Analysis

  • max time kernel
    99s
  • max time network
    93s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-12-2022 15:00

General

  • Target

    fada96dc990419b8fec6323816b3c6eed3b8b7b67d263f86d3b9c7119dc8f358.exe

  • Size

    352KB

  • MD5

    70a3a9c42c1973350deb130a53231367

  • SHA1

    5b41fdd16b97f287515aeb5f16578a5d963acc49

  • SHA256

    fada96dc990419b8fec6323816b3c6eed3b8b7b67d263f86d3b9c7119dc8f358

  • SHA512

    0469f6d3f1112b3a6f7a6d109f52bcd0a8b38aad7f8390ffc82ebfe7fab238eee3b44586605276068c71714628bf63f63e5e1aec637b47ceab0d67a25cc1eea1

  • SSDEEP

    3072:8z/92a98YQ19SexsTczlwGcaebeYYQ19qROLz/9KwCZ63+kFVaiJ38yrjw:8L9IR396cJYRXL9YE3BauVU

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 64 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 6 IoCs
  • Modifies Internet Explorer settings 1 TTPs 13 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fada96dc990419b8fec6323816b3c6eed3b8b7b67d263f86d3b9c7119dc8f358.exe
    "C:\Users\Admin\AppData\Local\Temp\fada96dc990419b8fec6323816b3c6eed3b8b7b67d263f86d3b9c7119dc8f358.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1760
    • C:\Users\Admin\AppData\Local\Temp\Loader_forqd318.exe
      "C:\Users\Admin\AppData\Local\Temp\Loader_forqd318.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1296
      • C:\Users\Admin\AppData\Local\Temp\PPTV(pplive)_forqd318.exe
        "C:\Users\Admin\AppData\Local\Temp\PPTV(pplive)_forqd318.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Program Files directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:380
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32 /s "C:\Program Files (x86)\Internet Explorer\PPLite\plugin\pplugin2.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:1600
        • C:\Program Files (x86)\Common Files\PPLiveNetwork\PPAP.exe
          "C:\Program Files (x86)\Common Files\PPLiveNetwork\PPAP.exe" /RegServer
          4⤵
          • Executes dropped EXE
          • Modifies Internet Explorer settings
          • Modifies registry class
          PID:1284
        • C:\Program Files (x86)\Common Files\PPLiveNetwork\PPAP.exe
          "C:\Program Files (x86)\Common Files\PPLiveNetwork\PPAP.exe" /LoadModule MngModule.dll /T 1 /C forqd318 /F 0 /G 2.7.0 /H 1 /I PPTV(pplive)_forqd318 /L 0 /M OK /N 1 /O 1
          4⤵
          • Executes dropped EXE
          • Writes to the Master Boot Record (MBR)
          PID:1576

Network

MITRE ATT&CK Enterprise v6

Downloads
