Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    17/10/2024, 00:07

General

  • Target

    4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe

  • Size

    5.5MB

  • MD5

    4fc4d3801e9066cc655451d14dbb9857

  • SHA1

    46be1887488322f527f32973e0a4ec106ebf5dc0

  • SHA256

    6bb16c752fccad3cfc3dc2d625522fdb678b499060d88114ef7048a0639014f5

  • SHA512

    210669aa41c90f333afacc770e161c34c5cf6054805d0631b00d838bd9059d0621173a879f587ffafddeff48f4e8716f21f0c21f9ca58b62b4aa922a6daeebf7

  • SSDEEP

    98304:QG60o9NQd6SZjUofXQjAXmgUN9FdnTp+7HqMDMIXksdi4ynHU:U0o3QESZJfXQjImjNXdTU74IbdiTU

Malware Config

Signatures

  • Drops file in Drivers directory 3 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 64 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 32 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 43 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe"
    1⤵
    • Drops file in Drivers directory
    • Drops startup file
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3736
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /u /s ""
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3180
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /u /s ""
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4208
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /u /s ""
      2⤵
      • System Location Discovery: System Language Discovery
      PID:404
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /u /s ""
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3664
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /u /s ""
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4356
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /u /s ""
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4352
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /u /s ""
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1088
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /u /s ""
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2980
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /u /s ""
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3148
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /u /s ""
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2256
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /u /s ""
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1432
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /u /s ""
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3088
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /u /s ""
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2068
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /u /s ""
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4988
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /u /s ""
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4400
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /u /s ""
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4456
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\FlashPlayDll.dll"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3704
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\ppsimage.dll"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:3524
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /u /s ""
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4320
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\MediaList.ocx"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:4596
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\Vodnet.dll"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3228
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\Vodres.dll"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2896
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\PowerPlayer.dll"
      2⤵
      • Drops file in Drivers directory
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:1416
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\PowerList.ocx"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:4492
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\Livenet.dll"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:3488
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\Livenet2.dll"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3208
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\fds.dll"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4868
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\ppsva.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3472
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\qasf.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:3048
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\wmadmod.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:684
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\wmsdmod.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2268
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\wmspdmod.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:4996
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\WMVDECOD.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:4436
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\l3Codecx.ax"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1448
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /u /s "C:\Program Files (x86)\PPStream\xd.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1844
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /u /s "C:\Program Files (x86)\PPStream\PPSMedia.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:964
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /u /s "C:\Program Files (x86)\PPStream\WatchList.ocx"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1968
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /u /s "C:\Program Files (x86)\PPStream\tsr.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2468
    • C:\Windows\SysWOW64\Regsvr32.exe
      "C:\Windows\system32\Regsvr32.exe" /u /s "C:\Program Files (x86)\PPStream\vodrc.dll"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4880
    • C:\Program Files (x86)\PPStream\PPStream.exe
      "C:\Program Files (x86)\PPStream\PPStream.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3756

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\PROGRA~2\PPStream\pp2play.dll

          Filesize

          242KB

          MD5

          41a73af32b92d4fe52f72574dfe8f87a

          SHA1

          ba4579c0f997a219bf4950375b5c2349f6baa0b3

          SHA256

          021fd444605ed00cdce049dac448f025fc1dbc462d618192c1e8cdcb1c12fb3e

          SHA512

          61b91c12b88cb154d1d55ecf2c9d3b75ae2ed481dd0fd46f306c38e29f59f6bc43f986938ecbdd2a8e21f8ab5280b00d648fda5c309d7156b75b53c980cf5e35

        • C:\Program Files (x86)\PPStream\FlashPlayDll.dll

          Filesize

          293KB

          MD5

          6c3e76309b1c3981b24ee57bfa05965d

          SHA1

          dfdb30388c9e97a178cca1183989780670a30ff4

          SHA256

          07a98a56841629c4fe071992fc2515dd4b79f3ed297e0e832157f6ffb426c1f7

          SHA512

          f7f2efa633ffa4f03ced325e7fbc35ff6aca753e0a35e5f3df6fa6c037b50d24749f841ec84cca1545ac67a5b6616e8b659da5e7774ca993e252bd5980615bca

        • C:\Program Files (x86)\PPStream\Livenet.dll

          Filesize

          965KB

          MD5

          d6d8fa1f909fbd50d6e02efd0e034b97

          SHA1

          c65b74e88e720c780f0de1898b89c701f48020b4

          SHA256

          ed83d2aecfeffc6669905cf72bcf0cb34ad5f7a7b024087deb65515877ca0cda

          SHA512

          52c4bf30d0361fa9cd53cc882630beec03170a836a6961efec8d8c3d04093b9c1457e6b307a49d0ba0b909fb628e8861128d707818171806ac7166ee4692d4f4

        • C:\Program Files (x86)\PPStream\Livenet2.dll

          Filesize

          1.2MB

          MD5

          b12bbda671c6cec48bb5af66ad684af7

          SHA1

          aa4d7c9623704846686fbe9c2d6f09f2121a836b

          SHA256

          d11a84dc4a469054ea200783cf2ba07bf906cc64657b6ebaf1d9a78c6093a118

          SHA512

          87d30c4a78727570770c9f7aa2c768dc892ba9c076555477c93d5f8c16a1e7c2fcdbf04cafc5a2070a2350a646815afb49b5be078cdb7ec51fb30a1e802a5bfd

        • C:\Program Files (x86)\PPStream\MediaList.ocx

          Filesize

          1.5MB

          MD5

          43c9b075a03d7b673b7a52d4d7ee7add

          SHA1

          c09f44485264d1767f7cf6fb648d938f98de7307

          SHA256

          afb969c56f0bac3ce4c460b9477b1f3685cb284fb12b29193dfa43e6e38ba962

          SHA512

          4933c8d42b317989a451fe6da8772e68bbbaffd52d87be9a4a3f816bb836fca35e7086ecdbb2d93df54763a09d7c88323a383c28907d9e3a8bfdfd1a77d319f8

        • C:\Program Files (x86)\PPStream\PPStream.exe

          Filesize

          2.5MB

          MD5

          d5697843420ce9a6d2542cc78b550b24

          SHA1

          734e7e827824729f87851bdb1896a62df5f880a3

          SHA256

          8fb25e845c15f4bd126613d6663d513d970e6a4b544a6ccb7a5009c6873194c1

          SHA512

          3892aa849db87c7af6dfda505c99314ed441b2dde3654ea1a1f47face5a1215050bbfc43a02e47ea383003d13438e17db659f69f0c705d4cf302449878dca6bb

        • C:\Program Files (x86)\PPStream\PSNetwork.dll

          Filesize

          345KB

          MD5

          75d36a7d5f0442a4c97e548072d44ac1

          SHA1

          ef0f0f852d0611af1b5c7a2a152700045a7148df

          SHA256

          c7ff292192e20884f69bb45feebc0090685f69e7ce1a104b26d4eaa86d172b58

          SHA512

          bf53a28e7bb78803713a1df75d64950b0e01d33ec6affc0505596e458df6080e4d761bb039b2250b22d9d6f589f2aef9a07b0e91c2374fb8f36ea27e9d5ec50e

        • C:\Program Files (x86)\PPStream\PowerList.ocx

          Filesize

          1.5MB

          MD5

          b267aec2585644696044f6b6730d6a1a

          SHA1

          9722785bad1001a880f4eaddea4b71bb88e15d6e

          SHA256

          79c0c0fdb12fd47b863b08283fc6cc71e081b55a22407ea12f0427ea2c5379ec

          SHA512

          c7d42372bb1d4fdc5c454d87af22e8f118e216f8a7ad60300b00f70832d88b2243a17b99a2ba15698041e3e6ee5892e789d461622fc00b4fddd0122a6cec80bb

        • C:\Program Files (x86)\PPStream\PowerPlayer.dll

          Filesize

          1.3MB

          MD5

          61efd502973f406cea48d1d3ee4d5116

          SHA1

          c2cd947eec5a4937715cdee68ce35fd0d15a5860

          SHA256

          cad4a844421ae3a9732f2b2edd885b14a76795b85ded6beb84a5db5f24b5c8f2

          SHA512

          55bf5d37d94503f3cb0a1bbe9bed6b89c09d9262e57c44ef970b27f30697af3fb10861bf34c2991186805fc08c2f647f055d3a95f3a4c3be6776fd97b401045f

        • C:\Program Files (x86)\PPStream\Vodnet.dll

          Filesize

          1.1MB

          MD5

          44cc4f6432ee946263fb6e6697fe4c75

          SHA1

          9ed41c970ddc22a5263db3ca897f8bfbb048eadf

          SHA256

          2531ce68f021aa2f3eb3c0097b45eba5d1435d099c36372a88fa1665e491ed48

          SHA512

          01246a815bdf15e3650987422dee14e54239169e7f86d1ec3a30ecc168469536a6a3b2cf09e42d05b864d581c5a997fb33ef04279c9c756ee4d9247985ad0121

        • C:\Program Files (x86)\PPStream\Vodres.dll

          Filesize

          397KB

          MD5

          bfab7e315b543a526ab04341a95688ea

          SHA1

          007cd093cb0a6f0bf22553886a4ee4b3557f075c

          SHA256

          048d05ae14dc3c38f7f49abc670e375c93341076fa7710730ad35fe230c42545

          SHA512

          04d9b05298805072895a45976cde999348436f039c1c9dbfeb6929d0c85767c9a641acaca7469bb9f871561909848c87c21ac2bd0a8e856715160f97216135ca

        • C:\Program Files (x86)\PPStream\fds.dll

          Filesize

          297KB

          MD5

          3405dbb8be0b5cbe22897a60f8f93157

          SHA1

          c1f3d53992b08471290904276c3032753c0d8509

          SHA256

          d478ce48dc810b1821a6e9f27586bcd758a4ad7d3e72de5286c236e6a0be063e

          SHA512

          17a7f2c989e390ed09756234bad46f947e3a9e2d8f7937c6ce3b53ea9e792e6c1a28856076ce5a799dbe39b745c997c0691d00ef35324aec8f7a6b23c0ccab1f

        • C:\Program Files (x86)\PPStream\ppsimage.dll

          Filesize

          339KB

          MD5

          8c72ccfdc2433978491b3aa7464e6fdc

          SHA1

          8bef1052ae35db4583add9a8f1044904788fc0de

          SHA256

          94e0ba93840a54508f098ef43aed4fb01f661606141223426d069a00d65b7fcd

          SHA512

          0e76a8b3993fcb5e707b769f3dc7962e2e50626630ae2940a43a77d2c3883faecebea6258e5ef36b500db42746d36c6d98e72c54b3c95d53d21edaddd3bcd10e

        • C:\Users\Admin\AppData\Local\Temp\nsl9455.tmp

          Filesize

          2KB

          MD5

          a0736517388eac9c9eee9e20c7440ea2

          SHA1

          671c5c5d633d96eb9075b2992ed93e7029f7cff4

          SHA256

          2c52318115cfc47f7dfdc2dec9e9a921ba575874ca3427c58f45d0e8f281f3ab

          SHA512

          7cc4cbe6fa527c0838dad31870f52dd2e6fefb76acdc76b5e68e379370f22338703dfd372fb71ce1159b0c10df713cdd42e0cd76a8ef928475d8277644d92e12

        • C:\Users\Admin\AppData\Local\Temp\nsl9455.tmp

          Filesize

          2KB

          MD5

          b3040c34cd007d678158ced31b8f1fed

          SHA1

          0b39b20ea0bc83852197c30701d6cfb311289089

          SHA256

          7d686a4673bb4c735d37e84c4fff55f3fe709c3cbf27bfec759665fc1e684200

          SHA512

          85b80ac51ea4b0c30c663db59ebb9e5b3ee4ba2bf033a0178953fc131aff36fb99fbf5840800c642bed2dd3d89e9a8f0d49a092ef5c687e2301151862e7205ea

        • C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\ButtonEvent.dll

          Filesize

          4KB

          MD5

          fad9d09fc0267e8513b8628e767b2604

          SHA1

          bea76a7621c07b30ed90bedef4d608a5b9e15300

          SHA256

          5d913c6be9c9e13801acc5d78b11d9f3cd42c1b3b3cad8272eb6e1bfb06730c2

          SHA512

          b39c5ea8aea0640f5a32a1fc03e8c8382a621c168980b3bc5e2897932878003b2b8ef75b3ad68149c35420d652143e2ef763b6a47d84ec73621017f0273e2805

        • C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\ButtonLinker.dll

          Filesize

          7KB

          MD5

          dd85ac7d85c92dd0e3cc17dfd4890f54

          SHA1

          a128fb7a05965c1a9913c6f5e419e6c4c0a7d2fa

          SHA256

          27abd2a4fb1bf66add60221b52d061bbe24d2d21e13600725ff7a5c6c777b504

          SHA512

          e4ff8216c65110a9d156f37c2062acb53a72daa8af12dfc24278920d9e1a4083a81b1446759df75405b2da34c7bfb1afc33184feedd0aee4ed73f79fcbb1a8a1

        • C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\EBanner.dll

          Filesize

          5KB

          MD5

          3de4b5a6d1098c217f7bdddbde113b81

          SHA1

          aaea1d21b8910f1a14beb7a3138598fc5ac607e9

          SHA256

          3dad1148e63594824861fd3359459f96f1e3322bcb5b04a6a2fca60370f97e3f

          SHA512

          5fbfe530bfb39dada5369e6dcec6e1a2d1201ed2d104dd3f397244a5482525d16e0d8bc4fc0b1836794401fcc1c1aae3bc79aaf72d4ea7d034f39e4624d4aeec

        • C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\Math.dll

          Filesize

          66KB

          MD5

          b140459077c7c39be4bef249c2f84535

          SHA1

          c56498241c2ddafb01961596da16d08d1b11cd35

          SHA256

          0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67

          SHA512

          fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328

        • C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\Registry.dll

          Filesize

          24KB

          MD5

          0e1fbcbfec72e5c3f76024174980053d

          SHA1

          67e7f707b1e5d3f3665562f3519946a7a2859a78

          SHA256

          83c6fb0ae59cc3d00638559fd87b860f61e7ad60c63551c2e9e78ffac71d4ef0

          SHA512

          efb7736b103a5355356f1c4d109f27bd91cf40ae18b9dad1a81760688ca391c091e35208f368e8870523bc74ec7239f87b403513bc4a33fdf86314a43e4e48c4

        • C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\System.dll

          Filesize

          11KB

          MD5

          c17103ae9072a06da581dec998343fc1

          SHA1

          b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

          SHA256

          dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

          SHA512

          d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

        • C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\inetc.dll

          Filesize

          20KB

          MD5

          134b93f8bd1f82cd2f1b06c878580703

          SHA1

          29cdbce7a2caf1f7e4d2a139c42336d490074665

          SHA256

          45153adf50541316468e2b189a0f8127be9fb29e2f920e7eeaa6aceb438db8c4

          SHA512

          f970c38debb6631dab7369e2bc96237f16a8fd328d9d35a2b54cb688e1807f62cc6d63230afe89ce5c3945097ae4466872c72929a9623adde3ee57bddf54b692

        • C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\modern-wizard.bmp

          Filesize

          150KB

          MD5

          f270bb2201c8595ccf77ab85c6ae4399

          SHA1

          84398bc484923ebb51f8f403b51b2579c7228db5

          SHA256

          c2346f1adde353aeb6e5171d85433a3f831776607886dc3d1ac831d76631b552

          SHA512

          2bfe55c653a4237dd7c14921a3ce467e726260f32a2cbc24029d5e8ede42aef45a1dce8e17009c02a26328e6c67552c4edbc9541f1ee3354c2907209258e93da

        • C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\nsDialogs.dll

          Filesize

          9KB

          MD5

          c10e04dd4ad4277d5adc951bb331c777

          SHA1

          b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

          SHA256

          e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

          SHA512

          853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

        • C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\nsProcess.dll

          Filesize

          4KB

          MD5

          59e67d25d0a4eee6493f2c8467c42a8e

          SHA1

          e1df50b38ac6e62a18eeae273eefbc63c80ec4cc

          SHA256

          ffed8f040d06d09d4c1656ba8dbecca112a91fbfac0d9f2788b6e3b449f8a874

          SHA512

          e558823ac2d66da49761690818d035ff728a154cc15148fd8376dffea1d9e0108b8b6f4776c1f7834f3aabfc8c0ab23aef4bac6d0b33cd73cc32635928350988

        • C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\nsisFirewall.dll

          Filesize

          8KB

          MD5

          69f2e8c6fd141e9e720b2c4c366a8154

          SHA1

          a6279d93a102b6d7608dced32a36ddcd3e51994c

          SHA256

          2e204ee4f1d12b4ca35c8205cea0cabe354f2e79a471863cfb76a7cee83cf107

          SHA512

          bf23a5f3ce98e6a1c04fe8ae6b6f385483ceed62470cd109017c97f37c23adbf0203bfb43d09b007c6925aeb5da9617f33bc5c478618f00cc91da83a48cacaf2

        • C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\nxs.dll

          Filesize

          6KB

          MD5

          f2b34b71784d11515c3100389a6c7a60

          SHA1

          798aa07c1c069ded15787f726445153c93d8ca17

          SHA256

          e75cffab1063e500383d642f9a7519ca20da247c72839f97d731edc84314d173

          SHA512

          137ed1bf56955cc3cda6a219f9794fe5f59548a443d11b7f221acaf2887ece80e8e6efd3a9e0a4e64f8b13e99688b7a63f64f91efddd0fcd84a581fccf6fd8f2

        • C:\Users\Admin\AppData\Roaming\PPStream\adsys\ads_240652296.xml

          Filesize

          16KB

          MD5

          66f23be00723b2f54e7086ab37b9f273

          SHA1

          591d749b09c88a6bf715f4f75d7a57bce309bcbe

          SHA256

          3bd2b19b361864656d0cab5c66e76864313eff36e70b01086840689ab154b987

          SHA512

          5d4b171d08ac1a6c62fd8f1ce14af0ca7f786b4ae8b74a7207034da30559bb2463aa3d655e2fca84fc4f8586b6e27a2558c34311f997d2736d131373ce360f1f

        • C:\Users\Admin\AppData\Roaming\PPStream\powerlist.ini

          Filesize

          19B

          MD5

          d6c13cddb23726f99cdd9678debfe13b

          SHA1

          0a6d0f32c098f0e04ec3161f70782a593debfbeb

          SHA256

          4098f924cc5ef44d576f033718bb2426d7b8c2074621e2dd22c6b8198ee716f9

          SHA512

          a908bfeddb45d8cf6ebe549840ad2acc27818e15b859889041c3428a1fc9c504122c44d02783f60181c0c567a339f3ab3d74951ea7c6dcfcc38c286459ad223f

        • C:\Users\Admin\AppData\Roaming\PPStream\powerplayer.ini

          Filesize

          93B

          MD5

          ebf212d01ed390f12e0cc066e09d77a2

          SHA1

          c0f787b9545b2728020f6023c588c551d494c336

          SHA256

          d904871846c3d7e75c12d6fc71b1876966884aa9535e9fbcd4ca276e6bbc1852

          SHA512

          39d714effb90a25a6fe51e54eaf072830a7298db72c06cd20dcb899c8a1d62dd3db0d124f8c29463efaeb93c0acbd4caeca1870e5b5ac103aa6cea03d570264f

        • C:\Users\Admin\AppData\Roaming\PPStream\powerplayer.ini

          Filesize

          194B

          MD5

          42085a0684e65c67624dff4c4d5c172d

          SHA1

          c5d4f907668c152b8eae49402d3e9523c3490a36

          SHA256

          698822793660193abbd90e8131d32f11a2662228a31b5edffe1013cfb2a5c247

          SHA512

          9dfef92f2ca029f0bcbcdfda53f26fe1111ed5da909c4da0d8c79ada495b68936a259a541db839f296210a73482395ecb33e31dd27e22e8736394e879ee41a0a

        • C:\Users\Admin\AppData\Roaming\PPStream\powerplayer.ini

          Filesize

          369B

          MD5

          01514467db0a813c66be8057a31d7603

          SHA1

          3b6940d2c654d31026708742b1074163f097700e

          SHA256

          63972669425d0cf5e7ef2226b4e4059f93a562b8e837402f675b5162aecd367a

          SHA512

          1130e4cc42523b1c0d1ff4f0e9fc3d1ebc90f063e1fc2335b49b34ee952264d5b32663188710261adb49951861da9803b5f8c7b558d3defa3ee187a15861bf54

        • C:\Users\Admin\AppData\Roaming\PPStream\powerplayer.ini

          Filesize

          417B

          MD5

          54a86af600fd34aa7d05688f858a9831

          SHA1

          37911deb98cab225e216be230be1469c9fc22a22

          SHA256

          0be65edaa891c2fc84d1d6c6cc7e47ebbf88e1f8f80b0f1c6fd6642c4228ab3c

          SHA512

          8b121db316f6f097fd4d9fb418db2972b78c50f1928bbed8b38e653993f2aab8216afbd49b7eb4a166e4d678dea6fd546dd69a767ea0f370845b13425e8a39bc

        • C:\Users\Admin\AppData\Roaming\PPStream\psnetwork.ini

          Filesize

          81B

          MD5

          4a5e7138380177c56c39fa2df84b4ccd

          SHA1

          cb71e0a77303c732d36eeb22f2b0d1ca042ece04

          SHA256

          81f56f16bc35646ec9917b7d064d0b2bf58818700b99ac855f097355ca907e40

          SHA512

          36efe58aa7cc3adcd323fb0b79dc92c76184d77b3baa41172418e6bef4b50b9ee80d074f29770feca2fba222b019b58b7f1011a0f2cdf32ae6444a4a83b631e0

        • C:\Users\Admin\AppData\Roaming\PPStream\psnetwork.ini

          Filesize

          135B

          MD5

          be475343536062c22b3d5df965c6f2d2

          SHA1

          1e9b991b1ca99d448cc1033c4f0fe6883265be37

          SHA256

          7f8b3a9e13838a619a58acc56a2bf8cba4d768580ad480bcde989c616d9f5c8b

          SHA512

          378dce7985318067283990a25408893d8d1d84db9e24e9cc29b3e2db7ec07ce0cb12f507ca0f3b9fb77f0f9d9974debd21078196eb5e2f0a65e3a4234a464b27

        • C:\Users\Admin\AppData\Roaming\PPStream\psnetwork.ini

          Filesize

          163B

          MD5

          7894ec7921b9d852d65210346f390d56

          SHA1

          0b10bf8c90fd78c50e1d195b1d5f7200678c212f

          SHA256

          96c38a1989e32542bcb3f94e5379673e99a04c5f4e5702b1192ac96d51f80300

          SHA512

          73c48d7bcf8ab26154fbf0e485bb6d030b21d824a46b7fb3e4946cc5728092c0e8751ac68dcce72da10fad2c5c0e4a2c2e75dcb7c37fa6e733a2e0328f8e5cdb

        • memory/3736-358-0x0000000003460000-0x0000000003499000-memory.dmp

          Filesize

          228KB

        • memory/3736-87-0x0000000004190000-0x00000000041AA000-memory.dmp

          Filesize

          104KB

        • memory/3756-318-0x0000000007140000-0x00000000072C9000-memory.dmp

          Filesize

          1.5MB

        • memory/3756-306-0x0000000006400000-0x000000000657E000-memory.dmp

          Filesize

          1.5MB

        • memory/3756-233-0x00000000044B0000-0x00000000044FB000-memory.dmp

          Filesize

          300KB

        • memory/3756-264-0x0000000004CF0000-0x0000000004D46000-memory.dmp

          Filesize

          344KB

        • memory/3756-247-0x0000000004540000-0x000000000458C000-memory.dmp

          Filesize

          304KB