44afbe9021198962048332685d51e48f9d71d5319851945f989a11b49ab6846f

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1b9821ffbc1a74a167781f0339cc419_JaffaCakes118.exe
Size

6.4MB
MD5

c1b9821ffbc1a74a167781f0339cc419
SHA1

4ce719bab8b8af01a127c012eea23857879810a7
SHA256

44afbe9021198962048332685d51e48f9d71d5319851945f989a11b49ab6846f
SHA512

b71717b861280cd00e990eb2798f80d9027d63f2ee616c80333deb6011cb60a9b9e0aacc4378104362db630473831ee54767094d2176e26e0aed933b1186d3f9
SSDEEP

196608:CeP+HX0EGC4f/XjoeMlKAK0+KgkIJp5iCeUzFp3UvGKqQrmj/m6:CggXK/zpmd+6IJp575zUOZImj/m6

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2736	pipi_dae_489.exe
2860	pipi_setup_489.exe
2596	pipi_setup_489.tmp
1724	PIPIStartSvr.exe
2848	jfCacheMgr.exe

Loads dropped DLL 57 IoCs

pid	Process
2884	c1b9821ffbc1a74a167781f0339cc419_JaffaCakes118.exe
2884	c1b9821ffbc1a74a167781f0339cc419_JaffaCakes118.exe
2884	c1b9821ffbc1a74a167781f0339cc419_JaffaCakes118.exe
2884	c1b9821ffbc1a74a167781f0339cc419_JaffaCakes118.exe
2736	pipi_dae_489.exe
2736	pipi_dae_489.exe
2736	pipi_dae_489.exe
2736	pipi_dae_489.exe
2860	pipi_setup_489.exe
2860	pipi_setup_489.exe
2860	pipi_setup_489.exe
2596	pipi_setup_489.tmp
2596	pipi_setup_489.tmp
2596	pipi_setup_489.tmp
2596	pipi_setup_489.tmp
2596	pipi_setup_489.tmp
2596	pipi_setup_489.tmp
2596	pipi_setup_489.tmp
2596	pipi_setup_489.tmp
2596	pipi_setup_489.tmp
1548	regsvr32.exe
2384	regsvr32.exe
2384	regsvr32.exe
2384	regsvr32.exe
2384	regsvr32.exe
1124	regsvr32.exe
1124	regsvr32.exe
1124	regsvr32.exe
1124	regsvr32.exe
1124	regsvr32.exe
684	regsvr32.exe
1736	regsvr32.exe
1048	regsvr32.exe
2596	pipi_setup_489.tmp
2596	pipi_setup_489.tmp
1724	PIPIStartSvr.exe
1724	PIPIStartSvr.exe
1724	PIPIStartSvr.exe
2596	pipi_setup_489.tmp
2596	pipi_setup_489.tmp
2848	jfCacheMgr.exe
2848	jfCacheMgr.exe
2848	jfCacheMgr.exe
2848	jfCacheMgr.exe
2848	jfCacheMgr.exe
2848	jfCacheMgr.exe
2848	jfCacheMgr.exe
2848	jfCacheMgr.exe
2848	jfCacheMgr.exe
2848	jfCacheMgr.exe
2848	jfCacheMgr.exe
2848	jfCacheMgr.exe
2848	jfCacheMgr.exe
2848	jfCacheMgr.exe
2848	jfCacheMgr.exe
2848	jfCacheMgr.exe
2848	jfCacheMgr.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1A3440C6-F123-4CAB-84EE-C814E1AE0D8F}\ = "PIPI Link Helper"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A3440C6-F123-4CAB-84EE-C814E1AE0D8F}	regsvr32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\mcckmplayervod.ini	regsvr32.exe
File created	C:\Windows\SysWOW64\pncrt.dll	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\pncrt.dll	regsvr32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\PIPI_Update.job	pipi_setup_489.tmp
File opened for modification	C:\Windows\Tasks\PIPI_Update.job	pipi_setup_489.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PIPIStartSvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pipi_dae_489.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pipi_setup_489.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jfCacheMgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1b9821ffbc1a74a167781f0339cc419_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pipi_setup_489.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\URLSearchHooks	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{1E315374-71A5-471A-B683-4C4ADB5C588B}	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2CC10D1C-1032-4570-9BAA-607466123845}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{51C2E23D-3022-4A1F-AD4F-AFFE2812F8FC}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DDB55E8E-A844-4558-8D7D-8511352BE59F}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAAEA28A-47CA-460B-B13F-D4155E4C9452}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A74BF134-5213-46B5-AF36-CE1888315DC7}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A74BF134-5213-46B5-AF36-CE1888315DC7}	jfCacheMgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEE3F8D5-2D71-4101-BF11-191A0C46633E}\ = "_IMCCKMPlayerXCEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.wav\shell\pipiopen\command	pipi_setup_489.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.rmvb\shell\pipiopen\command	pipi_setup_489.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.3gp\shell\pipiopen\ = "Play With PIPIPlayer"	pipi_setup_489.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2745192-8F50-4ACC-AA27-2AC0B85A875F}\ = "PIPIWebPlayer Property Page"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PIPIWEBPLAYER.PIPIWebPlayerCtrl.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.asf\shell\pipiopen\ = "Play With PIPIPlayer"	pipi_setup_489.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.rm\shell\pipiopen\ = "Play With PIPIPlayer"	pipi_setup_489.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ppfilm\shell\ = "open"	jfCacheMgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAAEA28A-47CA-460B-B13F-D4155E4C9452}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A74BF134-5213-46B5-AF36-CE1888315DC7}\MiscStatus	jfCacheMgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A3440C6-F123-4CAB-84EE-C814E1AE0D8F}\ProgID\ = "JfCheck.MVSearch.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JfCheck.JfURLSearchHook\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DF8601-815A-475D-990A-8916C7F03D5B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mp3\shell\pipiopen\ = "Play With PIPIPlayer"	pipi_setup_489.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer	pipi_setup_489.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC01812C-C71E-40BF-BA2B-57732DF25204}\MiscStatus\1\ = "131473"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DF8601-815A-475D-990A-8916C7F03D5B}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.asf	pipi_setup_489.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{008BAC12-FBAF-497B-9670-BC6F6FBAE2C4}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A74BF134-5213-46B5-AF36-CE1888315DC7}\ToolboxBitmap32\ = "C:\\pipi\\PIPIWE~1.OCX, 1"	jfCacheMgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F6887547-369E-42FB-9921-85DBD895FF76}\1.0\ = "JfCheck 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A74BF134-5213-46B5-AF36-CE1888315DC7}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.3gp\shell\pipiopen	pipi_setup_489.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A74BF134-5213-46B5-AF36-CE1888315DC7}\InprocServer32\ = "C:\\pipi\\PIPIWE~1.OCX"	jfCacheMgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MCCKMPlayerX.MCCKMPlayerXC.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.asf\shell\pipiopen\command	pipi_setup_489.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{008BAC12-FBAF-497B-9670-BC6F6FBAE2C4}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D5AA0389-D274-48E1-BF50-ACB05A56DDE0}\ = "CMPCVideoDecPropertyPage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2FA20E2A-496E-4CAC-8D07-B5C227EBD3FA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{714B097F-80F2-4348-8E2A-7CCA82BAFE41}\NumMethods\ = "93"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.ram\shell\pipiopen\ = "Play With PIPIPlayer"	pipi_setup_489.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.mpg\shell\pipiopen\ = "Play With PIPIPlayer"	pipi_setup_489.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A74BF134-5213-46B5-AF36-CE1888315DC7}\Implemented Categories	jfCacheMgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAAEA28A-47CA-460B-B13F-D4155E4C9452}\TypeLib\ = "{DDB55E8E-A844-4558-8D7D-8511352BE59F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.asf\shell	pipi_setup_489.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ppfilm\DefaultIcon	jfCacheMgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer\shell\open\command	pipi_setup_489.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.wma\shell\pipiopen\command	pipi_setup_489.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.rm\shell	pipi_setup_489.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4665E44B-8B9A-4515-A086-E94ECE374608}\InprocServer32\ = "C:\\pipi\\codec\\CoreAAC.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F23B1F18-CB1A-47ED-A1FE-B60494A626D0}\ = "CoreAVC Video Decoder Property Page"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A74BF134-5213-46B5-AF36-CE1888315DC7}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	jfCacheMgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.amr\shell\pipiopen\command\ = "\"C:\\pipi\\PIPIPlayer.exe\" \"%L\""	pipi_setup_489.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A3440C6-F123-4CAB-84EE-C814E1AE0D8F}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E315374-71A5-471A-B683-4C4ADB5C588B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E315374-71A5-471A-B683-4C4ADB5C588B}\TypeLib\ = "{F6887547-369E-42FB-9921-85DBD895FF76}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC01812C-C71E-40BF-BA2B-57732DF25204}\TypeLib\ = "{B52AEEE2-D8D7-4BB0-AB1E-2E1862F2033B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC01812C-C71E-40BF-BA2B-57732DF25204}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B52AEEE2-D8D7-4BB0-AB1E-2E1862F2033B}\1.0\HELPDIR\ = "C:\\pipi\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEE3F8D5-2D71-4101-BF11-191A0C46633E}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.flv	pipi_setup_489.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4665E44B-8B9A-4515-A086-E94ECE374608}\ = "CoreAAC Audio Decoder About"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2745192-8F50-4ACC-AA27-2AC0B85A875F}\InprocServer32\ = "C:\\pipi\\PIPIWE~1.OCX"	jfCacheMgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A74BF134-5213-46B5-AF36-CE1888315DC7}\ProgID	jfCacheMgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer\shell\open	pipi_setup_489.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{632C6705-17AB-4407-9281-F60D0A7726BE}\MiscStatus\ = "0"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2596	pipi_setup_489.tmp
2848	jfCacheMgr.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2848	jfCacheMgr.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2848	jfCacheMgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2884	c1b9821ffbc1a74a167781f0339cc419_JaffaCakes118.exe
2848	jfCacheMgr.exe
2848	jfCacheMgr.exe
2848	jfCacheMgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2736	2884	c1b9821ffbc1a74a167781f0339cc419_JaffaCakes118.exe	30
PID 2884 wrote to memory of 2736	2884	c1b9821ffbc1a74a167781f0339cc419_JaffaCakes118.exe	30
PID 2884 wrote to memory of 2736	2884	c1b9821ffbc1a74a167781f0339cc419_JaffaCakes118.exe	30
PID 2884 wrote to memory of 2736	2884	c1b9821ffbc1a74a167781f0339cc419_JaffaCakes118.exe	30
PID 2884 wrote to memory of 2736	2884	c1b9821ffbc1a74a167781f0339cc419_JaffaCakes118.exe	30
PID 2884 wrote to memory of 2736	2884	c1b9821ffbc1a74a167781f0339cc419_JaffaCakes118.exe	30
PID 2884 wrote to memory of 2736	2884	c1b9821ffbc1a74a167781f0339cc419_JaffaCakes118.exe	30
PID 2736 wrote to memory of 2860	2736	pipi_dae_489.exe	31
PID 2736 wrote to memory of 2860	2736	pipi_dae_489.exe	31
PID 2736 wrote to memory of 2860	2736	pipi_dae_489.exe	31
PID 2736 wrote to memory of 2860	2736	pipi_dae_489.exe	31
PID 2736 wrote to memory of 2860	2736	pipi_dae_489.exe	31
PID 2736 wrote to memory of 2860	2736	pipi_dae_489.exe	31
PID 2736 wrote to memory of 2860	2736	pipi_dae_489.exe	31
PID 2860 wrote to memory of 2596	2860	pipi_setup_489.exe	32
PID 2860 wrote to memory of 2596	2860	pipi_setup_489.exe	32
PID 2860 wrote to memory of 2596	2860	pipi_setup_489.exe	32
PID 2860 wrote to memory of 2596	2860	pipi_setup_489.exe	32
PID 2860 wrote to memory of 2596	2860	pipi_setup_489.exe	32
PID 2860 wrote to memory of 2596	2860	pipi_setup_489.exe	32
PID 2860 wrote to memory of 2596	2860	pipi_setup_489.exe	32
PID 2596 wrote to memory of 1548	2596	pipi_setup_489.tmp	33
PID 2596 wrote to memory of 1548	2596	pipi_setup_489.tmp	33
PID 2596 wrote to memory of 1548	2596	pipi_setup_489.tmp	33
PID 2596 wrote to memory of 1548	2596	pipi_setup_489.tmp	33
PID 2596 wrote to memory of 1548	2596	pipi_setup_489.tmp	33
PID 2596 wrote to memory of 1548	2596	pipi_setup_489.tmp	33
PID 2596 wrote to memory of 1548	2596	pipi_setup_489.tmp	33
PID 2596 wrote to memory of 2384	2596	pipi_setup_489.tmp	34
PID 2596 wrote to memory of 2384	2596	pipi_setup_489.tmp	34
PID 2596 wrote to memory of 2384	2596	pipi_setup_489.tmp	34
PID 2596 wrote to memory of 2384	2596	pipi_setup_489.tmp	34
PID 2596 wrote to memory of 2384	2596	pipi_setup_489.tmp	34
PID 2596 wrote to memory of 2384	2596	pipi_setup_489.tmp	34
PID 2596 wrote to memory of 2384	2596	pipi_setup_489.tmp	34
PID 2596 wrote to memory of 1124	2596	pipi_setup_489.tmp	35
PID 2596 wrote to memory of 1124	2596	pipi_setup_489.tmp	35
PID 2596 wrote to memory of 1124	2596	pipi_setup_489.tmp	35
PID 2596 wrote to memory of 1124	2596	pipi_setup_489.tmp	35
PID 2596 wrote to memory of 1124	2596	pipi_setup_489.tmp	35
PID 2596 wrote to memory of 1124	2596	pipi_setup_489.tmp	35
PID 2596 wrote to memory of 1124	2596	pipi_setup_489.tmp	35
PID 2596 wrote to memory of 684	2596	pipi_setup_489.tmp	37
PID 2596 wrote to memory of 684	2596	pipi_setup_489.tmp	37
PID 2596 wrote to memory of 684	2596	pipi_setup_489.tmp	37
PID 2596 wrote to memory of 684	2596	pipi_setup_489.tmp	37
PID 2596 wrote to memory of 684	2596	pipi_setup_489.tmp	37
PID 2596 wrote to memory of 684	2596	pipi_setup_489.tmp	37
PID 2596 wrote to memory of 684	2596	pipi_setup_489.tmp	37
PID 2596 wrote to memory of 1736	2596	pipi_setup_489.tmp	38
PID 2596 wrote to memory of 1736	2596	pipi_setup_489.tmp	38
PID 2596 wrote to memory of 1736	2596	pipi_setup_489.tmp	38
PID 2596 wrote to memory of 1736	2596	pipi_setup_489.tmp	38
PID 2596 wrote to memory of 1736	2596	pipi_setup_489.tmp	38
PID 2596 wrote to memory of 1736	2596	pipi_setup_489.tmp	38
PID 2596 wrote to memory of 1736	2596	pipi_setup_489.tmp	38
PID 2596 wrote to memory of 1048	2596	pipi_setup_489.tmp	39
PID 2596 wrote to memory of 1048	2596	pipi_setup_489.tmp	39
PID 2596 wrote to memory of 1048	2596	pipi_setup_489.tmp	39
PID 2596 wrote to memory of 1048	2596	pipi_setup_489.tmp	39
PID 2596 wrote to memory of 1048	2596	pipi_setup_489.tmp	39
PID 2596 wrote to memory of 1048	2596	pipi_setup_489.tmp	39
PID 2596 wrote to memory of 1048	2596	pipi_setup_489.tmp	39
PID 2596 wrote to memory of 1724	2596	pipi_setup_489.tmp	40

C:\Users\Admin\AppData\Local\Temp\c1b9821ffbc1a74a167781f0339cc419_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c1b9821ffbc1a74a167781f0339cc419_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Temp\pipi_dae_489.exe
  "C:\Users\Admin\AppData\Local\Temp\pipi_dae_489.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\pipi_setup_489.exe
    C:\Users\Admin\AppData\Local\Temp\pipi_setup_489.exe /verysilent
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Users\Admin\AppData\Local\Temp\is-JBSQS.tmp\pipi_setup_489.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-JBSQS.tmp\pipi_setup_489.tmp" /SL5="$301E6,6213687,71168,C:\Users\Admin\AppData\Local\Temp\pipi_setup_489.exe" /verysilent
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\pipi\JfCheck.dll"
        5⤵
        Loads dropped DLL
        Installs/modifies Browser Helper Object
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Modifies registry class
        
        PID:1548
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\pipi\MCCKMPlayerX.dll"
        5⤵
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2384
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\pipi\PIPIWebPlayer.ocx"
        5⤵
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1124
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\pipi\codec\CoreAAC.ax"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:684
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\pipi\codec\CoreAVC.ax"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1736
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\pipi\codec\MPCVideoDec.ax"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1048
    - - C:\pipi\PIPIStartSvr.exe
        
        "C:\pipi\PIPIStartSvr.exe" -i
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1724
    - - C:\pipi\jfCacheMgr.exe
        
        "C:\pipi\jfCacheMgr.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-02P63.tmp\topWizardSmallImageFile.bmp

Filesize
77KB

MD5
2bf58dfc87fed4cd136b38eda09b03b5

SHA1
0466c573f89c2311bec15e1892af8bb1981f8e46

SHA256
59bc1f995b1c0989689039de7bdd50201ba75f700e1aba7ac548751629f77ed3

SHA512
f7f82b12cec7b036aae733da6c0639dc193ba979d5662b0c5595ed6e1a8120f314a6f9f4fc74c0f8d44f79884dc66d25129755160ee7dc688e7c9c0e5bc7dfe0

Download Submit
C:\Windows\SysWOW64\config\mcckmplayervod.ini

Filesize
31B

MD5
5378f5b11a7f76e5363bd9246670d2f4

SHA1
58377e3e0763caca75e84dcf6595ed620e72430f

SHA256
352c88b52b5e831263ed4486ef774c38c5c36fc07375204f4d539a4ce8d756d1

SHA512
38175ef3a721595f8204f1be010fbe48e033ba7746d05c6a6b4585c5a20dfbfe4d60d7dd6d3fd4166bc4fcfb7f83ba12e952cb13c31d499bbeb1f62a15e44480

Download Submit
C:\Windows\SysWOW64\config\mcckmplayervod.ini

Filesize
47B

MD5
bce0add342645081e876fc1b5c493857

SHA1
70b95fa92734665acd4f5920443b1a2fcb5c3127

SHA256
4e1ae73cb97aac9553eb06b33352ff32f3ff799512d60fb9632eaa76de209492

SHA512
8cbbd8142e32a02843156512535ca793083b05fa4b9c3ae48c4ecc5da3e9a9f2b5dc73772239bbaeae5043afbd1b4a2524d8ae60eefec18d3bb715bd714bc0e8

Download Submit
C:\Windows\SysWOW64\config\mcckmplayervod.ini

Filesize
5KB

MD5
c9fd3c9037f9a4484d0635868ea571e4

SHA1
02ac3179b0ac4b6ea91fa861ebcae2bc8072bdb3

SHA256
e54b124bceed3b3495bb1298cb03276b7505d850f6e3386afaa4668adc41ae4c

SHA512
776bf5a8f2a6550ad837df16192a64b81decf071633ae130d77e51c509c75f7de9b62975e096366fa4b4361a582224c4ca32f7d75219a6f8614450ac784c266b

Download Submit
C:\pipi\0\user.db

Filesize
24KB

MD5
90b422d18298d8711074d85a1d55f889

SHA1
6b46053a6a490202a0dc24f59a53e1af37cf0573

SHA256
f3c332872b4e716698e38388a93664ec1df4875135d119608972d55bcb4312c9

SHA512
43ede50f706bddec085c4e73d5582c5970b19b726bce56e52520aff293afec3985b174f6086c5d3ac59505e6e979d5ae9ae86ef5b1a4cbdaba02f62aeecb5cae

Download Submit
C:\pipi\JfCheck.dll

Filesize
255KB

MD5
1657afe7575729742c65193390623784

SHA1
27c648287b0400c2344fbc335bc78010b751efe3

SHA256
7f3baae263dd7f486f83270b6ab241d5fa79610fa171eedbb320bdc6a74aa623

SHA512
b3aa8a4e4eac6b3bf9193c43a446c50a187c07f3d9c823ea83da131254928f8ef1a6a7c30ee1b667efb9a2521477bea5eb26cb5f282ce3c5672a33d3b7d3ce59

Download Submit
C:\pipi\MCCKMPlayerX.dll

Filesize
3.1MB

MD5
51ac0e8d96e644a5ac1c670b37269a9f

SHA1
ef761c6b88b2ed9174184b364d9ef472bfb85ecb

SHA256
1f50f6ee5b6f2e0fbaed1fdd47c20bff5f7099d6b07a5cde23ba8e24120324f9

SHA512
ab9d57b2e5b18af3760f3b811ae2286101ac9ea948fa042073acdd543dca3b1bf8b8c758e2e4ab5696eaf0181d5e6824d2e6a0f78153bdc2b7f6eba0e78718ca

Download Submit
C:\pipi\PIPIWebPlayer.ocx

Filesize
427KB

MD5
cb2d2dc09a6e895817462579fbd04f72

SHA1
dae1d1db8d377e16e14de46b6aba7a343f9ce9c6

SHA256
908868ced5007895a97a2bfe28137cfe21dbce7a0a406d4d6d73c733f6d01581

SHA512
e35c21871ea6b167b0bf01f94e45b352d033a9311052daf09184590e9af6e2ac45f13034d91306276f6c831e5c01cf39da972d670b61403cb6ff4f365ed3e45a

Download Submit
C:\pipi\baidu_logo.JPG

Filesize
6KB

MD5
674b355f4facfe3c02d9a4b2230b59dd

SHA1
e4543a4d01d28ffb184c25d283b0fdff83f6353d

SHA256
2a8053f50ee7658429a06c42282afeea4433307486e00f09d1c4b111fca74c3a

SHA512
c4f77ee544aeb0c4e77f673ec4bb23076dcc2de1595296eb1cb6da40e9651676ea72b4c6f503d663091126fb0fa1cf065b74a6acef48752baa391ace54d53f81

Download Submit
C:\pipi\codec\CoreAAC.ax

Filesize
312KB

MD5
b0ffac757be8d6cc41e1131eb2b0d959

SHA1
0e41733a050bc2ed53fda6337d6501b9942317c2

SHA256
04bf38bbd9cb8287582f9a2fb8b06e0ab30f06f676a93f4a56656b576f10e597

SHA512
356ecf4902f767f74670e5fcd57f26fb8a43710d0a2b3a995877e6f265119b2f091c6e5e3457dfa1767c6e4043afc470cc7090f43dd997b27c0e94c7e102bee3

Download Submit
C:\pipi\codec\CoreAVC.ax

Filesize
228KB

MD5
40850535fa9d08698e69d2985f1dc20b

SHA1
670ac35368499b3abe9339b7a9467e31b33b3cad

SHA256
67b3280ec7a04f686a94f87d7e19220f62b8e28647660fabd08ff57902ec2e9d

SHA512
52d909dc11f06883ae7c6ab5ef97c989a12838ad8b95681771583546669c3c19fd4a9077ce3c383330a1e9af4155324533ed62b36d70c66224f53a8160106906

Download Submit
C:\pipi\codec\MPCVideoDec.ax

Filesize
2.7MB

MD5
b49bb7b63fd5dab01d7be40144da3625

SHA1
3c077fba0dd9b382711f8889060d3948c7e6ae95

SHA256
919aa595ec2b18b811e3562ba9667c539015d401d3ef53f2c0f8e4b0ea51bebe

SHA512
461a5766dab7a20d905229116a000d8a0e73ec0a693f46fa7846322770df45fdf7a70aee4dfc77fd3d2dc7e2dd94615efb159497500694ff747c83dd7df78b76

Download Submit
C:\pipi\codec\rm\pncrt.dll

Filesize
272KB

MD5
13001eb0a58b4de96126b16ab15fd8cc

SHA1
4dfe6d2d02e9fa194f4af3d054b458b5a4bafbe6

SHA256
e983aa97fe1ce6af92f06433a71e03f54d3fc78392e26691cace927094bab8d7

SHA512
1a7c052bc1e7c824a3aff5e27c5cbd0720893e341dfb93062021b82c3a6d940c4ea23cbcdfaaeb174d90f51c36f0d8c62f693766f42172f894b6b689d26f49b2

Download Submit
C:\pipi\config\config.ini

Filesize
646B

MD5
e4a3f8797262dfaf39aea78e9f5dfc86

SHA1
f191ba6ed659c02fe025da21d7eeb7341a9c3ce2

SHA256
0572dfd01784d4603573f60c8287ec9ec7751b8fe1e1abd96bed391029950c89

SHA512
dfb6429be8e555d1f0c0422909b929737e5b046e006f1f311e55ade3199a81c8c894b338fda4aeaca5b8d4000e451f8fbb2034c35b461f955c9d55fe1bff73e0

Download Submit
C:\pipi\config\config.ini

Filesize
677B

MD5
6dea98687b555d25b9400b6608a7c3c1

SHA1
840775ca8fcc8b3d32289107cad7379f38057144

SHA256
b3163e59f46029b0be23f91e48fd7ae6f89a59e116033c0fe4afd6ebc6c06b8f

SHA512
164633e7777326a4bbb32462bbf59b488b7d22d0d040fa9fb5d6c8e6b82de585b9508ae2a3f5ffb6349799b77bd2dde8a7ee93bd07f99b0fb4b1c9af0950ed82

Download Submit
C:\pipi\config\config.ini

Filesize
731B

MD5
64a7b58edf2aa4ded6a4233f35aa3fcf

SHA1
f55111ff518a1edacbb0afc32303a10e3ee84173

SHA256
7a9774b161f8e7e5475002435295aa48fdeca20c5e338c6d2675844c304b0dea

SHA512
065d5c230da5763540c075df39662da5961120e9410245fa6e3510b0058caad5e453f3938be4f05ea41b2eef9fa832a261ef18163cecd0ba0b9a8345e4633600

Download Submit
C:\pipi\config\config.ini

Filesize
753B

MD5
aaaf15dc2c5f155fa63ec5fb518fadc6

SHA1
c6d775e5b8c63f85045e6c5a52378695353a3512

SHA256
d28cc1f7a778e282d339779b8854ca6c3076a2504b4d25efbb704054302293c9

SHA512
4a34a867e11b261192ad48a323c0904c462c4fd74c20aee1f3cecf47ef895ceae409baf7dc8a2e332fd1ee890b630b5dfb754f2bdf8103260dc465632488d2cb

Download Submit
C:\pipi\config\enumwindow.ini

Filesize
485B

MD5
97129f3dad72c31fc0c0522b13d8a8e9

SHA1
5746b079d104ebc4ead8e3a1840a72caf9aeedac

SHA256
39b8d619b336a8edabe2b10ab945e0dbed4dc51dfe6453bdb884f48469e539ab

SHA512
984b150090134d35bf6172a7c06d98758d9898b8657cb891febf1b69e7e8fdbb27dd05a8e3d3cc148b1b4c7722bd8188941b4b32afae16e428595c9957d4a770

Download Submit
C:\pipi\config\partner.ini

Filesize
35B

MD5
46eb36517ab14c72e99ab022b59a5d0f

SHA1
cc06e9a72c1fd5d929ebdcd570051ec2365436bc

SHA256
6a88fdab1cf8d3485667e99eb74039a1be13696158d873d87d3d4805a67489a9

SHA512
e38b9faa1f05a4d034b2e8c29cc12f8b098f6775839ce14cf5dad2b6ec367b75ff3d4ce842fc2343123b253697493b5dd26fd3cbe0e43b20bffe7feecff1643b

Download Submit
C:\pipi\config\skin.ini

Filesize
15KB

MD5
f33179b59f10498a6ae36f981fb485b8

SHA1
ca724a40aa3c6d62461ead3a6815eececdc71195

SHA256
3407e2ddd689f40f3e8e3c2c8dd87b52a182143acf1ffedcc7608e72fecff9d7

SHA512
4db4cb0471e9fc2bcdffc5ad87375c239ea3ec103cdca57b5376ac530cd2284a2e60730b22017346a53b0adeb768330a3569f1a25ba9e51fb8ff9f0f0b440730

Download Submit
C:\pipi\google_logo.JPG

Filesize
5KB

MD5
4beef83fec516b37b5219e8433c07498

SHA1
8fab8c53263ecbe34109a2e91ef4a739a8735646

SHA256
f4cf7983c35b8842b356371c557885faf26261ef523d0f9e0d3921e20f165e8c

SHA512
577009e03ee341b7ad4b0979b6e47df79f64cf9139c4eb4e26696c3b21b74960f61362253363bba8e49537ad039626b9dfad182b6b68b73ddce7bb9ac86b694f

Download Submit
C:\pipi\jfCacheMgr.exe

Filesize
1.9MB

MD5
46f26ea44b601aceffb91595b949ff63

SHA1
0a5e49443eb64e7e3395d578d852a2d61a8a2923

SHA256
c481592291afeea322c440d0b03323f2920cfb619e326e93f36dc28b52e2312e

SHA512
b1edd7f979937669ae5e811b75d2114866307f03f258880f8d2c43aab76e1bea87c668cce2be6de7e019564c3354fdede508798a13cf41e8b5d5fa3507888610

Download Submit
C:\pipi\jfres_plug.dll

Filesize
6.6MB

MD5
d429f2117ba8d39c28f85a8d7d50a7c6

SHA1
042be6a8f49bbdc61b467bb018743ffccaca7262

SHA256
896fd2153552f48b47ea98a171720020a09ce0cff5517a9e728a576a942b1c13

SHA512
57de255f2d11bba70591f4b64e3f13d4ffac20892afe662adfa61de07ec656bf4c49303d04afbd31195a2447142c4303bde4f6c4b92c1147754fb09719ba165c

Download Submit
C:\pipi\setupwelcome.JPG

Filesize
36KB

MD5
5f2e955342701741fa97750aa5d99487

SHA1
eb81e74ef78dd94e4da1d041d04afc5bad2b4d47

SHA256
8ac83f47e5353f052b1f7c729f4e1b1ae41377010421b71ea034d20850b4efed

SHA512
6b708d617905902fbad5fa83f16c699240c046d4ed11fdfb963ecc41795a6f2bd014a0ec4450893c62954a62dbfeacdf1132a320b442d993bfd2b27eed986efa

Download Submit
C:\pipi\topWizardSmallImageFile.jpg

Filesize
2KB

MD5
5ed5fd48c11acc65c88b0954a7224fe1

SHA1
5bfe240886fdae4f231671bf46c67d4c1cfe2f27

SHA256
51c476f505836fa5a4e5a0331fca86d03ef729aaacd4ba08a4351cd3a933136e

SHA512
dc5ee19db8136c13718a40dbbb65e8bd10932ad8c28e94239d466c1382e0c68ca46ef513b215762e81f2dbfadd9dc67dafe465317963040da36901858d3975da

Download Submit
C:\pipi\wizard_recommand.JPG

Filesize
5KB

MD5
1f03b9d855e4f6044db8d3d9834a5e46

SHA1
0b52092d8edc49e57ff48d8e81ddb8f2e8db6fb7

SHA256
eaf146a8b301d03c0ee4a21d05ede09b7cb6bfd4eca5882014c69701bb6257f5

SHA512
050dbf6fa7d6629881be01e81fea412104144da96071497e22019347f28dd49321468bca030f62898247c025e7d108be420d2ca18d46d9b45e7bd18148493d89

Download Submit
\Users\Admin\AppData\Local\Temp\is-02P63.tmp\PIPIRecommend.dll

Filesize
155KB

MD5
1ce3ea602274c3cc2e6037933e2b8bb2

SHA1
9a6137688fec60e6247085beba8a5aa064069bc0

SHA256
c56af8733c25963a17abb24e7340e2cb98abdd37232741391b6771bcf2a3821b

SHA512
d98070fec53eaa0ad39c72b38e493f828971864db2844e2c225b1ba1e803e9960f2d2b23610b569fe31875a05049d336e6932c6b5184dc5c8f78b01f36ad3b55

Download Submit
\Users\Admin\AppData\Local\Temp\is-02P63.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-02P63.tmp\jpg2bmp.dll

Filesize
143KB

MD5
df1fd0bed631d245485deeb4cfdc29f1

SHA1
739579e6460091e567d53a2d0179bc3a2abeb038

SHA256
2607f1f086472678f15e9fa6e0f21e91e816d8c4015d2ff3359e69263311d240

SHA512
9c2e73ecefc9b5b1f1691bdcc9fb457fb387f83f8a8e466eba4a985392a9fdb9fd2d8799e65f65e4f54de6e8c7199196be82c8525633bbff9ec3f10fad05bd8c

Download Submit
\Users\Admin\AppData\Local\Temp\is-JBSQS.tmp\pipi_setup_489.tmp

Filesize
829KB

MD5
fb111f1c53146bc0e04b2103f7a4d4a3

SHA1
f3abb93fd2f3520929744075336acf0c33e4d544

SHA256
03cfea10a4f72c59389fdc2f9cb465a3bf2baeddb074aa2cde711e622e4a5d78

SHA512
03c4dc797737f7fdf66d5998c8c36a3c1b154398f0664f65a0c9b9485bd635698e6333d7bf756f9251f9512554c33817ce15942b38a55fe6bcd6e6bfdbb80855

Download Submit
\Users\Admin\AppData\Local\Temp\pipi_dae_489.exe

Filesize
6.3MB

MD5
e209b3e6154589c34b7ebdad8d73980b

SHA1
b0be9c6dc0d8627b754a3c2ff1044b191e3a9052

SHA256
883184254d9e4abde6311df166143a5ff1c6845cdc86fc3dc6dcf3859f343d38

SHA512
01be02ab5de0df44abf60434e9cf72ffc199fb9ea8e7df4e83b86581558cc8e0776262a164f172bc020add351261822dce57755287f92fb6f1fde1f0936e25cc

Download Submit
\Users\Admin\AppData\Local\Temp\pipi_setup_489.exe

Filesize
6.2MB

MD5
cc3bba23d59e99c1bbd3727d77392518

SHA1
cd779107009e75ae256dcd93d472cb715dfa472e

SHA256
3303531c4370dab0b019c82f3ddb1294ac053bb9ce2b91cacc6370bbb3d20bf0

SHA512
661fa143987313bcf0bd29409358b80f1261af3589382c6e639cefa3a54ac14bc0d45f3555a031456dd57fe41736171b0b147ab23dda495110452f4dd70f26da

Download Submit
\pipi\KmFileTypeSetting.exe

Filesize
42KB

MD5
773504a6e1b891dbda9e7cd906393df8

SHA1
3dcda41aa9b14b9572870f3a961e8572c3dea4f2

SHA256
5ed50ab0bfd7f3a0e7f7b7cb1b3a2a366c05e9630f8bf1b0435513f24fe1bdf2

SHA512
36a5bc03a4fe7e219b18f6a1d90ff9611d304952ffe855f8a4b28f1459a5c7c8b306d4ecde3f49e79cdfbbf1007c026a2d8ed709eaf6f34de507c5f4caacce63

Download Submit
\pipi\MFC71.dll

Filesize
1.0MB

MD5
f35a584e947a5b401feb0fe01db4a0d7

SHA1
664dc99e78261a43d876311931694b6ef87cc8b9

SHA256
4da5efdc46d126b45daeee8bc69c0ba2aa243589046b7dfd12a7e21b9bee6a32

SHA512
b1ced222c3b7e63e22d093c8aa3467f5ea20312fe76a112baed7c63d238bbe8dee94dfe8f42474f7b1de7aa7acb8ba8e2b36fdd0a3cda83ee85ac9a34f859fa4

Download Submit
\pipi\PIPIPlayer.exe

Filesize
883KB

MD5
19abe9404a640fb9d492e7432c123804

SHA1
fb06a19b30378cb9fb4dd72b62d1f3557658102e

SHA256
77eec39e9633cc07fb6fbdee6748c6c6be3003152a3cbdb07c3ae313ab65bd53

SHA512
139b392e30c3b503d2fed0e6058b869fd653ae76530be050d8314daf12b0aa4e9a148b998ba6275d858c22da40fc9a96785787207236c839dad7fb6b5785f7bb

Download Submit
\pipi\PIPIStartSvr.exe

Filesize
15KB

MD5
ce035202671f9c9dd1d0cd26d4a06adc

SHA1
34d42b94be4367371a74f5c0db3b760c16a80557

SHA256
6bbbc4d67cce170dc3b234c85a136d96e2f4a83cf2001cbb2bc1837bce218b02

SHA512
00415034debed0c8a65ab8c96b89828729eb9d2446ae882f363004290aba049369717ac28cd54f0a35a75b3b5183382d01e41c39c13a36297f9d27d7ddb3a7cd

Download Submit
\pipi\msvcp71.dll

Filesize
488KB

MD5
561fa2abb31dfa8fab762145f81667c2

SHA1
c8ccb04eedac821a13fae314a2435192860c72b8

SHA256
df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b

SHA512
7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43

Download Submit
\pipi\msvcr71.dll

Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
\pipi\unins000.exe

Filesize
839KB

MD5
2c6d392a649e15f0218a8c888ed85b8b

SHA1
d823c2dd56b4d7b761a136b261d315e958d20b3e

SHA256
58cd2fddcac89292d5332b401cf61cab57cce5220352e9344b668874d00fc337

SHA512
382417dd1f9a8f70b93644157a56ae473e74c371f95d269c5e99963c5096bec90d70f6efc24ec1fc598cf50fcbfc909f94a340d3cb05215810f04f063d6c3f87

Download Submit
memory/1736-585-0x0000000010000000-0x0000000010103000-memory.dmp

Filesize
1.0MB

Download
memory/1736-584-0x0000000010000000-0x0000000010103000-memory.dmp

Filesize
1.0MB

Download
memory/2384-409-0x0000000000240000-0x000000000024A000-memory.dmp

Filesize
40KB

Download
memory/2384-410-0x0000000000240000-0x000000000024A000-memory.dmp

Filesize
40KB

Download
memory/2596-348-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2596-701-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2596-48-0x0000000001FF0000-0x0000000002018000-memory.dmp

Filesize
160KB

Download
memory/2860-702-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2860-107-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2860-28-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download