Analysis Overview
SHA256
6bb16c752fccad3cfc3dc2d625522fdb678b499060d88114ef7048a0639014f5
Threat Level: Likely malicious
The file 4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Drops file in Drivers directory
Executes dropped EXE
Loads dropped DLL
Drops startup file
Writes to the Master Boot Record (MBR)
Checks installed software on the system
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
NSIS installer
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Modifies Control Panel
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-17 00:07
Signatures
NSIS installer
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-17 00:07
Reported
2024-10-17 00:10
Platform
win7-20240903-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\nse9F3.tmp | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | F:\PPS.tv\PPStream\PPStream.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PPS.lnk | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | F:\PPS.tv\PPStream\PPStream.exe | N/A |
Loads dropped DLL
Checks installed software on the system
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | F:\PPS.tv\PPStream\PPStream.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\pncrt.dll | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\pps影讯屏保.scr | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\ | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | F:\PPS.tv\PPStream\PPStream.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\PPS影~1.SCR" | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6F527659-7814-4B10-824B-C763CC31B79D} | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6F527659-7814-4B10-824B-C763CC31B79D}\AppPath = "F:\\PPS.tv\\PPStream" | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6F527659-7814-4B10-824B-C763CC31B79D}\AppName = "PPSAP.exe" | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6F527659-7814-4B10-824B-C763CC31B79D}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | F:\PPS.tv\PPStream\PPStream.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{35BC41F4-274A-4C1A-9D32-E666DF185AD0}\ = "IPPSPicture" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ppstreamlive2\ = "F:\\PPS.tv\\PPStream\\Livenet2.dll" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00FBDAD7-B253-40FD-86C7-0FE4034A03C5}\Programmable | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{39A4D48D-0B87-41CA-A42D-78019F6A3C14}\1.0\HELPDIR\ | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5D0CE636-38CD-4AE7-8BEF-D33CE4A01C83}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5EC7C511-CD0F-42E6-830C-1BD9882F3458}\Implemented Categories | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MEDIALIST.MediaListCtrl.1 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1AF34165-6CA9-4F08-BC21-49AEDC68D828}\ = "PowerPlayer Property Page" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\POWERPLAYER.PowerPlayerCtrl.1\CLSID | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pps_wma | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F27E175E-4118-4098-A6F7-4B40C7321B77}\ProxyStubClsid32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ppstreamvod | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.rmvb | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77272D62-F21A-4D7B-9D44-AE04220B9086}\VersionIndependentProgID\ = "Image.PPSImage" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C23220E-55BB-11D3-8B16-00C04FB6BD3D} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pmv\DefaultIcon\ = "F:\\PPS.tv\\PPStream\\PPStream.exe,-148" | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pps | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wmv\ = "pps.wmv" | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pps_wma\shell\open\command\ = "F:\\PPS.tv\\PPStream\\PPStream.exe \"%1\"" | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rm\ = "pps_rm" | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\POWERPLAYER.PowerPlayerCtrl.1 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71932D43-3CA5-46EF-B013-3F9A695996ED}\InprocServer32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{187463A0-5BB7-11D3-ACBE-0080C75E246E} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pps\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pps_wmv | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A0427FCE-9B13-4941-A194-3C6035260BDD}\1.0\HELPDIR | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C400B05B-CD0E-4ADF-9381-20A3C672B473}\1.1\0 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3F95A360-48CA-47B4-B9EF-CA19B94D074D}\TypeLib | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3790C037-C104-4AAC-97D4-0DE9280AF7E3}\TypeLib | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wma\ = "pps_wma" | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5EC7C511-CD0F-42E6-830C-1BD9882F3458}\InprocServer32\ = "F:\\PPS.tv\\PPStream\\POWERP~1.DLL" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{7C23220E-55BB-11D3-8B16-00C04FB6BD3D}\FilterData = 02000000000040000000000000000000 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pmv | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\PPStream.exe\shell\ | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Image.PPSPicture.1\ = "PPSPicture Class" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0C921ABA-8602-4588-9157-1AAAD9396180} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C400B05B-CD0E-4ADF-9381-20A3C672B473}\1.1 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8BEBA807-5611-4E22-BCF7-280DAED9A1F3}\1.0\ = "PowerList of ppStream" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Image.PPSImage.1\ = "PPSImage Class" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5EC7C511-CD0F-42E6-830C-1BD9882F3458}\Version\ = "1.1" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pps\DefaultIcon\ = "F:\\PPS.tv\\PPStream\\PPStream.exe,-0" | F:\PPS.tv\PPStream\PPStream.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ppstream | F:\PPS.tv\PPStream\PPStream.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77272D62-F21A-4D7B-9D44-AE04220B9086}\VersionIndependentProgID | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35BC41F4-274A-4C1A-9D32-E666DF185AD0}\ = "IPPSPicture" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C400B05B-CD0E-4ADF-9381-20A3C672B473}\1.1\0\win32\ = "F:\\PPS.tv\\PPStream\\PowerPlayer.dll" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{94297043-BD82-4DFD-B0DE-8177739C6D20}\InprocServer32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\Transforms | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rm\ = "pps.rm" | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{39A4D48D-0B87-41CA-A42D-78019F6A3C14}\1.0\0 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pps_rm | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{39A4D48D-0B87-41CA-A42D-78019F6A3C14}\1.0\ = "MediaList ActiveX Control module" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30C35170-EF87-4227-8454-ECA14F23904C}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ppstream\shell\open\command\ = "\"F:\\PPS.tv\\PPStream\\PPStream.exe\" -ppstream \"%1\"" | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pgf | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00FBDAD7-B253-40FD-86C7-0FE4034A03C5}\ProgID\ = "Image.PPSPicture.1" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00FBDAD7-B253-40FD-86C7-0FE4034A03C5}\Programmable | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20C2C286-BDE8-441B-B73D-AFA22D914DA5}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{187463A0-5BB7-11D3-ACBE-0080C75E246E} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\DirectShow\MediaObjects\Categories\57f2db8b-e6bb-4513-9d43-dcd2a6593125 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pps_wmv\shell\open | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F27E175E-4118-4098-A6F7-4B40C7321B77}\TypeLib | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98CB8A58-AF21-45A2-9B41-6626C2F79665}\ProxyStubClsid32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| N/A | N/A | F:\PPS.tv\PPStream\PPStream.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | F:\PPS.tv\PPStream\PPStream.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /u /s ""
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "F:\PPS.tv\PPStream\FlashPlayDll.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "F:\PPS.tv\PPStream\ppsimage.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /u /s ""
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "F:\PPS.tv\PPStream\MediaList.ocx"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "F:\PPS.tv\PPStream\Vodnet.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "F:\PPS.tv\PPStream\Vodres.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "F:\PPS.tv\PPStream\PowerPlayer.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "F:\PPS.tv\PPStream\PowerList.ocx"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "F:\PPS.tv\PPStream\Livenet.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "F:\PPS.tv\PPStream\Livenet2.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "F:\PPS.tv\PPStream\fds.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "F:\PPS.tv\PPStream\ppsva.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\qasf.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\wmadmod.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\wmsdmod.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\wmspdmod.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\WMVDECOD.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\l3Codecx.ax"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /u /s "F:\PPS.tv\PPStream\xd.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /u /s "F:\PPS.tv\PPStream\PPSMedia.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /u /s "F:\PPS.tv\PPStream\WatchList.ocx"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /u /s "F:\PPS.tv\PPStream\tsr.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /u /s "F:\PPS.tv\PPStream\vodrc.dll"
F:\PPS.tv\PPStream\PPStream.exe
"F:\PPS.tv\PPStream\PPStream.exe"
Network
Files
F:\PPS.tv\PPStream\PowerList.ocx
| MD5 | b267aec2585644696044f6b6730d6a1a |
| SHA1 | 9722785bad1001a880f4eaddea4b71bb88e15d6e |
| SHA256 | 79c0c0fdb12fd47b863b08283fc6cc71e081b55a22407ea12f0427ea2c5379ec |
| SHA512 | c7d42372bb1d4fdc5c454d87af22e8f118e216f8a7ad60300b00f70832d88b2243a17b99a2ba15698041e3e6ee5892e789d461622fc00b4fddd0122a6cec80bb |
F:\PPS.tv\PPStream\Livenet.dll
| MD5 | d6d8fa1f909fbd50d6e02efd0e034b97 |
| SHA1 | c65b74e88e720c780f0de1898b89c701f48020b4 |
| SHA256 | ed83d2aecfeffc6669905cf72bcf0cb34ad5f7a7b024087deb65515877ca0cda |
| SHA512 | 52c4bf30d0361fa9cd53cc882630beec03170a836a6961efec8d8c3d04093b9c1457e6b307a49d0ba0b909fb628e8861128d707818171806ac7166ee4692d4f4 |
F:\PPS.tv\PPStream\Livenet2.dll
| MD5 | b12bbda671c6cec48bb5af66ad684af7 |
| SHA1 | aa4d7c9623704846686fbe9c2d6f09f2121a836b |
| SHA256 | d11a84dc4a469054ea200783cf2ba07bf906cc64657b6ebaf1d9a78c6093a118 |
| SHA512 | 87d30c4a78727570770c9f7aa2c768dc892ba9c076555477c93d5f8c16a1e7c2fcdbf04cafc5a2070a2350a646815afb49b5be078cdb7ec51fb30a1e802a5bfd |
F:\PPS.tv\PPStream\fds.dll
| MD5 | 3405dbb8be0b5cbe22897a60f8f93157 |
| SHA1 | c1f3d53992b08471290904276c3032753c0d8509 |
| SHA256 | d478ce48dc810b1821a6e9f27586bcd758a4ad7d3e72de5286c236e6a0be063e |
| SHA512 | 17a7f2c989e390ed09756234bad46f947e3a9e2d8f7937c6ce3b53ea9e792e6c1a28856076ce5a799dbe39b745c997c0691d00ef35324aec8f7a6b23c0ccab1f |
F:\PPS.tv\PPStream\PPStream.exe
| MD5 | d5697843420ce9a6d2542cc78b550b24 |
| SHA1 | 734e7e827824729f87851bdb1896a62df5f880a3 |
| SHA256 | 8fb25e845c15f4bd126613d6663d513d970e6a4b544a6ccb7a5009c6873194c1 |
| SHA512 | 3892aa849db87c7af6dfda505c99314ed441b2dde3654ea1a1f47face5a1215050bbfc43a02e47ea383003d13438e17db659f69f0c705d4cf302449878dca6bb |
C:\Users\Admin\AppData\Local\Temp\nse9A4.tmp\modern-wizard.bmp
| MD5 | f270bb2201c8595ccf77ab85c6ae4399 |
| SHA1 | 84398bc484923ebb51f8f403b51b2579c7228db5 |
| SHA256 | c2346f1adde353aeb6e5171d85433a3f831776607886dc3d1ac831d76631b552 |
| SHA512 | 2bfe55c653a4237dd7c14921a3ce467e726260f32a2cbc24029d5e8ede42aef45a1dce8e17009c02a26328e6c67552c4edbc9541f1ee3354c2907209258e93da |
C:\Users\Admin\AppData\Roaming\ppStream\ppstream.ini
| MD5 | 2765a1232c30712303201cd49f2088cf |
| SHA1 | 22982bef1f647d67885c6726d212ec1c18eeef2c |
| SHA256 | 53ad24b4a870af60026cfa075cf88477636b3b5739d2ea48660faebedc62b2c5 |
| SHA512 | beb678ce41ba7540a4b119d8e0c76b2dc2e81ee5cdf2c987645c7d4993a0f991a7afb9aae474777c20cec8265b7e6b862c5728e545834f35aaea1e97b74b1016 |
C:\Users\Admin\AppData\Roaming\ppStream\powerplayer.ini
| MD5 | 920d2211dfc815cb5197ca8ebb7129d0 |
| SHA1 | 727a39d3839868c607166238a84514efb5a945ce |
| SHA256 | 129c8eb366578c321fd0cfe620beaa6584ae630c3137c9f1721ac57541dfebc6 |
| SHA512 | 50ad483070a99d1c7504e07a3aa44fcdc8d2affcb926baadc85fc721b4eddb3e675970e18b7dc1dc6b8896c8f5882c97e7d4a40bf75e40dc352880c904fafe3a |
C:\Users\Admin\AppData\Roaming\ppStream\psnetwork.ini
| MD5 | 28ac4a5a6a6d19ec39bcb8b956a6eb54 |
| SHA1 | 404ef12e8503132d118fa2351ba7bfb237086f11 |
| SHA256 | 31108dd398ec67433fcfbda90add2aacaf4d1e9e73af19cae27031b2da634e76 |
| SHA512 | 847a3fa8562462333c088e0c9e540f7ceefa529f038cf98ff7ff63c43a4d94b5e3923448ec4efaccc09f337d7238217d4e2be79152689182689c381e727f3da4 |
memory/1708-204-0x00000000006E0000-0x000000000072B000-memory.dmp
C:\Users\Admin\AppData\Roaming\PPStream\powerplayer.ini
| MD5 | b2897eee0ad5b2feedc84d4ff4fcaa96 |
| SHA1 | 0dc9c07a766e6bb720fbf36164938bd00b043c3f |
| SHA256 | 4e43736ed1c14aadbe359f0cf0e0bf3c9d9558df2e540d90800ffcc574adb04d |
| SHA512 | 266c0afe6cc90835142b2325ecbe4b92fd6c21eb0379fc574ce349d247926e61c3765fed2def597359c83310e8532d8f135d6534fc807a1b5027bf29dbd8735e |
memory/1708-216-0x0000000002CB0000-0x0000000002CFC000-memory.dmp
memory/1708-231-0x0000000003FE0000-0x0000000004036000-memory.dmp
C:\Users\Admin\AppData\Roaming\PPStream\psnetwork.ini
| MD5 | 3591669bb71181624c2b48cfec5805e4 |
| SHA1 | e1cfe830520738f2b310ca404ece6676076c046b |
| SHA256 | 78ee52bad550070d2380073fcd68b473d5ccb306ee553dc37647e05c7cc3d509 |
| SHA512 | 85e34fdd830fd890abcd52eecbc25248a39f693d97d1f57d9ca7ec5a25083cb3deaedfcf49db6f9f29e93e40c2644738bf3fe3158af803630eb669d468e385af |
C:\Users\Admin\AppData\Roaming\PPStream\powerplayer.ini
| MD5 | 76035f68f52f611d1a6ae6185ef29556 |
| SHA1 | 3c89b49e3f6c1f9d6afa9b86cb752ada6fd7c0d5 |
| SHA256 | 3eaa439619303170f8d1f6fe5852f5d9682e05dc8a6658f6fcf9352c1c76d34f |
| SHA512 | ce7e9ac08035515be9ce0f90bf6b55bacbacaab6a93184c3d7a2be572ffd2e5191e307a9fe426936aeabc9edcfa1149f84161149248ac7fa8efec23b50bbdbe1 |
C:\Users\Admin\AppData\Roaming\PPStream\psnetwork.ini
| MD5 | 24796dc640160d913f4e1d6476e484a2 |
| SHA1 | 97d6231a1a7a431cf3442bed6cd0fe497142ca06 |
| SHA256 | e16a5270240a1748327dce9605ebde3bd04393c58703cec9b97bf6c72e46d6e5 |
| SHA512 | a4acce59bc72c8d8714d3e556f200ef63389b8deecbc10887ad818e9028b7c522c57ad1090e837ce612f6f618d2fb5d694e0876c7b98814ed2639b71ee53684e |
F:\PPS.tv\PPStream\pp2play.dll
| MD5 | 41a73af32b92d4fe52f72574dfe8f87a |
| SHA1 | ba4579c0f997a219bf4950375b5c2349f6baa0b3 |
| SHA256 | 021fd444605ed00cdce049dac448f025fc1dbc462d618192c1e8cdcb1c12fb3e |
| SHA512 | 61b91c12b88cb154d1d55ecf2c9d3b75ae2ed481dd0fd46f306c38e29f59f6bc43f986938ecbdd2a8e21f8ab5280b00d648fda5c309d7156b75b53c980cf5e35 |
memory/1708-265-0x0000000005540000-0x00000000056BE000-memory.dmp
memory/1708-281-0x0000000006230000-0x00000000063B9000-memory.dmp
C:\Users\Admin\AppData\Roaming\PPStream\powerlist.ini
| MD5 | d6c13cddb23726f99cdd9678debfe13b |
| SHA1 | 0a6d0f32c098f0e04ec3161f70782a593debfbeb |
| SHA256 | 4098f924cc5ef44d576f033718bb2426d7b8c2074621e2dd22c6b8198ee716f9 |
| SHA512 | a908bfeddb45d8cf6ebe549840ad2acc27818e15b859889041c3428a1fc9c504122c44d02783f60181c0c567a339f3ab3d74951ea7c6dcfcc38c286459ad223f |
C:\Users\Admin\AppData\Roaming\ppStream\skin\Vista\Vista.ssk
| MD5 | f0d7d09b41a7a661f71f9a9d0bb47af8 |
| SHA1 | 9886480e62374405e2fb81eeebaf49ee3fe6e090 |
| SHA256 | ae6637034da3a072bbe7b364ee7ff9a9c4db0a4e5ee1fded177da59cc35afe33 |
| SHA512 | 3a57c1fa49422d3c5f590d0f42558cda682ac46f66b486128e95e0083e8e719b2c7a50102fe46e73f85cb860ccb7d0bdaf823aea3d5e56c67df5e718fab073d0 |
C:\Users\Admin\AppData\Local\Temp\nstA03.tmp
| MD5 | b3040c34cd007d678158ced31b8f1fed |
| SHA1 | 0b39b20ea0bc83852197c30701d6cfb311289089 |
| SHA256 | 7d686a4673bb4c735d37e84c4fff55f3fe709c3cbf27bfec759665fc1e684200 |
| SHA512 | 85b80ac51ea4b0c30c663db59ebb9e5b3ee4ba2bf033a0178953fc131aff36fb99fbf5840800c642bed2dd3d89e9a8f0d49a092ef5c687e2301151862e7205ea |
\Users\Admin\AppData\Local\Temp\nse9A4.tmp\Registry.dll
| MD5 | 0e1fbcbfec72e5c3f76024174980053d |
| SHA1 | 67e7f707b1e5d3f3665562f3519946a7a2859a78 |
| SHA256 | 83c6fb0ae59cc3d00638559fd87b860f61e7ad60c63551c2e9e78ffac71d4ef0 |
| SHA512 | efb7736b103a5355356f1c4d109f27bd91cf40ae18b9dad1a81760688ca391c091e35208f368e8870523bc74ec7239f87b403513bc4a33fdf86314a43e4e48c4 |
memory/3044-324-0x0000000004450000-0x0000000004489000-memory.dmp
C:\Users\Admin\AppData\Roaming\PPStream\powerplayer.ini
| MD5 | e9c01ad5184b2c72ce083f8b25487d8b |
| SHA1 | e41597f6e5bbfc51f02a101e195b0d17a21cb28b |
| SHA256 | 0347c55cd0865bd0e4c4e01bbd4f8952ea8355156f9c17aac56ab7901e12ab3b |
| SHA512 | b92e48ee6b45f9ebc0224de4cf4d403763b37298d8719fcc9a230ed9e072b170f45d12f03b5ed33f96a93d2b3a5107936285408273c4a509633c3a287e97ff30 |
C:\Users\Admin\AppData\Roaming\PPStream\adsys\ads_259491688.xml
| MD5 | 66f23be00723b2f54e7086ab37b9f273 |
| SHA1 | 591d749b09c88a6bf715f4f75d7a57bce309bcbe |
| SHA256 | 3bd2b19b361864656d0cab5c66e76864313eff36e70b01086840689ab154b987 |
| SHA512 | 5d4b171d08ac1a6c62fd8f1ce14af0ca7f786b4ae8b74a7207034da30559bb2463aa3d655e2fca84fc4f8586b6e27a2558c34311f997d2736d131373ce360f1f |
memory/1708-424-0x0000000010000000-0x000000001016B000-memory.dmp
memory/1708-430-0x0000000006230000-0x00000000063B9000-memory.dmp
memory/1708-429-0x0000000005540000-0x00000000056BE000-memory.dmp
memory/1708-428-0x0000000003FE0000-0x0000000004036000-memory.dmp
memory/1708-427-0x0000000002CB0000-0x0000000002CFC000-memory.dmp
memory/1708-426-0x00000000006E0000-0x000000000072B000-memory.dmp
memory/1708-425-0x0000000030000000-0x000000003006A000-memory.dmp
memory/1708-441-0x0000000005540000-0x00000000056BE000-memory.dmp
memory/1708-437-0x0000000030000000-0x000000003006A000-memory.dmp
memory/1708-442-0x0000000006230000-0x00000000063B9000-memory.dmp
C:\Users\Admin\AppData\Roaming\PPStream\psnetwork.ini
| MD5 | 282ffec41897358446acbc545a6e3acd |
| SHA1 | 3fda8e01763e06e077950598e8a0128802db474f |
| SHA256 | d5d8533d34aed8e6bd193c7fb4c1c3511c1d82769fff9dd9bcda927f115186c8 |
| SHA512 | 030d42859e8458068932bd90c5cc0e1faa639ce20ff5622a2df5f0d54e509fc1d3f4f20cd656a1188e6022dfba606a72d0093ca0bbb9a02f1319c69bfda0a795 |
memory/1708-446-0x0000000010000000-0x000000001016B000-memory.dmp
memory/1708-463-0x00000000006E0000-0x000000000072B000-memory.dmp
memory/1708-497-0x0000000006230000-0x00000000063B9000-memory.dmp
memory/1708-496-0x0000000005540000-0x00000000056BE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-17 00:07
Reported
2024-10-17 00:10
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\nsv9444.tmp | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Program Files (x86)\PPStream\PPStream.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PPS.lnk | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\PPStream\PPStream.exe | N/A |
Loads dropped DLL
Checks installed software on the system
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\PPStream\PPStream.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\pncrt.dll | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\ppsӰѶÆÁ±£.scr | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\psnetwork.ini | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\powerplayer.ini | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\PPStream\PPStream.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\PPSÓ°~1.SCR" | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6F527659-7814-4B10-824B-C763CC31B79D}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6F527659-7814-4B10-824B-C763CC31B79D} | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6F527659-7814-4B10-824B-C763CC31B79D}\AppPath = "C:\\Program Files (x86)\\PPStream" | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6F527659-7814-4B10-824B-C763CC31B79D}\AppName = "PPSAP.exe" | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\.wmv\ = "pps_wmv" | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pps_rm\shell\open\command\ = "C:\\Program Files (x86)\\PPStream\\PPStream.exe \"%1\"" | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EC7C511-CD0F-42E6-830C-1BD9882F3458}\MiscStatus\ = "0" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\.asf\ = "pps_asf" | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C921ABA-8602-4588-9157-1AAAD9396180}\InprocServer32\ = "C:\\PROGRA~2\\PPStream\\MEDIAL~1.OCX" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\DirectShow\MediaObjects\Categories\4a69b442-28be-4991-969c-b500adf5d8a8\82d353df-90bd-4382-8bc2-3f6192b76e34 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Image.PPSImage.1\ = "PPSImage Class" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C368CF95-9886-458A-B3F3-AA15F561C9E2} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pps\ = "PPS²¥·ÅÐ\u00adÒé" | C:\Program Files (x86)\PPStream\PPStream.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pgf\DefaultIcon\ = "C:\\Program Files (x86)\\PPStream\\PPStream.exe,-317" | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00FBDAD7-B253-40FD-86C7-0FE4034A03C5} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ppstreamlive\ = "C:\\Program Files (x86)\\PPStream\\Livenet.dll" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{7C23220E-55BB-11D3-8B16-00C04FB6BD3D}\CLSID = "{7C23220E-55BB-11D3-8B16-00C04FB6BD3D}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\.asf | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pps_rm\ = "RealMedia Media" | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30C35170-EF87-4227-8454-ECA14F23904C}\TypeLib | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20C2C286-BDE8-441B-B73D-AFA22D914DA5}\InprocServer32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35BC41F4-274A-4C1A-9D32-E666DF185AD0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AF34165-6CA9-4F08-BC21-49AEDC68D828}\InprocServer32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{7C23220E-55BB-11D3-8B16-00C04FB6BD3D} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C368CF95-9886-458A-B3F3-AA15F561C9E2}\InprocServer32\ = "C:\\PROGRA~2\\PPStream\\MEDIAL~1.OCX" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5D0CE636-38CD-4AE7-8BEF-D33CE4A01C83}\TypeLib\Version = "1.1" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation\Transforms\Categories | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35BC41F4-274A-4C1A-9D32-E666DF185AD0}\TypeLib | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C921ABA-8602-4588-9157-1AAAD9396180}\ = "MediaList Control" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C921ABA-8602-4588-9157-1AAAD9396180}\MiscStatus | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F27E175E-4118-4098-A6F7-4B40C7321B77}\TypeLib | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3790C037-C104-4AAC-97D4-0DE9280AF7E3}\ProxyStubClsid32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5210f8e4-b0bb-47c3-a8d9-7b2282cc79ed}\InprocServer32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pps\shell\open\command\ = "\"C:\\Program Files (x86)\\PPStream\\PPStream.exe\" -ppstream \"%1\"" | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5D0CE636-38CD-4AE7-8BEF-D33CE4A01C83}\TypeLib\ = "{C400B05B-CD0E-4ADF-9381-20A3C672B473}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EC7C511-CD0F-42E6-830C-1BD9882F3458}\TypeLib | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20C2C286-BDE8-441B-B73D-AFA22D914DA5}\MiscStatus | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98CB8A58-AF21-45A2-9B41-6626C2F79665}\TypeLib\Version = "1.1" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EC7C511-CD0F-42E6-830C-1BD9882F3458}\MiscStatus\1 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{187463A0-5BB7-11D3-ACBE-0080C75E246E}\FilterData = 02000000000040000000000000000000 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77272D62-F21A-4D7B-9D44-AE04220B9086}\TypeLib\ = "{A0427FCE-9B13-4941-A194-3C6035260BDD}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5D0CE636-38CD-4AE7-8BEF-D33CE4A01C83}\ = "_DPowerPlayerEvents" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ppstreamlive | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F21FC66-D76B-48DD-94C0-278F8E677C3C}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{98CB8A58-AF21-45A2-9B41-6626C2F79665}\ProxyStubClsid32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F21FC66-D76B-48DD-94C0-278F8E677C3C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00FBDAD7-B253-40FD-86C7-0FE4034A03C5}\VersionIndependentProgID | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F27E175E-4118-4098-A6F7-4B40C7321B77}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation\Transforms | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\PPStream.exe\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A0427FCE-9B13-4941-A194-3C6035260BDD}\1.0\0\win32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{30C35170-EF87-4227-8454-ECA14F23904C} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MEDIALIST.MediaListCtrl.1\ = "MediaList Control" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\.wmv | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98CB8A58-AF21-45A2-9B41-6626C2F79665}\ProxyStubClsid32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5D0CE636-38CD-4AE7-8BEF-D33CE4A01C83}\ = "_DPowerPlayerEvents" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EC7C511-CD0F-42E6-830C-1BD9882F3458}\InprocServer32\ = "C:\\PROGRA~2\\PPStream\\POWERP~1.DLL" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EC7C511-CD0F-42E6-830C-1BD9882F3458}\Control\ | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3790C037-C104-4AAC-97D4-0DE9280AF7E3}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\DirectShow\MediaObjects\Categories\57f2db8b-e6bb-4513-9d43-dcd2a6593125 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pps_wmv\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pps_rmvb\shell | C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Image.PPSImage\CurVer | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77272D62-F21A-4D7B-9D44-AE04220B9086}\ProgID\ = "Image.PPSImage.1" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C400B05B-CD0E-4ADF-9381-20A3C672B473}\1.1\0 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3F95A360-48CA-47B4-B9EF-CA19B94D074D}\ = "_DPowerList" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\PPStream\PPStream.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\PPStream\PPStream.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\PPStream\PPStream.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /u /s ""
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /u /s ""
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /u /s ""
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /u /s ""
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /u /s ""
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /u /s ""
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /u /s ""
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /u /s ""
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /u /s ""
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /u /s ""
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /u /s ""
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /u /s ""
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /u /s ""
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /u /s ""
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /u /s ""
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /u /s ""
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\FlashPlayDll.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\ppsimage.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /u /s ""
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\MediaList.ocx"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\Vodnet.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\Vodres.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\PowerPlayer.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\PowerList.ocx"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\Livenet.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\Livenet2.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\fds.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\ppsva.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\qasf.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\wmadmod.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\wmsdmod.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\wmspdmod.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\WMVDECOD.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\l3Codecx.ax"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /u /s "C:\Program Files (x86)\PPStream\xd.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /u /s "C:\Program Files (x86)\PPStream\PPSMedia.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /u /s "C:\Program Files (x86)\PPStream\WatchList.ocx"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /u /s "C:\Program Files (x86)\PPStream\tsr.dll"
C:\Windows\SysWOW64\Regsvr32.exe
"C:\Windows\system32\Regsvr32.exe" /u /s "C:\Program Files (x86)\PPStream\vodrc.dll"
C:\Program Files (x86)\PPStream\PPStream.exe
"C:\Program Files (x86)\PPStream\PPStream.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | spider.pps.tv | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| SG | 118.26.120.3:80 | spider.pps.tv | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.120.26.118.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fds.ppstv.net | udp |
| US | 8.8.8.8:53 | stat.ppstream.com | udp |
| US | 8.8.8.8:53 | br.pps.tv | udp |
| US | 8.8.8.8:53 | list1.ppstream.com | udp |
| US | 8.8.8.8:53 | update.111222.cn | udp |
| CN | 113.207.90.10:80 | list1.ppstream.com | tcp |
| US | 8.8.8.8:53 | tvguide.pps.tv | udp |
| US | 8.8.8.8:53 | www.ppstream.com | udp |
| CN | 220.181.184.20:80 | www.ppstream.com | tcp |
| US | 8.8.8.8:53 | 27.210.23.2.in-addr.arpa | udp |
| SG | 118.26.120.1:80 | tvguide.pps.tv | tcp |
| SG | 118.26.120.1:80 | tvguide.pps.tv | tcp |
| US | 8.8.8.8:53 | notice.ppstream.com | udp |
| SG | 118.26.120.3:80 | notice.ppstream.com | tcp |
| SG | 118.26.120.3:80 | notice.ppstream.com | tcp |
| US | 8.8.8.8:53 | 1.120.26.118.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fds.111222.cn | udp |
| US | 8.8.8.8:53 | fds.ppstv.net | udp |
| US | 8.8.8.8:53 | fds.111222.cn | udp |
| US | 8.8.8.8:53 | fds.pps2008.net | udp |
| US | 8.8.8.8:53 | fds.pps24.com | udp |
| US | 8.8.8.8:53 | update.111222.cn | udp |
| US | 8.8.8.8:53 | fds.pps2008.net | udp |
| CN | 113.207.90.11:80 | list1.ppstream.com | tcp |
| CN | 220.181.184.24:80 | www.ppstream.com | tcp |
| US | 8.8.8.8:53 | fds.pps24.com | udp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fds.pps2008.net | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fds.pps24.com | udp |
| US | 8.8.8.8:53 | fds.pps24.com | udp |
| US | 8.8.8.8:53 | update.111222.cn | udp |
| CN | 113.207.90.2:80 | list1.ppstream.com | tcp |
| CN | 220.181.184.25:80 | www.ppstream.com | tcp |
| US | 8.8.8.8:53 | fds.pps2008.com | udp |
| US | 8.8.8.8:53 | fds.pps24.com | udp |
| US | 8.8.8.8:53 | fds.pps2008.com | udp |
| US | 8.8.8.8:53 | fds.pps24.com | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | update.111222.cn | udp |
| US | 8.8.8.8:53 | update.111222.cn | udp |
| US | 8.8.8.8:53 | fds.pps2008.com | udp |
| US | 8.8.8.8:53 | stat.ppstream.com | udp |
| CN | 220.181.184.12:80 | www.ppstream.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fds.pps24.net | udp |
| US | 8.8.8.8:53 | fds.pps.tv | udp |
| US | 8.8.8.8:53 | fds.pps24.net | udp |
| US | 8.8.8.8:53 | fds.pps.tv | udp |
| US | 8.8.8.8:53 | update.111222.cn | udp |
| US | 8.8.8.8:53 | network.ini | udp |
| US | 8.8.8.8:53 | fds.ppstv.com | udp |
| CN | 125.46.104.75:7201 | fds.ppstv.com | udp |
| US | 8.8.8.8:53 | fds.pps24.net | udp |
| CN | 220.181.184.40:80 | www.ppstream.com | tcp |
| US | 8.8.8.8:53 | 75.104.46.125.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fds.ppstream.net | udp |
| US | 8.8.8.8:53 | fds.pps24.com | udp |
| US | 8.8.8.8:53 | network.ini | udp |
| US | 8.8.8.8:53 | fds.pps2008.com | udp |
| US | 8.8.8.8:53 | update.111222.cn | udp |
| US | 8.8.8.8:53 | fds.pps2008.net | udp |
| CN | 220.181.184.20:80 | www.ppstream.com | tcp |
| US | 8.8.8.8:53 | fds.pps2008.com | udp |
| US | 8.8.8.8:53 | fds.pps2008.net | udp |
| US | 8.8.8.8:53 | 104.246.116.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\nsProcess.dll
| MD5 | 59e67d25d0a4eee6493f2c8467c42a8e |
| SHA1 | e1df50b38ac6e62a18eeae273eefbc63c80ec4cc |
| SHA256 | ffed8f040d06d09d4c1656ba8dbecca112a91fbfac0d9f2788b6e3b449f8a874 |
| SHA512 | e558823ac2d66da49761690818d035ff728a154cc15148fd8376dffea1d9e0108b8b6f4776c1f7834f3aabfc8c0ab23aef4bac6d0b33cd73cc32635928350988 |
C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\nxs.dll
| MD5 | f2b34b71784d11515c3100389a6c7a60 |
| SHA1 | 798aa07c1c069ded15787f726445153c93d8ca17 |
| SHA256 | e75cffab1063e500383d642f9a7519ca20da247c72839f97d731edc84314d173 |
| SHA512 | 137ed1bf56955cc3cda6a219f9794fe5f59548a443d11b7f221acaf2887ece80e8e6efd3a9e0a4e64f8b13e99688b7a63f64f91efddd0fcd84a581fccf6fd8f2 |
C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\nsisFirewall.dll
| MD5 | 69f2e8c6fd141e9e720b2c4c366a8154 |
| SHA1 | a6279d93a102b6d7608dced32a36ddcd3e51994c |
| SHA256 | 2e204ee4f1d12b4ca35c8205cea0cabe354f2e79a471863cfb76a7cee83cf107 |
| SHA512 | bf23a5f3ce98e6a1c04fe8ae6b6f385483ceed62470cd109017c97f37c23adbf0203bfb43d09b007c6925aeb5da9617f33bc5c478618f00cc91da83a48cacaf2 |
C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\inetc.dll
| MD5 | 134b93f8bd1f82cd2f1b06c878580703 |
| SHA1 | 29cdbce7a2caf1f7e4d2a139c42336d490074665 |
| SHA256 | 45153adf50541316468e2b189a0f8127be9fb29e2f920e7eeaa6aceb438db8c4 |
| SHA512 | f970c38debb6631dab7369e2bc96237f16a8fd328d9d35a2b54cb688e1807f62cc6d63230afe89ce5c3945097ae4466872c72929a9623adde3ee57bddf54b692 |
C:\Users\Admin\AppData\Local\Temp\nsl9455.tmp
| MD5 | a0736517388eac9c9eee9e20c7440ea2 |
| SHA1 | 671c5c5d633d96eb9075b2992ed93e7029f7cff4 |
| SHA256 | 2c52318115cfc47f7dfdc2dec9e9a921ba575874ca3427c58f45d0e8f281f3ab |
| SHA512 | 7cc4cbe6fa527c0838dad31870f52dd2e6fefb76acdc76b5e68e379370f22338703dfd372fb71ce1159b0c10df713cdd42e0cd76a8ef928475d8277644d92e12 |
C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\ButtonEvent.dll
| MD5 | fad9d09fc0267e8513b8628e767b2604 |
| SHA1 | bea76a7621c07b30ed90bedef4d608a5b9e15300 |
| SHA256 | 5d913c6be9c9e13801acc5d78b11d9f3cd42c1b3b3cad8272eb6e1bfb06730c2 |
| SHA512 | b39c5ea8aea0640f5a32a1fc03e8c8382a621c168980b3bc5e2897932878003b2b8ef75b3ad68149c35420d652143e2ef763b6a47d84ec73621017f0273e2805 |
C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\ButtonLinker.dll
| MD5 | dd85ac7d85c92dd0e3cc17dfd4890f54 |
| SHA1 | a128fb7a05965c1a9913c6f5e419e6c4c0a7d2fa |
| SHA256 | 27abd2a4fb1bf66add60221b52d061bbe24d2d21e13600725ff7a5c6c777b504 |
| SHA512 | e4ff8216c65110a9d156f37c2062acb53a72daa8af12dfc24278920d9e1a4083a81b1446759df75405b2da34c7bfb1afc33184feedd0aee4ed73f79fcbb1a8a1 |
C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\nsDialogs.dll
| MD5 | c10e04dd4ad4277d5adc951bb331c777 |
| SHA1 | b1e30808198a3ae6d6d1cca62df8893dc2a7ad43 |
| SHA256 | e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a |
| SHA512 | 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e |
C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\EBanner.dll
| MD5 | 3de4b5a6d1098c217f7bdddbde113b81 |
| SHA1 | aaea1d21b8910f1a14beb7a3138598fc5ac607e9 |
| SHA256 | 3dad1148e63594824861fd3359459f96f1e3322bcb5b04a6a2fca60370f97e3f |
| SHA512 | 5fbfe530bfb39dada5369e6dcec6e1a2d1201ed2d104dd3f397244a5482525d16e0d8bc4fc0b1836794401fcc1c1aae3bc79aaf72d4ea7d034f39e4624d4aeec |
C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\Math.dll
| MD5 | b140459077c7c39be4bef249c2f84535 |
| SHA1 | c56498241c2ddafb01961596da16d08d1b11cd35 |
| SHA256 | 0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67 |
| SHA512 | fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328 |
memory/3736-87-0x0000000004190000-0x00000000041AA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsl9455.tmp
| MD5 | b3040c34cd007d678158ced31b8f1fed |
| SHA1 | 0b39b20ea0bc83852197c30701d6cfb311289089 |
| SHA256 | 7d686a4673bb4c735d37e84c4fff55f3fe709c3cbf27bfec759665fc1e684200 |
| SHA512 | 85b80ac51ea4b0c30c663db59ebb9e5b3ee4ba2bf033a0178953fc131aff36fb99fbf5840800c642bed2dd3d89e9a8f0d49a092ef5c687e2301151862e7205ea |
C:\Program Files (x86)\PPStream\FlashPlayDll.dll
| MD5 | 6c3e76309b1c3981b24ee57bfa05965d |
| SHA1 | dfdb30388c9e97a178cca1183989780670a30ff4 |
| SHA256 | 07a98a56841629c4fe071992fc2515dd4b79f3ed297e0e832157f6ffb426c1f7 |
| SHA512 | f7f2efa633ffa4f03ced325e7fbc35ff6aca753e0a35e5f3df6fa6c037b50d24749f841ec84cca1545ac67a5b6616e8b659da5e7774ca993e252bd5980615bca |
C:\Program Files (x86)\PPStream\ppsimage.dll
| MD5 | 8c72ccfdc2433978491b3aa7464e6fdc |
| SHA1 | 8bef1052ae35db4583add9a8f1044904788fc0de |
| SHA256 | 94e0ba93840a54508f098ef43aed4fb01f661606141223426d069a00d65b7fcd |
| SHA512 | 0e76a8b3993fcb5e707b769f3dc7962e2e50626630ae2940a43a77d2c3883faecebea6258e5ef36b500db42746d36c6d98e72c54b3c95d53d21edaddd3bcd10e |
C:\Program Files (x86)\PPStream\MediaList.ocx
| MD5 | 43c9b075a03d7b673b7a52d4d7ee7add |
| SHA1 | c09f44485264d1767f7cf6fb648d938f98de7307 |
| SHA256 | afb969c56f0bac3ce4c460b9477b1f3685cb284fb12b29193dfa43e6e38ba962 |
| SHA512 | 4933c8d42b317989a451fe6da8772e68bbbaffd52d87be9a4a3f816bb836fca35e7086ecdbb2d93df54763a09d7c88323a383c28907d9e3a8bfdfd1a77d319f8 |
C:\Program Files (x86)\PPStream\Vodnet.dll
| MD5 | 44cc4f6432ee946263fb6e6697fe4c75 |
| SHA1 | 9ed41c970ddc22a5263db3ca897f8bfbb048eadf |
| SHA256 | 2531ce68f021aa2f3eb3c0097b45eba5d1435d099c36372a88fa1665e491ed48 |
| SHA512 | 01246a815bdf15e3650987422dee14e54239169e7f86d1ec3a30ecc168469536a6a3b2cf09e42d05b864d581c5a997fb33ef04279c9c756ee4d9247985ad0121 |
C:\Program Files (x86)\PPStream\Vodres.dll
| MD5 | bfab7e315b543a526ab04341a95688ea |
| SHA1 | 007cd093cb0a6f0bf22553886a4ee4b3557f075c |
| SHA256 | 048d05ae14dc3c38f7f49abc670e375c93341076fa7710730ad35fe230c42545 |
| SHA512 | 04d9b05298805072895a45976cde999348436f039c1c9dbfeb6929d0c85767c9a641acaca7469bb9f871561909848c87c21ac2bd0a8e856715160f97216135ca |
C:\Program Files (x86)\PPStream\PowerPlayer.dll
| MD5 | 61efd502973f406cea48d1d3ee4d5116 |
| SHA1 | c2cd947eec5a4937715cdee68ce35fd0d15a5860 |
| SHA256 | cad4a844421ae3a9732f2b2edd885b14a76795b85ded6beb84a5db5f24b5c8f2 |
| SHA512 | 55bf5d37d94503f3cb0a1bbe9bed6b89c09d9262e57c44ef970b27f30697af3fb10861bf34c2991186805fc08c2f647f055d3a95f3a4c3be6776fd97b401045f |
C:\Program Files (x86)\PPStream\PSNetwork.dll
| MD5 | 75d36a7d5f0442a4c97e548072d44ac1 |
| SHA1 | ef0f0f852d0611af1b5c7a2a152700045a7148df |
| SHA256 | c7ff292192e20884f69bb45feebc0090685f69e7ce1a104b26d4eaa86d172b58 |
| SHA512 | bf53a28e7bb78803713a1df75d64950b0e01d33ec6affc0505596e458df6080e4d761bb039b2250b22d9d6f589f2aef9a07b0e91c2374fb8f36ea27e9d5ec50e |
C:\Program Files (x86)\PPStream\PowerList.ocx
| MD5 | b267aec2585644696044f6b6730d6a1a |
| SHA1 | 9722785bad1001a880f4eaddea4b71bb88e15d6e |
| SHA256 | 79c0c0fdb12fd47b863b08283fc6cc71e081b55a22407ea12f0427ea2c5379ec |
| SHA512 | c7d42372bb1d4fdc5c454d87af22e8f118e216f8a7ad60300b00f70832d88b2243a17b99a2ba15698041e3e6ee5892e789d461622fc00b4fddd0122a6cec80bb |
C:\Program Files (x86)\PPStream\Livenet.dll
| MD5 | d6d8fa1f909fbd50d6e02efd0e034b97 |
| SHA1 | c65b74e88e720c780f0de1898b89c701f48020b4 |
| SHA256 | ed83d2aecfeffc6669905cf72bcf0cb34ad5f7a7b024087deb65515877ca0cda |
| SHA512 | 52c4bf30d0361fa9cd53cc882630beec03170a836a6961efec8d8c3d04093b9c1457e6b307a49d0ba0b909fb628e8861128d707818171806ac7166ee4692d4f4 |
C:\Program Files (x86)\PPStream\Livenet2.dll
| MD5 | b12bbda671c6cec48bb5af66ad684af7 |
| SHA1 | aa4d7c9623704846686fbe9c2d6f09f2121a836b |
| SHA256 | d11a84dc4a469054ea200783cf2ba07bf906cc64657b6ebaf1d9a78c6093a118 |
| SHA512 | 87d30c4a78727570770c9f7aa2c768dc892ba9c076555477c93d5f8c16a1e7c2fcdbf04cafc5a2070a2350a646815afb49b5be078cdb7ec51fb30a1e802a5bfd |
C:\Program Files (x86)\PPStream\fds.dll
| MD5 | 3405dbb8be0b5cbe22897a60f8f93157 |
| SHA1 | c1f3d53992b08471290904276c3032753c0d8509 |
| SHA256 | d478ce48dc810b1821a6e9f27586bcd758a4ad7d3e72de5286c236e6a0be063e |
| SHA512 | 17a7f2c989e390ed09756234bad46f947e3a9e2d8f7937c6ce3b53ea9e792e6c1a28856076ce5a799dbe39b745c997c0691d00ef35324aec8f7a6b23c0ccab1f |
C:\Program Files (x86)\PPStream\PPStream.exe
| MD5 | d5697843420ce9a6d2542cc78b550b24 |
| SHA1 | 734e7e827824729f87851bdb1896a62df5f880a3 |
| SHA256 | 8fb25e845c15f4bd126613d6663d513d970e6a4b544a6ccb7a5009c6873194c1 |
| SHA512 | 3892aa849db87c7af6dfda505c99314ed441b2dde3654ea1a1f47face5a1215050bbfc43a02e47ea383003d13438e17db659f69f0c705d4cf302449878dca6bb |
C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\modern-wizard.bmp
| MD5 | f270bb2201c8595ccf77ab85c6ae4399 |
| SHA1 | 84398bc484923ebb51f8f403b51b2579c7228db5 |
| SHA256 | c2346f1adde353aeb6e5171d85433a3f831776607886dc3d1ac831d76631b552 |
| SHA512 | 2bfe55c653a4237dd7c14921a3ce467e726260f32a2cbc24029d5e8ede42aef45a1dce8e17009c02a26328e6c67552c4edbc9541f1ee3354c2907209258e93da |
memory/3756-247-0x0000000004540000-0x000000000458C000-memory.dmp
memory/3756-264-0x0000000004CF0000-0x0000000004D46000-memory.dmp
C:\Users\Admin\AppData\Roaming\PPStream\powerplayer.ini
| MD5 | ebf212d01ed390f12e0cc066e09d77a2 |
| SHA1 | c0f787b9545b2728020f6023c588c551d494c336 |
| SHA256 | d904871846c3d7e75c12d6fc71b1876966884aa9535e9fbcd4ca276e6bbc1852 |
| SHA512 | 39d714effb90a25a6fe51e54eaf072830a7298db72c06cd20dcb899c8a1d62dd3db0d124f8c29463efaeb93c0acbd4caeca1870e5b5ac103aa6cea03d570264f |
memory/3756-233-0x00000000044B0000-0x00000000044FB000-memory.dmp
C:\Users\Admin\AppData\Roaming\PPStream\psnetwork.ini
| MD5 | 4a5e7138380177c56c39fa2df84b4ccd |
| SHA1 | cb71e0a77303c732d36eeb22f2b0d1ca042ece04 |
| SHA256 | 81f56f16bc35646ec9917b7d064d0b2bf58818700b99ac855f097355ca907e40 |
| SHA512 | 36efe58aa7cc3adcd323fb0b79dc92c76184d77b3baa41172418e6bef4b50b9ee80d074f29770feca2fba222b019b58b7f1011a0f2cdf32ae6444a4a83b631e0 |
C:\Users\Admin\AppData\Roaming\PPStream\powerplayer.ini
| MD5 | 42085a0684e65c67624dff4c4d5c172d |
| SHA1 | c5d4f907668c152b8eae49402d3e9523c3490a36 |
| SHA256 | 698822793660193abbd90e8131d32f11a2662228a31b5edffe1013cfb2a5c247 |
| SHA512 | 9dfef92f2ca029f0bcbcdfda53f26fe1111ed5da909c4da0d8c79ada495b68936a259a541db839f296210a73482395ecb33e31dd27e22e8736394e879ee41a0a |
C:\Users\Admin\AppData\Roaming\PPStream\psnetwork.ini
| MD5 | be475343536062c22b3d5df965c6f2d2 |
| SHA1 | 1e9b991b1ca99d448cc1033c4f0fe6883265be37 |
| SHA256 | 7f8b3a9e13838a619a58acc56a2bf8cba4d768580ad480bcde989c616d9f5c8b |
| SHA512 | 378dce7985318067283990a25408893d8d1d84db9e24e9cc29b3e2db7ec07ce0cb12f507ca0f3b9fb77f0f9d9974debd21078196eb5e2f0a65e3a4234a464b27 |
memory/3756-306-0x0000000006400000-0x000000000657E000-memory.dmp
C:\PROGRA~2\PPStream\pp2play.dll
| MD5 | 41a73af32b92d4fe52f72574dfe8f87a |
| SHA1 | ba4579c0f997a219bf4950375b5c2349f6baa0b3 |
| SHA256 | 021fd444605ed00cdce049dac448f025fc1dbc462d618192c1e8cdcb1c12fb3e |
| SHA512 | 61b91c12b88cb154d1d55ecf2c9d3b75ae2ed481dd0fd46f306c38e29f59f6bc43f986938ecbdd2a8e21f8ab5280b00d648fda5c309d7156b75b53c980cf5e35 |
memory/3756-318-0x0000000007140000-0x00000000072C9000-memory.dmp
C:\Users\Admin\AppData\Roaming\PPStream\powerlist.ini
| MD5 | d6c13cddb23726f99cdd9678debfe13b |
| SHA1 | 0a6d0f32c098f0e04ec3161f70782a593debfbeb |
| SHA256 | 4098f924cc5ef44d576f033718bb2426d7b8c2074621e2dd22c6b8198ee716f9 |
| SHA512 | a908bfeddb45d8cf6ebe549840ad2acc27818e15b859889041c3428a1fc9c504122c44d02783f60181c0c567a339f3ab3d74951ea7c6dcfcc38c286459ad223f |
C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\Registry.dll
| MD5 | 0e1fbcbfec72e5c3f76024174980053d |
| SHA1 | 67e7f707b1e5d3f3665562f3519946a7a2859a78 |
| SHA256 | 83c6fb0ae59cc3d00638559fd87b860f61e7ad60c63551c2e9e78ffac71d4ef0 |
| SHA512 | efb7736b103a5355356f1c4d109f27bd91cf40ae18b9dad1a81760688ca391c091e35208f368e8870523bc74ec7239f87b403513bc4a33fdf86314a43e4e48c4 |
memory/3736-358-0x0000000003460000-0x0000000003499000-memory.dmp
C:\Users\Admin\AppData\Roaming\PPStream\powerplayer.ini
| MD5 | 01514467db0a813c66be8057a31d7603 |
| SHA1 | 3b6940d2c654d31026708742b1074163f097700e |
| SHA256 | 63972669425d0cf5e7ef2226b4e4059f93a562b8e837402f675b5162aecd367a |
| SHA512 | 1130e4cc42523b1c0d1ff4f0e9fc3d1ebc90f063e1fc2335b49b34ee952264d5b32663188710261adb49951861da9803b5f8c7b558d3defa3ee187a15861bf54 |
C:\Users\Admin\AppData\Roaming\PPStream\adsys\ads_240652296.xml
| MD5 | 66f23be00723b2f54e7086ab37b9f273 |
| SHA1 | 591d749b09c88a6bf715f4f75d7a57bce309bcbe |
| SHA256 | 3bd2b19b361864656d0cab5c66e76864313eff36e70b01086840689ab154b987 |
| SHA512 | 5d4b171d08ac1a6c62fd8f1ce14af0ca7f786b4ae8b74a7207034da30559bb2463aa3d655e2fca84fc4f8586b6e27a2558c34311f997d2736d131373ce360f1f |
C:\Users\Admin\AppData\Roaming\PPStream\psnetwork.ini
| MD5 | 7894ec7921b9d852d65210346f390d56 |
| SHA1 | 0b10bf8c90fd78c50e1d195b1d5f7200678c212f |
| SHA256 | 96c38a1989e32542bcb3f94e5379673e99a04c5f4e5702b1192ac96d51f80300 |
| SHA512 | 73c48d7bcf8ab26154fbf0e485bb6d030b21d824a46b7fb3e4946cc5728092c0e8751ac68dcce72da10fad2c5c0e4a2c2e75dcb7c37fa6e733a2e0328f8e5cdb |
C:\Users\Admin\AppData\Roaming\PPStream\powerplayer.ini
| MD5 | 54a86af600fd34aa7d05688f858a9831 |
| SHA1 | 37911deb98cab225e216be230be1469c9fc22a22 |
| SHA256 | 0be65edaa891c2fc84d1d6c6cc7e47ebbf88e1f8f80b0f1c6fd6642c4228ab3c |
| SHA512 | 8b121db316f6f097fd4d9fb418db2972b78c50f1928bbed8b38e653993f2aab8216afbd49b7eb4a166e4d678dea6fd546dd69a767ea0f370845b13425e8a39bc |