b53cf6fc4557b36bcab41cdb5aa3eeb060100a7bc606ef3c286892d71f8cb6f3

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PROGRAM_FILES_COMMON/NSISLog/Lang2052.exe
Size

392KB
MD5

6f7c5b0aa8efb062cc3bd02a322111c3
SHA1

204fc1afe73a9571ea833787b2259cc84bb59781
SHA256

ebc13d0a0e033ba82d6dbfacc1152fb3d9b7d3ee4836f1da5833a0c13ce04c5c
SHA512

1acf42eb0dd3daaeb0cffb589c15844790109bbfcc29cd353a1cfed11f846c4b817342b62913589707c9e1888d22f613b4a341ff403f46393ff39717c2a09106
SSDEEP

6144:WpSRTGEOMVBT5IpP1JKTHyjaymgiOtwNSF6Diukeg0kJ8XvaG1ynqmcI6:W6OvgMmPjc6DivTJ8/aG1EqmA

Score

8^/10

adware discovery persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\cdntran.sys	setup.exe
File created	C:\Windows\SysWOW64\drivers\cdnprot.sys	setup.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\cdnprot\ImagePath = "system32\\drivers\\cdnprot.sys"	setup.exe

Executes dropped EXE 3 IoCs

pid	Process
2344	setup.exe
2776	setup.exe
3020	cdnup.exe

Loads dropped DLL 34 IoCs

pid	Process
2136	Lang2052.exe
2344	setup.exe
2344	setup.exe
2344	setup.exe
2344	setup.exe
2776	setup.exe
2776	setup.exe
2776	setup.exe
2776	setup.exe
2776	setup.exe
2776	setup.exe
2776	setup.exe
2776	setup.exe
2776	setup.exe
2776	setup.exe
2776	setup.exe
2776	setup.exe
2776	setup.exe
2776	setup.exe
2776	setup.exe
2776	setup.exe
2776	setup.exe
3020	cdnup.exe
3020	cdnup.exe
3020	cdnup.exe
3020	cdnup.exe
3020	cdnup.exe
3020	cdnup.exe
3020	cdnup.exe
3020	cdnup.exe
3020	cdnup.exe
3020	cdnup.exe
3020	cdnup.exe
2776	setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CdnCtr = "C:\\Program Files\\CNNIC\\Cdn\\cdnup.exe"	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{35980F6E-A137-4E50-953D-813BB8556899}	setup.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cdn.dll	setup.exe
File created	C:\Windows\SysWOW64\cdnns.dll	setup.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File created	C:\Program Files\CNNIC\Cdn\client.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\imaol.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnprh.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnprev.dat	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnvers.dat	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdniehlp.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdndet.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnhint.dat	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdndisp.dat	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnspie.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnaux.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnunins.exe	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnprot.dat	setup.exe
File created	C:\Program Files\CNNIC\Cdn\idnconv.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnup.exe	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnctr.exe	setup.exe
File created	C:\Program Files\CNNIC\Cdn\imaconv.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\imaoe.dll	setup.exe
File opened for modification	C:\Program Files\CNNIC\Cdn\src.dat	setup.exe
File opened for modification	C:\Program Files\CNNIC\Cdn\idnconv.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\src.dat	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdnglo.dll	setup.exe
File opened for modification	C:\Program Files\CNNIC\Cdn\cdnvers.dat	setup.exe
File opened for modification	C:\Program Files\CNNIC\Cdn\cdndisp.dat	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdntdns.dll	setup.exe
File created	C:\Program Files\CNNIC\Cdn\cdntran.dat	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lang2052.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdnup.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RESOLUTION\HKeyRoot = "2147483649"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\IDN_MAIL\CheckedValue = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\IDN_MAIL\ValueName = "EnableMail"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_ACCOUNT\Text = "Enable Account Configuration Assistant"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\ValueName = "AutoUpdate"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\Bitmap = "C:\\WINNT\\system32\\inetcpl.cpl,4497"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_SCRIPT\ValueName = "EnableMailScript"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW\HKeyRoot = "2147483649"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT\CheckedValue = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{35980F6E-A137-4E50-953D-813BB8556899}\MenuStatusBar = "ÖÐÎÄÉÏÍøÉèÖÃ"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW\DefaultValue = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY\ValueName = "EnableKwDisp"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_ACCOUNT\HKeyRoot = "2147483649"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{35980F6E-A137-4E50-953D-813BB8556899}\Default Visible = "Yes"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{35980F6E-A137-4E50-953D-813BB8556899}\HotIcon = "C:\\PROGRA~1\\CNNIC\\Cdn\\cdniehlp.dll,213"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RESOLUTION\Type = "checkbox"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\DefaultValue = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW\Type = "checkbox"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW\RegPath = "SOFTWARE\\CNNIC\\CdnClient\\Console"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{35980F6E-A137-4E50-953D-813BB8556899}\ButtonText = "Chinese Navigation"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{35980F6E-A137-4E50-953D-813BB8556899}\MenuStatusBar = "Chinese Navigation"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\Type = "group"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\IDN_MAIL\RegPath = "SOFTWARE\\CNNIC\\CdnClient\\Console"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY\CheckedValue = "1"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT\DefaultValue = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_ACCOUNT	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\Text = "Automatically Update When New Version is Detected(Recommended)"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN\Text = "Enable Chinese Domain Name"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\IDN_MAIL\DefaultValue = "1"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_SCRIPT\HKeyRoot = "2147483649"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_SCRIPT\RegPath = "SOFTWARE\\CNNIC\\CdnClient\\Console"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\Type = "checkbox"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\UncheckedValue = "0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT\RegPath = "SOFTWARE\\CNNIC\\CdnClient\\Console"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\Bitmap = "C:\\WINNT\\system32\\inetcpl.cpl,4497"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_SCRIPT\UncheckedValue = "0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RESOLUTION\ValueName = "EnableIntRes"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\HINT\UncheckedValue = "0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_SCRIPT\Type = "checkbox"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{35980F6E-A137-4E50-953D-813BB8556899}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN\HKeyRoot = "2147483649"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RESOLUTION	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_ACCOUNT\UncheckedValue = "0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN\RegPath = "SOFTWARE\\CNNIC\\CdnClient\\Console"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\KW\CheckedValue = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY\Type = "checkbox"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\UPDATE\HKeyRoot = "2147483649"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\DISPLAY\Text = "Display Keyword in the Address Bar Droplist"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_ACCOUNT\CheckedValue = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\Text = " Chinese-Language Internet Access"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN\DefaultValue = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RESOLUTION\RegPath = "SOFTWARE\\CNNIC\\CdnClient\\Console"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\MAIL_SCRIPT\Text = "E-Mail Script"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RESOLUTION\UncheckedValue = "0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\IDN	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\IDNKW\RESOLUTION\CheckedValue = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT\MAIL\IDN_MAIL\Text = "Enable Chinese Domain Name Mailing System"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{35980F6E-A137-4E50-953D-813BB8556899}\ClsidExtension = "{35980F6E-A137-4E50-953D-813BB8556899}"	setup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C24A5A5C-0874-4386-85C7-E669F90997A9}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\cdn.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D449EB58-55AF-4695-B216-895D546AED89}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B7DB519E-7131-47B1-A9F5-DA8D061C2611}\1.0\0\win32\ = "C:\\PROGRA~1\\CNNIC\\Cdn\\imaol.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BF0A2EB3-0704-45C6-90F4-9EBB1DEB57FD}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF0A2EB3-0704-45C6-90F4-9EBB1DEB57FD}\ = "IInspectorHandler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF0A2EB3-0704-45C6-90F4-9EBB1DEB57FD}\TypeLib\ = "{B7DB519E-7131-47B1-A9F5-DA8D061C2611}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF0A2EB3-0704-45C6-90F4-9EBB1DEB57FD}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{951A869A-1003-4897-948F-D55E570871DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CndnIEHelper.CndnIEHlprObj	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35980F6E-A137-4E50-953D-813BB8556899}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35980F6E-A137-4E50-953D-813BB8556899}\InprocServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01833110-7C51-4D41-A09F-69EF74606E5B}\1.0\0\win32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MailParserSvr.MailParser\CLSID\ = "{D449EB58-55AF-4695-B216-895D546AED89}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B7DB519E-7131-47B1-A9F5-DA8D061C2611}\1.0\HELPDIR	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MailParserSvr.InspectorHandler\ = "InspectorHandler Class"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Cdn.CdnObj	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A578C98-3C2F-4630-890B-FC04196EF420}\Programmable	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A578C98-3C2F-4630-890B-FC04196EF420}\TypeLib\ = "{C24A5A5C-0874-4386-85C7-E669F90997A9}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{951A869A-1003-4897-948F-D55E570871DB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35980F6E-A137-4E50-953D-813BB8556899}\TypeLib\ = "{01833110-7C51-4D41-A09F-69EF74606E5B}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01833110-7C51-4D41-A09F-69EF74606E5B}\1.0\HELPDIR	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MailParserSvr.InspectorHandler.1\ = "InspectorHandler Class"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CndnIEHelper.CndnIEHlprObj\CurVer\ = "CndnIEHelper.CndnIEHlprObj.1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01833110-7C51-4D41-A09F-69EF74606E5B}\1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B7DB519E-7131-47B1-A9F5-DA8D061C2611}\1.0\0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CndnIEHelper.CndnIEHlprObj.1	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{461A86F7-A29D-460A-80D5-52979AA6C46D}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{446761D5-3AC9-40CC-9DCD-CDE23E2CE31A}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C24A5A5C-0874-4386-85C7-E669F90997A9}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CndnIEHelper.CndnIEHlprObj\CLSID\ = "{35980F6E-A137-4E50-953D-813BB8556899}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35980F6E-A137-4E50-953D-813BB8556899}\ = "CNNIC_IDN"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35980F6E-A137-4E50-953D-813BB8556899}\InprocServer32\ = "C:\\PROGRA~1\\CNNIC\\Cdn\\cdniehlp.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{475ABCC3-D4CF-45D2-938A-A434FDC95B67}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MailParserSvr.InspectorHandler\CLSID\ = "{461A86F7-A29D-460A-80D5-52979AA6C46D}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{461A86F7-A29D-460A-80D5-52979AA6C46D}\VersionIndependentProgID\ = "MailParserSvr.InspectorHandler"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BF0A2EB3-0704-45C6-90F4-9EBB1DEB57FD}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BF0A2EB3-0704-45C6-90F4-9EBB1DEB57FD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Cdn.CdnObj\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{951A869A-1003-4897-948F-D55E570871DB}\ = "ICdnObj"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MailParserSvr.MailParser\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D449EB58-55AF-4695-B216-895D546AED89}\Programmable	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D449EB58-55AF-4695-B216-895D546AED89}\TypeLib\ = "{B7DB519E-7131-47B1-A9F5-DA8D061C2611}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MailParserSvr.InspectorHandler.1\CLSID\ = "{461A86F7-A29D-460A-80D5-52979AA6C46D}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{446761D5-3AC9-40CC-9DCD-CDE23E2CE31A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9A578C98-3C2F-4630-890B-FC04196EF420}\InprocServer32\ = "C:\\Windows\\SysWow64\\cdn.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C24A5A5C-0874-4386-85C7-E669F90997A9}\1.0\0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C24A5A5C-0874-4386-85C7-E669F90997A9}\1.0\0\win32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35980F6E-A137-4E50-953D-813BB8556899}\VersionIndependentProgID\ = "CndnIEHelper.CndnIEHlprObj"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MailParserSvr.MailParser.1\CLSID\ = "{D449EB58-55AF-4695-B216-895D546AED89}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Cdn.CdnObj.1\ = "CdnObj Class"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MailParserSvr.InspectorHandler.1	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{461A86F7-A29D-460A-80D5-52979AA6C46D}\ProgID\ = "MailParserSvr.InspectorHandler.1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{461A86F7-A29D-460A-80D5-52979AA6C46D}\InprocServer32\ThreadingModel = "both"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{446761D5-3AC9-40CC-9DCD-CDE23E2CE31A}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C24A5A5C-0874-4386-85C7-E669F90997A9}\1.0\FLAGS\ = "0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{475ABCC3-D4CF-45D2-938A-A434FDC95B67}\TypeLib\ = "{01833110-7C51-4D41-A09F-69EF74606E5B}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{475ABCC3-D4CF-45D2-938A-A434FDC95B67}\ = "ICndnIEHlprObj"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D449EB58-55AF-4695-B216-895D546AED89}\ = "MailParser Class"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MailParserSvr.InspectorHandler.1\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B7DB519E-7131-47B1-A9F5-DA8D061C2611}\1.0\0\win32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{446761D5-3AC9-40CC-9DCD-CDE23E2CE31A}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35980F6E-A137-4E50-953D-813BB8556899}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{475ABCC3-D4CF-45D2-938A-A434FDC95B67}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{475ABCC3-D4CF-45D2-938A-A434FDC95B67}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2136	Lang2052.exe
2136	Lang2052.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
480	Process not Found
480	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	Lang2052.exe
Token: SeRestorePrivilege	2776	setup.exe
Token: SeBackupPrivilege	2776	setup.exe
Token: SeRestorePrivilege	3020	cdnup.exe
Token: SeBackupPrivilege	3020	cdnup.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3020	cdnup.exe
3020	cdnup.exe
3020	cdnup.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2344	2136	Lang2052.exe	30
PID 2136 wrote to memory of 2344	2136	Lang2052.exe	30
PID 2136 wrote to memory of 2344	2136	Lang2052.exe	30
PID 2136 wrote to memory of 2344	2136	Lang2052.exe	30
PID 2136 wrote to memory of 2344	2136	Lang2052.exe	30
PID 2136 wrote to memory of 2344	2136	Lang2052.exe	30
PID 2136 wrote to memory of 2344	2136	Lang2052.exe	30
PID 2344 wrote to memory of 2776	2344	setup.exe	31
PID 2344 wrote to memory of 2776	2344	setup.exe	31
PID 2344 wrote to memory of 2776	2344	setup.exe	31
PID 2344 wrote to memory of 2776	2344	setup.exe	31
PID 2344 wrote to memory of 2776	2344	setup.exe	31
PID 2344 wrote to memory of 2776	2344	setup.exe	31
PID 2344 wrote to memory of 2776	2344	setup.exe	31
PID 2776 wrote to memory of 3020	2776	setup.exe	32
PID 2776 wrote to memory of 3020	2776	setup.exe	32
PID 2776 wrote to memory of 3020	2776	setup.exe	32
PID 2776 wrote to memory of 3020	2776	setup.exe	32
PID 2776 wrote to memory of 3020	2776	setup.exe	32
PID 2776 wrote to memory of 3020	2776	setup.exe	32
PID 2776 wrote to memory of 3020	2776	setup.exe	32

C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES_COMMON\NSISLog\Lang2052.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES_COMMON\NSISLog\Lang2052.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  C:\Users\Admin\AppData\Local\Temp\setup.exe 00020402
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Local\Temp\setup\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup\setup.exe" 00020402
    3⤵
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Installs/modifies Browser Helper Object
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Program Files\CNNIC\Cdn\cdnup.exe
      "C:\Program Files\CNNIC\Cdn\cdnup.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\setup\cdn.dll

Filesize
32KB

MD5
d2829f213225e47ef57798652673b79d

SHA1
97998fa49efe17d383a91839ffebc3ca2dce67f0

SHA256
0ca6f98d230813f05019f5ecf67b8b460aea421b3a9020e3e4d3bdf1d8f01988

SHA512
405d5f18bec74f95ed0b2d319ac89e8e4d62ac7296f7d3d293882e3ce5f4d38836d871b0fa59791afade2fcd9fad24135a83dcbef8c1bf286c473cca9e88397f

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnaux.dll

Filesize
36KB

MD5
a7a7b73184d80b802d8f324b29c7574b

SHA1
252f64ab7d06c781dc782e7dd51440a8d7d1427e

SHA256
a168517f1428b8926cf4c161b6c1cca1dd17b85b98766a15f2d582391283221a

SHA512
48e2d1c2b0e678feb73c32dcede5befa5ed8a86dc23ac3e1ff82d89edec4a668fa5e5145f0e47f2e511f17b8138d855f13013fe08ab03c60cd7ead15dadfd9c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnctr.exe

Filesize
56KB

MD5
3cdcd6d87cb6fd238fd4ef3c20d51cd2

SHA1
8eb2c6e1b1b397fa0fec67eeb0e531870474bee9

SHA256
8b4ed9ae5cc04ed0bfa36ac0c7f4853e9b3d03078387fd33cb595b3a15ec4443

SHA512
7ff586ff8729b7359081737ecbf42bcd9d69f45756715d1f0c2fd8f902c37dde355583ecdf7362720f253d576508fb450ad73d64799ba5582a7b7f2a15867ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdndet.dll

Filesize
76KB

MD5
a24feed08d91dde5aaa97bab14808175

SHA1
e0fcae94a2cad1015e27e5e4466e076923a824f2

SHA256
fae04d0e4f5a0d4319f50a0163aab03c739e4e3bd48347f1bb6f54a0ebf93c26

SHA512
d0b143d3a7493f90319894df1559c307799a00ee4f967d5e85b1e49fed441d4ec98050bac524b57d74aeb68b80844a51be3ce842176ea7c557a0381848ee61ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdndisp.dat

Filesize
408B

MD5
c446ea5f7758e07542e47c5353a843bc

SHA1
ef4db3fc423e539f32ea4625538351f46c0149c7

SHA256
d834262537368b143c1e39801122c7045bfe1da14f708a935e44a46963deaaed

SHA512
133895206340747a779fc60cd8adea33fb7298468f908c30a2283c089d6387452ca7bc2ab140b73e0d5f8291edd198fe01dfa54913cde401c8e7a833396b908d

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnglo.dll

Filesize
84KB

MD5
6fa516fc990b1e06e2d7e9ba328be19c

SHA1
eabcfccfd669408825b8851b397dddf2700f8380

SHA256
bc1552201f7cf45185c78540d2a894e6e23250c4187014fbd18b123e5429ded9

SHA512
aece891396c20bbe6608620c31550b2a8e08f1ebf4f9125545ad11464c35aa7338619a38bf33a0efe2ef4a657101d526819ec799fdeaa614a3b694ff2e672f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnhint.dat

Filesize
617B

MD5
9dfcd4bdb68132d89824172847db86e7

SHA1
ca3671ad08c33487b4b685f5c166934362ef877e

SHA256
608a870b870ac5beebdf9d9fa6f85d5abde08274c550ab968403b0409d65030a

SHA512
daa209322c78eacc9ba2773c3d2dd7f66bcef88d41bc818b426cf358d290282d4b1d1ea130fd9ee2f567915cf7aa68976a0216d0ea2d95d211b2001cd3e88d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdniehlp.dll

Filesize
112KB

MD5
6d684c72ae70bc2621408c7389a77d12

SHA1
f6a073aa45954be4037f24c4e27eecf7f03f4cf3

SHA256
a71ace180d93d9dfd8d9c3027c051a8e2d4cb39db26eb7243cc349e8760e489c

SHA512
e43efb5c2f228d8421321fc98a3b4db68208887f9ba04c81c7f41442015331c5c32594d54e3ee6fab781216051fa72ae7cddb3e3a3d594d5b7f211ba8e7938d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnins.dll

Filesize
72KB

MD5
ddd3eda4b579e482e23aa3c5132cc14b

SHA1
9b88c9ea2175283f48d4152b9ac24a63bf2c217d

SHA256
871888a6706c56fe3441dd4e2ad556348b31c9337e3984a24fe40ee14bdff60b

SHA512
7382f548de6239ff5ffa6a0689d6f77e7b13f8ef6b21960e9a4d7f4db0e577b7ea156d95db3cbcd400ec1f68ce8666e4c53009e731ff250fa2ae1efda6cc9119

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnns.dll

Filesize
22KB

MD5
b9ec30062a67883d1ffdcc498d17ed3b

SHA1
a74722a2196e77dfe8bf85deb5942269e0e9f4bf

SHA256
23493233c886b2e02e48c4b47177b814aaa988c0f0f3e4ec8f168242fec1e0bd

SHA512
a8f306b286f6d36abcb20b2571de3f8aba1eb075b2f2334bbc2c7e8f462c69448bd9a6297c1d3117ac8d0a023fd4a8bf344020a103a3ad5224b377b3e92ea889

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnprev.dat

Filesize
332B

MD5
859ea7a38cba1624ed5c4599ba7c8582

SHA1
35632082204a81942792c336c4f9753a48fe4da7

SHA256
fbad62bd59eb03bcf515a036d9d4c9b100efcf7aa22e17e46beeeb25eeeff858

SHA512
068adc14dee7eab6a206d41a6bf037272e0c716b4f6bd8b35a62d4457a8c71a9814cb40a164cc26185a459073eceef747ef6358cd619dd446995ec28e7a25dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnprh.dll

Filesize
40KB

MD5
6bf77aeea07670dcb9b7507573d93489

SHA1
331aa409fd345fdb76877928eda7f1ea97a8f358

SHA256
17b60d34722ff32014ce272f568b30774f1607f5230e24b88381ab99aed72d5a

SHA512
364109d674d8069cb476f52db7e059c746b475c8ebb6b0986cb07ad9b7df232edb1744cc37f8d048d7725aabb53274e0dd1682208846ebb817ac0990a1cc0ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnprot.dat

Filesize
3KB

MD5
c8ec48e7c816f284ffaedeb0fb4c7ab7

SHA1
2d20da67e2deb50770be105beca47c5944a0f504

SHA256
ae8e2c53bcc69b4366ed3a441e5dc4825fb62f9774d6a4521322a1b239578ea4

SHA512
8127d70f066631e42deb50bb1f148b213f129690f5c665d104df69ac94f50c3171012f09db886bd4a83834efa452bbdf018bfd43be8c177b2c823f3ac78e4d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnprot.sys

Filesize
45KB

MD5
382e88a11ebfdd22a49db61ed0820164

SHA1
0cc7376633d617e72b98fdca16ea67a8d89b55eb

SHA256
a50cbd231925f0a63f8af56a63783de9b7f30feadee66da868056b9ac2f25c00

SHA512
7db09b40ead11dcb14c62ec4089b2729d1d0677c30b11f75321f33d9531ece5ad67d2e83046808dcb35fee3df69b0f03dcef7b2e4d26fb50e2ae73d039d506bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnspie.dll

Filesize
76KB

MD5
9561e54bb17ec4ee021cde91297100dd

SHA1
962ae4fee2c6d9d8a73209f51ddb40434b0e9be1

SHA256
42d0748452991d816a1bc6c52446259d4c1cd44388a48d25e4a1d98674c93b63

SHA512
4422d01d9df4abb154fabd529309faa10a8f2396d2af5a98580815902e4361724c6abdf75b9678b37e55e35c75c149ea24965f68605b4d5797c682ab251af20f

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdntdns.dll

Filesize
64KB

MD5
33000a1da78887ec0c3395956dc73625

SHA1
4e95eb95bc0a0748dacdd83ea0e00128580306f3

SHA256
fae2c6765a6643e4779900098d723bc08265092f47e07ab4ad808c8d27cfa5c8

SHA512
ea9d381775f1997e6261de44e1958f1f2f8329096f318326febc55c3946a1c115d8143627275ed2f775b58685973473daf97f683e91063448dfd2505b77337e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdntran.dat

Filesize
1KB

MD5
496b846a17146316874633bc503101ca

SHA1
cc3e8247268f74bf26d8c4596ea62b1677c715a0

SHA256
be84e1f1216979f765c048617636afbfc8092338800348456051f81bfea2c838

SHA512
5b7aac5f836e1bc9cbf49e0275d66136649bc20dacb2a3c3fb8edeb9ec87109b870b1a8a1ec1c8f8bbe64319e509f1f879360478d0d3513976ab8177189a9358

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdntran.sys

Filesize
12KB

MD5
c61fcc6e2c783ff55ba22ca296b4d11d

SHA1
3a7cbb7083fa35fcb338ce486899fa22798d50ab

SHA256
9c6a75ea1e8198efaac0d037e5b9fd41fa1e84a39dda80457dccad03a190b167

SHA512
dc95b8c0d993be32acae2a4b50f9009730685aec8cce0e0f02dc38a60c804deaee091a191e081da1a9be6ca4cfb73c210266611e49916765acf53fac9f2e763d

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnunins.exe

Filesize
68KB

MD5
182330b5766815c8727e9ceef6bacb72

SHA1
8b96d4c0ea04e1791bb1139fa0287be8e6993c7c

SHA256
bee606d848d460b632d3be66dba2b88ce45b16695bb6afc0905c283764973b5f

SHA512
bc3a57848871546bdf29509cf37b05f00c1f676bb068c24309d914d80e0da93ea0620d1523b75a4d7f17ffb147c7e96aa095f084e1851d5ec2590bf29ae72cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnup.exe

Filesize
68KB

MD5
617ede36c58e86027da051debdaf4c81

SHA1
b94ee8a31691ad9227138cdb14058e6c867b4a75

SHA256
d499ed2f18b0fe4c8407b54bc2d53e6d8f3d99e398c42bc33fc3525b10697b24

SHA512
1a02e337d92d5f4f694714bbde8c60181a15a73a5ee4544d98335911ada5dfd7300e39ed5972659ef6f17546145ad26d1b5c926541a368681d2b5abb1bca3a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\cdnvers.dat

Filesize
1KB

MD5
323623a4fcd34062cf58e4160494304a

SHA1
8511717e6d51abdd10541422ce1f0d33cded424a

SHA256
3cf66a39c25ea39c03237a955d92690907d91a28c3d1e92a36dcaa12fbdc0f3c

SHA512
88c56766a74ff2f6fefdc36c59339f6d3a35f2cb173d13405f5d92da4f87259cf5cbd4c29894e55b38b186ffb9dcc9d9172bf59d93f05f64a92a4e552f192f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\client.dll

Filesize
40KB

MD5
310cc33829f149c0913ed5f79f213ec5

SHA1
1f22f940c5f0905b8ddbf452efadb23d5c942ccb

SHA256
1551ec21970495f40f423341bcdcbde5744560418e47c01c6cccdeb74f6e6946

SHA512
94325996d4f680ff0a3a0fbd41e289e559d1e9a3de8ae634ec1f4d64ec281ec5deb41a9e6d55e66e02a39fda3296c0f15c5b86b1e7ad16309335730c0c5a7a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\idnconv.dll

Filesize
228KB

MD5
53e69b76bc93941c0eda58d85f6e05f9

SHA1
13bb7ed0edfb943f7c981fdf9df8487878a151f4

SHA256
55d8110ebe08d94c63ce16558fd7e897cc7c6aedf1bb3f52b0d383b2d17dc576

SHA512
2acbe0f0ead481be94aedd9be57e88bdcfcd0011088c63c48f7aef438c3833b1246656ce73fbb0c705212504d1e4375725f730cd2110a32a094845dac53fb098

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\imaconv.dll

Filesize
36KB

MD5
925383c03b330f2416f6efbeaf0e61e9

SHA1
e17ad03b6e1fd3c5788f91e2a432bfc324a810d3

SHA256
862f5ea1d81c1bd4a5e8bbff75a7de1cbac7085bb5f2e822d90a7318783af924

SHA512
c2fb1396747525dfe80b91cd65e02dca62d5d48d7453725100fe86fc8975a0bc1d43a770ae303cb380d473ea343d6315ba5239ea0b8e667c59b4c56acb36b320

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\imaoe.dll

Filesize
52KB

MD5
58be436dd3309680ee2818bdc1c20041

SHA1
d740fa64c3b67852b08ff0221911eb168a8189cc

SHA256
ef08403922e31c5bd2bd85500b7292dc60cd75786275625e2a51df96e992feeb

SHA512
1de0705bf2d3c28dd5115ab5d39653255611b4eead37bf63a8ae7508799259e6e52f409b9bfe77427aace559b56cb904c2dea2e9d72b9223a98344b97386e6a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup\src.dat

Filesize
108B

MD5
f4f19b06d2de17741549f44c56702923

SHA1
b70631ed0531f39e18dea8732bc8957215e3b5e3

SHA256
0695723c28af1ef079a2c380bdc41631e01f03475b99ed55a752ad220d883c47

SHA512
4c12038054ca18f75c026a95b794e04c4d38da794cbdb43cdd071d50f367936e0897d927b42c16c5adb48851f344f2f34c44735d5af8e86d2750dee85e022000

Download Submit
C:\Users\Admin\AppData\Local\Temp\src.tmp

Filesize
108B

MD5
105c1a3d2fbbd9c087af79dbf8f710c4

SHA1
14e2db1fa16d4d56acdfab85f2c3e1f08069d99f

SHA256
26b19c61eee88f2ce739ab67fb4bad16a75a86f2fb8fbabc35ef91ea809e70c8

SHA512
f2a13ae4b26725045a9e00204e6e70edef0f434c7c2ef2a40509b2e4a653b85330105181adf16848e290d295dc39245d94825df064d6db6a680f1cf12a844644

Download Submit
\PROGRA~1\CNNIC\Cdn\imaol.dll

Filesize
92KB

MD5
915c0235920f915d7933058eee08858b

SHA1
9945a0d6c29c67fa46cd7359d5b155a914a404ae

SHA256
eda38c4311e2780d0df7d6db8bb9ac158eb8626aaca1aeb5fe44dc6d580502a6

SHA512
68c3db18c039cf17e3e3c9ec15b91419de9fa65321de842e937dcb3f8f9f0d46ad689ea90f6988b0cd63901dddcd9f76f7996b8294a2927b09867be05d781d80

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
333KB

MD5
403c907056c3602efab42a210454a9e0

SHA1
8cde8646ffd1ed1410f2bdd26827fd82dc33895a

SHA256
57e338b58c1228d14bfa1e8386125cdc0839923f1a268e1f9691911ea89119ca

SHA512
c57cb193977a30ccb3e3922e07e0d83a0ab63b561112e3bb6a6bf1e2f03055664c35857f74489df4e18ac04c057886cbe13f9e48d1f56386b5811638b7e9debf

Download Submit
\Users\Admin\AppData\Local\Temp\setup\setup.exe

Filesize
28KB

MD5
b9d4e392e8ac6a4420f126cc88d8c0c1

SHA1
3fa9755060979a13973927906222a4929bb4c80f

SHA256
3d20d973651546be8d370ff9013bbdc03282808a212731b92852f0b789634064

SHA512
03fe62e90efaa0cf064c335d7dd4df912f738a85726eb77269687f398511b883400eb0b95d3a8158d2a5b7fec37e073bbde754a5b53e17732b18f667d9960128

Download Submit
memory/2776-115-0x00000000002C0000-0x00000000002D8000-memory.dmp

Filesize
96KB

Download
memory/2776-128-0x0000000003B30000-0x0000000003CE1000-memory.dmp

Filesize
1.7MB

Download
memory/2776-96-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/2776-142-0x0000000000520000-0x000000000052C000-memory.dmp

Filesize
48KB

Download
memory/3020-179-0x0000000000330000-0x000000000033D000-memory.dmp

Filesize
52KB

Download
memory/3020-178-0x0000000000250000-0x0000000000264000-memory.dmp

Filesize
80KB

Download
memory/3020-181-0x0000000003BC0000-0x0000000003D71000-memory.dmp

Filesize
1.7MB

Download
memory/3020-180-0x0000000000340000-0x0000000000354000-memory.dmp

Filesize
80KB

Download