Malware Analysis Report

2025-08-05 10:48

Sample ID 241017-aejphsvajl
Target 4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118
SHA256 6bb16c752fccad3cfc3dc2d625522fdb678b499060d88114ef7048a0639014f5
Tags
bootkit discovery persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

6bb16c752fccad3cfc3dc2d625522fdb678b499060d88114ef7048a0639014f5

Threat Level: Likely malicious

The file 4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

bootkit discovery persistence

Drops file in Drivers directory

Executes dropped EXE

Loads dropped DLL

Drops startup file

Writes to the Master Boot Record (MBR)

Checks installed software on the system

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

NSIS installer

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-17 00:07

Signatures

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-17 00:07

Reported

2024-10-17 00:10

Platform

win7-20240903-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\nse9F3.tmp C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\SysWOW64\Regsvr32.exe N/A
File opened for modification C:\Windows\system32\drivers\etc\hosts F:\PPS.tv\PPStream\PPStream.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PPS.lnk C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 F:\PPS.tv\PPStream\PPStream.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\pncrt.dll C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ppsÓ°Ñ¶ÆÁ±£.scr C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\ C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F:\PPS.tv\PPStream\PPStream.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\PPSÓ°~1.SCR" C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6F527659-7814-4B10-824B-C763CC31B79D} C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6F527659-7814-4B10-824B-C763CC31B79D}\AppPath = "F:\\PPS.tv\\PPStream" C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6F527659-7814-4B10-824B-C763CC31B79D}\AppName = "PPSAP.exe" C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6F527659-7814-4B10-824B-C763CC31B79D}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main F:\PPS.tv\PPStream\PPStream.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{35BC41F4-274A-4C1A-9D32-E666DF185AD0}\ = "IPPSPicture" C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ppstreamlive2\ = "F:\\PPS.tv\\PPStream\\Livenet2.dll" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00FBDAD7-B253-40FD-86C7-0FE4034A03C5}\Programmable C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{39A4D48D-0B87-41CA-A42D-78019F6A3C14}\1.0\HELPDIR\ C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5D0CE636-38CD-4AE7-8BEF-D33CE4A01C83}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Applications C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5EC7C511-CD0F-42E6-830C-1BD9882F3458}\Implemented Categories C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MEDIALIST.MediaListCtrl.1 C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1AF34165-6CA9-4F08-BC21-49AEDC68D828}\ = "PowerPlayer Property Page" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\POWERPLAYER.PowerPlayerCtrl.1\CLSID C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pps_wma C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F27E175E-4118-4098-A6F7-4B40C7321B77}\ProxyStubClsid32 C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ppstreamvod C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.rmvb C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77272D62-F21A-4D7B-9D44-AE04220B9086}\VersionIndependentProgID\ = "Image.PPSImage" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C23220E-55BB-11D3-8B16-00C04FB6BD3D} C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pmv\DefaultIcon\ = "F:\\PPS.tv\\PPStream\\PPStream.exe,-148" C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pps C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wmv\ = "pps.wmv" C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pps_wma\shell\open\command\ = "F:\\PPS.tv\\PPStream\\PPStream.exe \"%1\"" C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.rm\ = "pps_rm" C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\POWERPLAYER.PowerPlayerCtrl.1 C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71932D43-3CA5-46EF-B013-3F9A695996ED}\InprocServer32 C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{187463A0-5BB7-11D3-ACBE-0080C75E246E} C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pps\shell\open\command C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pps_wmv C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A0427FCE-9B13-4941-A194-3C6035260BDD}\1.0\HELPDIR C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C400B05B-CD0E-4ADF-9381-20A3C672B473}\1.1\0 C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3F95A360-48CA-47B4-B9EF-CA19B94D074D}\TypeLib C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3790C037-C104-4AAC-97D4-0DE9280AF7E3}\TypeLib C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wma\ = "pps_wma" C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5EC7C511-CD0F-42E6-830C-1BD9882F3458}\InprocServer32\ = "F:\\PPS.tv\\PPStream\\POWERP~1.DLL" C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{7C23220E-55BB-11D3-8B16-00C04FB6BD3D}\FilterData = 02000000000040000000000000000000 C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pmv C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\PPStream.exe\shell\ C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Image.PPSPicture.1\ = "PPSPicture Class" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0C921ABA-8602-4588-9157-1AAAD9396180} C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C400B05B-CD0E-4ADF-9381-20A3C672B473}\1.1 C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8BEBA807-5611-4E22-BCF7-280DAED9A1F3}\1.0\ = "PowerList of ppStream" C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Image.PPSImage.1\ = "PPSImage Class" C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5EC7C511-CD0F-42E6-830C-1BD9882F3458}\Version\ = "1.1" C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pps\DefaultIcon\ = "F:\\PPS.tv\\PPStream\\PPStream.exe,-0" F:\PPS.tv\PPStream\PPStream.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ppstream F:\PPS.tv\PPStream\PPStream.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77272D62-F21A-4D7B-9D44-AE04220B9086}\VersionIndependentProgID C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35BC41F4-274A-4C1A-9D32-E666DF185AD0}\ = "IPPSPicture" C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C400B05B-CD0E-4ADF-9381-20A3C672B473}\1.1\0\win32\ = "F:\\PPS.tv\\PPStream\\PowerPlayer.dll" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{94297043-BD82-4DFD-B0DE-8177739C6D20}\InprocServer32 C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\MediaFoundation\Transforms C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.rm\ = "pps.rm" C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{39A4D48D-0B87-41CA-A42D-78019F6A3C14}\1.0\0 C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pps_rm C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{39A4D48D-0B87-41CA-A42D-78019F6A3C14}\1.0\ = "MediaList ActiveX Control module" C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30C35170-EF87-4227-8454-ECA14F23904C}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ppstream\shell\open\command\ = "\"F:\\PPS.tv\\PPStream\\PPStream.exe\" -ppstream \"%1\"" C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pgf C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00FBDAD7-B253-40FD-86C7-0FE4034A03C5}\ProgID\ = "Image.PPSPicture.1" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00FBDAD7-B253-40FD-86C7-0FE4034A03C5}\Programmable C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20C2C286-BDE8-441B-B73D-AFA22D914DA5}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\Regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{187463A0-5BB7-11D3-ACBE-0080C75E246E} C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\DirectShow\MediaObjects\Categories\57f2db8b-e6bb-4513-9d43-dcd2a6593125 C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pps_wmv\shell\open C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F27E175E-4118-4098-A6F7-4B40C7321B77}\TypeLib C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98CB8A58-AF21-45A2-9B41-6626C2F79665}\ProxyStubClsid32 C:\Windows\SysWOW64\Regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A
N/A N/A F:\PPS.tv\PPStream\PPStream.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3044 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3044 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /u /s ""

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /u /s ""

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /u /s ""

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /u /s ""

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /u /s ""

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /u /s ""

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /u /s ""

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /u /s ""

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /u /s ""

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /u /s ""

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /u /s ""

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /u /s ""

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /u /s ""

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /u /s ""

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /u /s ""

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /u /s ""

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "F:\PPS.tv\PPStream\FlashPlayDll.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "F:\PPS.tv\PPStream\ppsimage.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /u /s ""

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "F:\PPS.tv\PPStream\MediaList.ocx"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "F:\PPS.tv\PPStream\Vodnet.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "F:\PPS.tv\PPStream\Vodres.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "F:\PPS.tv\PPStream\PowerPlayer.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "F:\PPS.tv\PPStream\PowerList.ocx"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "F:\PPS.tv\PPStream\Livenet.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "F:\PPS.tv\PPStream\Livenet2.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "F:\PPS.tv\PPStream\fds.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "F:\PPS.tv\PPStream\ppsva.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\qasf.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\wmadmod.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\wmsdmod.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\wmspdmod.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\WMVDECOD.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\l3Codecx.ax"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /u /s "F:\PPS.tv\PPStream\xd.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /u /s "F:\PPS.tv\PPStream\PPSMedia.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /u /s "F:\PPS.tv\PPStream\WatchList.ocx"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /u /s "F:\PPS.tv\PPStream\tsr.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /u /s "F:\PPS.tv\PPStream\vodrc.dll"

F:\PPS.tv\PPStream\PPStream.exe

"F:\PPS.tv\PPStream\PPStream.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 spider.pps.tv udp
SG 118.26.120.3:80 spider.pps.tv tcp
US 8.8.8.8:53 fds.111222.cn udp
US 8.8.8.8:53 stat.ppstream.com udp
US 8.8.8.8:53 br.pps.tv udp
US 8.8.8.8:53 stat.ppstream.com udp
US 8.8.8.8:53 list1.ppstream.com udp
US 8.8.8.8:53 br.pps.tv udp
US 8.8.8.8:53 update.111222.cn udp
US 8.8.8.8:53 www.ppstream.com udp
US 8.8.8.8:53 vodguide.pps.tv udp
CN 113.207.90.11:80 list1.ppstream.com tcp
SG 118.26.120.3:80 vodguide.pps.tv tcp
SG 118.26.120.3:80 vodguide.pps.tv tcp
CN 220.181.184.12:80 www.ppstream.com tcp
US 8.8.8.8:53 notice.ppstream.com udp
SG 118.26.120.1:80 notice.ppstream.com tcp
SG 118.26.120.3:80 notice.ppstream.com tcp
US 8.8.8.8:53 fds.pps2008.com udp
US 8.8.8.8:53 fds.pps2008.com udp
US 8.8.8.8:53 update.111222.cn udp
US 8.8.8.8:53 fds.pps2008.com udp
CN 113.207.90.2:80 list1.ppstream.com tcp
CN 220.181.184.20:80 www.ppstream.com tcp
US 8.8.8.8:53 fds.ppstream.com udp
US 8.8.8.8:53 fds.pps.tv udp
US 8.8.8.8:53 fds.pps24.com udp
CN 113.207.90.10:80 list1.ppstream.com tcp
CN 220.181.184.24:80 www.ppstream.com tcp
US 8.8.8.8:53 fds.ppstream.net udp
US 8.8.8.8:53 fds.pps24.com udp
US 8.8.8.8:53 fds.pps24.com udp
US 8.8.8.8:53 update.111222.cn udp
US 8.8.8.8:53 update.111222.cn udp
US 8.8.8.8:53 fds.ppstv.net udp
CN 220.181.184.40:80 www.ppstream.com tcp
US 8.8.8.8:53 fds.pps24.com udp
CN 113.207.90.7:80 list1.ppstream.com tcp
US 8.8.8.8:53 fds.ppstv.net udp
US 8.8.8.8:53 fds.pps24.com udp
CN 220.181.184.25:80 www.ppstream.com tcp
US 8.8.8.8:53 fds.ppstv.net udp
CN 113.207.90.11:80 list1.ppstream.com tcp
US 8.8.8.8:53 fds.pps24.com udp
CN 220.181.184.12:80 www.ppstream.com tcp

Files

\Users\Admin\AppData\Local\Temp\nse9A4.tmp\System.dll

\Users\Admin\AppData\Local\Temp\nse9A4.tmp\nsProcess.dll

\Users\Admin\AppData\Local\Temp\nse9A4.tmp\nxs.dll

\Users\Admin\AppData\Local\Temp\nse9A4.tmp\nsisFirewall.dll

\Users\Admin\AppData\Local\Temp\nse9A4.tmp\inetc.dll

C:\Users\Admin\AppData\Local\Temp\nstA03.tmp

\Users\Admin\AppData\Local\Temp\nse9A4.tmp\ButtonEvent.dll

\Users\Admin\AppData\Local\Temp\nse9A4.tmp\ButtonLinker.dll

\Users\Admin\AppData\Local\Temp\nse9A4.tmp\nsDialogs.dll

\Users\Admin\AppData\Local\Temp\nse9A4.tmp\EBanner.dll

\Users\Admin\AppData\Local\Temp\nse9A4.tmp\Math.dll

\Users\Admin\AppData\Local\Temp\nse9A4.tmp\w7tbp.dll

F:\PPS.tv\PPStream\FlashPlayDll.dll

F:\PPS.tv\PPStream\ppsimage.dll

F:\PPS.tv\PPStream\MediaList.ocx

F:\PPS.tv\PPStream\Vodnet.dll

F:\PPS.tv\PPStream\Vodres.dll

F:\PPS.tv\PPStream\PowerPlayer.dll

F:\PPS.tv\PPStream\PSNetwork.dll

F:\PPS.tv\PPStream\PowerList.ocx

F:\PPS.tv\PPStream\Livenet.dll

F:\PPS.tv\PPStream\Livenet2.dll

F:\PPS.tv\PPStream\fds.dll

F:\PPS.tv\PPStream\PPStream.exe

C:\Users\Admin\AppData\Local\Temp\nse9A4.tmp\modern-wizard.bmp

C:\Users\Admin\AppData\Roaming\ppStream\ppstream.ini

C:\Users\Admin\AppData\Roaming\ppStream\powerplayer.ini

C:\Users\Admin\AppData\Roaming\ppStream\psnetwork.ini

C:\Users\Admin\AppData\Roaming\PPStream\powerplayer.ini

C:\Users\Admin\AppData\Roaming\PPStream\psnetwork.ini

C:\Users\Admin\AppData\Roaming\PPStream\powerplayer.ini

C:\Users\Admin\AppData\Roaming\PPStream\psnetwork.ini

F:\PPS.tv\PPStream\pp2play.dll

C:\Users\Admin\AppData\Roaming\PPStream\powerlist.ini

C:\Users\Admin\AppData\Roaming\ppStream\skin\Vista\Vista.ssk

C:\Users\Admin\AppData\Local\Temp\nstA03.tmp

\Users\Admin\AppData\Local\Temp\nse9A4.tmp\Registry.dll

C:\Users\Admin\AppData\Roaming\PPStream\powerplayer.ini

C:\Users\Admin\AppData\Roaming\PPStream\adsys\ads_259491688.xml

C:\Users\Admin\AppData\Roaming\PPStream\psnetwork.ini

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-17 00:07

Reported

2024-10-17 00:10

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\nsv9444.tmp C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\SysWOW64\Regsvr32.exe N/A
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Program Files (x86)\PPStream\PPStream.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PPS.lnk C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\Regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\Regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\Regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\Regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\Regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\Regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\Regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\Regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\Regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\Regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\Regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\PPStream\PPStream.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\pncrt.dll C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\ppsӰѶÆÁ±£.scr C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\PPStream\PSNetwork.dll C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PPStream\Codec\real\Codecs\raac.dll C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PPStream\assoc.ini C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PPStream\Vodres.dll C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PPStream\Codec\real\Codecs\atrc.dll C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PPStream\Codec\real\Codecs\drv2.dll C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PPStream\Codec\real\Codecs\sipr.dll C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PPStream\Codec\real\Codecs\drvc.dll C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\PPStream\cache C:\Program Files (x86)\PPStream\PPStream.exe N/A
File created C:\Program Files (x86)\PPStream\PPSAP.exe C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PPStream\ppsimage.dll C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PPStream\Vodnet.dll C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PPStream\PowerList.ocx C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PPStream\Codec\real\Codecs\14_43260.dll C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PPStream\MediaList.ocx C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PPStream\Codec\real\Codecs\28_83260.dll C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PPStream\Codec\real\Codecs\cook.dll C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PPStream\Codec\real\Codecs\dnet3260.dll C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PPStream\pncrt.dll C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PPStream\Vista.ssk C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PPStream\PPStream.exe C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PPStream\PowerPlayer.dll C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PPStream\Livenet.dll C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PPStream\Livenet2.dll C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PPStream\fds.dll C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PPStream\Codec\pncrt.dll C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PPStream\FlashPlayDll.dll C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PPStream\pp2play.dll C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\PPStream\pps.url C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PPStream\unpps.exe C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PPStream\Codec\real\Codecs\ralf.dll C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\PPStream\Codec\rmsplt.ax C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\psnetwork.ini C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
File opened for modification C:\Windows\powerplayer.ini C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\PPStream\PPStream.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regsvr32.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\PPSÓ°~1.SCR" C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6F527659-7814-4B10-824B-C763CC31B79D}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6F527659-7814-4B10-824B-C763CC31B79D} C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6F527659-7814-4B10-824B-C763CC31B79D}\AppPath = "C:\\Program Files (x86)\\PPStream" C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6F527659-7814-4B10-824B-C763CC31B79D}\AppName = "PPSAP.exe" C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\.wmv\ = "pps_wmv" C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pps_rm\shell\open\command\ = "C:\\Program Files (x86)\\PPStream\\PPStream.exe \"%1\"" C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EC7C511-CD0F-42E6-830C-1BD9882F3458}\MiscStatus\ = "0" C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\.asf\ = "pps_asf" C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C921ABA-8602-4588-9157-1AAAD9396180}\InprocServer32\ = "C:\\PROGRA~2\\PPStream\\MEDIAL~1.OCX" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\DirectShow\MediaObjects\Categories\4a69b442-28be-4991-969c-b500adf5d8a8\82d353df-90bd-4382-8bc2-3f6192b76e34 C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Image.PPSImage.1\ = "PPSImage Class" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C368CF95-9886-458A-B3F3-AA15F561C9E2} C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pps\ = "PPS²¥·ÅÐ\u00adÒé" C:\Program Files (x86)\PPStream\PPStream.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pgf\DefaultIcon\ = "C:\\Program Files (x86)\\PPStream\\PPStream.exe,-317" C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Applications C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00FBDAD7-B253-40FD-86C7-0FE4034A03C5} C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ppstreamlive\ = "C:\\Program Files (x86)\\PPStream\\Livenet.dll" C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{7C23220E-55BB-11D3-8B16-00C04FB6BD3D}\CLSID = "{7C23220E-55BB-11D3-8B16-00C04FB6BD3D}" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\.asf C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pps_rm\ = "RealMedia Media" C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30C35170-EF87-4227-8454-ECA14F23904C}\TypeLib C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20C2C286-BDE8-441B-B73D-AFA22D914DA5}\InprocServer32 C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{35BC41F4-274A-4C1A-9D32-E666DF185AD0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AF34165-6CA9-4F08-BC21-49AEDC68D828}\InprocServer32 C:\Windows\SysWOW64\Regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{7C23220E-55BB-11D3-8B16-00C04FB6BD3D} C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C368CF95-9886-458A-B3F3-AA15F561C9E2}\InprocServer32\ = "C:\\PROGRA~2\\PPStream\\MEDIAL~1.OCX" C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5D0CE636-38CD-4AE7-8BEF-D33CE4A01C83}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation\Transforms\Categories C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35BC41F4-274A-4C1A-9D32-E666DF185AD0}\TypeLib C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C921ABA-8602-4588-9157-1AAAD9396180}\ = "MediaList Control" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C921ABA-8602-4588-9157-1AAAD9396180}\MiscStatus C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F27E175E-4118-4098-A6F7-4B40C7321B77}\TypeLib C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3790C037-C104-4AAC-97D4-0DE9280AF7E3}\ProxyStubClsid32 C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5210f8e4-b0bb-47c3-a8d9-7b2282cc79ed}\InprocServer32 C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pps\shell\open\command\ = "\"C:\\Program Files (x86)\\PPStream\\PPStream.exe\" -ppstream \"%1\"" C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5D0CE636-38CD-4AE7-8BEF-D33CE4A01C83}\TypeLib\ = "{C400B05B-CD0E-4ADF-9381-20A3C672B473}" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EC7C511-CD0F-42E6-830C-1BD9882F3458}\TypeLib C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20C2C286-BDE8-441B-B73D-AFA22D914DA5}\MiscStatus C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98CB8A58-AF21-45A2-9B41-6626C2F79665}\TypeLib\Version = "1.1" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EC7C511-CD0F-42E6-830C-1BD9882F3458}\MiscStatus\1 C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{187463A0-5BB7-11D3-ACBE-0080C75E246E}\FilterData = 02000000000040000000000000000000 C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77272D62-F21A-4D7B-9D44-AE04220B9086}\TypeLib\ = "{A0427FCE-9B13-4941-A194-3C6035260BDD}" C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5D0CE636-38CD-4AE7-8BEF-D33CE4A01C83}\ = "_DPowerPlayerEvents" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ppstreamlive C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F21FC66-D76B-48DD-94C0-278F8E677C3C}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{98CB8A58-AF21-45A2-9B41-6626C2F79665}\ProxyStubClsid32 C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F21FC66-D76B-48DD-94C0-278F8E677C3C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00FBDAD7-B253-40FD-86C7-0FE4034A03C5}\VersionIndependentProgID C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F27E175E-4118-4098-A6F7-4B40C7321B77}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation\Transforms C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\PPStream.exe\shell\open\command C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A0427FCE-9B13-4941-A194-3C6035260BDD}\1.0\0\win32 C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{30C35170-EF87-4227-8454-ECA14F23904C} C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MEDIALIST.MediaListCtrl.1\ = "MediaList Control" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\.wmv C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98CB8A58-AF21-45A2-9B41-6626C2F79665}\ProxyStubClsid32 C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5D0CE636-38CD-4AE7-8BEF-D33CE4A01C83}\ = "_DPowerPlayerEvents" C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EC7C511-CD0F-42E6-830C-1BD9882F3458}\InprocServer32\ = "C:\\PROGRA~2\\PPStream\\POWERP~1.DLL" C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EC7C511-CD0F-42E6-830C-1BD9882F3458}\Control\ C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3790C037-C104-4AAC-97D4-0DE9280AF7E3}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\DirectShow\MediaObjects\Categories\57f2db8b-e6bb-4513-9d43-dcd2a6593125 C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pps_wmv\DefaultIcon C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pps_rmvb\shell C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Image.PPSImage\CurVer C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77272D62-F21A-4D7B-9D44-AE04220B9086}\ProgID\ = "Image.PPSImage.1" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C400B05B-CD0E-4ADF-9381-20A3C672B473}\1.1\0 C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3F95A360-48CA-47B4-B9EF-CA19B94D074D}\ = "_DPowerList" C:\Windows\SysWOW64\Regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A
N/A N/A C:\Program Files (x86)\PPStream\PPStream.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3736 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 3736 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe C:\Windows\SysWOW64\Regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4fc4d3801e9066cc655451d14dbb9857_JaffaCakes118.exe"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /u /s ""

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\FlashPlayDll.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\ppsimage.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\MediaList.ocx"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\Vodnet.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\Vodres.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\PowerPlayer.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\PowerList.ocx"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\Livenet.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\Livenet2.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\fds.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "C:\Program Files (x86)\PPStream\ppsva.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\qasf.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\wmadmod.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\wmsdmod.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\wmspdmod.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\WMVDECOD.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /s "C:\Windows\system32\l3Codecx.ax"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /u /s "C:\Program Files (x86)\PPStream\xd.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /u /s "C:\Program Files (x86)\PPStream\PPSMedia.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /u /s "C:\Program Files (x86)\PPStream\WatchList.ocx"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /u /s "C:\Program Files (x86)\PPStream\tsr.dll"

C:\Windows\SysWOW64\Regsvr32.exe

"C:\Windows\system32\Regsvr32.exe" /u /s "C:\Program Files (x86)\PPStream\vodrc.dll"

C:\Program Files (x86)\PPStream\PPStream.exe

"C:\Program Files (x86)\PPStream\PPStream.exe"

Network


Files

C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\nsProcess.dll

C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\nxs.dll

C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\nsisFirewall.dll

C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\inetc.dll

C:\Users\Admin\AppData\Local\Temp\nsl9455.tmp

C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\ButtonEvent.dll

C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\ButtonLinker.dll

C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\nsDialogs.dll

C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\EBanner.dll

C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\Math.dll

C:\Program Files (x86)\PPStream\FlashPlayDll.dll

C:\Program Files (x86)\PPStream\ppsimage.dll

C:\Program Files (x86)\PPStream\MediaList.ocx

C:\Program Files (x86)\PPStream\Vodnet.dll

C:\Program Files (x86)\PPStream\Vodres.dll

C:\Program Files (x86)\PPStream\PowerPlayer.dll

C:\Program Files (x86)\PPStream\PSNetwork.dll

C:\Program Files (x86)\PPStream\PowerList.ocx

C:\Program Files (x86)\PPStream\Livenet.dll

C:\Program Files (x86)\PPStream\Livenet2.dll

C:\Program Files (x86)\PPStream\fds.dll

C:\Program Files (x86)\PPStream\PPStream.exe

C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\modern-wizard.bmp

C:\Users\Admin\AppData\Roaming\PPStream\powerplayer.ini

C:\Users\Admin\AppData\Roaming\PPStream\psnetwork.ini

C:\PROGRA~2\PPStream\pp2play.dll

C:\Users\Admin\AppData\Roaming\PPStream\powerlist.ini

C:\Users\Admin\AppData\Local\Temp\nsp9339.tmp\Registry.dll

C:\Users\Admin\AppData\Roaming\PPStream\adsys\ads_240652296.xml