e54d0e0cc1ccd001209c8108ccbd63fbe2bd01f2ac39b34c44e88a6b797f9cc3

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13-01-2024 05:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

580b54595b1ac2afe6735750731e1195.exe
Size

135KB
MD5

580b54595b1ac2afe6735750731e1195
SHA1

baf37c8be3a98dc31ea2aab1ef7d8e1094250093
SHA256

e54d0e0cc1ccd001209c8108ccbd63fbe2bd01f2ac39b34c44e88a6b797f9cc3
SHA512

fc22debcb508cc57f237c6fe30db157369526f465caf559c97e0ec1b48e565a91ec14185861754279b32e4ebdc78195807139f466643af6bdc0b3c476b2f82d2
SSDEEP

3072:NR7HuvXOz3outSqNbVl6OIcU9zSO998/ksB:NRqvXOboSSmVl7U9za9B

Score

8^/10

bootkit discovery persistence upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
2212	PPTV(pplive)_forwenping_0031.exe
2156	PPAP.exe
2776	PPAP.exe

Loads dropped DLL 64 IoCs

pid	Process
2232	580b54595b1ac2afe6735750731e1195.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
1984	regsvr32.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2232-0-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2232-2-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2232-15-0x0000000000400000-0x0000000000448000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\PPAP = "\"C:\\Program Files (x86)\\Common Files\\PPLiveNetwork\\PPAP.exe\" -background"	PPTV(pplive)_forwenping_0031.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	PPAP.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PPLive\PPTV\skins\3xgiving\in_bg_right.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\classic_b\in_bg_bot.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\classic_b\in_bg_left.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\classic_b\scrollbar_pagedown_disabled.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\default\min.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\default\in_bg_left_top.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\classic_b\previous.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\classic\min_hover.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\classic\ch.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\default\brightness.png	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\3xgiving\SliderThumb.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\classic_b\hot_1.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\icons\PPTV.WMA.ico	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\classic\bdclose.png	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\default\exbg_top.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\3xgiving\btn_close_2.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\3xgiving\hot_1.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\data\face\em32-Æà²Ò.png	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\3xgiving\infobtn.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\3xgiving\list_class_bg.png	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\3xgiving\list_update.png	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\3xgiving\mode_hover.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\classic_b\ch.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\classic_b\list_expanded_treebox2.png	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\icons\PPTV.WAV.ico	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\default\btn_min_3.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\3xgiving\restore_down.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\classic_b\color_thumb.png	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\classic_b\list_close.png	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\classic\list_so_left.png	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\icons\PPLive.ico	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\classic\dt_tab_check.png	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\default\check_ok.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\chrome\CodecFail.xml.js	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\classic\mute.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\3xgiving\newsbg.png	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\classic_b\common\checkbox.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\classic\exbg_right_top.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\data\local\page.html	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\classic_b\scrollbar_vthumbgripper.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\tab\8\3\1.png	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\default\color_thumb.png	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\classic_b\gbg_left.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\player\CoreAVC.ax	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\classic\hot_2.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\default\ch.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\default\expanding.png	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\classic_b\common\checkbox_down.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\classic\capture_default.png	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\data\face\em22-ÐÄËé.png	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\classic\PlayProgressThumb.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\classic\fullscreen.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\classic\in_bg_left.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\classic\list_epg_close.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\classic\resizetop2.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\default\mute4.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\tab\4\3\2.png	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\default\resize1501.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\3xgiving\playerinfo.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\classic_b\gbg_right.bmp	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\classic_b\list_update.png	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\default\passport_bot_bg_hover.png	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\classic\loading.gif	PPTV(pplive)_forwenping_0031.exe
File created	C:\Program Files (x86)\PPLive\PPTV\skins\default\btn_close_1.bmp	PPTV(pplive)_forwenping_0031.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0021000000015e94-9.dat	nsis_installer_1
behavioral1/files/0x0021000000015e94-9.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 13 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{95B3F550-91C4-4627-BCC4-521288C52977}\Default Visible = "Yes"	PPTV(pplive)_forwenping_0031.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{95B3F550-91C4-4627-BCC4-521288C52977}\Exec = "C:\\Program Files (x86)\\PPLive\\PPTV\\PPLive.exe"	PPTV(pplive)_forwenping_0031.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CA7DFF65-E473-4efe-ADF0-FC1E50CDFC82}\AppPath = "%CommonProgramFiles%\\PPLiveNetwork"	PPAP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CA7DFF65-E473-4efe-ADF0-FC1E50CDFC82}\Policy = "3"	PPAP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{95B3F550-91C4-4627-BCC4-521288C52977}\ButtonText = "PPLive"	PPTV(pplive)_forwenping_0031.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{95B3F550-91C4-4627-BCC4-521288C52977}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"	PPTV(pplive)_forwenping_0031.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{95B3F550-91C4-4627-BCC4-521288C52977}\MenuText = "PPLive"	PPTV(pplive)_forwenping_0031.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{95B3F550-91C4-4627-BCC4-521288C52977}\MenuStatusBar = "PPLive"	PPTV(pplive)_forwenping_0031.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{95B3F550-91C4-4627-BCC4-521288C52977}\Icon = "C:\\Program Files (x86)\\PPLive\\PPTV\\icons\\PPLive.ico"	PPTV(pplive)_forwenping_0031.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CA7DFF65-E473-4efe-ADF0-FC1E50CDFC82}	PPAP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CA7DFF65-E473-4efe-ADF0-FC1E50CDFC82}\AppName = "PPAP.exe"	PPAP.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{95B3F550-91C4-4627-BCC4-521288C52977}	PPTV(pplive)_forwenping_0031.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{95B3F550-91C4-4627-BCC4-521288C52977}\HotIcon = "C:\\Program Files (x86)\\PPLive\\PPTV\\icons\\PPLive.ico"	PPTV(pplive)_forwenping_0031.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Ifupt.Update.1\ = "Update Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{628DF9B1-785D-44BA-AC9D-E9E226F01987}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{579A418B-2440-4278-9CC1-25E85E1C9D09}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{04987413-5E4A-472F-9899-0A092233239E}\ = "IManager"	PPAP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PPLive.Lite\ = "PPLive Lite Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF0D1A14-1033-41A2-A589-240C01EDC078}\ = "PPLive Lite Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB37F5E2-E5EC-4E8D-8978-420074EA4DC0}\TypeLib\ = "{7163F003-E2FD-4C06-A268-F36C1083FBC0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{579A418B-2440-4278-9CC1-25E85E1C9D09}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pptv\Shell	PPTV(pplive)_forwenping_0031.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MngModule.Manager\CurVer	PPAP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{203AFF7C-C6A8-46F5-B32C-C6A7F4E79A62}\ = "_IManagerEvents"	PPAP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Ifupt.DPlugin\CLSID\ = "{AB37F5E2-E5EC-4E8D-8978-420074EA4DC0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB37F5E2-E5EC-4E8D-8978-420074EA4DC0}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{628DF9B1-785D-44BA-AC9D-E9E226F01987}\ = "ISerializer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{628DF9B1-785D-44BA-AC9D-E9E226F01987}\ = "ISerializer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{579A418B-2440-4278-9CC1-25E85E1C9D09}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PPLive.Lite\CurVer\ = "PPLive.Lite.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E62D3029-1430-49F8-9470-2A192B02E433}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Explorer\\PPLite\\plugin\\pplugin2.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Ifupt.Update.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Synacast	PPTV(pplive)_forwenping_0031.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{04987413-5E4A-472F-9899-0A092233239E}\TypeLib\Version = "1.0"	PPAP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA7DFF65-E473-4efe-ADF0-FC1E50CDFC82}\TypeLib\ = "{377AC21C-4921-4c3f-9240-7756548790FB}"	PPAP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{04987413-5E4A-472F-9899-0A092233239E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	PPAP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF0D1A14-1033-41A2-A589-240C01EDC078}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\Internet Explorer\\PPLite\\plugin\\pplugin2.dll, 101"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ppl\Shell	PPTV(pplive)_forwenping_0031.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA7DFF65-E473-4efe-ADF0-FC1E50CDFC82}\Programmable	PPAP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{377AC21C-4921-4C3F-9240-7756548790FB}\1.0\FLAGS\ = "0"	PPAP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB37F5E2-E5EC-4E8D-8978-420074EA4DC0}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ppl\Shell\Open	PPTV(pplive)_forwenping_0031.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pptv\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\PPLive\\PPTV\\PPLive.exe\" \"%1\""	PPTV(pplive)_forwenping_0031.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Synacast\Shell\Open\Command	PPTV(pplive)_forwenping_0031.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF0D1A14-1033-41A2-A589-240C01EDC078}\MiscStatus\1\ = "131473"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Ifupt.Update.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2C016F89-DC77-481D-A82F-A5345DFB7FB8}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF0D1A14-1033-41A2-A589-240C01EDC078}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2C016F89-DC77-481D-A82F-A5345DFB7FB8}\TypeLib\ = "{6F770594-0FC9-44DB-AD75-47C808CB7B44}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{203AFF7C-C6A8-46F5-B32C-C6A7F4E79A62}\ = "_IManagerEvents"	PPAP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Synacast\Customer = "forqd346"	PPTV(pplive)_forwenping_0031.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pptv	PPTV(pplive)_forwenping_0031.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{203AFF7C-C6A8-46F5-B32C-C6A7F4E79A62}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	PPAP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{579A418B-2440-4278-9CC1-25E85E1C9D09}\TypeLib\ = "{6F770594-0FC9-44DB-AD75-47C808CB7B44}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MngModule.Manager.1\CLSID\ = "{9F0F8700-A4D8-4E24-A3E0-1CA654CB5179}"	PPAP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{203AFF7C-C6A8-46F5-B32C-C6A7F4E79A62}\TypeLib\Version = "1.0"	PPAP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA7DFF65-E473-4efe-ADF0-FC1E50CDFC82}\VersionIndependentProgID	PPAP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{203AFF7C-C6A8-46F5-B32C-C6A7F4E79A62}\TypeLib\Version = "1.0"	PPAP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF0D1A14-1033-41A2-A589-240C01EDC078}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Ifupt.DPlugin	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB37F5E2-E5EC-4E8D-8978-420074EA4DC0}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ppl\DefaultIcon\ = "C:\\Program Files (x86)\\PPLive\\PPTV\\PPLive.exe"	PPTV(pplive)_forwenping_0031.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA7DFF65-E473-4efe-ADF0-FC1E50CDFC82}\ProgID	PPAP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PPLive.Lite.1\CLSID\ = "{EF0D1A14-1033-41A2-A589-240C01EDC078}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF0D1A14-1033-41A2-A589-240C01EDC078}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{579A418B-2440-4278-9CC1-25E85E1C9D09}\ = "IEwaOCX"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{579A418B-2440-4278-9CC1-25E85E1C9D09}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB37F5E2-E5EC-4E8D-8978-420074EA4DC0}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB37F5E2-E5EC-4E8D-8978-420074EA4DC0}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C016F89-DC77-481D-A82F-A5345DFB7FB8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F770594-0FC9-44DB-AD75-47C808CB7B44}\1.0\0\win32\ = "C:\\Program Files (x86)\\Internet Explorer\\PPLite\\plugin\\pplugin2.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{628DF9B1-785D-44BA-AC9D-E9E226F01987}\TypeLib\ = "{6F770594-0FC9-44DB-AD75-47C808CB7B44}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{203AFF7C-C6A8-46F5-B32C-C6A7F4E79A62}\TypeLib\ = "{377AC21C-4921-4C3F-9240-7756548790FB}"	PPAP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PPLive.Lite\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF0D1A14-1033-41A2-A589-240C01EDC078}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Explorer\\PPLite\\plugin\\pplugin2.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB37F5E2-E5EC-4E8D-8978-420074EA4DC0}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF0D1A14-1033-41A2-A589-240C01EDC078}\VersionIndependentProgID	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe
2212	PPTV(pplive)_forwenping_0031.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2212	2232	580b54595b1ac2afe6735750731e1195.exe	31
PID 2232 wrote to memory of 2212	2232	580b54595b1ac2afe6735750731e1195.exe	31
PID 2232 wrote to memory of 2212	2232	580b54595b1ac2afe6735750731e1195.exe	31
PID 2232 wrote to memory of 2212	2232	580b54595b1ac2afe6735750731e1195.exe	31
PID 2232 wrote to memory of 2212	2232	580b54595b1ac2afe6735750731e1195.exe	31
PID 2232 wrote to memory of 2212	2232	580b54595b1ac2afe6735750731e1195.exe	31
PID 2232 wrote to memory of 2212	2232	580b54595b1ac2afe6735750731e1195.exe	31
PID 2212 wrote to memory of 1984	2212	PPTV(pplive)_forwenping_0031.exe	32
PID 2212 wrote to memory of 1984	2212	PPTV(pplive)_forwenping_0031.exe	32
PID 2212 wrote to memory of 1984	2212	PPTV(pplive)_forwenping_0031.exe	32
PID 2212 wrote to memory of 1984	2212	PPTV(pplive)_forwenping_0031.exe	32
PID 2212 wrote to memory of 1984	2212	PPTV(pplive)_forwenping_0031.exe	32
PID 2212 wrote to memory of 1984	2212	PPTV(pplive)_forwenping_0031.exe	32
PID 2212 wrote to memory of 1984	2212	PPTV(pplive)_forwenping_0031.exe	32
PID 2212 wrote to memory of 2156	2212	PPTV(pplive)_forwenping_0031.exe	34
PID 2212 wrote to memory of 2156	2212	PPTV(pplive)_forwenping_0031.exe	34
PID 2212 wrote to memory of 2156	2212	PPTV(pplive)_forwenping_0031.exe	34
PID 2212 wrote to memory of 2156	2212	PPTV(pplive)_forwenping_0031.exe	34
PID 2212 wrote to memory of 2776	2212	PPTV(pplive)_forwenping_0031.exe	35
PID 2212 wrote to memory of 2776	2212	PPTV(pplive)_forwenping_0031.exe	35
PID 2212 wrote to memory of 2776	2212	PPTV(pplive)_forwenping_0031.exe	35
PID 2212 wrote to memory of 2776	2212	PPTV(pplive)_forwenping_0031.exe	35

C:\Users\Admin\AppData\Local\Temp\580b54595b1ac2afe6735750731e1195.exe
"C:\Users\Admin\AppData\Local\Temp\580b54595b1ac2afe6735750731e1195.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\PPTV(pplive)_forwenping_0031.exe
  "C:\Users\Admin\AppData\Local\Temp\PPTV(pplive)_forwenping_0031.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Program Files (x86)\Internet Explorer\PPLite\plugin\pplugin2.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:1984
- - C:\Program Files (x86)\Common Files\PPLiveNetwork\PPAP.exe
    "C:\Program Files (x86)\Common Files\PPLiveNetwork\PPAP.exe" /RegServer
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2156
- - C:\Program Files (x86)\Common Files\PPLiveNetwork\PPAP.exe
    "C:\Program Files (x86)\Common Files\PPLiveNetwork\PPAP.exe" /LoadModule MngModule.dll /T 1 /C forqd346 /F 0 /G 2.7.0 /H 1 /I PPTV(pplive)_forwenping_0031 /L 0 /M OK /N 1 /O 1
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\PPLiveNetwork\kernel\peer.dll

Filesize
1.5MB

MD5
0480fd1e157c3818d8328fe287bb01cb

SHA1
6b1ad3c5acf5933bb7ad9c89f0ad5d8d5eeec9e8

SHA256
c06a1930f3911d426075cafdfeb4f61ce79b1f1f232a8a789bbc68ba34b559ea

SHA512
6a719e164a6fb29872fb73dd5b30cc06b2ed8d49155f903dd13e6e32013e03ee88271346139da8efb7733b9cc668f321ec0be8709f37714357d70ce21c833d4c

Download Submit
C:\Program Files (x86)\PPLive\PPTV\PPVodDownload.dll

Filesize
569KB

MD5
fd03beeade8fe7121ca7916459cf3873

SHA1
1af9b5f0ad974105b3cd9f69c52a4e97705592fd

SHA256
d9e20f1bd31d0349bf237befff8fa488d96c9d36e404338bc089a24091256e61

SHA512
7c0b5011198aa4304648b1ced45d3e5f496962922b00774d2d79a9e53dd322b95d35001e059da147ac85e82c6d9e1e4335ff4877fb4e91d90f6ac853731bf59e

Download Submit
C:\Program Files (x86)\PPLive\PPTV\Troubleshooter.dll

Filesize
365KB

MD5
4fa4e323db30f10c8e678f35459d6cef

SHA1
ccde320d4366d83fa3df907fd2b328770a722545

SHA256
27346c756cee08f4a7bf1cbed2be017ae06bee03e9db182ca6fd0b6599f017df

SHA512
eb23b321ef2ef1e30dfdc00577514583da7eafb295aef0b30c5aca703e41b91612021a3e9d48e19239aebbe5ef849e12da9ef4b9193d10804df52f4cd0adc114

Download Submit
C:\Program Files (x86)\PPLive\PPTV\components\filepick.dll

Filesize
73KB

MD5
eee0751d024f5be186645db4ef65b9d6

SHA1
d7914843b10662cc324e8ad9280288a15afef930

SHA256
c8905eeb8e3d346e5a8b0a2451e0ebf7b1341feee196a00dfe826915ccc747ac

SHA512
3be2a2837e55ffb972c204eacaad3eff25b0edc403bf37735228131b3bc8a530b6976ef013efd9c941f27b2b6b673edb401e34ff12ffc47c209a736920190270

Download Submit
C:\Program Files (x86)\PPLive\PPTV\skins\3xgiving\ICON\PPLive.ico

Filesize
126KB

MD5
9f00095091415c1e065e9fc44b51ea7a

SHA1
5dfcaac94c6264f058f726372efb9a5be452bfb4

SHA256
9a270237bbd86d4c57e526f36ef6542b1653bb7313dd84000ec1db3bb8293114

SHA512
942f4f94ee34bdb35b3f5b616cacf0ea51d7d2ca4d15dd2e60e1cfbd0ae1d0254cea5e71e4e849c963c8ff85c1dd6116d41ef01119861d2b5f658aab18a55f32

Download Submit
C:\Program Files (x86)\PPLive\PPTV\skins\3xgiving\PlayProgress2.bmp

Filesize
16KB

MD5
8e52e745125306ee4c1a820b16a47f97

SHA1
ffd685465eaec0cfe3b69abbd928dc9e7cadc0ab

SHA256
f890ad1dd6c2cd54fc5127c430d121bc6945a29c26afbac498e40d0b68c0c197

SHA512
10aad92675645e15b88e09a2eaff3f02770ecf18e25d43518b65a635409e479be2a65c25455321be1f362b0e9ab8302aaa345d61a5e96921cb4ecf1769fa8d4a

Download Submit
C:\Program Files (x86)\PPLive\PPTV\skins\3xgiving\list_HD.png

Filesize
544B

MD5
22b53edfe6e1d6bde4c145fe4eeb01a5

SHA1
11e8c70756e18ffb8b7c03cb17f9f8e1ccbd9cb6

SHA256
9ed30eb5783647a0f4d3838dd9a4df81794c0234b237e73327aa7b24cfc28f43

SHA512
7ffbed90c92b76d73fd4f537ef1c7d92ecc3ea533c0382a89c2c835e29f7a8af86e46c9f898879814b47c0a6d64b88ae509f63aafc7d6d26b4ec5b80c2e2ac68

Download Submit
C:\Program Files (x86)\PPLive\PPTV\skins\3xgiving\list_livebtn_down.png

Filesize
757B

MD5
cb96f0c57d50eeadf658f1bd858353ee

SHA1
2367654541eaf27ed1e86b506d3199c18f183ed7

SHA256
36630d09b394828852c5133a3ee909c8d2b5b402cf81477a5036597259943a1d

SHA512
e5a5343e5f3fd57b6f6f8207b86ac13ae9d29213af646aabe9dc5e287989052106c23ee6c809a0cc5024449852435eb897154bc94b68e984dff5759c4d0bc2fc

Download Submit
C:\Program Files (x86)\PPLive\PPTV\skins\3xgiving\scrollbar_pagedown_hover.bmp

Filesize
938B

MD5
164b0e5435d98c9b78e5a8b2f67032f0

SHA1
7e97a10a4889f0a40fc09fe0af457994a3f29b54

SHA256
6909bc2d3367d8d28a4f43b4b5dfdfa0118f9d3bc36d758ecfba3241cb0a3e23

SHA512
b1f52be072d6ffcd901bcad633dd74c50eb499f8945158ac1009e7f3690406d43e49dc5469858113e334a5ab12f24560f5d1d9e5af9cb56c9b4287633ae5027a

Download Submit
C:\Program Files (x86)\PPLive\PPTV\skins\3xgiving\scrollbar_vthumbgripper_down.bmp

Filesize
67B

MD5
790d30d59169ff4af1fdf4758a0dc742

SHA1
fc09b7ac084e59ec4556d2d407beb6b6e38137ca

SHA256
7bcaf21d25e29965e887e09a4542afd4ffafe3a6c788dd0184c5efb7a7f839d1

SHA512
4b0eaccce9d297f94c7d8f23f3593fa409051112478551cb2ea39af22e801199b76fcf3875ca51fc705fcff95b4bcb45e3c4284ea2788f5c47d9c38fa0391b7f

Download Submit
C:\Program Files (x86)\PPLive\PPTV\skins\classic_b\PlayProgress2.bmp

Filesize
12KB

MD5
e4e993436f1d6c079f51d3c3b5c00ffa

SHA1
2f56caef164858c22ed17ced0e09e94fde578c15

SHA256
aef46f4191ce7404add9bd7429fce703060d8d226f02c25229b4dcb4d18efd03

SHA512
e5b4bef624637d169c8b01e87e520b698dda9f39d1e148d706683eeb12c930eb6cb849d6b77a359b18396bcc10247aa5953bef95873e6bfbcac5ec08592425d7

Download Submit
C:\Program Files (x86)\PPLive\PPTV\skins\classic_b\download_pause.png

Filesize
1KB

MD5
387bc6e9662bb349881a011eff57835f

SHA1
b7f31f4cc56b024b75f54d56d5d88ab5fc32902c

SHA256
0a2c55b70d3a90367c3b299b9963259f93f51badef602a6ffc8179f81899fb57

SHA512
d82264866931c88988e594959315e87be468ccfdb65be0f5e6a5712748262c781b1c6a241b098b0f2e1ed5bc5c466c52953eecf211a6a08c9ea5f1e439126184

Download Submit
C:\Program Files (x86)\PPLive\PPTV\skins\classic_b\scrollbar_pagedown.bmp

Filesize
938B

MD5
8cef089386ebde8d75be4f1ff484dedf

SHA1
9b0d2df216ab05a77dd2d26e25f74ad0f74215e7

SHA256
00ef4863718b02036cba33c6c6a9c418257055ae9ecc05e2e9e363ff7164d31c

SHA512
27aeb168cc70c16ae64f60507250c935038bec80c084c0d54b8a273ec3f4311d02c3c3cf1320a4b87286760187d0654f17bdaf5a7698f970624973912f64d822

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M2VO416U\PPTV(pplive)_forwenping_0031[1].exe

Filesize
9.6MB

MD5
29bdc0b1475f722c195a78d47c081c5c

SHA1
51cfbebc54f226c6c7e5c74b027f102ffe25b192

SHA256
2713e2104209b80e56c4ff0a06325509906702817c6d6b8b3847a755bf539ec8

SHA512
8511ea2c96a565d9a7ced89906a11b2f6729c9796e03da56599268013dd4c43754e47231982f47aaf4a4c294a4ae97893f23313e1c707874ac0cd84199fc5cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\BindDLL.dll

Filesize
49KB

MD5
45ee47b84617f225b8991c78675e649a

SHA1
5ee71b44abbd9823f0b5e5e93d4bc42da7048669

SHA256
021d056a03fd6a15154caef3faa98dd5388a1338552f8b5c89edffaa9e5a838d

SHA512
9ecab1b534a5a8abe67dc52d443f8ea93dc3844fddea6c6d285e208e600beb529c418559c0b4632e2f4db5c52fb55b5d64b4d207d25356f2c161b91e67862fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\CoreAAC.ax

Filesize
312KB

MD5
b0ffac757be8d6cc41e1131eb2b0d959

SHA1
0e41733a050bc2ed53fda6337d6501b9942317c2

SHA256
04bf38bbd9cb8287582f9a2fb8b06e0ab30f06f676a93f4a56656b576f10e597

SHA512
356ecf4902f767f74670e5fcd57f26fb8a43710d0a2b3a995877e6f265119b2f091c6e5e3457dfa1767c6e4043afc470cc7090f43dd997b27c0e94c7e102bee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\CoreAVC.ax

Filesize
181KB

MD5
c264fed121afd44bda8bf0ff8f4e4269

SHA1
7480a3b26b81045a1504e68e15225682bcc6f440

SHA256
cb8d9d80dcd48d9a9e3d87c847c47125f7201a98fb5abb4bd6c443322071b951

SHA512
99ed4b723b2b7a90fce8e9bf9ee8d5a1440c4d569638ff6a1aa59354c8bca91618a13c440f754fad3ae22c306709da35b4c53b8a00a09753027eaed0d238052b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\FWUpnp.dll

Filesize
140KB

MD5
be2d4b56d5d40afca9c804d0776a25c6

SHA1
7ea48cf0e980fe999f14338f44ad4c57c9b714de

SHA256
e54031818e6449897e3a81f0637b0af7618f6aa9e1530c3bf4989d2fabe4a2d4

SHA512
f32b8e1d27acb7c9021dcc6cd426599374f61a78fd38a0f9d0bf5bf63c424ca816e3859387d98b3060592ea86d1743c5ff149099bcab4da9e31ff7abc81fd627

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\Gallop.dll

Filesize
61KB

MD5
1d35ca1932177d72945e8210a7ba6473

SHA1
5bd7f1904e0b2ab8204293785cb4cb3382280a28

SHA256
0eeffe35f50a01473d58ec87ce5a933beb1f932a37ec1abdd35c4db4191df28f

SHA512
b57f23344b186156e6a1beb2c76cc1a4c9cb1ebbf6e82c00d328f0f6878f3347c8f8d73f1687b37bae10d338292686dc05c43c8b3f1212d8c3e828185289a1aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\GdiPlus.dll

Filesize
1.7MB

MD5
0c38476c6e51c95144f648b78fb579d8

SHA1
1a85ebc7203e7f0dc5297e6c5a056d52d45c447c

SHA256
04495ada069d6d176f14115738782cc8660c575e90046919a02792c274260f02

SHA512
5800fd07a1ab41a14aa1d413d0d2e54583e61086937bbc6b9b8901726f6944fb75fabc45ef1ae44ca9a0b00240c5df50a8a826ce7f2a33581ec21f9fd47be8d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\GetCommentsInfoDll.dll

Filesize
53KB

MD5
aa61ac6aa49a499b30dce871869bb6be

SHA1
cfce11e23f1678fe9e46bc72b54ccc546c6e79aa

SHA256
c5a4a3674b518f7378a900665ac94d39a305f92dccaed5a879c328d6cc308ae7

SHA512
bd1facaded3bb2fa47901e0e0cc27a5376fe11c140a5be26a95a38fd66a1799109dd97ece1c413fd226ef5da3ebf55b0999c80b8bc1eab828a84a4600d84108d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\HTTP_ASF_SOURCE.ax

Filesize
511KB

MD5
2ca0666cb7eebc4f31d1b1cd5567defa

SHA1
57937bc69d62e8405742137b94172b129274c77d

SHA256
5ccfce12fdeb592955cd14154446374a547864a6b5ef1a5a5d9cd801121a0128

SHA512
bac83324d390f961aec228ddee702a0709e9e59501500592e8fc5f30e0236719836b86c880e9cc90af3747c2b23dcce7ce1b7b29121740c82a0b9fb8fc086e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\Hookkernel.dll

Filesize
275KB

MD5
65c2129a5c0cabd657022cf49a1a96a3

SHA1
03c529e0226eb5b41cd91708512dbd58edecd600

SHA256
0aa0271fc27552af57fd171c3288b00b600c912a60d8752bf70f90b997f5d67c

SHA512
b9900c3f6c93cf30c55cf718d96743728535bcb820ffaf4efa3c1ab874c684903a8fb30c2e88babdd468c2badc49306186df95f32d86bfb1a84d8d182bc8143c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\IEBrowser.dll

Filesize
209KB

MD5
fc6f1a6895679f0043609aa24b8bbf65

SHA1
4f3a6a730f52ec4f6437201f39c3d277ea4f6007

SHA256
e6082f7afff0e65503ccda11ec1fd87999b41e1952e6a18e72c1ada891954169

SHA512
b7978bed8b42038b820ff042b7ce96e6d6df029ddeecf03ce7be862a1c3523129dfa5f47a329fbbd2d49b09b5a43f57d26458bfa2c3103eaf6066c33ab2bcf58

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\IEProxy.dll

Filesize
225KB

MD5
dd5706db7e75941e3658731b86ef7d6b

SHA1
0254d7ecc87f3bf6345fb4c0ae35be492e495450

SHA256
83f9daccbb75bd6105c1586119aae0309c29578cfac82f5a5fa9371bd4e71d5e

SHA512
af2c76de0741f4c405ed4636c7bcccd5be05319554ea15ee0a78cb0b2cfd37b470bb410298dd80dec4a10cc39040c7a5678a7aec6542d8ad0b98e47f7648a9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\Live.dll

Filesize
205KB

MD5
ec03fa69a025dc807314b9dcb5498986

SHA1
a0f5abfa07ce548f10b806922eff748d2652f0e9

SHA256
c3c5091dad0c0be701f6da2ae41a07f3614d6f567031dda823e5a320483c2243

SHA512
78c30b0616686454be4c2eff375c91445270effb8d7bcbca372692ed86ce9dc383f91512fc65a937cd7c478c0c5cbd840e301aceabbf7d3c58cb92a80671cabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\MngModule.dll

Filesize
862KB

MD5
992ef262f488bd71005d04644b128788

SHA1
6a35e4ba677cc9e03fac85983bd968ab8862b16c

SHA256
ca89fab589e51e74468860dec0a63eaf4bb9a80a8444fde7783f43ec7b96916b

SHA512
6e619c4a2b382b2f7e9a9aab5cc9578caced894092cec9abd96fa9958a0506042afc463e1a767eece3115ed5db62d207b84df6dc919a84330cecf9309cb59578

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\NCList.dll

Filesize
703KB

MD5
c0f9c252b835f3e56efce95bb44d2818

SHA1
4cfd419b7eb0cd623200795507f1adb471395c67

SHA256
fff29a3574c8aa6a89ea508f965a829ab52a8f89ca22610a6c9713712f9a09dc

SHA512
60c3c08b5c971277700bb98da5c94d14e6d5e6382946a991b7ccbb06d4d58a9afec98e66c281b8299f5719b8672132bbc9682c992ffea0edc7b7222e87f31de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\PPAP.exe

Filesize
181KB

MD5
ecf05fb40bb1eedda1ba50280ee91c74

SHA1
a9b160c78cdb26e2c7f8a8a172dfbca832281df7

SHA256
3c90f9e0159b911dd9559d86b80ebf9fc2a83908993c4cffacdc5d4ddcb9baf5

SHA512
8c630615ec1041f4e6f88fa744529a564e6a7442a3666015ae519d68cc61904500d932f621af4b8d231a32e81d32bb1754cc5947e61093a87ae92bd0008ae7a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\PPChLocalManager.dll

Filesize
255KB

MD5
ebba7add0bdac4418ca13b33c780655d

SHA1
c6db8e5230ed5c05bdfe225e002d719f5adf19ac

SHA256
f69393814f15897980cee2125408eab4259b40126aa078551c601dcd433fd721

SHA512
e221bf2e64049fef5f477b2d22dc44c8ca30e17dec0ed11d32bf1beac526d552f6045b7334274d968220a1be186f7d790764bee5b7c99811faf270df33a36a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\PPFlvCom.dll

Filesize
81KB

MD5
01e157b81ac314d668ec0cb6b88a5ed3

SHA1
b6fa91106a37c0effbf81475297fe6bd8298585b

SHA256
2ca061165325fe3b8e8d1df7d557a2cd33663f1b32346d0168e2527b35c709c7

SHA512
1f4ec727db27038ce699977d56bf0499b43cb11199870a5b1016b251de2b260e84701536e184ffe5e0cd0f34e88cd6003a3adc5b22633ba04864e8a66f710252

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\PPFrame.dll

Filesize
530KB

MD5
faffe5976dbdb7679b7995c10623523b

SHA1
c2db57119ae148c7fa9358936637fd9720c11f86

SHA256
571d0eef70d40c8d266820661a8551f5ee1ea8e8f7a9d5e52c68f243369aa4d9

SHA512
e07b66b27462ebb81dd12047f889862c77bb61a243dc06d85a930bb5edf4f769e0706b2598422d364a1c7b40be2efcd4b9d1348eee8a724d764ca6bd62ce64d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\PPHookShell.dll

Filesize
252KB

MD5
a27a138723878a478c06e1f82adccfab

SHA1
79dffc70b9104cd9487d7e49a95f492faadd3133

SHA256
519277e0449b1eed8f75624ebbb9cb09a5d8dccd3815c6ef594fa4fec6318741

SHA512
24ec8474d7e3969772176045a0191f669c4bf6f05ca241dc0e2c0840027ed8daa9cfb7b50383f23497c192809732f2afc5f384cd4edaea4d47e3547fbdbea31f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\PPLive.exe

Filesize
181KB

MD5
f4fdd69ab106cada8ddcdc23a0a4f06e

SHA1
db5ec982457fc9ec917453d394bae3a5ed3b8720

SHA256
cab6f233b7143662e7791d5d4063464ede370e883d562dc976ad6e5b97b0ea28

SHA512
3db86e1b16f95abb74cc268c71114fbbc89905ed86c5a335eba8d5a0b2443dcfd0a1454efe63a23b17a12ab66079edb7abb42b1a726a7118782ac23d8e0b85f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\PPLiveU.exe

Filesize
181KB

MD5
3c993bd6888e15f953dfa09cc8574562

SHA1
f3378eebb71ecc70d8e73d11e150a4a6ee850d76

SHA256
ab14fa7a372c943f04940245b53eedd5fe3a7f57cf5538ce4b39cc34157b7b66

SHA512
1534945574c97e78dc5c27948968e9cd0a9b438b7a9798fc054f771a7140dcb4be20c74296226c3544c54bd344679536a443e793c5c5161d8790880b0481fed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\PPOptions.dll

Filesize
505KB

MD5
e25a8bbe848bdf37857423a649ca4322

SHA1
2a17dfb77349977ff5024b0cd3925acc89b7ea35

SHA256
f17e3794e296525c4519edc4ed1300bf15dc10d7de5b678caa9c22a900e6475b

SHA512
9ed7dced84a6779f3d4e7e79fac7fc660e0dc3452351ac3aa3d7063d5dc9f0c15b527d5b9f6fb967b90e1536451909ac11c7ed75aa36c5466afd30d8707b14e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\ProductUpdate.dll

Filesize
662KB

MD5
695ebf69843e073f56702346160ed4ec

SHA1
a0d6f2b0238892aee5a6a71a0f886b17b813fad8

SHA256
f36e471fe8ca6129b7b3ec34ad32c87565146181ede41a77b9f04fcdda251227

SHA512
fc893c3710eaedafa0828a752edff2a381b8f437498452ef45f96aad6e9a7150f78d2b258396a63f05ba9da8575ede6f2d991f6688f46998d44222473ff1b1d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\Send_Log_Kernel_Module.dll

Filesize
233KB

MD5
7d1dbe3c735d2a5d4951022c45547772

SHA1
e6fbebc3c185d6b150bc7b2a9d1685e107b03b3e

SHA256
8cc9bc4f9289ef37d344c88e4b53ce5ca58b11ec1e32d60fc9fd6456a80f1233

SHA512
648299ee0b0c2678d9da43ca039fcf8525e9921b46327577fa6c57f0de41f5ccecda70e219a0135fb8c05725a752e7e2cdf27bad845203eb5147d3056e588086

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\TipsClient.dll

Filesize
237KB

MD5
25853e8bd3e283e15024d1111535ede7

SHA1
5b56e1dea924520b6c61ec09113c33fa3db573a4

SHA256
ccbce22f01208cc8fc96de789ab9fedefc851f588cd4c1fbd6d9edc7ac2f4eb5

SHA512
5bfa0e6bed05f1ab79ee97d1bd9bf1d48ba3d263a44e538d005af820c41c659eb112a4f19152e0841301fbd8b9618e8f353fe672df88b66e45c4719784202144

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\VAProxyD.dll

Filesize
97KB

MD5
c3a7c71bce4ec04d63b7ef8ec9958c39

SHA1
cbe84ecbae1eb37557426783b7fa89a804d4fc09

SHA256
02a78e77cb64d9fa1f90ed2be6d9ff7b94624b2a790ed8109bfe61e66ebd825f

SHA512
9a5579cd5c437158d8277b64e583d18cd0113c186d1013e3c57c92d39a16b412ce9f95aef09dbbd05a36cab62e5193532c41eea6850b0a77d8502e7d1fa23468

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\VSFilter.dll

Filesize
1.3MB

MD5
347e0b1ad5494939167e883479bd0a5b

SHA1
260a595d847b4923b13109a64cfe52f7185f7f9f

SHA256
e31ed68fca6374cd6cf5b6fb2ecab03ae1c06616f44d3597b56c6f907ac16a06

SHA512
91044d1f1576e92a7b9f02e3e49c4db978fb7e9b19f92059f907f6dc38a12fcdd0340939dc6a6d849cf905ca2d941ba680b3f4fcabc4e5c7648211854e8d7fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\admodule.dll

Filesize
889KB

MD5
ecff547257597c45b2b492adc11f84a9

SHA1
702dbb4b6d420ad70caa077f723bbebf47b482c8

SHA256
8d7d4f500917da75bfa774e930d048648d91f4ba7377ab8221d35416a5f52f10

SHA512
ddb8dd2f53a6e0005a57cc9a56647290b1b000b30e45abb1a0add14408bbfaf3b005fbbb75991651e3b43a25e933f4d215dfbb1f290a847f19ee27e4bede005d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\admodule.dll

Filesize
812KB

MD5
a256337aedd10bfe85aa8d0cc759c4b1

SHA1
292012487cd89842964712e1ad26e7dfb2c1fcb1

SHA256
e2c24c63ac4da0e34a253c3cf8d6ec31da39740376fe2e87e52ba0f32c450640

SHA512
250666689c156809dae72648e99d0a9abdb105375044c956d6c50e4107dce236d95a7925611566f8963b7bb0e956631aff9cce65695f1b7e493cfd4c849dab72

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\audioswitcher.ax

Filesize
304KB

MD5
9ab21c1c96fcb113ff93cd641b88112e

SHA1
d5ffe5945ebbeaf73a0e1d7470d0a2f72b08f6ff

SHA256
bff1bf09ff63a3fd600cbf36684aa01da6a08b63498ae549b15f0964572c3ea6

SHA512
44cf7f6d8e51aa6c8d98f1c5456c391fe812d6df4c6b68450d0ba4ee920e86a22433f22ee3f367a8f1183c0276fbe0eaeb2de7987ac9acf51f542a0a84451293

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\chctrl.dll

Filesize
953KB

MD5
2b7922d7f6fad8f4e13a4e7ff249dd6e

SHA1
3ef02d0a56e13f5ac3373f556905a7c965c50c9d

SHA256
e603f75ca46e07d7cf1e3d3d8a3012d70051990f9b1c8e68e17f0c0e595d6404

SHA512
5ad6a6fd8dd7bb67870fbc76096a0c0d62e85f5dbe84ed4e48f37a9d5004adedead6d4e0cb4aa527e134fe27eebec3ffc85dde4a5dfbc47c35e8ebac8c2e2cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\ckdll.dll

Filesize
65KB

MD5
5453a50acedcdd7b81ebcb44e5df4607

SHA1
475da46f5d0906d93c9fc93247a0d3addcb001e8

SHA256
45b134cde09d861a62e740f27b52ccbb911ef35b7a6cacce9e2765d842f57088

SHA512
807ef2172fa4bc077588992dcec963a264fb6b96b5a530f780587949223c8ebfd4439e8c9649bbb410485b9fe8bc60e315e06a1398f16cb974060783e122cb29

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\cknsis.dll

Filesize
51KB

MD5
08089179f184f92fafe82e690b335bcf

SHA1
f272226069706e1e2d009e95e408b3303a8b1662

SHA256
58eac56896032ca3babd1093b25be14c1a54ecbec2c7ad0f9ae6b87ffba2a30c

SHA512
6277e5151628a0e8e78006e8c69c44b89c988352e1de02de149dd162bb2a5dcffa3f1bf2844d8a621c1768ea12b8597ddbb1abc375312240873f1151aa0a2dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\client_ap.dll

Filesize
446KB

MD5
13bdd430284805dbec8c68b99259e4cd

SHA1
f0ecf785efa6de53dc0440b934ee01cbdc6f943d

SHA256
67bcafadeced563063841597f87a168bb2cb059d6827154513cc4963f258f40e

SHA512
1777646d25ef3aaffe9199b192d3aebdf35a9d46d784bb52ab2dc35816bee4b348925744575dac6f96d8abd3b999285b86fb714cb31887fbb06fc461c77b7463

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\cmdline.dll

Filesize
45KB

MD5
e6f710078a265647d4fbd96fc2fb40fc

SHA1
c27581059618a531efae20d4734e0e8400e77035

SHA256
76e493cbf94fb95287bc62a0f291bba4d60623574e0b3d7eb54d0bd43e420aee

SHA512
3cba58c3f6005e1a1e59dec0a621d4b39629bfd8df849af92045fafda8b6939dca0e83bfc2d7b9d705d3f0feed329078013003c499550edd285301d2af42f649

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\condisp.dll

Filesize
69KB

MD5
84cf51e413b97f0c238035ae7f1fbc04

SHA1
d95e22f13996483219fd4b272e4ecf67aaa86cd2

SHA256
0d679f7500e559e3cbe42bd2d55017657c79f4d652c28eb1e894bd99a505ccf3

SHA512
ec23f50bb0b8555faf766b4a0069163baf92a840f3d5a1c7622b6cde4501d436ce597116fc5742cbeac313550d95ceb143a8245f52d1a83f06a6c6cba15a78ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\crashreporter.exe

Filesize
193KB

MD5
ef3540f822902149f6519f5cbd06dc1b

SHA1
fd2fa2e58d4f895ed0ae3260f101b37fc0eaef48

SHA256
b2d19487e25e991b1d7e14e332b051a73805c9c4e4069a35af73b73af15d9a56

SHA512
58072f705b6aaf2ec7a9fb6c2f0501a27a92c6d8874666fccc907be5988a5c1a28978a0439f8c5467eeac3c5b71ffb02c360d47b06db2a76eb38839922087e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\crashreporter.exe

Filesize
193KB

MD5
b0ce6381fca2dda09a8899ee88dcc026

SHA1
811f2b66e1b53eda64b11cc18bd5d4604ec2b51b

SHA256
418ad8f0c01b476fd3c0e691fbc64574be93e7221d977c5997dcdcb6dc5b474c

SHA512
41563b2a9840213599a1a1fd416afcb3e4e59b1f48824a7895e5c29842bb3e07a2272455d274d656311561a0b9b96f3d1f06bf6ce5a693110b95a1d673655381

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\ikan-p.ico

Filesize
126KB

MD5
96651dcf6e6acc9966f24b31c84f6937

SHA1
847e145c951139bb2736eb5f32e82f55b565a0c3

SHA256
e72970a5e442fc1e22e2363a1a8a81b7e8d7dcc3032e582c410fde47779116ba

SHA512
0035d9e69142a6b843db7e33adadef35d55f81d148c44b90ef38d1e234f0c666d03286f742694c024f51db1f96e4c8517f852091cff12e317781a469da2d8afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\mframe.dll

Filesize
609KB

MD5
cfca286051452ee4ade71c64021424e9

SHA1
80bdc7dd1a5b478b2e86d6d99674794cc75d4f2e

SHA256
1f3c0af59c46dc9a04bbc86ec5e363622d87118dd32c0782bcbbd964086aedd4

SHA512
8a2e88bccfe0fbdef29d9bcc7c7dc5e7451f32aa1e75a5592546f7b7013d581b5cebec7c80565ed6debea4e9a346e869cd728761cbbba3efac703167b2664cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\mframe.dll

Filesize
497KB

MD5
a7987894d9c1da8ae24312e9cfb06c15

SHA1
92605193fd641c7a61c6a1b05df459df546b8600

SHA256
e97881bb79eda5140af4c6978120f5454aa5f729396b1e295925c83ce8238c34

SHA512
a1d00d443c63112c0183fbc96780ed6739cfbe853e839246aa95d6bc37ce54a38a4e699446d8bd73c797e961236ab480b0f508b45bd0398b28a2931fbd0c8e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\mir.dll

Filesize
1.1MB

MD5
a4354640020d7940bf14afad4e9aec84

SHA1
238db777283f149f687147bbb61a9d94197b5036

SHA256
5969d022510794f883ef269d1a1dc9a1ca430d77a89087561db384f427f4fa4d

SHA512
1b2a396289a81488e0f13fd20f0a5ff6e3e6d16eb5897c79453b38de55f57adab9992ad73b55354208e2cf4f998afd82d9644951f46979bf5a07e2a64b1b9f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\omng.dll

Filesize
485KB

MD5
92303255256128a7516be09380d84557

SHA1
f2c8828e5b8e07abee2a141611b43f2ed14e45dc

SHA256
ebf5f27a69ce8ccf7cdb175fa68517fa6afcd2ad1386ba22ab0f6f9c3916503c

SHA512
3f9c590006daf1390ff0fcb16a18d320298ccc668075441520c9a917e70e8d8704ca98ab3c25f6d881f21f012361667eb86a17a1c3691374b7651aa1eb1a4b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\pplugin.dll

Filesize
121KB

MD5
a7543337212c5cae30de77d63272c1ce

SHA1
fe1a358f8e0eca0d3bbdf05036cc59af80126669

SHA256
45f88a39d30e45e674ffe9d9a4ab989289472c2ad32e3ed01e0ebf73970f6b34

SHA512
57fea8652a16b23ad5570a50db7527855e0efb253884f15de6bd18f49ddb857dcfa9956a6f6da2b3ec6aa1e40605d340f14567dbd19b50349d3a3933f669a612

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\pplugin2.dll

Filesize
241KB

MD5
f62f6814c814b1edd41401c50135bcde

SHA1
dbd994d95ca44d9f672149b3780b0ee32df3f404

SHA256
6f060604bd162cadd83e75eeb0285056aa389bdacf1a4c906a81e63328ddd650

SHA512
a2be347d3f2c6fb0c55bdc22b881450db9e3f1c7fdfcd47245122dcdfe7c77d923d36be6aadfccc4a6e327078e9f2d109d65cc7ddd4436a899dd61328f03cb35

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\ppopt.dll

Filesize
101KB

MD5
ffcf0e4cfee109dfbca76bb776fd2608

SHA1
4140f8791697cba83ae1afb120ba14060746ff2b

SHA256
900bdfd4b9f25195bbf907bdb5e1bca3ea3d1378d71d650edf857d19559b1aae

SHA512
730629e776828c545e1825bd4e8b8acaa97b67a91244faffd9a8da076a7d9613e0467481194781d44cb10d878e898e911b579454f43f4b93f4be09642474d5e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\ppp.dll

Filesize
333KB

MD5
6c9e0736a571af2be5786b63d11e26c1

SHA1
c63465d6f15c1fb721015cb343f43196f73ee045

SHA256
854d6fd69109b41075610b51b3f464378ea122bd9ee7fbc34452f553bb30ca27

SHA512
1f663562aae214c19a991027bf46d22af5e77c924b08c8b3336e611000baae8165e4d85bcb7c0d6df219fd5e4469951a3f3b04a4678cfa13f5fd4bfe90b50a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\ppp.dll

Filesize
305KB

MD5
19e50d2c1b3d9cb095508ba3edabf19d

SHA1
ddaa2469659fe7c110bde2c93470d4b4ccceaa39

SHA256
b75d1af08423e2987f90e734116e76bacfdea7632405df1b8f36af8f98d6a943

SHA512
75666665a231a929eb535e5c6038d155828842725fbecfe03d43267ce540b805dadadf60d4cefeed27f98b7bdd266578a6353adcb2755133216116b3eb4e6876

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\pprepair.dll

Filesize
29KB

MD5
47534dd790ebfddbc9c8a718e3c8f597

SHA1
5521f6fa238c71becb79b616e7ef40ce9b1af2eb

SHA256
349591ef83276586b26f010f93e3868d8680a5bd5d976a247c698bb30b3c6a47

SHA512
302390c876baf8cb51292ed341198f22b8b142ad7a80c4e703555ef8473f556bd5ca08bce79d382ef0b16a548220f1a3ec00e481d5d35e5408b9420763bcba07

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\sqlite3.dll

Filesize
504KB

MD5
b8a7b1f27c5d6b29ca363671307d8ec9

SHA1
5f190843d7bdbfbf86805d36003479df24b3a9cc

SHA256
4b55e4fae8b9d12c8ef971f037bc37c5e592fa3382bd5e4a08d2b3ddd112b559

SHA512
e7bd5c77078fe64478ca821fae29b550febdd5833d496a3d479ea4afc63822b55d81f2da2dc65b9f194edb019d4dfc951ad4af2ad970ff4b74a123ccddc3c8ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\tpi.dll

Filesize
885KB

MD5
f7aebe01c20ba67e2841a0d26bb14e7a

SHA1
8571707df764256694e6a5eb9da1288127d570e8

SHA256
f92a000062c3b5cb961a9773db071ab7dce19bb21a6b775fb72b89e6e12e745c

SHA512
dea2cea63d7098c27d73c3891234b6e672d956a41acc24315de7cce42ba35aae4e6447234c42fca085f91e6749fef051c78af35dee316f348939cbc3a131ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\ui.dll

Filesize
799KB

MD5
e92429931dfc9b0846438fdeced4fcba

SHA1
1f7e7ee18748ae45deeff060959246414fba600d

SHA256
39a4335c4793d33ff2ad659bc1b7389480198b05c990585bd92bfd075a4516da

SHA512
cc5ff01db04258cc6395064ce9d02c8632c279361459b2933534afd6c9d1b5581b16fb20d65b295137abc32331db3e59dffc7644215cc9355c927ae88bfd23b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\uilib.dll

Filesize
708KB

MD5
34a8482d581a5275a3fbefb5b6d4d9c6

SHA1
ba4600b0b7934b34d990da140aaeaac42fd9a3ef

SHA256
b35a4521b5ea1c3d11ca24470acca87d040bad7932bacc82ee7a343c76f62b1d

SHA512
c47500b57086c072fc2ef776e49791a6608f7c7535b55b392833f78384cb5ab1222a426edc87af1f57b93aa0eeb69b3af82af07ba74714db6004d5e00306b7d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\uilib.dll

Filesize
708KB

MD5
e5b0cae7fbc695b788771e7f905dae8a

SHA1
c426603903e07055a50a3378fb5692111bf5886f

SHA256
620d545ec417442907c08d3550332c4835fd0f45169fe278304fcb8ea2efd9f5

SHA512
6e22600c0f46b1a3a74e269ce198334141ef44cce5c0dab6f0a0115c838d5c12e713e6c7f4288af6836ccb19779a31984d7c7e58c0af4ae233210efcf6bf1bc0

Download Submit
\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\CommonFuncDll.dll

Filesize
29KB

MD5
563021d3e7a1feffd5825f74accd509d

SHA1
4f088428f5cd8db4c8162379cc2f04353f0cfb41

SHA256
69588124f8ef69475c9188dc7855e2bfec22d8aaf97aee569af9c3d895395aec

SHA512
7b4d778d8280b05a337a48754c065f79fd07fe62ba69cf0d6291ecd6591df4ba3e0a96837f8530e402fd42ef428323eb9679d44f344db919e4d8647a81814600

Download Submit
\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\CoreAVC.2.0.0.0.ax

Filesize
265KB

MD5
a45cfb1f058297ae981f8afeef056b8d

SHA1
e454ed585a0f19d3119cef725958ea19c93cd7cf

SHA256
779768aa0bf2270422e1686547ae622238e7b7cf37ce212a1d75caf8628c1508

SHA512
efa87c97e4f76d5fbd73d2e0c5c580c719518d4e3e7e16efdb1355b659c9584956bc7df944f0d637f069f359a046fe65bfd178e4cbaf97fbb5921ebd29e09aa0

Download Submit
\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\FindProcDLL.dll

Filesize
20KB

MD5
943ccc923be093185c04e893245e55c4

SHA1
5d48cfcbe7a659e8c1da7127aced2cffb8e6d125

SHA256
893607cef43f3dbe210b301c6b91d426a4eca11694d8feb5104edd329365f57d

SHA512
5006e7b312a3182b4d638a38579ff1bbbaecf288995d23135d201745b4d2b999357ce8ca051decd51c55620fc144e536d51846f73e42d76c5cd058a00c5661f6

Download Submit
\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\InetLoad.dll

Filesize
23KB

MD5
7a10bf1243756d9cfbf6a5160d0daa23

SHA1
5770bab5f288383e316e2e59b427f7eac1e50347

SHA256
64d779b5bac8a2b8a31a83cb3b4171141b4809e3e126a546a4c1f7570ee93210

SHA512
3a8d37a47a17893388ad9f58028d98ff0687ecc9fc9f0b0501650544985e3ec257c113381a3910b3b0cc8a06fe4e26fea1b65adfd4768822e6e638a9215841bf

Download Submit
\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\MP4Splitter.ax

Filesize
509KB

MD5
bb01bfdc1bfe48cf9c18180bf6539917

SHA1
25d0a11d31857fef74e9b98dcabd96f24d89c774

SHA256
050649bb8dc43e68753de7567e17972cbcec1a2dacf243befeb12dc51517f7cc

SHA512
f4fa00923ee61f0fcb53c8ebfd65b27db54a7663e5d60d8a56f7d08f33e2e1c467aa0b58899fbd62ac2261b185655cc94bac9ce85e2ed3b0c32336daa5346ba5

Download Submit
\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\OPlayer.ocx

Filesize
1.2MB

MD5
ca3028a6adee108bb3fd4657e9632355

SHA1
43be6285c5f7ed07062dce2f23171b7965147f98

SHA256
57ee68455ef1219b05d8efea12beeba73a1ef03608756e693706b5096c2a558f

SHA512
47461d1797170e62fcb5170f22b859046dc09541614044a29c8c56377ffa30780dc8e1210b6a2600232f1e3fd68c26493e47d6b90367acf8396b430f7092e601

Download Submit
\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\PPHookShell.dll

Filesize
135KB

MD5
ff74898a1917a40565dc34f4ec75a5f6

SHA1
b27a1d9ac2a1a71d47de41f2dbad10462ae74f33

SHA256
7d2ab6ccc068dc15b7fec19c5ec44d42ba4707cdbad47bcab2c5458ce1df134e

SHA512
105d3575403cf83854df60ff1d660fcbcdc27910140c92a06757c67d0ec0fd140c6ff8a09e00d49b527b7bc3acda724f8a8819a0db3d184446602e29a852f1dc

Download Submit
\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\PPHookShell.dll

Filesize
61KB

MD5
9b9ffae9f9b61e1a32171ea172d66dc8

SHA1
e4cef153503c3ad58a0b201d0d7e165e850ca3b9

SHA256
0dcc22d0f1a77247e4b8b0018eae72ea3a6f95b3b6b85e6998978ec38a7ad492

SHA512
4918dc4cef9799576ea3bd6c88f90589acb5807f76add063b3831f8ac3a7ff2557ef749334c586754e6387a3d19fbd4093c36c9cb43fecef24fb75f0a91fea6b

Download Submit
\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\PPInstallLog.dll

Filesize
41KB

MD5
a04d44787b28d37b4334c184ea4faae8

SHA1
47a5038f2fc45841420a89f08eefd35191aa1fe7

SHA256
34f0eb6f3b7deda82929fba6993eb27cd26d0b791be8031ce0b4729a7dc9dd46

SHA512
a529e5c412dce90f34e13a185e81b757adf140447167b310d056d2b380873683e5b6681f5810be7d1194cfdd64eda25b87a1a5aae70ed4e48be5aa64acbd5346

Download Submit
\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\pnsis.dll

Filesize
72KB

MD5
dde7cd3719145ecf3c89d2a1e79ca1f3

SHA1
92802c38f88c4d57f0b1153b04b4de43af4adcde

SHA256
c930819a0f64879fe3a96c606da4be49613693a43b9b1060dc870bec7b3ab47a

SHA512
dd67858919fea31f0d4df0c012dc9605fc68bb7512924fee04ae41528d02f8f7ddfd32949841b676735a9d3d81f7dcb455854f20467a4a40ee9f48babd5bee5a

Download Submit
\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\sop.dll

Filesize
455KB

MD5
aec9302b4c826d91b1cd0666404354ab

SHA1
ea8be9a7420c972b3501cfde374a3630873fae61

SHA256
8dceb44c06f1cc5bc819944b9816d9c9e1ddab6d734f76ca96c56006cc0455b8

SHA512
287f31a2f021f4ff47abefcead9ce0ffc6d49f7ae156c1a259f3e6e98eb30641ffb2cb1166c8931916af21faf4d5f1eec2bca106f90328b9a50a007eb37c4593

Download Submit
\Users\Admin\AppData\Local\Temp\nsj1D43.tmp\time.dll

Filesize
10KB

MD5
38977533750fe69979b2c2ac801f96e6

SHA1
74643c30cda909e649722ed0c7f267903558e92a

SHA256
b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

SHA512
e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

Download Submit
memory/2156-2202-0x0000000060900000-0x000000006096E000-memory.dmp

Filesize
440KB

Download
memory/2212-1951-0x0000000004200000-0x00000000042FB000-memory.dmp

Filesize
1004KB

Download
memory/2212-2151-0x0000000003960000-0x000000000396E000-memory.dmp

Filesize
56KB

Download
memory/2212-666-0x0000000003C00000-0x0000000003CFB000-memory.dmp

Filesize
1004KB

Download
memory/2212-353-0x0000000003B60000-0x0000000003B72000-memory.dmp

Filesize
72KB

Download
memory/2212-283-0x0000000004200000-0x00000000042FB000-memory.dmp

Filesize
1004KB

Download
memory/2212-79-0x0000000003B40000-0x0000000003B52000-memory.dmp

Filesize
72KB

Download
memory/2212-671-0x0000000074780000-0x0000000074892000-memory.dmp

Filesize
1.1MB

Download
memory/2212-2344-0x0000000074780000-0x0000000074789000-memory.dmp

Filesize
36KB

Download
memory/2212-2142-0x0000000003960000-0x0000000003972000-memory.dmp

Filesize
72KB

Download
memory/2212-296-0x0000000074510000-0x0000000074622000-memory.dmp

Filesize
1.1MB

Download
memory/2212-2156-0x0000000003960000-0x000000000396F000-memory.dmp

Filesize
60KB

Download
memory/2212-2163-0x0000000003960000-0x000000000396C000-memory.dmp

Filesize
48KB

Download
memory/2212-2171-0x0000000003980000-0x0000000003992000-memory.dmp

Filesize
72KB

Download
memory/2212-2175-0x0000000003970000-0x0000000003982000-memory.dmp

Filesize
72KB

Download
memory/2212-284-0x0000000004200000-0x00000000042FB000-memory.dmp

Filesize
1004KB

Download
memory/2212-291-0x00000000747A0000-0x00000000748B2000-memory.dmp

Filesize
1.1MB

Download
memory/2232-15-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2232-2-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2232-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download