Analysis
-
max time kernel
99s -
max time network
93s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system -
submitted
06-12-2022 15:00
Static task
static1
Behavioral task
behavioral1
Sample
fada96dc990419b8fec6323816b3c6eed3b8b7b67d263f86d3b9c7119dc8f358.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
fada96dc990419b8fec6323816b3c6eed3b8b7b67d263f86d3b9c7119dc8f358.exe
Resource
win10v2004-20221111-en
General
-
Target
fada96dc990419b8fec6323816b3c6eed3b8b7b67d263f86d3b9c7119dc8f358.exe
-
Size
352KB
-
MD5
70a3a9c42c1973350deb130a53231367
-
SHA1
5b41fdd16b97f287515aeb5f16578a5d963acc49
-
SHA256
fada96dc990419b8fec6323816b3c6eed3b8b7b67d263f86d3b9c7119dc8f358
-
SHA512
0469f6d3f1112b3a6f7a6d109f52bcd0a8b38aad7f8390ffc82ebfe7fab238eee3b44586605276068c71714628bf63f63e5e1aec637b47ceab0d67a25cc1eea1
-
SSDEEP
3072:8z/92a98YQ19SexsTczlwGcaebeYYQ19qROLz/9KwCZ63+kFVaiJ38yrjw:8L9IR396cJYRXL9YE3BauVU
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
pid | Process
1296 | Loader_forqd318.exe
380 | PPTV(pplive)_forqd318.exe
1284 | PPAP.exe
1576 | PPAP.exe
-
Loads dropped DLL 64 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run | PPTV(pplive)_forqd318.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\PPAP = "\"C:\\Program Files (x86)\\Common Files\\PPLiveNetwork\\PPAP.exe\" -background" | PPTV(pplive)_forqd318.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | PPAP.exe
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 6 IoCs
resource | yara_rule
behavioral1/files/0x0007000000012721-63.dat | nsis_installer_1
behavioral1/files/0x0007000000012721-63.dat | nsis_installer_2
behavioral1/files/0x0007000000012721-65.dat | nsis_installer_1
behavioral1/files/0x0007000000012721-65.dat | nsis_installer_2
behavioral1/files/0x0007000000012721-67.dat | nsis_installer_1
behavioral1/files/0x0007000000012721-67.dat | nsis_installer_2
-
Modifies Internet Explorer settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CA7DFF65-E473-4efe-ADF0-FC1E50CDFC82}\Policy = "3" | PPAP.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{95B3F550-91C4-4627-BCC4-521288C52977} | PPTV(pplive)_forqd318.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{95B3F550-91C4-4627-BCC4-521288C52977}\Default Visible = "Yes" | PPTV(pplive)_forqd318.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{95B3F550-91C4-4627-BCC4-521288C52977}\MenuText = "PPLive" | PPTV(pplive)_forqd318.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{95B3F550-91C4-4627-BCC4-521288C52977}\MenuStatusBar = "PPLive" | PPTV(pplive)_forqd318.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{95B3F550-91C4-4627-BCC4-521288C52977}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" | PPTV(pplive)_forqd318.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CA7DFF65-E473-4efe-ADF0-FC1E50CDFC82} | PPAP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CA7DFF65-E473-4efe-ADF0-FC1E50CDFC82}\AppPath = "%CommonProgramFiles%\\PPLiveNetwork" | PPAP.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{95B3F550-91C4-4627-BCC4-521288C52977}\ButtonText = "PPLive" | PPTV(pplive)_forqd318.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{95B3F550-91C4-4627-BCC4-521288C52977}\HotIcon = "C:\\Program Files (x86)\\PPLive\\PPTV\\icons\\PPLive.ico" | PPTV(pplive)_forqd318.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{95B3F550-91C4-4627-BCC4-521288C52977}\Icon = "C:\\Program Files (x86)\\PPLive\\PPTV\\icons\\PPLive.ico" | PPTV(pplive)_forqd318.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{95B3F550-91C4-4627-BCC4-521288C52977}\Exec = "C:\\Program Files (x86)\\PPLive\\PPTV\\PPLive.exe" | PPTV(pplive)_forqd318.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CA7DFF65-E473-4efe-ADF0-FC1E50CDFC82}\AppName = "PPAP.exe" | PPAP.exe
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
380 | PPTV(pplive)_forqd318.exe
380 | PPTV(pplive)_forqd318.exe
380 | PPTV(pplive)_forqd318.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
1760 | fada96dc990419b8fec6323816b3c6eed3b8b7b67d263f86d3b9c7119dc8f358.exe
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fada96dc990419b8fec6323816b3c6eed3b8b7b67d263f86d3b9c7119dc8f358.exe "C:\Users\Admin\AppData\Local\Temp\fada96dc990419b8fec6323816b3c6eed3b8b7b67d263f86d3b9c7119dc8f358.exe" 1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Users\Admin\AppData\Local\Temp\Loader_forqd318.exe "C:\Users\Admin\AppData\Local\Temp\Loader_forqd318.exe" 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Users\Admin\AppData\Local\Temp\PPTV(pplive)_forqd318.exe "C:\Users\Admin\AppData\Local\Temp\PPTV(pplive)_forqd318.exe" 3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\SysWOW64\regsvr32.exe regsvr32 /s "C:\Program Files (x86)\Internet Explorer\PPLite\plugin\pplugin2.dll" 4⤵
- Loads dropped DLL
- Modifies registry class
PID:1600
-
-
C:\Program Files (x86)\Common Files\PPLiveNetwork\PPAP.exe "C:\Program Files (x86)\Common Files\PPLiveNetwork\PPAP.exe" /RegServer 4⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies registry class
PID:1284
-
-
C:\Program Files (x86)\Common Files\PPLiveNetwork\PPAP.exe "C:\Program Files (x86)\Common Files\PPLiveNetwork\PPAP.exe" /LoadModule MngModule.dll /T 1 /C forqd318 /F 0 /G 2.7.0 /H 1 /I PPTV(pplive)_forqd318 /L 0 /M OK /N 1 /O 1 4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1576
-
-
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
862KB
MD5992ef262f488bd71005d04644b128788
SHA16a35e4ba677cc9e03fac85983bd968ab8862b16c
SHA256ca89fab589e51e74468860dec0a63eaf4bb9a80a8444fde7783f43ec7b96916b
SHA5126e619c4a2b382b2f7e9a9aab5cc9578caced894092cec9abd96fa9958a0506042afc463e1a767eece3115ed5db62d207b84df6dc919a84330cecf9309cb59578
-
Filesize
862KB
MD5992ef262f488bd71005d04644b128788
SHA16a35e4ba677cc9e03fac85983bd968ab8862b16c
SHA256ca89fab589e51e74468860dec0a63eaf4bb9a80a8444fde7783f43ec7b96916b
SHA5126e619c4a2b382b2f7e9a9aab5cc9578caced894092cec9abd96fa9958a0506042afc463e1a767eece3115ed5db62d207b84df6dc919a84330cecf9309cb59578
-
Filesize
1.2MB
MD5ca3028a6adee108bb3fd4657e9632355
SHA143be6285c5f7ed07062dce2f23171b7965147f98
SHA25657ee68455ef1219b05d8efea12beeba73a1ef03608756e693706b5096c2a558f
SHA51247461d1797170e62fcb5170f22b859046dc09541614044a29c8c56377ffa30780dc8e1210b6a2600232f1e3fd68c26493e47d6b90367acf8396b430f7092e601
-
Filesize
181KB
MD5ecf05fb40bb1eedda1ba50280ee91c74
SHA1a9b160c78cdb26e2c7f8a8a172dfbca832281df7
SHA2563c90f9e0159b911dd9559d86b80ebf9fc2a83908993c4cffacdc5d4ddcb9baf5
SHA5128c630615ec1041f4e6f88fa744529a564e6a7442a3666015ae519d68cc61904500d932f621af4b8d231a32e81d32bb1754cc5947e61093a87ae92bd0008ae7a5
-
Filesize
181KB
MD5ecf05fb40bb1eedda1ba50280ee91c74
SHA1a9b160c78cdb26e2c7f8a8a172dfbca832281df7
SHA2563c90f9e0159b911dd9559d86b80ebf9fc2a83908993c4cffacdc5d4ddcb9baf5
SHA5128c630615ec1041f4e6f88fa744529a564e6a7442a3666015ae519d68cc61904500d932f621af4b8d231a32e81d32bb1754cc5947e61093a87ae92bd0008ae7a5
-
Filesize
252KB
MD5a27a138723878a478c06e1f82adccfab
SHA179dffc70b9104cd9487d7e49a95f492faadd3133
SHA256519277e0449b1eed8f75624ebbb9cb09a5d8dccd3815c6ef594fa4fec6318741
SHA51224ec8474d7e3969772176045a0191f669c4bf6f05ca241dc0e2c0840027ed8daa9cfb7b50383f23497c192809732f2afc5f384cd4edaea4d47e3547fbdbea31f
-
Filesize
252KB
MD5a27a138723878a478c06e1f82adccfab
SHA179dffc70b9104cd9487d7e49a95f492faadd3133
SHA256519277e0449b1eed8f75624ebbb9cb09a5d8dccd3815c6ef594fa4fec6318741
SHA51224ec8474d7e3969772176045a0191f669c4bf6f05ca241dc0e2c0840027ed8daa9cfb7b50383f23497c192809732f2afc5f384cd4edaea4d47e3547fbdbea31f
-
Filesize
41KB
MD5a04d44787b28d37b4334c184ea4faae8
SHA147a5038f2fc45841420a89f08eefd35191aa1fe7
SHA25634f0eb6f3b7deda82929fba6993eb27cd26d0b791be8031ce0b4729a7dc9dd46
SHA512a529e5c412dce90f34e13a185e81b757adf140447167b310d056d2b380873683e5b6681f5810be7d1194cfdd64eda25b87a1a5aae70ed4e48be5aa64acbd5346
-
Filesize
233KB
MD57d1dbe3c735d2a5d4951022c45547772
SHA1e6fbebc3c185d6b150bc7b2a9d1685e107b03b3e
SHA2568cc9bc4f9289ef37d344c88e4b53ce5ca58b11ec1e32d60fc9fd6456a80f1233
SHA512648299ee0b0c2678d9da43ca039fcf8525e9921b46327577fa6c57f0de41f5ccecda70e219a0135fb8c05725a752e7e2cdf27bad845203eb5147d3056e588086
-
Filesize
233KB
MD57d1dbe3c735d2a5d4951022c45547772
SHA1e6fbebc3c185d6b150bc7b2a9d1685e107b03b3e
SHA2568cc9bc4f9289ef37d344c88e4b53ce5ca58b11ec1e32d60fc9fd6456a80f1233
SHA512648299ee0b0c2678d9da43ca039fcf8525e9921b46327577fa6c57f0de41f5ccecda70e219a0135fb8c05725a752e7e2cdf27bad845203eb5147d3056e588086
-
Filesize
11KB
MD5c17103ae9072a06da581dec998343fc1
SHA1b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
Filesize
237KB
MD525853e8bd3e283e15024d1111535ede7
SHA15b56e1dea924520b6c61ec09113c33fa3db573a4
SHA256ccbce22f01208cc8fc96de789ab9fedefc851f588cd4c1fbd6d9edc7ac2f4eb5
SHA5125bfa0e6bed05f1ab79ee97d1bd9bf1d48ba3d263a44e538d005af820c41c659eb112a4f19152e0841301fbd8b9618e8f353fe672df88b66e45c4719784202144
-
Filesize
237KB
MD525853e8bd3e283e15024d1111535ede7
SHA15b56e1dea924520b6c61ec09113c33fa3db573a4
SHA256ccbce22f01208cc8fc96de789ab9fedefc851f588cd4c1fbd6d9edc7ac2f4eb5
SHA5125bfa0e6bed05f1ab79ee97d1bd9bf1d48ba3d263a44e538d005af820c41c659eb112a4f19152e0841301fbd8b9618e8f353fe672df88b66e45c4719784202144
-
Filesize
97KB
MD5c3a7c71bce4ec04d63b7ef8ec9958c39
SHA1cbe84ecbae1eb37557426783b7fa89a804d4fc09
SHA25602a78e77cb64d9fa1f90ed2be6d9ff7b94624b2a790ed8109bfe61e66ebd825f
SHA5129a5579cd5c437158d8277b64e583d18cd0113c186d1013e3c57c92d39a16b412ce9f95aef09dbbd05a36cab62e5193532c41eea6850b0a77d8502e7d1fa23468
-
Filesize
97KB
MD5c3a7c71bce4ec04d63b7ef8ec9958c39
SHA1cbe84ecbae1eb37557426783b7fa89a804d4fc09
SHA25602a78e77cb64d9fa1f90ed2be6d9ff7b94624b2a790ed8109bfe61e66ebd825f
SHA5129a5579cd5c437158d8277b64e583d18cd0113c186d1013e3c57c92d39a16b412ce9f95aef09dbbd05a36cab62e5193532c41eea6850b0a77d8502e7d1fa23468
-
Filesize
812KB
MD5a256337aedd10bfe85aa8d0cc759c4b1
SHA1292012487cd89842964712e1ad26e7dfb2c1fcb1
SHA256e2c24c63ac4da0e34a253c3cf8d6ec31da39740376fe2e87e52ba0f32c450640
SHA512250666689c156809dae72648e99d0a9abdb105375044c956d6c50e4107dce236d95a7925611566f8963b7bb0e956631aff9cce65695f1b7e493cfd4c849dab72
-
Filesize
812KB
MD5a256337aedd10bfe85aa8d0cc759c4b1
SHA1292012487cd89842964712e1ad26e7dfb2c1fcb1
SHA256e2c24c63ac4da0e34a253c3cf8d6ec31da39740376fe2e87e52ba0f32c450640
SHA512250666689c156809dae72648e99d0a9abdb105375044c956d6c50e4107dce236d95a7925611566f8963b7bb0e956631aff9cce65695f1b7e493cfd4c849dab72
-
Filesize
304KB
MD59ab21c1c96fcb113ff93cd641b88112e
SHA1d5ffe5945ebbeaf73a0e1d7470d0a2f72b08f6ff
SHA256bff1bf09ff63a3fd600cbf36684aa01da6a08b63498ae549b15f0964572c3ea6
SHA51244cf7f6d8e51aa6c8d98f1c5456c391fe812d6df4c6b68450d0ba4ee920e86a22433f22ee3f367a8f1183c0276fbe0eaeb2de7987ac9acf51f542a0a84451293
-
Filesize
193KB
MD5ef3540f822902149f6519f5cbd06dc1b
SHA1fd2fa2e58d4f895ed0ae3260f101b37fc0eaef48
SHA256b2d19487e25e991b1d7e14e332b051a73805c9c4e4069a35af73b73af15d9a56
SHA51258072f705b6aaf2ec7a9fb6c2f0501a27a92c6d8874666fccc907be5988a5c1a28978a0439f8c5467eeac3c5b71ffb02c360d47b06db2a76eb38839922087e80
-
Filesize
193KB
MD5ef3540f822902149f6519f5cbd06dc1b
SHA1fd2fa2e58d4f895ed0ae3260f101b37fc0eaef48
SHA256b2d19487e25e991b1d7e14e332b051a73805c9c4e4069a35af73b73af15d9a56
SHA51258072f705b6aaf2ec7a9fb6c2f0501a27a92c6d8874666fccc907be5988a5c1a28978a0439f8c5467eeac3c5b71ffb02c360d47b06db2a76eb38839922087e80
-
Filesize
609KB
MD5cfca286051452ee4ade71c64021424e9
SHA180bdc7dd1a5b478b2e86d6d99674794cc75d4f2e
SHA2561f3c0af59c46dc9a04bbc86ec5e363622d87118dd32c0782bcbbd964086aedd4
SHA5128a2e88bccfe0fbdef29d9bcc7c7dc5e7451f32aa1e75a5592546f7b7013d581b5cebec7c80565ed6debea4e9a346e869cd728761cbbba3efac703167b2664cdb
-
Filesize
609KB
MD5cfca286051452ee4ade71c64021424e9
SHA180bdc7dd1a5b478b2e86d6d99674794cc75d4f2e
SHA2561f3c0af59c46dc9a04bbc86ec5e363622d87118dd32c0782bcbbd964086aedd4
SHA5128a2e88bccfe0fbdef29d9bcc7c7dc5e7451f32aa1e75a5592546f7b7013d581b5cebec7c80565ed6debea4e9a346e869cd728761cbbba3efac703167b2664cdb
-
Filesize
1.1MB
MD5a4354640020d7940bf14afad4e9aec84
SHA1238db777283f149f687147bbb61a9d94197b5036
SHA2565969d022510794f883ef269d1a1dc9a1ca430d77a89087561db384f427f4fa4d
SHA5121b2a396289a81488e0f13fd20f0a5ff6e3e6d16eb5897c79453b38de55f57adab9992ad73b55354208e2cf4f998afd82d9644951f46979bf5a07e2a64b1b9f55
-
Filesize
1.1MB
MD5a4354640020d7940bf14afad4e9aec84
SHA1238db777283f149f687147bbb61a9d94197b5036
SHA2565969d022510794f883ef269d1a1dc9a1ca430d77a89087561db384f427f4fa4d
SHA5121b2a396289a81488e0f13fd20f0a5ff6e3e6d16eb5897c79453b38de55f57adab9992ad73b55354208e2cf4f998afd82d9644951f46979bf5a07e2a64b1b9f55
-
Filesize
1.5MB
MD5282a1d98dcf3cb5dad19f1803c548d2e
SHA1e12f5d60204480c7c74e4866f6df83aaa09a798d
SHA25623c74b93a95374702e9959ff2b92c0acaefe5f5de794edf9f15e1b1511ecc910
SHA51267477d77d5caa075b5ad7ae21ca44632c64ecd6b599bc548b18d8a11b1418b8ad58c228d42b909470db9b88bd46372afcee7b411baadeeb504fa36a3e7a73071
-
Filesize
1.5MB
MD5282a1d98dcf3cb5dad19f1803c548d2e
SHA1e12f5d60204480c7c74e4866f6df83aaa09a798d
SHA25623c74b93a95374702e9959ff2b92c0acaefe5f5de794edf9f15e1b1511ecc910
SHA51267477d77d5caa075b5ad7ae21ca44632c64ecd6b599bc548b18d8a11b1418b8ad58c228d42b909470db9b88bd46372afcee7b411baadeeb504fa36a3e7a73071
-
Filesize
72KB
MD5dde7cd3719145ecf3c89d2a1e79ca1f3
SHA192802c38f88c4d57f0b1153b04b4de43af4adcde
SHA256c930819a0f64879fe3a96c606da4be49613693a43b9b1060dc870bec7b3ab47a
SHA512dd67858919fea31f0d4df0c012dc9605fc68bb7512924fee04ae41528d02f8f7ddfd32949841b676735a9d3d81f7dcb455854f20467a4a40ee9f48babd5bee5a
-
Filesize
241KB
MD5f62f6814c814b1edd41401c50135bcde
SHA1dbd994d95ca44d9f672149b3780b0ee32df3f404
SHA2566f060604bd162cadd83e75eeb0285056aa389bdacf1a4c906a81e63328ddd650
SHA512a2be347d3f2c6fb0c55bdc22b881450db9e3f1c7fdfcd47245122dcdfe7c77d923d36be6aadfccc4a6e327078e9f2d109d65cc7ddd4436a899dd61328f03cb35
-
Filesize
241KB
MD5f62f6814c814b1edd41401c50135bcde
SHA1dbd994d95ca44d9f672149b3780b0ee32df3f404
SHA2566f060604bd162cadd83e75eeb0285056aa389bdacf1a4c906a81e63328ddd650
SHA512a2be347d3f2c6fb0c55bdc22b881450db9e3f1c7fdfcd47245122dcdfe7c77d923d36be6aadfccc4a6e327078e9f2d109d65cc7ddd4436a899dd61328f03cb35
-
Filesize
305KB
MD519e50d2c1b3d9cb095508ba3edabf19d
SHA1ddaa2469659fe7c110bde2c93470d4b4ccceaa39
SHA256b75d1af08423e2987f90e734116e76bacfdea7632405df1b8f36af8f98d6a943
SHA51275666665a231a929eb535e5c6038d155828842725fbecfe03d43267ce540b805dadadf60d4cefeed27f98b7bdd266578a6353adcb2755133216116b3eb4e6876
-
Filesize
305KB
MD519e50d2c1b3d9cb095508ba3edabf19d
SHA1ddaa2469659fe7c110bde2c93470d4b4ccceaa39
SHA256b75d1af08423e2987f90e734116e76bacfdea7632405df1b8f36af8f98d6a943
SHA51275666665a231a929eb535e5c6038d155828842725fbecfe03d43267ce540b805dadadf60d4cefeed27f98b7bdd266578a6353adcb2755133216116b3eb4e6876
-
Filesize
455KB
MD5aec9302b4c826d91b1cd0666404354ab
SHA1ea8be9a7420c972b3501cfde374a3630873fae61
SHA2568dceb44c06f1cc5bc819944b9816d9c9e1ddab6d734f76ca96c56006cc0455b8
SHA512287f31a2f021f4ff47abefcead9ce0ffc6d49f7ae156c1a259f3e6e98eb30641ffb2cb1166c8931916af21faf4d5f1eec2bca106f90328b9a50a007eb37c4593
-
Filesize
455KB
MD5aec9302b4c826d91b1cd0666404354ab
SHA1ea8be9a7420c972b3501cfde374a3630873fae61
SHA2568dceb44c06f1cc5bc819944b9816d9c9e1ddab6d734f76ca96c56006cc0455b8
SHA512287f31a2f021f4ff47abefcead9ce0ffc6d49f7ae156c1a259f3e6e98eb30641ffb2cb1166c8931916af21faf4d5f1eec2bca106f90328b9a50a007eb37c4593
-
Filesize
504KB
MD5b8a7b1f27c5d6b29ca363671307d8ec9
SHA15f190843d7bdbfbf86805d36003479df24b3a9cc
SHA2564b55e4fae8b9d12c8ef971f037bc37c5e592fa3382bd5e4a08d2b3ddd112b559
SHA512e7bd5c77078fe64478ca821fae29b550febdd5833d496a3d479ea4afc63822b55d81f2da2dc65b9f194edb019d4dfc951ad4af2ad970ff4b74a123ccddc3c8ea
-
Filesize
10KB
MD538977533750fe69979b2c2ac801f96e6
SHA174643c30cda909e649722ed0c7f267903558e92a
SHA256b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35
SHA512e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53
-
Filesize
885KB
MD5f7aebe01c20ba67e2841a0d26bb14e7a
SHA18571707df764256694e6a5eb9da1288127d570e8
SHA256f92a000062c3b5cb961a9773db071ab7dce19bb21a6b775fb72b89e6e12e745c
SHA512dea2cea63d7098c27d73c3891234b6e672d956a41acc24315de7cce42ba35aae4e6447234c42fca085f91e6749fef051c78af35dee316f348939cbc3a131ce29
-
Filesize
680KB
MD5aff1a930d109f758a4bab03930963dfb
SHA1864acf405c4617c922b328490e7ed2d6379de59d
SHA2565baea08c387595bff9b644c381c6108f6d436ac13ce47fce67c2803adbc87952
SHA51224ef00b2dec273f72afaa828604608acee404458750993ab84cece971b095e5008ad29a930cf57659e9f05df6399fdacdf20fdc1e9438f12b7fb09a331fb750b
-
Filesize
680KB
MD5aff1a930d109f758a4bab03930963dfb
SHA1864acf405c4617c922b328490e7ed2d6379de59d
SHA2565baea08c387595bff9b644c381c6108f6d436ac13ce47fce67c2803adbc87952
SHA51224ef00b2dec273f72afaa828604608acee404458750993ab84cece971b095e5008ad29a930cf57659e9f05df6399fdacdf20fdc1e9438f12b7fb09a331fb750b