAFD-828342DE6279}" | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279} | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\ProgID | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\Programmable | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\ProgID\ = "IEAux.IEHlprObj.1" | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\VersionIndependentProgID\ = "IEAux.IEHlprObj" | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279} | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\ = "IIEHlprObj" | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\HELPDIR\ = "C:\\PROGRA~1\\OCINS\\" | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEAux.IEHlprObj\CurVer | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279} | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279} | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\InprocServer32\ = "C:\\PROGRA~1\\OCINS\\ieaux.dll" | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\0\win32\ = "C:\\PROGRA~1\\OCINS\\ieaux.dll" | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\ = "IIEHlprObj" | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\TypeLib\ = "{7605CC7B-00FD-4A5F-BAFD-828342DE6279}" | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEAux.IEHlprObj | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEAux.IEHlprObj\CurVer\ = "IEAux.IEHlprObj.1" | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\ = "IEAux Class" | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEAux.IEHlprObj.1 | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEAux.IEHlprObj.1\ = "IEAux Class" | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\ = "IEAux 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\TypeLib\ = "{7605CC7B-00FD-4A5F-BAFD-828342DE6279}" | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEAux.IEHlprObj.1\CLSID | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEAux.IEHlprObj\ = "IEAux Class" | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0 | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1264 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\03230705619b2d19aca576ff473c2fbd_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe
PID 1264 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\03230705619b2d19aca576ff473c2fbd_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe
PID 1264 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\03230705619b2d19aca576ff473c2fbd_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe
PID 1264 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\03230705619b2d19aca576ff473c2fbd_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe
PID 1264 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\03230705619b2d19aca576ff473c2fbd_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe
PID 1264 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\03230705619b2d19aca576ff473c2fbd_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe
PID 1264 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\03230705619b2d19aca576ff473c2fbd_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe
PID 1264 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\03230705619b2d19aca576ff473c2fbd_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2BB2\loader.exe
PID 1264 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\03230705619b2d19aca576ff473c2fbd_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2BB2\loader.exe
PID 1264 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\03230705619b2d19aca576ff473c2fbd_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2BB2\loader.exe
PID 1264 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\03230705619b2d19aca576ff473c2fbd_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2BB2\loader.exe
PID 1264 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\03230705619b2d19aca576ff473c2fbd_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2BB2\loader.exe
PID 1264 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\03230705619b2d19aca576ff473c2fbd_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2BB2\loader.exe
PID 1264 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\03230705619b2d19aca576ff473c2fbd_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2BB2\loader.exe

Processes

C:\Users\Admin\AppData\Local\Temp\03230705619b2d19aca576ff473c2fbd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\03230705619b2d19aca576ff473c2fbd_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe

C:\Users\Admin\AppData\Local\Temp\2BB2\setup.exe 00010200

C:\Users\Admin\AppData\Local\Temp\2BB2\loader.exe

C:\Users\Admin\AppData\Local\Temp\2BB2\loader.exe

Network

N/A

Files

memory/1264-0-0x0000000000400000-0x00000000004FC000-memory.dmp

memory/1264-1-0x0000000000230000-0x000000000032C000-memory.dmp

\Users\Admin\AppData\Local\Temp\2BB2\setup.exe

MD5 a4bf929fdcb401b8cfd9fd212686907e
SHA1 0dc1a0e285c94dd4ec57cc7e72ef1623d83c0abb
SHA256 7b8fa22c5f80b10ddb5fd7932c402d78e24751ce9b86af2df65530f576572297
SHA512 5ee0256db29b77fc96267d83580863a9082fbc735fcd63b5a1fef4d43699d6a1b8727633f79205d2e58298da7d9bcfffab61f599e698c9d1408667b615f015fa

\Users\Admin\AppData\Local\Temp\2BB2\cnprovh.dll

MD5 3d8a11f1dc9127afc415a3c5aa0f4ab8
SHA1 fd0773db131ed9ab5a366e0a99a811d4fdd683cd
SHA256 f2f89bedc3a84fd261910c96d07219985db61f2e7d23bbe52cab034e3b52dd28
SHA512 19dfbb2542335fa10e5f151143a414623d780105ee424f2a1245f5ade5b71fded7c2559b35f7acb4bb2c76acb70ba2b3f46c97812241c9b5297de2416e4aab3e

C:\Users\Admin\AppData\Local\Temp\2BB2\setup.dll

MD5 377e8aa095265e5d07dd2caf0dd5cb0a
SHA1 497c22d99107b174e45ddf00e311dfe5ff6ce4fc
SHA256 6d85c7ef3fd75bc7bd0cee41febc9cf7bdfce91b1f520fed9bae751f8ab70feb
SHA512 231bc14a99f6011af0e9d921ca8f4f7bc1be1db48d6882c5e6d5a49a7a878f396138fd78cdefbc0760db92817abda1cdfc234a2620fc8b6fe18d66df347e9616

C:\Users\Admin\AppData\Local\Temp\2BB2\cuscfg.dat

MD5 65ab7abc0a233b98381d659c9b56d832
SHA1 d871cc11ccf49e2e93c41cc4c0070e28b87de5fe
SHA256 cf66008b9abce152ea47e6340a5b67c7192234ec9d6448f30719541af4948571
SHA512 dfef24d61545cded46ccaeace232f7b269e47a094f7d86a252884e5f695b7f6dbf0f410b370030119bbcfcb4b9e028436fbd7a13f8cc6b9d6766d87fc6160f97

C:\Users\Admin\AppData\Local\Temp\2BB2\version.dat

MD5 cadad1db22ebaa5c46cf44d2b5657e10
SHA1 eb6f1bda1f1f95a77692df41cb347964686a3d6d
SHA256 39e6dd3527ff3b58c9f0e1e9ac69d864feafc5bab9845fc3f5deef01be114f80
SHA512 5ed5ddd7d717c56e6d63c9cf96d84d4b3515ff16d3656ddf40069a90fdff2c85c8653e684c8d707d3e592e528251bca3cc96a7383deb07e2f13e2ba21a1a31a3

C:\Users\Admin\AppData\Local\Temp\2BB2\convs.dll

MD5 57b46fc2b9cb59275cdcfb5e1722f48f
SHA1 e984165bb7b8b9975d7c4007cb2b37c384f322fd
SHA256 db16cf6625fd786d0cf6a4691618293a8f104f32154262f4a7bd050f953f7bd5
SHA512 ad29ac58f2a9af5690a65942a4458e44ea9844aa2bcd775c02a5e66f31c2410929bf6044b6f5313250f4ddda0c06bbcd66d6e0d93f4ba34e6e8cda0a33e3c6f7

C:\Users\Admin\AppData\Local\Temp\2BB2\uninstall.exe

MD5 cdee162546ec53b5579800f8fc26b0a1
SHA1 f4793f729c7886353707246608af69795c82c6d4
SHA256 bc36ec3c4a3e3d70b172111112c8d9b315a4f49335e2533c786a06a1bd880fb1
SHA512 e6d7ea509172f1a2c20cbc2d6c0b0452a06c7572f3f5a3795616ecf4f8ebb6c137d3daf0218163ce15c41dc7c1cbbefc31e1471daeeb489b6c40e34e16c33b0b

C:\Users\Admin\AppData\Local\Temp\2BB2\cndsv.dll

MD5 9f230f967a8607b7565cfcb83d963a96
SHA1 26d9a68c80bdf295fb77c13da638f5a837b44f65
SHA256 059c575fd355c00fb43f011dac04be452fb68e2e389cff5db5602ba59643c8eb
SHA512 8b574cf07124dbec0088ae967814063bd0a4ba0e5f7cb958a990c5a671d44aa7fe26b6cbac793bcd8805f61801d1e0cdeab91b04430d5ece41e336de7b57aeb0

C:\Users\Admin\AppData\Local\Temp\2BB2\cnstc.ini

MD5 39df37ebd9a7db386b13b8eb6a0957b1
SHA1 b22b7b9176ef9c8f0949ad61a6e9a546441d88d6
SHA256 5c3c1a1f43a53ebb79ef8e0a38ddb254bcbc309c16a82e88d1f1d348d50ad1f7
SHA512 ca33ee999b537864cd24d7e9b7a7a84e8eba0a8990b2cdd02cff5f8397db2bbb8dbfda252958d872176b9ba61a40221d178d86dc3cc468a1772e5fdf141e2247

C:\Users\Admin\AppData\Local\Temp\2BB2\idnsvr.dll

MD5 293f9116cab66a3ac0c3a8689e95ff3e
SHA1 0075fa125f906805c2250da0fbc099561f36869e
SHA256 9a9a8b03291a1696a349b097764a94cc4f9e35878893a00b928afa2c21223885
SHA512 5aafd3796b6982c2f4b4110f149d645249d49511bf9e69066b5ce442272e7da7b91dedc2d4bf8356bd0e72ece2c0b5f0abfa344b26ea30d79d4087ae3290f320

C:\Users\Admin\AppData\Local\Temp\2BB2\idnsvr.exe

MD5 31ce6253f551e51eee8ad37b47eb4ebe
SHA1 68fcba39c61f7a8edb7dfb7f3354d0133d144b39
SHA256 11dbf3bc524586658326b220864921ca1f17c2e9af95fb27971fe97680a82519
SHA512 f06c8d0b6bb4886f736198728a2ba7c383a86123c5f1978ebea50fed1beec759ab017ceb40301dc1ef060709abcbbbe30559f8a55974831caa7352968613d830

C:\Program Files\OCINS\ctrcfg.ini

MD5 1d6bfcc6234d48ee13ad8f2b4fe30d48
SHA1 d97589b61ae64bcb523b4f5cbd4b2e283dbec88e
SHA256 a851b43366c713899c26c9bd6715ae74efe3252370273faf981faeebb564d6bb
SHA512 cae66026c90042ba27d8cc819b83b4114b1c2db3504dc2b7e48a768af934914d3ddf748657b0f2ba6b4902792344f272a8470937df518c3a247d98178f2c7e08

C:\Program Files\OCINS\ctrcfg.ini

MD5 3cfed7ed2af44083acd0f3f2eb8fea1b
SHA1 ca382db771f57fedfd1163313ac0ad2ebffe3df9
SHA256 af9647839b8252540687d84ac93fca7e6d195023a36e7cfd5a783a22362a95a1
SHA512 ec27f583cf4df313ffce2ddf48d13e210b386f8d3a64b2e1bdb5724a2ca2454570578a14764c67cb7e58e11635e0e97e7b5de4a04c574380b9738d0dee396e73

C:\Users\Admin\AppData\Local\Temp\2BB2\ieaux.dll

MD5 0df67b5e009c6d350c2ade62c97657a7
SHA1 cfffa73dd79234a46ffe63f6e58636dc33819911
SHA256 9b876f6fc8341eaae3be8878037fa8a7ed1b3e9c6b5a573ce05de7fb1d17a659
SHA512 65b4f47de04653ace131b148c242cf1f05d72a4b9d5f1b5554207ad3a07ffbac51fb44cf1d914e79088226aa337514d503ec3d23943905156b2f452176871c49

C:\Users\Admin\AppData\Local\Temp\2BB2\ocinfo.dat

MD5 d27c7bce603f166d1041ad4a17262a32
SHA1 493316de5a00bbf73b38ebcba403e453916d4223
SHA256 ee34e367eb98397f8d28293a54d3fb4f2045974c845dbc95400a96ada61c6025
SHA512 3c004838c19c6d2c3e439d84f4150aacc70984898fd11bbc65ec2e9f5f31a6de431a39cda46ed93a3edf7aae1378eb11278049bdf0dc5a26ea65194752879db9

C:\Users\Admin\AppData\Local\Temp\2BB2\kwacs.dat

MD5 43a6fe907782d689c917fe5c75affe6c
SHA1 76b8ad656e45918402ef5bb446a4328639abbb39
SHA256 b78f832a0242ada187a4fe19afb6c9c23dffbc380bd917000a5446fa6824cb10
SHA512 bfc0ab4bd2fb1fe3c9c9367b4dc9525283c17b67c7b209db3b234eba69e7ee4a74dd6bcbdaf16b67e309c970b5a1a814b28e472c8b6914a75e0e3297567c4f08

memory/2776-80-0x0000000002470000-0x00000000024C8000-memory.dmp

\Users\Admin\AppData\Local\Temp\2BB2\loader.exe

MD5 c8d32d9ce600888693ccb1864bf6bdd2
SHA1 6c2502e847fb3af8e3a175c9d1e4fe3ca547fbc4
SHA256 3f29dd5ec4cc26eeabee3cfb0c5f9e7db30fc26840004e5c0c640159af80149a
SHA512 9d5657e5966cc86eb47e206256d89723b753cc6975393a5c107d98571466684f4526e7266f8eabc547aa72eb838ef133ca2b828eca7dadca0141a6772d9ab34f

memory/1264-95-0x0000000000400000-0x00000000004FC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-23 22:36

Reported

2024-06-23 22:39

Platform

win10v2004-20240611-en

Max time kernel

140s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03230705619b2d19aca576ff473c2fbd_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5B01\loader.exe | N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7605CC7C-00FD-4A5F-BAFD-828342DE6279} | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\OCINS\convs.dll | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
File created | C:\Program Files\OCINS\idnsvr.exe | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
File created | C:\Program Files\OCINS\ieaux.dll | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
File created | C:\Program Files\OCINS\kwacs.dat | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
File created | C:\Program Files\OCINS\idnsvr.dll | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
File created | C:\Program Files\OCINS\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
File created | C:\Program Files\OCINS\cuscfg.dat | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
File created | C:\Program Files\OCINS\cnstc.ini | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
File created | C:\Program Files\OCINS\convs.dll | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
File created | C:\Program Files\OCINS\version.dat | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
File created | C:\Program Files\OCINS\cndsv.dll | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
File opened for modification | C:\Program Files\OCINS\ctrcfg.ini | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
File opened for modification | C:\Program Files\OCINS\usrcfg.ini | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\ocinfo.dat | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEAux.IEHlprObj\CurVer\ = "IEAux.IEHlprObj.1" | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0 | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279} | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\VersionIndependentProgID\ = "IEAux.IEHlprObj" | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\ = "IEAux 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEAux.IEHlprObj.1 | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\TypeLib | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEAux.IEHlprObj.1\CLSID\ = "{7605CC7C-00FD-4A5F-BAFD-828342DE6279}" | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\InprocServer32\ = "C:\\PROGRA~1\\OCINS\\ieaux.dll" | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279} | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\ = "IIEHlprObj" | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279} | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEAux.IEHlprObj.1\ = "IEAux Class" | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279} | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\ = "IEAux Class" | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\ProgID | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\ProgID\ = "IEAux.IEHlprObj.1" | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\TypeLib | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\TypeLib\ = "{7605CC7B-00FD-4A5F-BAFD-828342DE6279}" | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEAux.IEHlprObj\ = "IEAux Class" | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEAux.IEHlprObj\CurVer | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\Programmable | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEAux.IEHlprObj | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\ = "IIEHlprObj" | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\TypeLib\ = "{7605CC7B-00FD-4A5F-BAFD-828342DE6279}" | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEAux.IEHlprObj.1\CLSID | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\0\win32\ = "C:\\PROGRA~1\\OCINS\\ieaux.dll" | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\HELPDIR\ = "C:\\PROGRA~1\\OCINS\\" | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\03230705619b2d19aca576ff473c2fbd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\03230705619b2d19aca576ff473c2fbd_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe

C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe 00010200

C:\Users\Admin\AppData\Local\Temp\5B01\loader.exe

C:\Users\Admin\AppData\Local\Temp\5B01\loader.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp

Files

memory/3028-0-0x0000000000400000-0x00000000004FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5B01\setup.exe

MD5 a4bf929fdcb401b8cfd9fd212686907e
SHA1 0dc1a0e285c94dd4ec57cc7e72ef1623d83c0abb
SHA256 7b8fa22c5f80b10ddb5fd7932c402d78e24751ce9b86af2df65530f576572297
SHA512 5ee0256db29b77fc96267d83580863a9082fbc735fcd63b5a1fef4d43699d6a1b8727633f79205d2e58298da7d9bcfffab61f599e698c9d1408667b615f015fa

C:\Users\Admin\AppData\Local\Temp\5B01\cnprovh.dll

MD5 3d8a11f1dc9127afc415a3c5aa0f4ab8
SHA1 fd0773db131ed9ab5a366e0a99a811d4fdd683cd
SHA256 f2f89bedc3a84fd261910c96d07219985db61f2e7d23bbe52cab034e3b52dd28
SHA512 19dfbb2542335fa10e5f151143a414623d780105ee424f2a1245f5ade5b71fded7c2559b35f7acb4bb2c76acb70ba2b3f46c97812241c9b5297de2416e4aab3e

C:\Users\Admin\AppData\Local\Temp\5B01\setup.dll

MD5 377e8aa095265e5d07dd2caf0dd5cb0a
SHA1 497c22d99107b174e45ddf00e311dfe5ff6ce4fc
SHA256 6d85c7ef3fd75bc7bd0cee41febc9cf7bdfce91b1f520fed9bae751f8ab70feb
SHA512 231bc14a99f6011af0e9d921ca8f4f7bc1be1db48d6882c5e6d5a49a7a878f396138fd78cdefbc0760db92817abda1cdfc234a2620fc8b6fe18d66df347e9616

C:\Users\Admin\AppData\Local\Temp\5B01\convs.dll

MD5 57b46fc2b9cb59275cdcfb5e1722f48f
SHA1 e984165bb7b8b9975d7c4007cb2b37c384f322fd
SHA256 db16cf6625fd786d0cf6a4691618293a8f104f32154262f4a7bd050f953f7bd5
SHA512 ad29ac58f2a9af5690a65942a4458e44ea9844aa2bcd775c02a5e66f31c2410929bf6044b6f5313250f4ddda0c06bbcd66d6e0d93f4ba34e6e8cda0a33e3c6f7

C:\Users\Admin\AppData\Local\Temp\5B01\idnsvr.exe

MD5 31ce6253f551e51eee8ad37b47eb4ebe
SHA1 68fcba39c61f7a8edb7dfb7f3354d0133d144b39
SHA256 11dbf3bc524586658326b220864921ca1f17c2e9af95fb27971fe97680a82519
SHA512 f06c8d0b6bb4886f736198728a2ba7c383a86123c5f1978ebea50fed1beec759ab017ceb40301dc1ef060709abcbbbe30559f8a55974831caa7352968613d830

C:\Users\Admin\AppData\Local\Temp\5B01\idnsvr.dll

MD5 293f9116cab66a3ac0c3a8689e95ff3e
SHA1 0075fa125f906805c2250da0fbc099561f36869e
SHA256 9a9a8b03291a1696a349b097764a94cc4f9e35878893a00b928afa2c21223885
SHA512 5aafd3796b6982c2f4b4110f149d645249d49511bf9e69066b5ce442272e7da7b91dedc2d4bf8356bd0e72ece2c0b5f0abfa344b26ea30d79d4087ae3290f320

C:\Users\Admin\AppData\Local\Temp\5B01\uninstall.exe

MD5 cdee162546ec53b5579800f8fc26b0a1
SHA1 f4793f729c7886353707246608af69795c82c6d4
SHA256 bc36ec3c4a3e3d70b172111112c8d9b315a4f49335e2533c786a06a1bd880fb1
SHA512 e6d7ea509172f1a2c20cbc2d6c0b0452a06c7572f3f5a3795616ecf4f8ebb6c137d3daf0218163ce15c41dc7c1cbbefc31e1471daeeb489b6c40e34e16c33b0b

C:\PROGRA~1\OCINS\ieaux.dll

MD5 0df67b5e009c6d350c2ade62c97657a7
SHA1 cfffa73dd79234a46ffe63f6e58636dc33819911
SHA256 9b876f6fc8341eaae3be8878037fa8a7ed1b3e9c6b5a573ce05de7fb1d17a659
SHA512 65b4f47de04653ace131b148c242cf1f05d72a4b9d5f1b5554207ad3a07ffbac51fb44cf1d914e79088226aa337514d503ec3d23943905156b2f452176871c49

memory/4920-76-0x00000000028C0000-0x0000000002918000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5B01\ocinfo.dat

MD5 d27c7bce603f166d1041ad4a17262a32
SHA1 493316de5a00bbf73b38ebcba403e453916d4223
SHA256 ee34e367eb98397f8d28293a54d3fb4f2045974c845dbc95400a96ada61c6025
SHA512 3c004838c19c6d2c3e439d84f4150aacc70984898fd11bbc65ec2e9f5f31a6de431a39cda46ed93a3edf7aae1378eb11278049bdf0dc5a26ea65194752879db9

C:\Users\Admin\AppData\Local\Temp\5B01\kwacs.dat

MD5 43a6fe907782d689c917fe5c75affe6c
SHA1 76b8ad656e45918402ef5bb446a4328639abbb39
SHA256 b78f832a0242ada187a4fe19afb6c9c23dffbc380bd917000a5446fa6824cb10
SHA512 bfc0ab4bd2fb1fe3c9c9367b4dc9525283c17b67c7b209db3b234eba69e7ee4a74dd6bcbdaf16b67e309c970b5a1a814b28e472c8b6914a75e0e3297567c4f08

C:\Program Files\OCINS\cuscfg.dat

MD5 65ab7abc0a233b98381d659c9b56d832
SHA1 d871cc11ccf49e2e93c41cc4c0070e28b87de5fe
SHA256 cf66008b9abce152ea47e6340a5b67c7192234ec9d6448f30719541af4948571
SHA512 dfef24d61545cded46ccaeace232f7b269e47a094f7d86a252884e5f695b7f6dbf0f410b370030119bbcfcb4b9e028436fbd7a13f8cc6b9d6766d87fc6160f97

C:\Program Files\OCINS\ctrcfg.ini

MD5 10020556324b0214b768e1075dabb986
SHA1 4e0db7794eb0557f1198eada82d396e43877f053
SHA256 3144a91f6ae167df13c74fc4369edf2aa7799c5f41c7528057055458b38f0a72
SHA512 35ad2d1b7d2cbafac2cbcdba0ca6e4b021c05311bd14a0aa58ae4a7800bb5ecc97c52cff973aac45398008f94f774f3626c30722f2e5e84449fba4a24199759c

C:\Users\Admin\AppData\Local\Temp\5B01\cnstc.ini

MD5 39df37ebd9a7db386b13b8eb6a0957b1
SHA1 b22b7b9176ef9c8f0949ad61a6e9a546441d88d6
SHA256 5c3c1a1f43a53ebb79ef8e0a38ddb254bcbc309c16a82e88d1f1d348d50ad1f7
SHA512 ca33ee999b537864cd24d7e9b7a7a84e8eba0a8990b2cdd02cff5f8397db2bbb8dbfda252958d872176b9ba61a40221d178d86dc3cc468a1772e5fdf141e2247

C:\Users\Admin\AppData\Local\Temp\5B01\cndsv.dll

MD5 9f230f967a8607b7565cfcb83d963a96
SHA1 26d9a68c80bdf295fb77c13da638f5a837b44f65
SHA256 059c575fd355c00fb43f011dac04be452fb68e2e389cff5db5602ba59643c8eb
SHA512 8b574cf07124dbec0088ae967814063bd0a4ba0e5f7cb958a990c5a671d44aa7fe26b6cbac793bcd8805f61801d1e0cdeab91b04430d5ece41e336de7b57aeb0

C:\Users\Admin\AppData\Local\Temp\5B01\version.dat

MD5 cadad1db22ebaa5c46cf44d2b5657e10
SHA1 eb6f1bda1f1f95a77692df41cb347964686a3d6d
SHA256 39e6dd3527ff3b58c9f0e1e9ac69d864feafc5bab9845fc3f5deef01be114f80
SHA512 5ed5ddd7d717c56e6d63c9cf96d84d4b3515ff16d3656ddf40069a90fdff2c85c8653e684c8d707d3e592e528251bca3cc96a7383deb07e2f13e2ba21a1a31a3

C:\Users\Admin\AppData\Local\Temp\5B01\loader.exe

MD5 c8d32d9ce600888693ccb1864bf6bdd2
SHA1 6c2502e847fb3af8e3a175c9d1e4fe3ca547fbc4
SHA256 3f29dd5ec4cc26eeabee3cfb0c5f9e7db30fc26840004e5c0c640159af80149a
SHA512 9d5657e5966cc86eb47e206256d89723b753cc6975393a5c107d98571466684f4526e7266f8eabc547aa72eb838ef133ca2b828eca7dadca0141a6772d9ab34f

memory/3028-87-0x0000000000400000-0x00000000004FC000-memory.dmp