Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/10/2024, 00:07
Static task: static1
Behavioral task: behavioral1
  Sample: 4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe
Size: 5.5MB
MD5: 4fc4d3801e9066cc655451d14dbb9857
SHA1: 46be1887488322f527f32973e0a4ec106ebf5dc0
SHA256: 6bb16c752fccad3cfc3dc2d625522fdb678b499060d88114ef7048a0639014f5
SHA512: 210669aa41c90f333afacc770e161c34c5cf6054805d0631b00d838bd9059d0621173a879f587ffafddeff48f4e8716f21f0c21f9ca58b62b4aa922a6daeebf7
SSDEEP: 98304:QG60o9NQd6SZjUofXQjAXmgUN9FdnTp+7HqMDMIXksdi4ynHU:U0o3QESZJfXQjImjNXdTU74IbdiTU
Malware Config
Signatures
Drops file in Drivers directory 3 IoCs
  File opened for modification: C:\Windows\system32\drivers\etc\nsv9444.tmp (4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe)
  File opened for modification: C:\Windows\system32\drivers\etc\hosts (Regsvr32.exe)
  File opened for modification: C:\Windows\system32\drivers\etc\hosts (PPStream.exe)
Drops startup file 1 IoCs
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PPS.lnk (4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe)
Executes dropped EXE 1 IoCs
  PID 3756: PPStream.exe
Loads dropped DLL 64 IoCs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification: \??\PhysicalDrive0 (PPStream.exe)
Drops file in System32 directory 2 IoCs
  File created: C:\Windows\SysWOW64\pncrt.dll (4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe)
  File created: C:\Windows\SysWOW64\ppsӰѶÆÁ±£.scr (4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe)
Drops file in Program Files directory 32 IoCs
Drops file in Windows directory 2 IoCs
  File opened for modification: C:\Windows\psnetwork.ini (4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe)
  File opened for modification: C:\Windows\powerplayer.ini (4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 41 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies Control Panel 2 IoCs
  Key created: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop (4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\PPSÓ°~1.SCR" (4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe)
Modifies Internet Explorer settings 4 IoCs
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6F527659-7814-4B10-824B-C763CC31B79D}\Policy = "3" (4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6F527659-7814-4B10-824B-C763CC31B79D} (4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6F527659-7814-4B10-824B-C763CC31B79D}\AppPath = "C:\\Program Files (x86)\\PPStream" (4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6F527659-7814-4B10-824B-C763CC31B79D}\AppName = "PPSAP.exe" (4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe)
Modifies registry class 64 IoCs
Suspicious behavior: EnumeratesProcesses 20 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
  PID 3756: PPStream.exe
  PID 3756: PPStream.exe
Suspicious use of SendNotifyMessage 1 IoCs
  PID 3756: PPStream.exe
Suspicious use of SetWindowsHookEx 43 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe"
  - Drops file in Drivers directory
  - Drops startup file
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3736
  Child processes of PID 3736 (the image path is SysWOW64 while the command line names system32: WoW64 file-system redirection for a 32-bit parent):
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /u /s ""
      - System Location Discovery: System Language Discovery
      PID:3180
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /u /s ""
      - System Location Discovery: System Language Discovery
      PID:4208
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /u /s ""
      - System Location Discovery: System Language Discovery
      PID:404
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /u /s ""
      - System Location Discovery: System Language Discovery
      PID:3664
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /u /s ""
      - System Location Discovery: System Language Discovery
      PID:4356
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /u /s ""
      - System Location Discovery: System Language Discovery
      PID:4352
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /u /s ""
      - System Location Discovery: System Language Discovery
      PID:1088
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /u /s ""
      - System Location Discovery: System Language Discovery
      PID:2980
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /u /s ""
      - System Location Discovery: System Language Discovery
      PID:3148
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /u /s ""
      - System Location Discovery: System Language Discovery
      PID:2256
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /u /s ""
      - System Location Discovery: System Language Discovery
      PID:1432
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /u /s ""
      - System Location Discovery: System Language Discovery
      PID:3088
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /u /s ""
      - System Location Discovery: System Language Discovery
      PID:2068
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /u /s ""
      - System Location Discovery: System Language Discovery
      PID:4988
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /u /s ""
      - System Location Discovery: System Language Discovery
      PID:4400
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /u /s ""
      - System Location Discovery: System Language Discovery
      PID:4456
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\FlashPlayDll.dll"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID:3704
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\ppsimage.dll"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      PID:3524
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /u /s ""
      - System Location Discovery: System Language Discovery
      PID:4320
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\MediaList.ocx"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      PID:4596
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\Vodnet.dll"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID:3228
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\Vodres.dll"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID:2896
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\PowerPlayer.dll"
      - Drops file in Drivers directory
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      PID:1416
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\PowerList.ocx"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      PID:4492
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\Livenet.dll"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      PID:3488
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\Livenet2.dll"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID:3208
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\fds.dll"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID:4868
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\ppsva.dll"
      - System Location Discovery: System Language Discovery
      PID:3472
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\qasf.dll"
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      PID:3048
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\wmadmod.dll"
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      PID:684
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\wmsdmod.dll"
      - System Location Discovery: System Language Discovery
      PID:2268
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\wmspdmod.dll"
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      PID:4996
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\WMVDECOD.dll"
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      PID:4436
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\l3Codecx.ax"
      - System Location Discovery: System Language Discovery
      PID:1448
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /u /s "C:\Program Files (x86)\PPStream\xd.dll"
      - System Location Discovery: System Language Discovery
      PID:1844
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /u /s "C:\Program Files (x86)\PPStream\PPSMedia.dll"
      - System Location Discovery: System Language Discovery
      PID:964
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /u /s "C:\Program Files (x86)\PPStream\WatchList.ocx"
      - System Location Discovery: System Language Discovery
      PID:1968
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /u /s "C:\Program Files (x86)\PPStream\tsr.dll"
      - System Location Discovery: System Language Discovery
      PID:2468
    -
    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: "C:\Windows\system32\Regsvr32.exe" /u /s "C:\Program Files (x86)\PPStream\vodrc.dll"
      - System Location Discovery: System Language Discovery
      PID:4880
    -
    C:\Program Files (x86)\PPStream\PPStream.exe
      Command line: "C:\Program Files (x86)\PPStream\PPStream.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Writes to the Master Boot Record (MBR)
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      PID:3756
-
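The process tree above is what a detection pipeline would be handed: the installer (PID 3736) launches Regsvr32.exe 39 times, 17 of them as /u /s "" with an empty module path, 17 as a silent /s registration (11 modules dropped under C:\Program Files (x86)\PPStream plus six Windows Media codecs from system32) and 5 as /u /s of a named PPStream module, and the "Drops file in Drivers directory" signature fires on PIDs 3736, 1416 and 3756. One caveat before writing a rule: the image path is C:\Windows\SysWOW64\Regsvr32.exe while the command line names C:\Windows\system32\Regsvr32.exe, because the installer is 32-bit and WoW64 file-system redirection rewrites the path, so the match must key on the image path rather than the command line. The Python below is an added example and not part of the sandbox report: it runs those heuristics over process records hand-built from the tree (PIDs and command lines as shown above; the files_modified paths are assumed, chosen to fit the signature names, and the record layout is my own).

```python
"""Heuristics over sandbox process records, modelled on the PPStream installer tree above.

Constructed example: SAMPLE_PROCESSES is hand-written from the process tree on this
page (PIDs, image paths and command lines); the files_modified paths are assumptions
chosen to match the signature names, not values parsed from the sandbox output.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Directories that hold the Microsoft-supplied modules regsvr32 is normally asked to register.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DRIVERS_ETC = "c:\\windows\\system32\\drivers\\etc\\"
HOSTS_PATH = DRIVERS_ETC + "hosts"
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def split_cmdline(cmdline: str) -> list:
    """Tokenise a Windows command line; a quoted empty argument ("") survives as ''."""
    tokens = []
    for m in re.finditer(r'"([^"]*)"|(\S+)', cmdline):
        tokens.append(m.group(1) if m.group(1) is not None else m.group(2))
    return tokens


def analyse_regsvr32(proc: dict) -> list:
    """Flag regsvr32 runs with no module path, or silent registration of a non-system module."""
    tokens = split_cmdline(proc["cmdline"])
    switches = {t.lower() for t in tokens[1:] if t.startswith("/")}
    modules = [t for t in tokens[1:] if not t.startswith("/")]
    module = modules[-1] if modules else ""
    if module == "":
        # /u /s "": an unregister call that names no module does nothing useful,
        # but it is still a LOLBin launch and worth counting.
        return [Finding(proc["pid"], "regsvr32_empty_module", " ".join(sorted(switches)))]
    if "/u" not in switches and not module.lower().startswith(SYSTEM_DIRS):
        # Silent DllRegisterServer of a module the installer dropped itself.
        return [Finding(proc["pid"], "regsvr32_registers_nonsystem_module", module)]
    return []


def analyse_file_activity(proc: dict) -> list:
    """Flag writes under drivers\\etc (hosts hijack and its .tmp precursor) and Startup persistence."""
    findings = []
    for path in proc.get("files_modified", []):
        low = path.lower()
        if low == HOSTS_PATH:
            findings.append(Finding(proc["pid"], "hosts_file_modified", path))
        elif low.startswith(DRIVERS_ETC) and low.endswith(".tmp"):
            findings.append(Finding(proc["pid"], "temp_file_in_drivers_etc", path))
        elif STARTUP_MARKER in low:
            findings.append(Finding(proc["pid"], "startup_folder_persistence", path))
    return findings


def analyse(processes: list) -> list:
    findings = []
    for proc in processes:
        # Key on the image path, not the command line: a 32-bit parent on x64 writes
        # "C:\Windows\system32\Regsvr32.exe" but WoW64 redirection runs SysWOW64\Regsvr32.exe.
        if proc["image"].lower().endswith("\\regsvr32.exe"):
            findings.extend(analyse_regsvr32(proc))
        findings.extend(analyse_file_activity(proc))
    return findings


def summarise(findings: list) -> Counter:
    return Counter(f.rule for f in findings)


INSTALLER = r"C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe"
REGSVR32 = r"C:\Windows\SysWOW64\Regsvr32.exe"
CMD = r'"C:\Windows\system32\Regsvr32.exe"'

# Constructed records: PIDs and command lines from the tree above, file paths assumed.
SAMPLE_PROCESSES = [
    {"pid": 3736, "image": INSTALLER, "cmdline": f'"{INSTALLER}"',
     "files_modified": [r"C:\Windows\system32\drivers\etc\nsv9444.tmp",
                        r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PPS.lnk"]},
    {"pid": 3180, "image": REGSVR32, "cmdline": CMD + ' /u /s ""'},
    {"pid": 4208, "image": REGSVR32, "cmdline": CMD + ' /u /s ""'},
    {"pid": 3704, "image": REGSVR32,
     "cmdline": CMD + r' /s "C:\Program Files (x86)\PPStream\FlashPlayDll.dll"'},
    {"pid": 1416, "image": REGSVR32,
     "cmdline": CMD + r' /s "C:\Program Files (x86)\PPStream\PowerPlayer.dll"',
     "files_modified": [r"C:\Windows\system32\drivers\etc\hosts"]},
    {"pid": 3048, "image": REGSVR32, "cmdline": CMD + r' /s "C:\Windows\system32\qasf.dll"'},
    {"pid": 1844, "image": REGSVR32,
     "cmdline": CMD + r' /u /s "C:\Program Files (x86)\PPStream\xd.dll"'},
    {"pid": 3756, "image": r"C:\Program Files (x86)\PPStream\PPStream.exe",
     "cmdline": r'"C:\Program Files (x86)\PPStream\PPStream.exe"',
     "files_modified": [r"C:\Windows\system32\drivers\etc\hosts"]},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_PROCESSES):
        print(f"PID {f.pid:<5} {f.rule:<38} {f.detail}")
    print(dict(summarise(analyse(SAMPLE_PROCESSES))))
```

The registration of qasf.dll and the /u /s of xd.dll produce no finding on purpose: registering a codec that ships with Windows, or unregistering a module, is what a legitimate installer does too, and a rule that fires on every regsvr32 /s drowns in noise. What separates this sample is the combination of dropped-module registration, a .tmp written next to the hosts file followed by the hosts file itself being touched, and a Startup-folder shortcut, so the findings are meant to be scored together rather than alerted on individually.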
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 242KB
MD5: 41a73af32b92d4fe52f72574dfe8f87a
SHA1: ba4579c0f997a219bf4950375b5c2349f6baa0b3
SHA256: 021fd444605ed00cdce049dac448f025fc1dbc462d618192c1e8cdcb1c12fb3e
SHA512: 61b91c12b88cb154d1d55ecf2c9d3b75ae2ed481dd0fd46f306c38e29f59f6bc43f986938ecbdd2a8e21f8ab5280b00d648fda5c309d7156b75b53c980cf5e35
-
Filesize: 293KB
MD5: 6c3e76309b1c3981b24ee57bfa05965d
SHA1: dfdb30388c9e97a178cca1183989780670a30ff4
SHA256: 07a98a56841629c4fe071992fc2515dd4b79f3ed297e0e832157f6ffb426c1f7
SHA512: f7f2efa633ffa4f03ced325e7fbc35ff6aca753e0a35e5f3df6fa6c037b50d24749f841ec84cca1545ac67a5b6616e8b659da5e7774ca993e252bd5980615bca
-
Filesize: 965KB
MD5: d6d8fa1f909fbd50d6e02efd0e034b97
SHA1: c65b74e88e720c780f0de1898b89c701f48020b4
SHA256: ed83d2aecfeffc6669905cf72bcf0cb34ad5f7a7b024087deb65515877ca0cda
SHA512: 52c4bf30d0361fa9cd53cc882630beec03170a836a6961efec8d8c3d04093b9c1457e6b307a49d0ba0b909fb628e8861128d707818171806ac7166ee4692d4f4
-
Filesize: 1.2MB
MD5: b12bbda671c6cec48bb5af66ad684af7
SHA1: aa4d7c9623704846686fbe9c2d6f09f2121a836b
SHA256: d11a84dc4a469054ea200783cf2ba07bf906cc64657b6ebaf1d9a78c6093a118
SHA512: 87d30c4a78727570770c9f7aa2c768dc892ba9c076555477c93d5f8c16a1e7c2fcdbf04cafc5a2070a2350a646815afb49b5be078cdb7ec51fb30a1e802a5bfd
-
Filesize: 1.5MB
MD5: 43c9b075a03d7b673b7a52d4d7ee7add
SHA1: c09f44485264d1767f7cf6fb648d938f98de7307
SHA256: afb969c56f0bac3ce4c460b9477b1f3685cb284fb12b29193dfa43e6e38ba962
SHA512: 4933c8d42b317989a451fe6da8772e68bbbaffd52d87be9a4a3f816bb836fca35e7086ecdbb2d93df54763a09d7c88323a383c28907d9e3a8bfdfd1a77d319f8
-
Filesize: 2.5MB
MD5: d5697843420ce9a6d2542cc78b550b24
SHA1: 734e7e827824729f87851bdb1896a62df5f880a3
SHA256: 8fb25e845c15f4bd126613d6663d513d970e6a4b544a6ccb7a5009c6873194c1
SHA512: 3892aa849db87c7af6dfda505c99314ed441b2dde3654ea1a1f47face5a1215050bbfc43a02e47ea383003d13438e17db659f69f0c705d4cf302449878dca6bb
-
Filesize: 345KB
MD5: 75d36a7d5f0442a4c97e548072d44ac1
SHA1: ef0f0f852d0611af1b5c7a2a152700045a7148df
SHA256: c7ff292192e20884f69bb45feebc0090685f69e7ce1a104b26d4eaa86d172b58
SHA512: bf53a28e7bb78803713a1df75d64950b0e01d33ec6affc0505596e458df6080e4d761bb039b2250b22d9d6f589f2aef9a07b0e91c2374fb8f36ea27e9d5ec50e
-
Filesize: 1.5MB
MD5: b267aec2585644696044f6b6730d6a1a
SHA1: 9722785bad1001a880f4eaddea4b71bb88e15d6e
SHA256: 79c0c0fdb12fd47b863b08283fc6cc71e081b55a22407ea12f0427ea2c5379ec
SHA512: c7d42372bb1d4fdc5c454d87af22e8f118e216f8a7ad60300b00f70832d88b2243a17b99a2ba15698041e3e6ee5892e789d461622fc00b4fddd0122a6cec80bb
-
Filesize: 1.3MB
MD5: 61efd502973f406cea48d1d3ee4d5116
SHA1: c2cd947eec5a4937715cdee68ce35fd0d15a5860
SHA256: cad4a844421ae3a9732f2b2edd885b14a76795b85ded6beb84a5db5f24b5c8f2
SHA512: 55bf5d37d94503f3cb0a1bbe9bed6b89c09d9262e57c44ef970b27f30697af3fb10861bf34c2991186805fc08c2f647f055d3a95f3a4c3be6776fd97b401045f
-
Filesize: 1.1MB
MD5: 44cc4f6432ee946263fb6e6697fe4c75
SHA1: 9ed41c970ddc22a5263db3ca897f8bfbb048eadf
SHA256: 2531ce68f021aa2f3eb3c0097b45eba5d1435d099c36372a88fa1665e491ed48
SHA512: 01246a815bdf15e3650987422dee14e54239169e7f86d1ec3a30ecc168469536a6a3b2cf09e42d05b864d581c5a997fb33ef04279c9c756ee4d9247985ad0121
-
Filesize: 397KB
MD5: bfab7e315b543a526ab04341a95688ea
SHA1: 007cd093cb0a6f0bf22553886a4ee4b3557f075c
SHA256: 048d05ae14dc3c38f7f49abc670e375c93341076fa7710730ad35fe230c42545
SHA512: 04d9b05298805072895a45976cde999348436f039c1c9dbfeb6929d0c85767c9a641acaca7469bb9f871561909848c87c21ac2bd0a8e856715160f97216135ca
-
Filesize: 297KB
MD5: 3405dbb8be0b5cbe22897a60f8f93157
SHA1: c1f3d53992b08471290904276c3032753c0d8509
SHA256: d478ce48dc810b1821a6e9f27586bcd758a4ad7d3e72de5286c236e6a0be063e
SHA512: 17a7f2c989e390ed09756234bad46f947e3a9e2d8f7937c6ce3b53ea9e792e6c1a28856076ce5a799dbe39b745c997c0691d00ef35324aec8f7a6b23c0ccab1f
-
Filesize: 339KB
MD5: 8c72ccfdc2433978491b3aa7464e6fdc
SHA1: 8bef1052ae35db4583add9a8f1044904788fc0de
SHA256: 94e0ba93840a54508f098ef43aed4fb01f661606141223426d069a00d65b7fcd
SHA512: 0e76a8b3993fcb5e707b769f3dc7962e2e50626630ae2940a43a77d2c3883faecebea6258e5ef36b500db42746d36c6d98e72c54b3c95d53d21edaddd3bcd10e
-
Filesize: 2KB
MD5: a0736517388eac9c9eee9e20c7440ea2
SHA1: 671c5c5d633d96eb9075b2992ed93e7029f7cff4
SHA256: 2c52318115cfc47f7dfdc2dec9e9a921ba575874ca3427c58f45d0e8f281f3ab
SHA512: 7cc4cbe6fa527c0838dad31870f52dd2e6fefb76acdc76b5e68e379370f22338703dfd372fb71ce1159b0c10df713cdd42e0cd76a8ef928475d8277644d92e12
-
Filesize: 2KB
MD5: b3040c34cd007d678158ced31b8f1fed
SHA1: 0b39b20ea0bc83852197c30701d6cfb311289089
SHA256: 7d686a4673bb4c735d37e84c4fff55f3fe709c3cbf27bfec759665fc1e684200
SHA512: 85b80ac51ea4b0c30c663db59ebb9e5b3ee4ba2bf033a0178953fc131aff36fb99fbf5840800c642bed2dd3d89e9a8f0d49a092ef5c687e2301151862e7205ea
-
Filesize: 4KB
MD5: fad9d09fc0267e8513b8628e767b2604
SHA1: bea76a7621c07b30ed90bedef4d608a5b9e15300
SHA256: 5d913c6be9c9e13801acc5d78b11d9f3cd42c1b3b3cad8272eb6e1bfb06730c2
SHA512: b39c5ea8aea0640f5a32a1fc03e8c8382a621c168980b3bc5e2897932878003b2b8ef75b3ad68149c35420d652143e2ef763b6a47d84ec73621017f0273e2805
-
Filesize: 7KB
MD5: dd85ac7d85c92dd0e3cc17dfd4890f54
SHA1: a128fb7a05965c1a9913c6f5e419e6c4c0a7d2fa
SHA256: 27abd2a4fb1bf66add60221b52d061bbe24d2d21e13600725ff7a5c6c777b504
SHA512: e4ff8216c65110a9d156f37c2062acb53a72daa8af12dfc24278920d9e1a4083a81b1446759df75405b2da34c7bfb1afc33184feedd0aee4ed73f79fcbb1a8a1
-
Filesize: 5KB
MD5: 3de4b5a6d1098c217f7bdddbde113b81
SHA1: aaea1d21b8910f1a14beb7a3138598fc5ac607e9
SHA256: 3dad1148e63594824861fd3359459f96f1e3322bcb5b04a6a2fca60370f97e3f
SHA512: 5fbfe530bfb39dada5369e6dcec6e1a2d1201ed2d104dd3f397244a5482525d16e0d8bc4fc0b1836794401fcc1c1aae3bc79aaf72d4ea7d034f39e4624d4aeec
-
Filesize: 66KB
MD5: b140459077c7c39be4bef249c2f84535
SHA1: c56498241c2ddafb01961596da16d08d1b11cd35
SHA256: 0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67
SHA512: fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328
-
Filesize: 24KB
MD5: 0e1fbcbfec72e5c3f76024174980053d
SHA1: 67e7f707b1e5d3f3665562f3519946a7a2859a78
SHA256: 83c6fb0ae59cc3d00638559fd87b860f61e7ad60c63551c2e9e78ffac71d4ef0
SHA512: efb7736b103a5355356f1c4d109f27bd91cf40ae18b9dad1a81760688ca391c091e35208f368e8870523bc74ec7239f87b403513bc4a33fdf86314a43e4e48c4
-
Filesize: 11KB
MD5: c17103ae9072a06da581dec998343fc1
SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
Filesize: 20KB
MD5: 134b93f8bd1f82cd2f1b06c878580703
SHA1: 29cdbce7a2caf1f7e4d2a139c42336d490074665
SHA256: 45153adf50541316468e2b189a0f8127be9fb29e2f920e7eeaa6aceb438db8c4
SHA512: f970c38debb6631dab7369e2bc96237f16a8fd328d9d35a2b54cb688e1807f62cc6d63230afe89ce5c3945097ae4466872c72929a9623adde3ee57bddf54b692
-
Filesize: 150KB
MD5: f270bb2201c8595ccf77ab85c6ae4399
SHA1: 84398bc484923ebb51f8f403b51b2579c7228db5
SHA256: c2346f1adde353aeb6e5171d85433a3f831776607886dc3d1ac831d76631b552
SHA512: 2bfe55c653a4237dd7c14921a3ce467e726260f32a2cbc24029d5e8ede42aef45a1dce8e17009c02a26328e6c67552c4edbc9541f1ee3354c2907209258e93da
-
Filesize: 9KB
MD5: c10e04dd4ad4277d5adc951bb331c777
SHA1: b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256: e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512: 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e
-
Filesize: 4KB
MD5: 59e67d25d0a4eee6493f2c8467c42a8e
SHA1: e1df50b38ac6e62a18eeae273eefbc63c80ec4cc
SHA256: ffed8f040d06d09d4c1656ba8dbecca112a91fbfac0d9f2788b6e3b449f8a874
SHA512: e558823ac2d66da49761690818d035ff728a154cc15148fd8376dffea1d9e0108b8b6f4776c1f7834f3aabfc8c0ab23aef4bac6d0b33cd73cc32635928350988
-
Filesize: 8KB
MD5: 69f2e8c6fd141e9e720b2c4c366a8154
SHA1: a6279d93a102b6d7608dced32a36ddcd3e51994c
SHA256: 2e204ee4f1d12b4ca35c8205cea0cabe354f2e79a471863cfb76a7cee83cf107
SHA512: bf23a5f3ce98e6a1c04fe8ae6b6f385483ceed62470cd109017c97f37c23adbf0203bfb43d09b007c6925aeb5da9617f33bc5c478618f00cc91da83a48cacaf2
-
Filesize: 6KB
MD5: f2b34b71784d11515c3100389a6c7a60
SHA1: 798aa07c1c069ded15787f726445153c93d8ca17
SHA256: e75cffab1063e500383d642f9a7519ca20da247c72839f97d731edc84314d173
SHA512: 137ed1bf56955cc3cda6a219f9794fe5f59548a443d11b7f221acaf2887ece80e8e6efd3a9e0a4e64f8b13e99688b7a63f64f91efddd0fcd84a581fccf6fd8f2
-
Filesize: 16KB
MD5: 66f23be00723b2f54e7086ab37b9f273
SHA1: 591d749b09c88a6bf715f4f75d7a57bce309bcbe
SHA256: 3bd2b19b361864656d0cab5c66e76864313eff36e70b01086840689ab154b987
SHA512: 5d4b171d08ac1a6c62fd8f1ce14af0ca7f786b4ae8b74a7207034da30559bb2463aa3d655e2fca84fc4f8586b6e27a2558c34311f997d2736d131373ce360f1f
-
Filesize: 19B
MD5: d6c13cddb23726f99cdd9678debfe13b
SHA1: 0a6d0f32c098f0e04ec3161f70782a593debfbeb
SHA256: 4098f924cc5ef44d576f033718bb2426d7b8c2074621e2dd22c6b8198ee716f9
SHA512: a908bfeddb45d8cf6ebe549840ad2acc27818e15b859889041c3428a1fc9c504122c44d02783f60181c0c567a339f3ab3d74951ea7c6dcfcc38c286459ad223f
-
Filesize: 93B
MD5: ebf212d01ed390f12e0cc066e09d77a2
SHA1: c0f787b9545b2728020f6023c588c551d494c336
SHA256: d904871846c3d7e75c12d6fc71b1876966884aa9535e9fbcd4ca276e6bbc1852
SHA512: 39d714effb90a25a6fe51e54eaf072830a7298db72c06cd20dcb899c8a1d62dd3db0d124f8c29463efaeb93c0acbd4caeca1870e5b5ac103aa6cea03d570264f
-
Filesize: 194B
MD5: 42085a0684e65c67624dff4c4d5c172d
SHA1: c5d4f907668c152b8eae49402d3e9523c3490a36
SHA256: 698822793660193abbd90e8131d32f11a2662228a31b5edffe1013cfb2a5c247
SHA512: 9dfef92f2ca029f0bcbcdfda53f26fe1111ed5da909c4da0d8c79ada495b68936a259a541db839f296210a73482395ecb33e31dd27e22e8736394e879ee41a0a
-
Filesize: 369B
MD5: 01514467db0a813c66be8057a31d7603
SHA1: 3b6940d2c654d31026708742b1074163f097700e
SHA256: 63972669425d0cf5e7ef2226b4e4059f93a562b8e837402f675b5162aecd367a
SHA512: 1130e4cc42523b1c0d1ff4f0e9fc3d1ebc90f063e1fc2335b49b34ee952264d5b32663188710261adb49951861da9803b5f8c7b558d3defa3ee187a15861bf54
-
Filesize: 417B
MD5: 54a86af600fd34aa7d05688f858a9831
SHA1: 37911deb98cab225e216be230be1469c9fc22a22
SHA256: 0be65edaa891c2fc84d1d6c6cc7e47ebbf88e1f8f80b0f1c6fd6642c4228ab3c
SHA512: 8b121db316f6f097fd4d9fb418db2972b78c50f1928bbed8b38e653993f2aab8216afbd49b7eb4a166e4d678dea6fd546dd69a767ea0f370845b13425e8a39bc
-
Filesize: 81B
MD5: 4a5e7138380177c56c39fa2df84b4ccd
SHA1: cb71e0a77303c732d36eeb22f2b0d1ca042ece04
SHA256: 81f56f16bc35646ec9917b7d064d0b2bf58818700b99ac855f097355ca907e40
SHA512: 36efe58aa7cc3adcd323fb0b79dc92c76184d77b3baa41172418e6bef4b50b9ee80d074f29770feca2fba222b019b58b7f1011a0f2cdf32ae6444a4a83b631e0
-
Filesize: 135B
MD5: be475343536062c22b3d5df965c6f2d2
SHA1: 1e9b991b1ca99d448cc1033c4f0fe6883265be37
SHA256: 7f8b3a9e13838a619a58acc56a2bf8cba4d768580ad480bcde989c616d9f5c8b
SHA512: 378dce7985318067283990a25408893d8d1d84db9e24e9cc29b3e2db7ec07ce0cb12f507ca0f3b9fb77f0f9d9974debd21078196eb5e2f0a65e3a4234a464b27
-
Filesize: 163B
MD5: 7894ec7921b9d852d65210346f390d56
SHA1: 0b10bf8c90fd78c50e1d195b1d5f7200678c212f
SHA256: 96c38a1989e32542bcb3f94e5379673e99a04c5f4e5702b1192ac96d51f80300
SHA512: 73c48d7bcf8ab26154fbf0e485bb6d030b21d824a46b7fb3e4946cc5728092c0e8751ac68dcce72da10fad2c5c0e4a2c2e75dcb7c37fa6e733a2e0328f8e5cdb
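The list above is the part of a report a responder copies into a blocklist, and raw text extractions of these pages often fuse the label to the digest (MD541a7...) so that a hash pasted from the page is off by three characters. The Python below is an added example, not part of the report: it parses both that fused form and the Label: value form into one record per dropped file, rejects a digest of the wrong length rather than silently accepting a truncated one, reports entries that lack any of the four digests, and emits one IOC line per entry. SAMPLE_TEXT holds two entries taken from the list above (the 242KB and 19B files), one written in each form; the parser, the record layout and the size conversion are my own.

```python
"""Parse the flattened Downloads list of a sandbox report into validated hash records.

Constructed example: the parser is not part of the report. SAMPLE_TEXT holds two
entries copied from the Downloads list above, one in "Label: value" form and one in
the label-fused form a raw text extraction produces; everything else is assumed.
"""
import re

HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# The label is fixed text and the digest length is checked afterwards, so a line such as
# "SHA10a6d..." (SHA1 followed by a digest starting with 0) cannot be misread.
LABEL_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5):?\s*([0-9A-Fa-f]*)$")
SIZE_LINE_RE = re.compile(r"^Filesize:?\s*(\S*)$")
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB)$")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

SAMPLE_TEXT = """\
-
Filesize: 242KB
MD5: 41a73af32b92d4fe52f72574dfe8f87a
SHA1: ba4579c0f997a219bf4950375b5c2349f6baa0b3
SHA256: 021fd444605ed00cdce049dac448f025fc1dbc462d618192c1e8cdcb1c12fb3e
SHA512: 61b91c12b88cb154d1d55ecf2c9d3b75ae2ed481dd0fd46f306c38e29f59f6bc43f986938ecbdd2a8e21f8ab5280b00d648fda5c309d7156b75b53c980cf5e35
-
Filesize
19B
MD5d6c13cddb23726f99cdd9678debfe13b
SHA10a6d0f32c098f0e04ec3161f70782a593debfbeb
SHA2564098f924cc5ef44d576f033718bb2426d7b8c2074621e2dd22c6b8198ee716f9
SHA512a908bfeddb45d8cf6ebe549840ad2acc27818e15b859889041c3428a1fc9c504122c44d02783f60181c0c567a339f3ab3d74951ea7c6dcfcc38c286459ad223f
"""


def size_to_bytes(size: str) -> int:
    """'242KB' -> 247808. The report rounds its sizes, so treat the result as approximate."""
    m = SIZE_RE.match(size.strip())
    if not m:
        raise ValueError(f"unrecognised size {size!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


def parse_downloads(text: str) -> list:
    """Split the list on '-' separators and return one dict per dropped file."""
    records, current = [], None
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        if line == "-":
            if current:
                records.append(current)
            current = {}
            continue
        if current is None:
            current = {}
        sm = SIZE_LINE_RE.match(line)
        if sm:
            # Size is either on the same line ("Filesize: 242KB") or on the next one.
            size = sm.group(1) or (lines[i + 1] if i + 1 < len(lines) else "")
            current["size"] = size
            current["size_bytes"] = size_to_bytes(size)
            continue
        m = LABEL_RE.match(line)
        if m:
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) != HASH_LENGTHS[algo]:
                raise ValueError(f"{algo} digest on line {i + 1} has {len(digest)} hex chars, "
                                 f"expected {HASH_LENGTHS[algo]}")
            if algo in current:
                raise ValueError(f"duplicate {algo} digest in one entry (line {i + 1})")
            current[algo] = digest
    if current:
        records.append(current)
    return records


def missing_digests(records: list) -> list:
    """(index, [missing algorithms]) for entries that cannot be matched on every feed."""
    return [(idx, sorted(set(HASH_LENGTHS) - set(rec)))
            for idx, rec in enumerate(records) if not set(HASH_LENGTHS) <= set(rec)]


def ioc_lines(records: list, algo: str = "sha256") -> list:
    """One '<algo>:<digest>' line per entry, ready for a blocklist or a hunt query."""
    return [f"{algo}:{rec[algo]}" for rec in records if algo in rec]


if __name__ == "__main__":
    recs = parse_downloads(SAMPLE_TEXT)
    for line in ioc_lines(recs):
        print(line)
    print("incomplete entries:", missing_digests(recs))
```

Failing loudly on a wrong-length digest is the point of the length table: a blocklist entry that is one hex character short never matches anything and nobody notices, whereas a ValueError at import time is found immediately.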