
Windows Analysis Report
PPTV(pplive)_forap_1084_9993.exe

Overview

General Information

Sample name: PPTV(pplive)_forap_1084_9993.exe
Analysis ID: 1654799
MD5: edb25d93f8a837aaa38faa49a5f97bca
SHA1: 62d11cab837802d66b9bfbf7106c826889d492d0
SHA256: 5985eba3003cadb7b5c70985ad9c9d0ecc49b1814cdda3de1010a581c9ff56b2
Tags: exe, user-zhuzhu0009

Detection

Score: 52
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Joe Sandbox ML detected suspicious sample
Contains capabilities to detect virtual machines
Detected TCP or UDP traffic on non-standard ports
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (verdict scale: clean, suspicious, malicious)
Process tree:
  • System is w10x64
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set (rule author: frack113). EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe, ProcessId: 2692, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Compatible, Details: Compatible win32 190.49.196.96Windows/1743605309
The trailing number in the value data, 1743605309, is a Unix epoch timestamp (2025-04-02 14:48:29 UTC, about two minutes after this analysis started) and is the same value found in the 10-byte dropped file listed at the end of the report.
No Suricata rule has matched


AV Detection

Source: PPTV(pplive)_forap_1084_9993.exe. Virustotal: Detection: 19%
Source: PPTV(pplive)_forap_1084_9993.exe. ReversingLabs: Detection: 25%
Source: Submitted Sample. Neural Call Log Analysis: 99.4%
Source: PPTV(pplive)_forap_1084_9993.exe. Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE (a relocation-stripped image cannot be rebased, so the loader cannot apply ASLR to it)
Source: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe. File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe. File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe. File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe. File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe. File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe. File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
Source: global traffic. UDP traffic: 192.168.2.4:50267 -> 47.246.8.183:4226
Source: unknown. UDP traffic detected without corresponding DNS query: 47.246.8.183 (this line is repeated 50 times in the report)
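The two network findings above (UDP to a hard-coded address that was never resolved through DNS, on a port that is not a well-known service port) are a correlation check any analyst can reproduce from a PCAP or flow log. The script below is an added example written for this page, not code from the Joe Sandbox report; the flow and DNS records it runs on are constructed, and only the 192.168.2.4 -> 47.246.8.183:4226 flow mirrors the report. It goes slightly beyond the report by also handling the two cases that make a naive version noisy: a DNS answer that arrives after the first packet (which cannot have been the source of the address) and multicast or LAN destinations that are reached without DNS by design.

```python
"""Correlate UDP flows with earlier DNS answers and flag destinations that were
never resolved, i.e. the logic behind "UDP traffic detected without
corresponding DNS query" and "traffic on non-standard ports".  Added example,
not code from the Joe Sandbox report; the flow and DNS records at the bottom
are constructed (only the 192.168.2.4 -> 47.246.8.183:4226 flow mirrors the
report)."""
from collections import Counter
from dataclasses import dataclass
import ipaddress

# UDP ports a Windows client routinely talks to; anything else counts as
# "non-standard".  Assumption: an illustrative list, tune it per environment.
WELL_KNOWN_UDP = {53, 67, 68, 123, 137, 138, 161, 443, 500, 1900, 3544, 4500, 5353}


@dataclass(frozen=True)
class Flow:
    ts: float
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class DnsAnswer:
    ts: float
    qname: str
    rdata: str


def is_local_scope(addr: str) -> bool:
    """Multicast, private, link-local, loopback and reserved destinations are
    reached without DNS by design (mDNS, SSDP, DHCP, LAN peers); skip them so
    the check does not drown in LAN chatter."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_multicast or ip.is_private or ip.is_link_local
            or ip.is_loopback or ip.is_reserved)


def unresolved_udp(flows, dns):
    """Return {(dst, dport): (flow_count, non_standard_port)} for UDP flows
    whose destination did not appear in any DNS answer seen *before* the
    flow started.  Ordering matters: an answer that arrives after the first
    packet cannot have been the source of the address."""
    counts = Counter()
    for f in sorted(flows, key=lambda x: x.ts):
        if f.proto != "udp" or is_local_scope(f.dst):
            continue
        resolved_so_far = {a.rdata for a in dns if a.ts < f.ts}
        if f.dst in resolved_so_far:
            continue
        counts[(f.dst, f.dport)] += 1
    return {key: (n, key[1] not in WELL_KNOWN_UDP) for key, n in counts.items()}


# Constructed sample data.  The example.com answer and the mDNS/TCP flows are
# made up to exercise the edge cases; the 47.246.8.183:4226 flows mirror the
# report's "global traffic" line.
SAMPLE_DNS = [DnsAnswer(1.0, "example.com", "93.184.216.34")]
SAMPLE_FLOWS = [
    Flow(0.5, "udp", "192.168.2.4", 51001, "93.184.216.34", 443),  # before answer: flagged
    Flow(2.0, "udp", "192.168.2.4", 51002, "93.184.216.34", 443),  # after answer: resolved
    Flow(3.0, "udp", "192.168.2.4", 50267, "47.246.8.183", 4226),  # no DNS at all: flagged
    Flow(4.0, "udp", "192.168.2.4", 50267, "47.246.8.183", 4226),
    Flow(5.0, "udp", "192.168.2.4", 5353, "224.0.0.251", 5353),    # mDNS multicast: ignored
    Flow(6.0, "tcp", "192.168.2.4", 50300, "47.246.8.183", 6666),  # TCP: out of scope here
]

if __name__ == "__main__":
    for (dst, dport), (n, odd) in unresolved_udp(SAMPLE_FLOWS, SAMPLE_DNS).items():
        print(f"{dst}:{dport}  flows={n}  non-standard-port={odd}")
```

The TCP flow to port 6666 is included only because the behavior graph later in the report lists 47.246.8.183 with ports 4226 and 6666; the report itself shows no transport for 6666, so the example leaves TCP out of the UDP check rather than guess.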
Source: PPTV(pplive)_forap_1084_9993.exe, 00000000.00000000.1188766402.0000000000443000.00000002.00000001.01000000.00000003.sdmp. Binary or memory string: OriginalFilename Keniu.exe vs PPTV(pplive)_forap_1084_9993.exe
Source: PPTV(pplive)_forap_1084_9993.exe. Binary or memory string: OriginalFilename Keniu.exe vs PPTV(pplive)_forap_1084_9993.exe
Source: classification engine. Classification label: mal52.winEXE@1/26@0/1 (read as: malicious, score 52, Windows EXE; 1 process, 26 dropped files, 0 contacted domains, 1 contacted IP, which matches the counts elsewhere in the report)
Source: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe. Mutant created: \Sessions\1\BaseNamedObjects\7021da5380cdc0965af0b803c63a8a3duser (32 hex characters followed by the current username, "user")
Source: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe. File created: C:\Users\user\AppData\Local\Temp\9ca9f808
Source: PPTV(pplive)_forap_1084_9993.exe. Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe. Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (the Software Restriction Policies key; Windows' own Safer checks read it during process start, so this access alone is weak evidence of deliberate policy discovery)
Source: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe. Sections loaded: apphelp.dll, mfc42.dll, msvcp60.dll, uxtheme.dll, kernel.appcore.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll (loaded three times), iphlpapi.dll, wininet.dll, netapi32.dll, dhcpcsvc.dll, devobj.dll, msasn1.dll, mswsock.dll, sspicli.dll, windowscodecs.dll. The mfc42.dll and msvcp60.dll imports are the Visual C++ 6 era MFC and C++ runtimes, consistent with an old MFC build; wininet.dll, iphlpapi.dll, netapi32.dll and mswsock.dll give it its networking.
Source: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe. Automated click: OK (this line is repeated 63 times in the report; the sandbox's auto-clicker dismissed dialogs shown by the sample)
Source: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe. Process information set: NOOPENFILEERRORBOX (3 times)
Source: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe. File opened / queried: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe. Window / User API: threadDelayed 887
Source: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe. Window / User API: threadDelayed 2191
Source: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe. Window / User API: threadDelayed 1625
Source: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe, TID 1236. Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe, TID 7868. Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe, TID 7868. Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe. File opened: PhysicalDrive0
Source: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe. File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe. File Volume queried: \Device\CdRom0\ FullSizeInformation
Source: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe. Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe. Thread delayed: delay time: 60000
Source: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe. Thread delayed: delay time: 60000
Source: PPTV(pplive)_forap_1084_9993.exe, 00000000.00000003.2114309664.00000000007A0000.00000004.00000020.00020000.00000000.sdmp. Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}6
Source: PPTV(pplive)_forap_1084_9993.exe, 00000000.00000003.2883600508.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp. Binary or memory string: i#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: PPTV(pplive)_forap_1084_9993.exe, 00000000.00000003.2114309664.00000000007A0000.00000004.00000020.00020000.00000000.sdmp. Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: PPTV(pplive)_forap_1084_9993.exe, 00000000.00000003.2715270894.00000000007C9000.00000004.00000020.00020000.00000000.sdmp. Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}r
Source: PPTV(pplive)_forap_1084_9993.exe, 00000000.00000003.1192328407.0000000000762000.00000004.00000020.00020000.00000000.sdmp. Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: PPTV(pplive)_forap_1084_9993.exe, 00000000.00000003.1192328407.000000000076A000.00000004.00000020.00020000.00000000.sdmp. Binary or memory string: \\?\ROOT#SPACEPORT#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}\\?\ROOT#VOLMGR#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}e#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000c5e500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ef0-472a-8085-5ad023ecbccd}\\?\swd#printenum#{5c736109-be51-45be-96bc-5b957d00b020}#{0ecef634-6ef0-472a-8085-5ad023ecbccd}
Source: PPTV(pplive)_forap_1084_9993.exe, 00000000.00000003.1192806487.0000000000779000.00000004.00000020.00020000.00000000.sdmp. Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: PPTV(pplive)_forap_1084_9993.exe, 00000000.00000003.1192328407.0000000000762000.00000004.00000020.00020000.00000000.sdmp. Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: PPTV(pplive)_forap_1084_9993.exe, 00000000.00000003.2114309664.00000000007A0000.00000004.00000020.00020000.00000000.sdmp. Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
These are device-interface symbolic links of the analysis VM's storage: {53f56307-...} is the disk interface class, {53f56308-...} the CD-ROM class and {53f5630d-...} the volume class, and the vendor/product fields (VMware virtual disk, NECVMWar VMware SATA CD00) are what a hypervisor check keys on.
Source: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe. Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe. Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (2 times)
Source: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe. Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe. Queries volume information: \Device\CdRom0\ VolumeInformation
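The VM-detection evidence above consists almost entirely of storage device paths, so the quickest way to triage such strings from a memory dump (or to see what the sample's own check would have keyed on) is to parse them into enumerator, device ID, instance ID and interface class GUID and then look at the vendor and product fields. The following is an added example written for this page, not code from the report or from the sample; the interface GUID table covers only the three classes seen here, and the hypervisor marker list is an illustrative assumption. The input strings are copied from the report's memory-string evidence, with the stray heap bytes that trail some of them removed.

```python
r"""Parse Windows device-interface symbolic links / device instance IDs of the
kind this sample leaves in memory, and flag virtual storage hardware.  This is
an added example, not code from the report or from the sample; the strings in
REPORT_STRINGS are copied from the report's memory-string evidence."""
import re
from typing import List, NamedTuple, Optional, Tuple

# Storage interface class GUIDs from ntddstor.h (only the three seen here).
INTERFACE_CLASSES = {
    "53f56307-b6bf-11d0-94f2-00a0c91efb8b": "GUID_DEVINTERFACE_DISK",
    "53f56308-b6bf-11d0-94f2-00a0c91efb8b": "GUID_DEVINTERFACE_CDROM",
    "53f5630d-b6bf-11d0-94f2-00a0c91efb8b": "GUID_DEVINTERFACE_VOLUME",
}

# Vendor/product substrings that identify a hypervisor's emulated storage.
# Assumption: illustrative list; "necvmwar" is the vendor string VMware's
# emulated SATA CD-ROM reports, as seen in this report.  Order matters: the
# first match wins, so the more specific name comes first.
HYPERVISOR_MARKERS = ("necvmwar", "vmware", "vbox", "virtualbox", "qemu", "virtio", "xen")

_IFACE_SUFFIX = re.compile(r"#\{([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})\}$", re.I)


class DevicePath(NamedTuple):
    enumerator: str           # "scsi", "root", "storage", ...
    device_id: str            # "disk&ven_vmware&prod_virtual_disk"
    instance_id: str          # "4&1656f219&0&000000"
    interface: Optional[str]  # interface class GUID (lower case) if present
    vendor: Optional[str]     # value of the ven_ field
    product: Optional[str]    # value of the prod_ field


def parse_device_path(s: str) -> Optional[DevicePath]:
    r"""Accept both the symbolic-link form (\\?\enum#device#instance#{guid})
    and the backslash device-instance form (ENUM\DEVICE\INSTANCE)."""
    s = s.strip()
    if s.startswith("\\\\?\\"):
        s = s[4:]
    interface = None
    m = _IFACE_SUFFIX.search(s)
    if m:
        interface = m.group(1).lower()
        s = s[: m.start()]
    parts = s.split("#") if "#" in s else s.split("\\")
    parts = [p.lower() for p in parts]
    if len(parts) < 3:
        return None
    enumerator, device_id = parts[0], parts[1]
    instance_id = "#".join(parts[2:])   # volume instance IDs contain '#'
    fields = {}
    for kv in device_id.split("&"):     # "ven_vmware" -> fields["ven"] = "vmware"
        if "_" in kv:
            key, value = kv.split("_", 1)
            fields[key] = value
    return DevicePath(enumerator, device_id, instance_id, interface,
                      fields.get("ven"), fields.get("prod"))


def hypervisor_hits(strings: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (original string, matched marker, interface class name) for every
    string that names virtual storage hardware."""
    hits = []
    for s in strings:
        dp = parse_device_path(s)
        if dp is None:
            continue
        haystack = f"{dp.vendor or ''} {dp.product or ''}"
        marker = next((mk for mk in HYPERVISOR_MARKERS if mk in haystack), None)
        if marker:
            hits.append((s, marker, INTERFACE_CLASSES.get(dp.interface, dp.interface)))
    return hits


# Copied from the report's memory-string evidence (trailing heap garbage such
# as the stray "6"/"r" on some lines removed).
REPORT_STRINGS = [
    r"\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}",
    r"\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
    r"SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000",
    r"\\?\ROOT#SPACEPORT#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}",   # not virtual hardware
]

if __name__ == "__main__":
    for original, marker, iface in hypervisor_hits(REPORT_STRINGS):
        print(f"{marker:9s} {iface or '-':25s} {original}")
```

The same vendor and product fields are what a program gets back from IOCTL_STORAGE_QUERY_PROPERTY on PhysicalDrive0, which is the other artefact in this block; the registry CPU query and the volume queries are separate checks that this parser does not cover.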
Mitre ATT&CK matrix (techniques matched by this analysis, with the number of signatures the report attaches to each; unmatched cells of the matrix are omitted):
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: DLL Side-Loading (1)
  • Defense Evasion: DLL Side-Loading (1); Virtualization/Sandbox Evasion (31)
  • Discovery: Security Software Discovery (21); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (32)
  • Command and Control: Non-Standard Port (1)
  • No techniques matched for Reconnaissance, Resource Development, Initial Access, Execution, Credential Access, Lateral Movement, Collection, Exfiltration or Impact
Behavior Graph (ID 1654799): sample PPTV(pplive)_forap_1084_9993.exe, start date 02/04/2025, architecture WINDOWS, score 52
  • Signatures on the root node: Multi AV Scanner detection for submitted file; Joe Sandbox ML detected suspicious sample
  • Process started: PPTV(pplive)_forap_1084_9993.exe (graph annotations: 1 created registry value, 28 created files)
  • Network node: 47.246.8.183, ports 4226 and 6666, TAOBAOZhejiangTaobaoNetworkCoLtdCN, United States

Antivirus results (Source, Detection, Scanner):
  • PPTV(pplive)_forap_1084_9993.exe: 20%, Virustotal
  • PPTV(pplive)_forap_1084_9993.exe: 25%, ReversingLabs
  • SAMPLE: 100%, Joe Sandbox ML
No Antivirus matches for dropped files, unpacked files, domains or URLs


No contacted domains info
Contacted IPs (IP, Domain, Country, ASN, ASN Name, Malicious):
  • 47.246.8.183, unknown, United States, 24429, TAOBAOZhejiangTaobaoNetworkCoLtdCN, false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1654799
Start date and time: 2025-04-02 16:46:30 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 11s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PPTV(pplive)_forap_1084_9993.exe
Detection: MAL
Classification: mal52.winEXE@1/26@0/1
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
  • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 184.31.69.3, 172.202.163.200
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenFile calls found.
No simulations
No context
ASN context: other submissions that contacted the same ASN (TAOBAOZhejiangTaobaoNetworkCoLtdCN), given as sample name / URL, detection, threat name and contacted IP:
  • xd.spc.elf: malicious, Mirai, 163.181.237.255
  • http://url5432.inclusiveguide.com/ls/click?upn=u001.Qh-2BzOqQ65HVxjtnkYhEgqJ-2BCr-2BLmXYBuZYLp5m5HXZzcMElKRqH9EwyU8eZsO-2BWa7-2Blc9wB1-2Bg5KmW4MlrJRmLNolzlmeUZ9fLCPJITv27U3154aGX40QhUEZQ2PdiNpKnGytXhldbulEcik6fNG-2BQULEvTFxFjWtf23HwB2xnNvEqlpgWhHHS08WGw6rEON67mp-2FdwrMyRUXsypsLq2SIAzF6DGWrKj-2FBPgLWv-2BPk3nDPWlWslMF-2BTirXGfTIK0B4ZU_GQ6i-2FhfMpbAxWRy-2FcexWZ9TflPtdv0zQzg1njOHi9MOzatZhH1eXTlepztz-2FiMaDyQA5Ne0llBJ-2BwHWoSOh2odkdx1sICi-2Ba1mG817wATwAbYdeSq65x-2BTYwJyMyrth0KVapIWpC3UsxLMSzGfFjcbdUIK3X-2FLx7lYRZkM7VWmly-2Bg0yu0yvZCRmiI2diI-2FatGycVc141tNYm1DTtq-2FFZQ-3D-3D: malicious, ScreenConnect Tool, 47.246.23.240
  • the same url5432.inclusiveguide.com URL as the previous entry: malicious, ScreenConnect Tool, 163.181.246.233
  • the same url5432.inclusiveguide.com URL as the previous entry: malicious, ScreenConnect Tool, 163.181.246.233
  • the same url5432.inclusiveguide.com URL as the previous entry: malicious, Unknown, 163.181.246.233
  • https://is.gd/UFQVAx/: malicious, Unknown, 47.246.22.201
  • https://crazy-moments.com/: malicious, Unknown, 163.181.131.243
  • https://wwre.lanzoup.com/iUb312qvvxyd: malicious, Unknown, 163.181.131.211
  • http://must.com.py/vhnm/: malicious, HTMLPhisher, 163.181.131.209
  • douyin-5-5-0.exe: malicious, Sality, 163.181.92.205
None of these entries involves 47.246.8.183 itself; they share only the ASN with this sample's traffic, which on its own ties nothing to this sample.
Process: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 10
Entropy (8bit): 2.9219280948873623
Encrypted: false
SSDEEP: 3:LwZ2:v
MD5: DE6386C7531D5CDF989F8998FB3085D7
SHA1: EBBB390267789033055A2378BCF7BB4F1BDAF370
SHA-256: 1C000DDB478DEB4656A67391CDDB87A749F2CD0D2C06742B19AFEF2CF1CC3EB6
SHA-512: 7C1500855A4C3C3C6E141945400862AB441B2A3F6F04C6BE7ECD97D2354CC5B66DA5E7A710CFEB67E5E0FE7F6F9961B81E8557FA6A178884EFE1168B3A6B87AC
Malicious: false
Reputation: low
Preview: 1743605309
The content is a Unix epoch timestamp (1743605309 = 2025-04-02 14:48:29 UTC, 16:48:29 in the report's +02:00 zone, about two minutes after the analysis started); the same value appears in the User Agent\Compatible registry data the sample wrote, so the two artefacts come from the same run-time stamp.
Process: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 32
Entropy (8bit): 3.5223683589017414
Encrypted: false
SSDEEP: 3:+UaklTAnWGEn+n:+UaEMWo
MD5: B4A677E8E15E8D797CFF157C6CE9FEEF
SHA1: A448A58AF657E6213B606269627DCCB6B13E8A8C
SHA-256: 30F1C91492D624311154D320C4D5DE620F552D4E4A24830B826A553512AD5D1B
SHA-512: B43F147F79CD6A56BD2100E31605A0EFF16B3BF90BE0B7861E84180DBC110928E5DF088C3E4C0EEA88F458ACF4D8598EAD4D5102DE035C958CE6E925C84C32E2
Malicious: false
Reputation: low
Preview: a21075a36eeddd084e17611a238c7101

Process: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe
File Type: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category: dropped
Size (bytes): 30089
Entropy (8bit): 6.307647211039881
Encrypted: false
SSDEEP: 384:cD/E3rhXfc08A9i8rp5882PP0i93pwA628jo5boR0R5W:cD/ElzHhkTlX8U5bs0DW
MD5: 911BBFA77837472F03BF7D64A5DB3BE9
SHA1: A7F2A13B16CBD9B61E47B01C11E83B00D0F50462
SHA-256: 1E2713C843D13B2962AF513FD02261DD403492286471B0DAD23C66DE01CDBD7C
SHA-512: D901929163EE68E42E39B3F212897EB8E3BF17FE665D10131624BA6AE7F756DF34BAB0A4AD13AB5848520C4848B821D5E0CBE5592BDD6CC0852D6251B6D28BCC
Malicious: false
Reputation: low
Preview: ......JFIF.....`.`.....C.Y=CNC8YNHNd^Yi...zz..............................................C.^dd.u......................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.J(..0.)B..j]..J.a.S........)H#... ..(...(...1c..I....Ts.FGEK....Td`..MI=....QE.B.(...(.b@..&.4.EEX.S.%=.s"..^......QSN.`..).(...(...(...(...(...(...(...(...(...(...J(...(...(...(....Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@.%-...QE..QE..QE..QE..QE..QE..QE..(...(...JZ(.(.....(...(...(...(...(...(...(...(...(........Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@.E-..RR.

Process: C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 32
Entropy (8bit): 3.6709585933443494
Encrypted: false
SSDEEP: 3:JRDdVIyWx1cQnX:fDdVIFxXX
MD5: B427C90B069896A917D44AD8C9407CC5
SHA1: 9E821972073AA9DC8D3583D3DF0723300A5F1B75
SHA-256: 70C0DA5F827CD844FECFCD86CA8B8217AAFADF3445CDD4AD7E43C868507704BD
SHA-512: BB8AE4B19A1B980F026160859B59163B227C6AB08A459F919C1232E6493AE06D6779177458CF28D5062A265404397A1302D54F33451D3C5B572FEE8D9911FDF9
Malicious: false
Reputation: low
Preview: 594f803b380a41396ed63dca39503542
Process:C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe
File Type:data
Category:dropped
Size (bytes):30089
Entropy (8bit):6.307647211039879
Encrypted:false
SSDEEP:384:CVL55px6LriVXivbrJfKJceAUwdWj7mXGl6nSmq6K:CVL55pxCriVQbrt0Xwu7mXG6nq
MD5:252116322329CAA967C3F61A416E63F0
SHA1:DB8AA50C0AF136EE1BE0692CDF3E043CDA5BF2F1
SHA-256:AC8717E62C5A416CC80DDB2DDC24E69A1454735BC463D423F376CDF3B1F4254E
SHA-512:8805FD697E5D1855A42603F7DD93224B7BB4DB085B8C82082E9F42DF687AD5651D5115736263AEB3B532F69CC6035A7915C525C50E42EC9C0875BFA8268688B6
Malicious:false
Reputation:low
Preview:....YI....YXXXY9Y9YY..Y.Y.d...a....=..0...##.............................................Y.X.==.,...........................................................YHQ]Y\YZX{Y[HXZHX..YFYYX\XXXXXXYYYYYYYYX[Z]\_^QPSR..Y.IY[XZZ[]Z\\]]YYX$X[ZY]H\Kxh._J.8^{(Mk...Qz..L...}j;+.PSONA@C|.~qpsmlona`c................:=<?>103*-,/.! #.........................................................................YFXYZXXXXXXXXXYYYYYYX[Z]\_^QPSR..Y.HY[X[]]Z]^\]]YX[.YX[ZH]\xh_K..^8(J{k.QM....Pzj..L;+.SO}m.|.NA@C.~qpslona`c................:=<?>103*-,/.! #........................................................................YUZXY[HZHYfY.q..iSp..3.....8..........p.z...y..qY..qY..h:...&..*.......&..=9...d.....L.Sq..Sq.;......m........|d.*{.@...........9..p.q..Yq..Yq..Yq..Yq..Yq..Yq..Yq..Yq..Yq..Y.q..Sq..Sq..Sq...M..\M..\M..\M..\M..\M..\M..\M..\M..\|tMY...YM..YM..YM..YM..YM..YM..ZSq..Sq..S..qXq...[.q.[.q.[.q.[.q.[.q.[.q.[.q.[.q.[.q.].....M..\M..\M..\M..\M..\M..\M..\M..\M..\M..\M..\M..\M..\M..P.tMY...
Process:C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe
File Type:data
Category:dropped
Size (bytes):30089
Entropy (8bit):6.307647211039879
Encrypted:false
SSDEEP:384:CVL55px6LriVXivbrJfKJceAUwdWj7mXGl6nSmq6K:CVL55pxCriVQbrt0Xwu7mXG6nq
MD5:252116322329CAA967C3F61A416E63F0
SHA1:DB8AA50C0AF136EE1BE0692CDF3E043CDA5BF2F1
SHA-256:AC8717E62C5A416CC80DDB2DDC24E69A1454735BC463D423F376CDF3B1F4254E
SHA-512:8805FD697E5D1855A42603F7DD93224B7BB4DB085B8C82082E9F42DF687AD5651D5115736263AEB3B532F69CC6035A7915C525C50E42EC9C0875BFA8268688B6
Malicious:false
Reputation:low
Preview:....YI....YXXXY9Y9YY..Y.Y.d...a....=..0...##.............................................Y.X.==.,...........................................................YHQ]Y\YZX{Y[HXZHX..YFYYX\XXXXXXYYYYYYYYX[Z]\_^QPSR..Y.IY[XZZ[]Z\\]]YYX$X[ZY]H\Kxh._J.8^{(Mk...Qz..L...}j;+.PSONA@C|.~qpsmlona`c................:=<?>103*-,/.! #.........................................................................YFXYZXXXXXXXXXYYYYYYX[Z]\_^QPSR..Y.HY[X[]]Z]^\]]YX[.YX[ZH]\xh_K..^8(J{k.QM....Pzj..L;+.SO}m.|.NA@C.~qpslona`c................:=<?>103*-,/.! #........................................................................YUZXY[HZHYfY.q..iSp..3.....8..........p.z...y..qY..qY..h:...&..*.......&..=9...d.....L.Sq..Sq.;......m........|d.*{.@...........9..p.q..Yq..Yq..Yq..Yq..Yq..Yq..Yq..Yq..Yq..Y.q..Sq..Sq..Sq...M..\M..\M..\M..\M..\M..\M..\M..\M..\|tMY...YM..YM..YM..YM..YM..YM..ZSq..Sq..S..qXq...[.q.[.q.[.q.[.q.[.q.[.q.[.q.[.q.[.q.].....M..\M..\M..\M..\M..\M..\M..\M..\M..\M..\M..\M..\M..\M..P.tMY...
Process:C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe
File Type:data
Category:dropped
Size (bytes):725
Entropy (8bit):4.559175139022602
Encrypted:false
SSDEEP:12:8IbrEGMhaUsEk1qIkkTOOjVHGTeUM9Ai1kdeq2ZeVMA1PVMA12:8I4s3rpHGTZM91Hq2ZFld
MD5:AE1F2FBB17CF117018E2F100AC5ECB95
SHA1:0A51AC207E9017BF37C4B2113FC2AE18C3ACDD38
SHA-256:001AC23B6482F6F660E5E3303299FE052AEB0EC24FC2F53C6FB4E1C021044D3D
SHA-512:BA13323FBD6E891AE6116C18D21933EB741E9A9326EB77FA51AE4F0F61350CAF1AB702F0BF79E893CD04C1084872D05BD85CD39AA667700D0A2F390CE5115C7A
Malicious:false
Reputation:low
Preview:.cP}.<: :5<w.07PiPiPho`ojjjni`PPhlnlnhii`kPhnmhjmjjoiS.cP}.07...><7-PiPiPho`ojji`nnPPho`ojji`nnPho`ojji`nnS.cP.,4).-8:2w56>w-4)PhPah`kPhnmhjmjlmiPPho`ojh`nm`PhnmhjmjlmiS.cP)8><?05<w* *PhPmk`m`onk`oPhnmhjmjlmiPPho`ojh`nm`PhnmhjmjlmiS.cP.<+?.6>*PiPiPhlnlnhii`kPPhlnlnhii`kPho`omhonjhS.cP.+6>+84y.05<*PiPiPho`omhonoaPPhlnlnhii`kPhnmhjmjojjS.cP.+6>+84y.05<*yq!aopPiPiPhnmhjmjojoPPhlnlnhii`kPhnmhjmjojoS.cP.+6>+84.8-8PiPiPhnmjoilji`PPhlnlnhii`kPhnmjoilji`S.cP.<:6/<+ PiPiPho`ojh`ajlPPho`ojh`ajlPho`ojh`ajlS.cP*.8)?05<w* *PhPhonnnkhoPhnmhjmjlmiPPho`ojh`nm`PhnmhjmjlmiS.cP. *-<4y.65,4<y.7?6+48-067PiPiPho`ojh`ajnPPho`ojh`nmaPhnmhjmjhalS.cP.*<+*PiPiPho`ojjjn`kPPhlnlni`mkmPhnmjoilkmmS.cP.07=6.*PiPiPhnmhjmjojkPPhlnlni`mkmPhnmjoilkmmS
Process:C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe
File Type:data
Category:dropped
Size (bytes):725
Entropy (8bit):4.559175139022602
Encrypted:false
SSDEEP:12:8IbrEGMhaUsEk1qIkkTOOjVHGTeUM9Ai1kdeq2ZeVMA1PVMA12:8I4s3rpHGTZM91Hq2ZFld
MD5:AE1F2FBB17CF117018E2F100AC5ECB95
SHA1:0A51AC207E9017BF37C4B2113FC2AE18C3ACDD38
SHA-256:001AC23B6482F6F660E5E3303299FE052AEB0EC24FC2F53C6FB4E1C021044D3D
SHA-512:BA13323FBD6E891AE6116C18D21933EB741E9A9326EB77FA51AE4F0F61350CAF1AB702F0BF79E893CD04C1084872D05BD85CD39AA667700D0A2F390CE5115C7A
Malicious:false
Reputation:low
Preview:.cP}.<: :5<w.07PiPiPho`ojjjni`PPhlnlnhii`kPhnmhjmjjoiS.cP}.07...><7-PiPiPho`ojji`nnPPho`ojji`nnPho`ojji`nnS.cP.,4).-8:2w56>w-4)PhPah`kPhnmhjmjlmiPPho`ojh`nm`PhnmhjmjlmiS.cP)8><?05<w* *PhPmk`m`onk`oPhnmhjmjlmiPPho`ojh`nm`PhnmhjmjlmiS.cP.<+?.6>*PiPiPhlnlnhii`kPPhlnlnhii`kPho`omhonjhS.cP.+6>+84y.05<*PiPiPho`omhonoaPPhlnlnhii`kPhnmhjmjojjS.cP.+6>+84y.05<*yq!aopPiPiPhnmhjmjojoPPhlnlnhii`kPhnmhjmjojoS.cP.+6>+84.8-8PiPiPhnmjoilji`PPhlnlnhii`kPhnmjoilji`S.cP.<:6/<+ PiPiPho`ojh`ajlPPho`ojh`ajlPho`ojh`ajlS.cP*.8)?05<w* *PhPhonnnkhoPhnmhjmjlmiPPho`ojh`nm`PhnmhjmjlmiS.cP. *-<4y.65,4<y.7?6+48-067PiPiPho`ojh`ajnPPho`ojh`nmaPhnmhjmjhalS.cP.*<+*PiPiPho`ojjjn`kPPhlnlni`mkmPhnmjoilkmmS.cP.07=6.*PiPiPhnmhjmjojkPPhlnlni`mkmPhnmjoilkmmS
Process:C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe
File Type:data
Category:dropped
Size (bytes):66
Entropy (8bit):4.437498476202223
Encrypted:false
SSDEEP:3:gBSQbHySMGGM7C:aSQbH7MGGM7C
MD5:B551EC3E4F8DC28B910D38E3FC592C8B
SHA1:ED314E34220438D1D9F0F9EAC59457F4DF228E63
SHA-256:A668A6447623AAD0B0B97FC0DCD160D30DEF43AF5341AA7AC0E2B5A52DCBB3B5
SHA-512:63E134D810A05FBA531A2AA523F1CF3ABEC677F111D2670AD9F6194BB7F04768502E3FE2F124A02CA37C9EB9A374A8464628F01978B16942A9BCD2AE699BAF84
Malicious:false
Reputation:low
Preview:.c.}.07...><7-P.:+8-:1PiPiPho`ojji`nnPPho`ojji`nnPho`ojji`nnSe...g
Process:C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe
File Type:data
Category:dropped
Size (bytes):66
Entropy (8bit):4.437498476202223
Encrypted:false
SSDEEP:3:gBSQbHySMGGM7C:aSQbH7MGGM7C
MD5:B551EC3E4F8DC28B910D38E3FC592C8B
SHA1:ED314E34220438D1D9F0F9EAC59457F4DF228E63
SHA-256:A668A6447623AAD0B0B97FC0DCD160D30DEF43AF5341AA7AC0E2B5A52DCBB3B5
SHA-512:63E134D810A05FBA531A2AA523F1CF3ABEC677F111D2670AD9F6194BB7F04768502E3FE2F124A02CA37C9EB9A374A8464628F01978B16942A9BCD2AE699BAF84
Malicious:false
Reputation:low
Preview:.c.}.07...><7-P.:+8-:1PiPiPho`ojji`nnPPho`ojji`nnPho`ojji`nnSe...g
Process:C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe
File Type:data
Category:dropped
Size (bytes):5
Entropy (8bit):2.321928094887362
Encrypted:false
SSDEEP:3:DP:DP
MD5:B6509A0C82AAD15784C18C175062DA7B
SHA1:C16FE8D66FFBF8CAB0E641AB8CFA28034BA2ECE3
SHA-256:398175423E0DEC505B7961569848E10E50860212FE6FC5CFF790BA66A6858DE9
SHA-512:22C4C5D2D14B8517FAB4787002DB95915F43F3CACAA5D0DA22F1849394ABDC3398A9E4A319D48F7B2571090A5DA5D9C4979D2EDBC1433C8140E60E7A8A7B66FC
Malicious:false
Preview:e...g
Process:C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe
File Type:data
Category:dropped
Size (bytes):5
Entropy (8bit):2.321928094887362
Encrypted:false
SSDEEP:3:DP:DP
MD5:B6509A0C82AAD15784C18C175062DA7B
SHA1:C16FE8D66FFBF8CAB0E641AB8CFA28034BA2ECE3
SHA-256:398175423E0DEC505B7961569848E10E50860212FE6FC5CFF790BA66A6858DE9
SHA-512:22C4C5D2D14B8517FAB4787002DB95915F43F3CACAA5D0DA22F1849394ABDC3398A9E4A319D48F7B2571090A5DA5D9C4979D2EDBC1433C8140E60E7A8A7B66FC
Malicious:false
Preview:e...g
Process:C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe
File Type:data
Category:dropped
Size (bytes):278
Entropy (8bit):4.915578835547007
Encrypted:false
SSDEEP:6:qXOniIXyGI0XbYlFbddBGexIZbggCbTTEhNqHf8jVxPs6dX/:qHIFbYlPdBGLM1nTTHf8jVJs6dP
MD5:EA27B463F79AF42C7E2664823A4C9110
SHA1:291B694BC41440A33F3828559F1489ECBFE81913
SHA-256:2E08E855441352856C02076DD1F4273FCC8E1A66954CECF1BF9EE028D4393D2E
SHA-512:4D4005787B3C51B996EC3583D3A9E66708BB2C059B7F8CA923A601E691121633E6CA92D7F97484A0D543B6B87D2E3E11D7E6E9B626358965F82A2F875E68C3C7
Malicious:false
Preview:.Pi=oh?ajni:8=h=mhk?ai;am=hmj<hklnS..}.<: :5<w.07Pnmi8j;aoj=na8?=o;ao;hkm<im=mj8;`S..}.07...><7-Phj88<j?o=`a;h<=j?`;;<;:<ii?`jk=jS...<+?.6>*Pl8llmho<inj8:::m=hl=h<h<`m?hnomaS...+6>+84y.05<*P=?omj8lmjioi8a==n:<:h88;hm:h?j8mS...+6>+84y.05<*yq!aopP;i;k;:mm;nj```amijn;ikmk8oh:`om<S
Process:C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe
File Type:data
Category:dropped
Size (bytes):653
Entropy (8bit):4.400975260323991
Encrypted:false
SSDEEP:12:tUWPlL5/+HYYUWPlLkXNJMSUWPlLFXaWPlL/eKl/+HYnaWPlLtpKgJtJM+aWPlLr:VPt5/+HYuPtcnNPtFpPtWY/+HY5Pttpr
MD5:2DBDE768AF8DC80C125986D730917C18
SHA1:86C9758735363D32C80B4D8406D5682A34D0AA26
SHA-256:62DB7614944ED287862A72999D5BC340CC5161978805DD16A400469D5599674A
SHA-512:4D289D49FFAB58B1D61904D6C15B01ABE57F42057607C67D954B488C788A488AB9AC4B2BF719E133C0A76B541C898F24167AC1CD1F42352B65739EA5086A4072
Malicious:false
Preview:.c.}.<: :5<w.07P.thtltkhtkkmohkkolatjo`jmilhhntkmnonloojmthiiiPiPiPho`ojkjmonPPho`ojkjmonPho`ojkjmonS.c.}.<: :5<w.07P.thtltkhtkkmohkkolatjo`jmilhhntkmnonloojmthiihPiPiPho`ojji`omPPho`ojkjoaoPho`ojji`omS.c.}.<: :5<w.07P.thtltkhtkkmohkkolatjo`jmilhhntkmnonloojmthiikPiPiPhnmhjmjjokPPho`ojjjni`PhnmhjmjlmmS.c.}.<: :5<w.07..thtltkhtkkmohkkolatjo`jmilhhntkmnonloojmthiiiP=<*2-6)w070PhPhk`Pho`ojkjmonPPho`ojkjmonPho`ojkjmonS.c.}.<: :5<w.07..thtltkhtkkmohkkolatjo`jmilhhntkmnonloojmthiihP=<*2-6)w070PhPhk`Pho`ojkjoaoPPho`ojkjoaoPho`ojjilhkS.c.}.<: :5<w.07..thtltkhtkkmohkkolatjo`jmilhhntkmnonloojmthiikP=<*2-6)w070PhPhk`Pho`ojjjni`PPho`ojjjni`PhnmjoilkjjSe...g
Process:C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe
File Type:data
Category:dropped
Size (bytes):653
Entropy (8bit):4.400975260323991
Encrypted:false
SSDEEP:12:tUWPlL5/+HYYUWPlLkXNJMSUWPlLFXaWPlL/eKl/+HYnaWPlLtpKgJtJM+aWPlLr:VPt5/+HYuPtcnNPtFpPtWY/+HY5Pttpr
MD5:2DBDE768AF8DC80C125986D730917C18
SHA1:86C9758735363D32C80B4D8406D5682A34D0AA26
SHA-256:62DB7614944ED287862A72999D5BC340CC5161978805DD16A400469D5599674A
SHA-512:4D289D49FFAB58B1D61904D6C15B01ABE57F42057607C67D954B488C788A488AB9AC4B2BF719E133C0A76B541C898F24167AC1CD1F42352B65739EA5086A4072
Malicious:false
Preview:.c.}.<: :5<w.07P.thtltkhtkkmohkkolatjo`jmilhhntkmnonloojmthiiiPiPiPho`ojkjmonPPho`ojkjmonPho`ojkjmonS.c.}.<: :5<w.07P.thtltkhtkkmohkkolatjo`jmilhhntkmnonloojmthiihPiPiPho`ojji`omPPho`ojkjoaoPho`ojji`omS.c.}.<: :5<w.07P.thtltkhtkkmohkkolatjo`jmilhhntkmnonloojmthiikPiPiPhnmhjmjjokPPho`ojjjni`PhnmhjmjlmmS.c.}.<: :5<w.07..thtltkhtkkmohkkolatjo`jmilhhntkmnonloojmthiiiP=<*2-6)w070PhPhk`Pho`ojkjmonPPho`ojkjmonPho`ojkjmonS.c.}.<: :5<w.07..thtltkhtkkmohkkolatjo`jmilhhntkmnonloojmthiihP=<*2-6)w070PhPhk`Pho`ojkjoaoPPho`ojkjoaoPho`ojjilhkS.c.}.<: :5<w.07..thtltkhtkkmohkkolatjo`jmilhhntkmnonloojmthiikP=<*2-6)w070PhPhk`Pho`ojjjni`PPho`ojjjni`PhnmjoilkjjSe...g
Process:C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe
File Type:data
Category:dropped
Size (bytes):757760
Entropy (8bit):5.343362298310796
Encrypted:false
SSDEEP:3072:1ILDYmLt+dfs3oBfYkJARJ0XUO/fRofXXVHAi5x9a4K0m9cne26NcP5BEQFY:qt+d03oBfvEXKiK01nKNMBEQe
MD5:354A9BB55038621D99261847FDC6B897
SHA1:2E42C0C690263F1C8F5F67DB4F669843BBD33A72
SHA-256:103A0CDE7D2D250B26AE986C2B767CDB2C24E382EA05FB6123A51E8FD2974BF1
SHA-512:1E4A505E78AB2A58D3A0F758886CD10A0557A6FDC3AF532F6AEB83E00A4F64324C93D3F985ECA4A6F52BCE80324CABF87B80B194AF411D18EC7A0553CEF5E2E9
Malicious:false
Preview:.c..+6>+84y.05<*yq!aopP8,-60-jPiPiPhnmhjmjojnPPho`ojjijh`PhnmhjmjojnS.c..+6>+84y.05<*yq!aopP:64467y?05<*PiPiPho`omhniinPPhlnlnhii`kPhnmhjmjkilS.c..+6>+84y.05<*yq!aopP=<*2-6)w070PhPhnmPhlnlni``okPPhlnlnhii`mPhnmjoilkjjS.c..+6>+84y.05<*yq!aopP>66>5<PiPiPhnmhjmjklkPPho`ojjii`aPhnmhjmjklkS.c..+6>+84y.05<*yq!aopP07-<+7<-y<!)56+<+PiPiPhookoiooalPPhlnlnhii`kPho`omhoa`hS.c..+6>+84y.05<*yq!aopP38/8PiPiPho`ojjioojPPho`ojjioojPho`omia`ohS.c..+6>+84y.05<*yq!aopP3=6.7568=<+PiPiPhnmhjmjojoPPhnmhjmjojoPhnmhjmjojoS.c..+6>+84y.05<*yq!aopP40:+6*6?-PiPiPho`ojjmnmhPPhookoioninPhnmhjmjkanS.c..+6>+84y.05<*yq!aopP40:+6*6?-y6??0:<PiPiPho`omhoa``PPho`omhonoaPhnmhjmjohoS.c..+6>+84y.05<*yq!aopP40:+6*6?-y67<=+0/<PiPiPho`omhnkhaPPho`ojjmo`hPhnmhjmjlmmS.c..+6>+84y.05<*yq!aopP40:+6*6?-w7<-PiPiPho`omhniinPPhlnlnhii`kPho`omhniinS.c..+6>+84y.05<*yq!aopP46#0558y4807-<787:<y*<+/0:<PiPiPho`ojjin``PPho`ojjin``Pho`omhnijlS.c..+6>+84y.05<*yq!aopP4*;,05=PiPiPho`ojjihooPPho`ojjihooPho`omia`okS.c..+6>+84y.05<*yq!aopP4*<:8:1<PiP
Process:C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe
File Type:data
Category:dropped
Size (bytes):2736221
Entropy (8bit):5.361776331943547
Encrypted:false
SSDEEP:24576:9UBVRJ8NppjY/FwDDRkmQN76al90bd2U2Amr0Qu:9UBVCppdQu
MD5:5CCD24AF8A23BA1ACE513CDB2615B900
SHA1:7796472D667813EF3B59772AF50A2BF66F5A2145
SHA-256:A6B4D718072AE1D5055720E2C481BAC835E5AFD680DFFAF46DD1D767DE3C7E40
SHA-512:7FE4EE24461267D2AF55F1B3AD90D1E86459C4839DEB31A1D54AA27641A4D363038C45B6EC9D0EA55D675291C32727F025E4359BAEAC9A0D680B78E39A4F421E
Malicious:false
Preview:.c..+6>+84y.05<*Pnt.0)PiPiPho`ojjikaaPPho`ojjikaaPho`omhoaikS.c..+6>+84y.05<*P.=6;<PiPiPho`ojjim`mPPho`ojjim`mPho`omhoaaaS.c..+6>+84y.05<*P.64467y.05<*PiPiPho`ojjimlkPPhlnlnhii`kPhnmhjmjkilS.c..+6>+84y.05<*P=<*2-6)w070PhPhnmPhlnlni``okPPhlnlnhii`mPhnmjoilkjjS.c..+6>+84y.05<*P.66>5<PiPiPho`ojjihhlPPho`ojjihhlPhnmhjmjlaiS.c..+6>+84y.05<*P.7-<+7<-y.!)56+<+PiPiPhookoiooalPPhlnlnhii`kPho`omia`okS.c..+6>+84y.05<*P.0:+6*6?-PiPiPho`ojjlhjmPPho`ojjlhjmPho`omia`okS.c..+6>+84y.05<*P.0:+6*6?-y.??0:<yhlPiPiPho`omhonoaPPho`omhonoaPho`omhonoaS.c..+6>+84y.05<*P.6=0?08;5<.07=6.*.))*PiPiPhlnlnhii`kPPhlnlnhii`kPho`omia`okS.c..+6>+84y.05<*P.6#0558y.0+<?6!PiPiPho`ojjiaihPPho`ojjin`oPho`omhonjmS.c..+6>+84y.05<*P...,05=PiPiPho`ojjihooPPho`ojjihooPho`omia`okS.c..+6>+84y.05<*P.<?<+<7:<y.**<4;50<*PiPiPho`ojjihooPPho`ojjihooPhnmhjmjkilS.c..+6>+84y.05<*P.707*-855y.7?6+48-067PiPiPho`ojh`nokPPho`ojh`nokPho`omia`okS.c..+6>+84y.05<*P.07=6.*y.<?<7=<+PiPiPho`ojjh``aPPhlnlnhii`kPho`omhoniaS.c..+6>+84y.05<*P.07=6.*y.<?<7
Process:C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe
File Type:data
Category:dropped
Size (bytes):2736221
Entropy (8bit):5.361776331943547
Encrypted:false
SSDEEP:24576:9UBVRJ8NppjY/FwDDRkmQN76al90bd2U2Amr0Qu:9UBVCppdQu
MD5:5CCD24AF8A23BA1ACE513CDB2615B900
SHA1:7796472D667813EF3B59772AF50A2BF66F5A2145
SHA-256:A6B4D718072AE1D5055720E2C481BAC835E5AFD680DFFAF46DD1D767DE3C7E40
SHA-512:7FE4EE24461267D2AF55F1B3AD90D1E86459C4839DEB31A1D54AA27641A4D363038C45B6EC9D0EA55D675291C32727F025E4359BAEAC9A0D680B78E39A4F421E
Malicious:false
Preview:.c..+6>+84y.05<*Pnt.0)PiPiPho`ojjikaaPPho`ojjikaaPho`omhoaikS.c..+6>+84y.05<*P.=6;<PiPiPho`ojjim`mPPho`ojjim`mPho`omhoaaaS.c..+6>+84y.05<*P.64467y.05<*PiPiPho`ojjimlkPPhlnlnhii`kPhnmhjmjkilS.c..+6>+84y.05<*P=<*2-6)w070PhPhnmPhlnlni``okPPhlnlnhii`mPhnmjoilkjjS.c..+6>+84y.05<*P.66>5<PiPiPho`ojjihhlPPho`ojjihhlPhnmhjmjlaiS.c..+6>+84y.05<*P.7-<+7<-y.!)56+<+PiPiPhookoiooalPPhlnlnhii`kPho`omia`okS.c..+6>+84y.05<*P.0:+6*6?-PiPiPho`ojjlhjmPPho`ojjlhjmPho`omia`okS.c..+6>+84y.05<*P.0:+6*6?-y.??0:<yhlPiPiPho`omhonoaPPho`omhonoaPho`omhonoaS.c..+6>+84y.05<*P.6=0?08;5<.07=6.*.))*PiPiPhlnlnhii`kPPhlnlnhii`kPho`omia`okS.c..+6>+84y.05<*P.6#0558y.0+<?6!PiPiPho`ojjiaihPPho`ojjin`oPho`omhonjmS.c..+6>+84y.05<*P...,05=PiPiPho`ojjihooPPho`ojjihooPho`omia`okS.c..+6>+84y.05<*P.<?<+<7:<y.**<4;50<*PiPiPho`ojjihooPPho`ojjihooPhnmhjmjkilS.c..+6>+84y.05<*P.707*-855y.7?6+48-067PiPiPho`ojh`nokPPho`ojh`nokPho`omia`okS.c..+6>+84y.05<*P.07=6.*y.<?<7=<+PiPiPho`ojjh``aPPhlnlnhii`kPho`omhoniaS.c..+6>+84y.05<*P.07=6.*y.<?<7
Process:C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe
File Type:data
Category:dropped
Size (bytes):427
Entropy (8bit):5.031365650954939
Encrypted:false
SSDEEP:6:dz2bCpRYgUohm2DcLNr2TKNhJgYSKLVSKzeTKNhJgYSKLVSKFn:dz2bCLt6NSTefgY3eTefgYJn
MD5:1ACEDD7561796EC339677291EA696E30
SHA1:91F5A52A55F3536B4C8B415BEFB66B282501D7A5
SHA-256:2009C93FE8D3A26879EA9765AEAA42D72B18CCD8E7A4A70EF0CEBAA81BBD7B09
SHA-512:B7AA64F370AB5CCB20AF21125F550E5299846494AA55DA5BF32AA410420F432FBFCFE7531E501871145C93F7C1D34B26242C046021691E95CB7081476F9D2865
Malicious:false
Preview:o`kk:mk;cykiklimikhimnk`TS8jl`ah=jcy.c..*<+*.367<*..)).8-8..6:85..<4).7.7.>.8.7././.?..kiklimikhimnk`.hw8+3TSi8nhnk=;cykahTSh?ok:nincy=onh88?<TSTSiP.cPkj``ahk`noomP,3:(26P376*7(?>:2?+P,3:(26rr376*7(?>:2?+rrioiik:m`?k<:=moioo`j`ol?kjm<=l8hrri!8=m??`kaPiPioiik:m`?k<:=moioo`j`ol?kjm<=l8hShP.cPkj``ahk`noomP,3:(26P376*7(?>:2?+P,3:(26rr376*7(?>:2?+rrioiik:m`?k<:=moioo`j`ol?kjm<=l8hrri!8=m??`kaPiPioiik:m`?k<:=moioo`j`ol?kjm<=l8hSk
Process:C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe
File Type:data
Category:dropped
Size (bytes):427
Entropy (8bit):5.031365650954939
Encrypted:false
SSDEEP:6:dz2bCpRYgUohm2DcLNr2TKNhJgYSKLVSKzeTKNhJgYSKLVSKFn:dz2bCLt6NSTefgY3eTefgYJn
MD5:1ACEDD7561796EC339677291EA696E30
SHA1:91F5A52A55F3536B4C8B415BEFB66B282501D7A5
SHA-256:2009C93FE8D3A26879EA9765AEAA42D72B18CCD8E7A4A70EF0CEBAA81BBD7B09
SHA-512:B7AA64F370AB5CCB20AF21125F550E5299846494AA55DA5BF32AA410420F432FBFCFE7531E501871145C93F7C1D34B26242C046021691E95CB7081476F9D2865
Malicious:false
Preview:o`kk:mk;cykiklimikhimnk`TS8jl`ah=jcy.c..*<+*.367<*..)).8-8..6:85..<4).7.7.>.8.7././.?..kiklimikhimnk`.hw8+3TSi8nhnk=;cykahTSh?ok:nincy=onh88?<TSTSiP.cPkj``ahk`noomP,3:(26P376*7(?>:2?+P,3:(26rr376*7(?>:2?+rrioiik:m`?k<:=moioo`j`ol?kjm<=l8hrri!8=m??`kaPiPioiik:m`?k<:=moioo`j`ol?kjm<=l8hShP.cPkj``ahk`noomP,3:(26P376*7(?>:2?+P,3:(26rr376*7(?>:2?+rrioiik:m`?k<:=moioo`j`ol?kjm<=l8hrri!8=m??`kaPiPioiik:m`?k<:=moioo`j`ol?kjm<=l8hSk
Process:C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe
File Type:data
Category:dropped
Size (bytes):378
Entropy (8bit):5.469344631595856
Encrypted:false
SSDEEP:6:dHUpRYgUohmLvL8wgaf9EtcKzH/sQcKYgWXH+CVHOKPHS6S98YgWXH+CVHOKPHSy:dHULST8wbOjxsXHTVHOKPG8sXHTVHOKZ
MD5:24B55F1C583CC74ECA1541B572FF684E
SHA1:5844C304864492181BC694DAA01557DCAD66906D
SHA-256:F886E3C1538A362C6F15ECB014274EBEC6734E7158800982ACA1D24EE486AC2B
SHA-512:30F9D59F76B92195AAA3F23CC4EA488469CDC95B615E423911B56726CCE0FFF90955A129E782C6DC43B2FD42CDFD231FA6831754839EBF45A0A300BF32E90FFF
Malicious:false
Preview:o`kk:mk;cykiklimikhimalmTS8jl`ah=jcy.c..*<+*.367<*..)).8-8..6:85..<4).7.7.>.8.7././.?..kiklimikhimalm.kw8+3TSi8nhnk=;cykjkTSh?ok:nincyoj<klo;`TSTSjili`iX.7-<5q.py.6+<q..pky...yooiiy.ykwmiy..#XraXPowkw`kiiyXjkjkkjoijoP..t.mt..t..thltaaPjkjkkjoijjSXX367<*Xhnjk`jionnX.c..*<+*.367<*..<*2-6).....q))50/<p.?6+8).hiam.```jw<!<XkX.c..*<+*.367<*..<*2-6).....q))50/<p.?6+8).hiam.```jw<!<
Process:C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe
File Type:data
Category:dropped
Size (bytes):378
Entropy (8bit):5.469344631595856
Encrypted:false
SSDEEP:6:dHUpRYgUohmLvL8wgaf9EtcKzH/sQcKYgWXH+CVHOKPHS6S98YgWXH+CVHOKPHSy:dHULST8wbOjxsXHTVHOKPG8sXHTVHOKZ
MD5:24B55F1C583CC74ECA1541B572FF684E
SHA1:5844C304864492181BC694DAA01557DCAD66906D
SHA-256:F886E3C1538A362C6F15ECB014274EBEC6734E7158800982ACA1D24EE486AC2B
SHA-512:30F9D59F76B92195AAA3F23CC4EA488469CDC95B615E423911B56726CCE0FFF90955A129E782C6DC43B2FD42CDFD231FA6831754839EBF45A0A300BF32E90FFF
Malicious:false
Preview:o`kk:mk;cykiklimikhimalmTS8jl`ah=jcy.c..*<+*.367<*..)).8-8..6:85..<4).7.7.>.8.7././.?..kiklimikhimalm.kw8+3TSi8nhnk=;cykjkTSh?ok:nincyoj<klo;`TSTSjili`iX.7-<5q.py.6+<q..pky...yooiiy.ykwmiy..#XraXPowkw`kiiyXjkjkkjoijoP..t.mt..t..thltaaPjkjkkjoijjSXX367<*Xhnjk`jionnX.c..*<+*.367<*..<*2-6).....q))50/<p.?6+8).hiam.```jw<!<XkX.c..*<+*.367<*..<*2-6).....q))50/<p.?6+8).hiam.```jw<!<
Process:C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe
File Type:data
Category:dropped
Size (bytes):5272
Entropy (8bit):4.948068060623485
Encrypted:false
SSDEEP:96:lcYWrKOCGT7eBw/afu9umTBDYJdUqM6BXpbEYKlWP3jY9zGCfw:Cc+e6/Hkmd0Qqboxl76Cfw
MD5:269369DCF4CA0922638B72F9B0597F05
SHA1:B0BC2EDC5CCABE6B6EC955B4E3D30161C2DB77BA
SHA-256:BB1D46A23446FB891E10E7B1F95C8D9CF84AABBF99258ECE71F127221210A08F
SHA-512:B811D0D4EC137B27C2464C665FC3D5F89554CA3232BE033DC069564102057987842EBD2EC2A4D9182A18A775E2495590D1DA9E7F55A7879EC7291BC81A906920
Malicious:false
Preview:o`kk:mk;cykiklimikhimalmTS8jl`ah=jcy.c..*<+*.367<*..)).8-8..6:85..<4).7.7.>.8.7././.?..kiklimikhimalm.jw8+3TSi8nhnk=;cylhklTSh?ok:nincym=ha?<j:TSTSiP. *-<4PmPPPPPShP.<>0*-+ P`kPPPPPSkP*4**w<!<PjkaPPPPPSjP:*+**w<!<PmhkPPPPPSmP.07070-w<!<PmaaPPPPPSlP:*+**w<!<Pm`oPPPPPSoP.0756>67w<!<PloiPPPPPSnP*<+/0:<*w<!<PojkPPPPPSaP5*8**w<!<PomiPPPPPS`P*/:16*-w<!<PnoiPPPPPShiP?67-=+/16*-w<!<PnamPPPPPShhP?67-=+/16*-w<!<Pn`kPPPPPShkP*/:16*-w<!<PaaiPPPPPShjP*/:16*-w<!<P`kaPPPPPShmP=.4w<!<P``kPPPPPShlP*/:16*-w<!<PjnkPPPPPShoP*/:16*-w<!<Pj`oPPPPPShnP*/:16*-w<!<PokaPPPPPShaP*/:16*-w<!<PhikaPPPPPSh`P*/:16*-w<!<PhimaPPPPPSkiP*/:16*-w<!<PhhiaPPPPPSkhP*/:16*-w<!<PhhhoPPPPPSkkP*/:16*-w<!<PhhnkPPPPPSkjP*/:16*-w<!<PhknoPPPPPSkmP*/:16*-w<!<PhjmaPPPPPSklP*/:16*-w<!<PhjloPPPPPSkoP*/:16*-w<!<PhmhkPPPPPSknP*/:16*-w<!<PhmloPPPPPSkaP.<46+ y.64)+<**067PhliaPPPPPSk`P*/:16*-w<!<PhlloPPPPPSjiP*/:16*-w<!<PhlaaPPPPPSjhP*/:16*-w<!<PholoPPPPPSjkP*/:16*-w<!<PhoomPPPPPSjjP*/:16*-w<!<PhnjoPPPPPSjmP*/:16*-w<!<PhakmPPPPPSjlP*/:16*-w<!
Process:C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe
File Type:data
Category:dropped
Size (bytes):5272
Entropy (8bit):4.948068060623485
Encrypted:false
SSDEEP:96:lcYWrKOCGT7eBw/afu9umTBDYJdUqM6BXpbEYKlWP3jY9zGCfw:Cc+e6/Hkmd0Qqboxl76Cfw
MD5:269369DCF4CA0922638B72F9B0597F05
SHA1:B0BC2EDC5CCABE6B6EC955B4E3D30161C2DB77BA
SHA-256:BB1D46A23446FB891E10E7B1F95C8D9CF84AABBF99258ECE71F127221210A08F
SHA-512:B811D0D4EC137B27C2464C665FC3D5F89554CA3232BE033DC069564102057987842EBD2EC2A4D9182A18A775E2495590D1DA9E7F55A7879EC7291BC81A906920
Malicious:false
Preview:o`kk:mk;cykiklimikhimalmTS8jl`ah=jcy.c..*<+*.367<*..)).8-8..6:85..<4).7.7.>.8.7././.?..kiklimikhimalm.jw8+3TSi8nhnk=;cylhklTSh?ok:nincym=ha?<j:TSTSiP. *-<4PmPPPPPShP.<>0*-+ P`kPPPPPSkP*4**w<!<PjkaPPPPPSjP:*+**w<!<PmhkPPPPPSmP.07070-w<!<PmaaPPPPPSlP:*+**w<!<Pm`oPPPPPSoP.0756>67w<!<PloiPPPPPSnP*<+/0:<*w<!<PojkPPPPPSaP5*8**w<!<PomiPPPPPS`P*/:16*-w<!<PnoiPPPPPShiP?67-=+/16*-w<!<PnamPPPPPShhP?67-=+/16*-w<!<Pn`kPPPPPShkP*/:16*-w<!<PaaiPPPPPShjP*/:16*-w<!<P`kaPPPPPShmP=.4w<!<P``kPPPPPShlP*/:16*-w<!<PjnkPPPPPShoP*/:16*-w<!<Pj`oPPPPPShnP*/:16*-w<!<PokaPPPPPShaP*/:16*-w<!<PhikaPPPPPSh`P*/:16*-w<!<PhimaPPPPPSkiP*/:16*-w<!<PhhiaPPPPPSkhP*/:16*-w<!<PhhhoPPPPPSkkP*/:16*-w<!<PhhnkPPPPPSkjP*/:16*-w<!<PhknoPPPPPSkmP*/:16*-w<!<PhjmaPPPPPSklP*/:16*-w<!<PhjloPPPPPSkoP*/:16*-w<!<PhmhkPPPPPSknP*/:16*-w<!<PhmloPPPPPSkaP.<46+ y.64)+<**067PhliaPPPPPSk`P*/:16*-w<!<PhlloPPPPPSjiP*/:16*-w<!<PhlaaPPPPPSjhP*/:16*-w<!<PholoPPPPPSjkP*/:16*-w<!<PhoomPPPPPSjjP*/:16*-w<!<PhnjoPPPPPSjmP*/:16*-w<!<PhakmPPPPPSjlP*/:16*-w<!
Process:C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe
File Type:data
Category:dropped
Size (bytes):290
Entropy (8bit):5.360050265950672
Encrypted:false
SSDEEP:6:dPrpRYgUohmKpLo3LF0ewNIiR/sGFeJX/OO7cj:djLlyLvwNIaDwX2O7C
MD5:5CDCB059FD1874BA01359AC1648BA97C
SHA1:60F997917FA76BF2957734C69BB6F0C0E295A462
SHA-256:1113E7D11B9EA75D4EAF624B3B08ACE8267E7DDF2227FA0CD02ED3D0F6CE8713
SHA-512:222BBD7819BE34E0C3F4D51DEDD3F1EC95F4251BD96B28DA3004BE876B3943E1FFD28D0BE0043E439254652DB2F5212CB7DCA1BA10D850AB10E57DED30EB9796
Malicious:false
Preview:o`kk:mk;cykiklimikhimal`TS8jl`ah=jcy.c..*<+*.367<*..)).8-8..6:85..<4).7.7.>.8.7././.?..kiklimikhimal`.mw8+3TSi8nhnk=;cyhmjTSh?ok:nincy`i8ajk=<TSTSiP".j.`k...t.l.ntmn.at.mant.moo.mkijl.h$P..t.mt..t..thltaaPjkjkkjoijoPjkjkkjoijjPiitlitlot.ntkhthlP.7-<5q.pyaklnm.y.0>8;0-y.<-.6+2y.677<:-067ShY
Process:C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe
File Type:data
Category:dropped
Size (bytes):290
Entropy (8bit):5.360050265950672
Encrypted:false
SSDEEP:6:dPrpRYgUohmKpLo3LF0ewNIiR/sGFeJX/OO7cj:djLlyLvwNIaDwX2O7C
MD5:5CDCB059FD1874BA01359AC1648BA97C
SHA1:60F997917FA76BF2957734C69BB6F0C0E295A462
SHA-256:1113E7D11B9EA75D4EAF624B3B08ACE8267E7DDF2227FA0CD02ED3D0F6CE8713
SHA-512:222BBD7819BE34E0C3F4D51DEDD3F1EC95F4251BD96B28DA3004BE876B3943E1FFD28D0BE0043E439254652DB2F5212CB7DCA1BA10D850AB10E57DED30EB9796
Malicious:false
Preview:o`kk:mk;cykiklimikhimal`TS8jl`ah=jcy.c..*<+*.367<*..)).8-8..6:85..<4).7.7.>.8.7././.?..kiklimikhimal`.mw8+3TSi8nhnk=;cyhmjTSh?ok:nincy`i8ajk=<TSTSiP".j.`k...t.l.ntmn.at.mant.moo.mkijl.h$P..t.mt..t..thltaaPjkjkkjoijoPjkjkkjoijjPiitlitlot.ntkhthlP.7-<5q.pyaklnm.y.0>8;0-y.<-.6+2y.677<:-067ShY
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.244988654030914
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.83%
  • Windows Screen Saver (13104/52) 0.13%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:PPTV(pplive)_forap_1084_9993.exe
File size:282'624 bytes
MD5:edb25d93f8a837aaa38faa49a5f97bca
SHA1:62d11cab837802d66b9bfbf7106c826889d492d0
SHA256:5985eba3003cadb7b5c70985ad9c9d0ecc49b1814cdda3de1010a581c9ff56b2
SHA512:7a0c1f7143d9aba3e1ed393582f4ec3848e3561a87dd0a076f62e400825cb9b3070acc8d51b67f8605299108b45c1f4dd58125fc661319ffa72481adc3622f32
SSDEEP:3072:rMTvoM/aqSxUN7TXjElRiTthKNXUHgOMZaiqii/b8t1Z1W7AdyyD39rhAd8tUVzR:ivhRf+RAg9Z5ryJaSgC5q5G1K4L
TLSH:B3546D02E7CEC4B1FD162EB424AB27B74239AD450D09A7E3BB54DD3A84371A1B93650F
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=...y..Ky..Ky..K...K~..K...Kx..K...K...K...Km..K...K{..K...K|..K...Kr..K...K}..KO..Kz..Ky..KL..KO..KW..K...Kx..KRichy..K.......
Icon Hash:0fbd3da7e367339e
Entrypoint:0x436f8f
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:0x675D0BBE [Sat Dec 14 04:38:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:04f4557c0e26881e301e90da4e144d69
Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00439CF0h
push 004370F4h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [004393ECh]
pop ecx
or dword ptr [00442014h], FFFFFFFFh
or dword ptr [00442018h], FFFFFFFFh
call dword ptr [004393F0h]
mov ecx, dword ptr [00442008h]
mov dword ptr [eax], ecx
call dword ptr [004393F4h]
mov ecx, dword ptr [00442004h]
mov dword ptr [eax], ecx
mov eax, dword ptr [004393F8h]
mov eax, dword ptr [eax]
mov dword ptr [00442010h], eax
call 00007FA860B1C0B8h
cmp dword ptr [0043F180h], ebx
jne 00007FA860B1BF9Eh
push 0043711Eh
call dword ptr [00439400h]
pop ecx
call 00007FA860B1C08Ah
push 0043D064h
push 0043D060h
call 00007FA860B1C075h
mov eax, dword ptr [00442000h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00441FFCh]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [004393E0h]
push 0043D05Ch
push 0043D000h
call 00007FA860B1C042h
Programming Language:
  • [C++] VS98 (6.0) SP6 build 8804
  • [EXP] VC++ 6.0 SP5 build 8804
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x3b1a0          0x118         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x43000          0x47c0        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x39000          0x4f4         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
.text   0x1000           0x37025       0x38000   5c2458a7716636c46bc171e4eb98ae69  False     0.49240548270089285  data       6.435083412708649   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x39000          0x3c7e        0x4000    5a7df9cd88d6aa8fecaefd33b7565123  False     0.3641357421875      data       5.2350400462593845  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x3d000          0x501c        0x3000    c210c287a2ef937edbf1885baf8c5920  False     0.24763997395833334  data       3.1739799882223942  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x43000          0x47c0        0x5000    57e74659e476458c36bc4e72835cd424  False     0.425390625          data       4.4964956826368265  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
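The header fields above are worth checking by hand rather than trusting the summary: Image File Characteristics includes RELOCS_STRIPPED, the BASERELOC directory is empty, DLL Characteristics is empty, and the image base is 0x400000. Together these mean the binary carries no relocation table and does not opt in to ASLR (DYNAMIC_BASE) or DEP (NX_COMPAT); it can only ever be mapped at 0x400000, so every absolute address in the entry-point disassembly above (the IAT slots 0x4393E0..0x439400 sit inside the IAT directory at RVA 0x39000, size 0x4f4, in .rdata) is stable across runs, which is convenient for the analyst and a sign of an old VC6 toolchain rather than of any anti-analysis effort. The Python below is an added example, not part of the report: it parses the DOS header, COFF header, optional header and section table with struct, decodes the two characteristics fields into the names the report uses, reports which mitigations are missing and flags any section mapped both writable and executable. The minimal PE it builds as input is constructed for the example (a header-only PE32 carrying the values from this report's tables), not the sample itself.

```python
"""Parse PE headers and report missing exploit mitigations (added example)."""
import struct

# IMAGE_FILE_HEADER.Characteristics bits, named as the report names them
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits that control exploit mitigations
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",      # ASLR opt-in
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",         # DEP opt-in
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
}
MITIGATIONS = ("DYNAMIC_BASE", "NX_COMPAT", "GUARD_CF")

SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000


def _names(value: int, table: dict) -> list:
    """Flag names for the bits set in value, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_headers(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine, nsect, timestamp, _symtab, _nsyms,
     opt_size, file_chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:      # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)

    sections, wx = [], []
    for i in range(nsect):   # section headers follow the optional header, 40 bytes each
        (name, vsize, va, rsize, _raw, _rel, _ln, _nrel, _nln,
         chars) = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, va, vsize, rsize, chars))
        if chars & SCN_MEM_EXECUTE and chars & SCN_MEM_WRITE:
            wx.append(name)

    dll_names = _names(dll_chars, DLL_CHARACTERISTICS)
    return {
        "machine": machine,
        "timestamp": timestamp,
        "image_base": image_base,
        "entry_point": image_base + entry_rva,
        "subsystem": subsystem,
        "file_characteristics": _names(file_chars, FILE_CHARACTERISTICS),
        "dll_characteristics": dll_names,
        "missing_mitigations": [m for m in MITIGATIONS if m not in dll_names],
        # RELOCS_STRIPPED: no relocation table, so the loader can never rebase the image
        "fixed_base": bool(file_chars & 0x0001),
        "sections": sections,
        "wx_sections": wx,
    }


def build_minimal_pe(file_chars: int, dll_chars: int, sections) -> bytes:
    """Assemble a header-only PE32 image as constructed test input (not a real binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x675D0BBE, 0, 0, 224, file_chars)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 16, 0x36F8F)           # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)          # ImageBase
    struct.pack_into("<HH", opt, 68, 2, dll_chars)     # Subsystem=GUI, DllCharacteristics
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), vs, va, rs, 0, 0, 0, 0, 0, ch)
        for n, va, vs, rs, ch in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    # Header values taken from this report's tables (constructed input, not the sample file)
    pe = build_minimal_pe(0x010F, 0x0000, [
        (".text", 0x1000, 0x37025, 0x38000, 0x60000020),
        (".rdata", 0x39000, 0x3c7e, 0x4000, 0x40000040),
        (".data", 0x3d000, 0x501c, 0x3000, 0xC0000040),
    ])
    info = parse_pe_headers(pe)
    print("entry 0x%x, file characteristics %s" % (info["entry_point"], info["file_characteristics"]))
    print("missing mitigations:", info["missing_mitigations"], "fixed base:", info["fixed_base"])
```

On the real file, read it with open(path, "rb").read() and pass the bytes to parse_pe_headers; the entry point should come out as 0x436f8f, the file characteristics as the five names the report lists, and missing_mitigations as all three. The entry-point listing above is the standard VC6 CRT startup (push 2 / call through the IAT is __set_app_type(2), the call with five pointer arguments is __getmainargs, both present in the MSVCRT import list below), so the program's own code only begins after it.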
Name           RVA      Size    Type                                                                Language  Country        ZLIB Complexity
RT_ICON        0x43130  0x4228  Device independent bitmap graphic, 64 x 128 x 32, image size 16384  English   United States  0.4733703353802551
RT_DIALOG      0x47370  0x102   data                                                                English   United States  0.6356589147286822
RT_GROUP_ICON  0x47358  0x14    data                                                                English   United States  1.1
RT_VERSION     0x47478  0x348   data                                                                English   United States  0.4583333333333333
DLL | Import
MFC42.DLL |
MSVCRT.dll | memmove, localtime, strftime, strchr, floor, sscanf, _CIpow, _ftol, strncmp, free, exit, _access, fopen, _setmbcp, _wcsicmp, _stat, _itoa, wcsrchr, _mkdir, rename, wcsstr, strncpy, _wcslwr, rand, srand, atol, _snprintf, wcscmp, _stricmp, _memicmp, _strupr, _atoi64, _strlwr, _wstati64, _wstat, _wtoi, __dllonexit, _onexit, _waccess, _wfopen, fseek, ftell, fread, fclose, wcscpy, wcscat, fwrite, malloc, getenv, strrchr, wcsncpy, wcslen, swprintf, memchr, strstr, tolower, isspace, isprint, time, sprintf, __CxxFrameHandler, _except_handler3, ?terminate@@YAXXZ, _exit, _XcptFilter, _acmdln, __getmainargs, _initterm, _controlfp, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, atoi, __setusermatherr
KERNEL32.dll | FileTimeToSystemTime, FileTimeToLocalFileTime, GetLogicalDriveStringsA, CreateFileW, FindNextFileW, FindFirstFileW, DeleteFileW, CopyFileW, GlobalLock, GetFileSizeEx, GetFileAttributesExW, GetDriveTypeW, GetLogicalDriveStringsW, FindClose, GetPrivateProfileStringW, GetModuleHandleA, GetStartupInfoA, GlobalUnlock, CloseHandle, GlobalAlloc, GlobalFree, GetSystemDirectoryW, CreatePipe, CreateProcessA, GetProcAddress, InterlockedDecrement, InterlockedExchange, WriteFile, InterlockedIncrement, GetDiskFreeSpaceExA, GetSystemDirectoryA, GetVolumeInformationA, LocalAlloc, LocalFree, GetDriveTypeA, CreateThread, SetFilePointerEx, GetLogicalDrives, Sleep
USER32.dll | GetSystemMetrics, IsIconic, KillTimer, SetTimer, SendMessageA, LoadIconA, GetClientRect, DrawIcon, GetProcessWindowStation, GetThreadDesktop, OpenWindowStationA, SetProcessWindowStation, OpenDesktopA, SetThreadDesktop, GetWindowTextA, CloseWindowStation, CloseDesktop, GetWindowThreadProcessId, GetDC, ReleaseDC, EnumDisplaySettingsA, GetForegroundWindow, GetWindowTextW, EnableWindow
GDI32.dll | BitBlt, GetDeviceCaps, GetPixel, CreateCompatibleDC, CreateCompatibleBitmap, SelectObject, StretchBlt, DeleteObject, DeleteDC, GetObjectA, GetStockObject, SelectPalette, RealizePalette, GetDIBits, CreateDCA
ADVAPI32.dll | RegQueryValueExW, RegCloseKey, RegEnumValueA
SHELL32.dll | SHGetMalloc, SHGetSpecialFolderPathW, SHGetDesktopFolder
ole32.dll | CLSIDFromProgID, CoCreateInstance, CoInitialize, CoUninitialize, CreateStreamOnHGlobal
OLEAUT32.dll | SysFreeString, SysAllocString
gdiplus.dll | GdipDisposeImage, GdiplusShutdown, GdipSaveImageToFile, GdiplusStartup, GdipLoadImageFromStream, GdipLoadImageFromStreamICM, GdipGetImageEncoders, GdipCloneImage, GdipGetImageEncodersSize, GdipFree, GdipAlloc
MSVCP60.dll | ??1Init@ios_base@std@@QAE@XZ, ??0_Winit@std@@QAE@XZ, ??1_Winit@std@@QAE@XZ, ??1_Lockit@std@@QAE@XZ, ??0_Lockit@std@@QAE@XZ, ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z, ?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB, ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z, ?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z, ?_Xlen@std@@YAXXZ, ?max_size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ, ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z, ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z, ?erase@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@II@Z, ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z, ?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB, ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z, ??Mstd@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z, ?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ, ?_Xran@std@@YAXXZ, ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z, ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z, ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z, ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z, ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ, ?_Grow@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAE_NI_N@Z, ?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB, ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z, ?_Eos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXI@Z, ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z, ?npos@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@2IB, ?_Split@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEXXZ, ??0Init@ios_base@std@@QAE@XZ
SETUPAPI.dll | SetupDiGetDeviceRegistryPropertyA, SetupDiGetClassDevsA, SetupDiEnumDeviceInfo, SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInterfaces, SetupDiGetDeviceInterfaceDetailA
PSAPI.DLL | GetModuleFileNameExW
Description | Data
Comments |
CompanyName |
FileDescription | Keniu
FileVersion | 31, 3, 4, 216
InternalName | Keniu
LegalCopyright | Copyright (C) 2020-2024 Keniu LLC....
LegalTrademarks |
OriginalFilename | Keniu.exe
PrivateBuild |
ProductName | Keniu Application
ProductVersion | 31, 3, 4, 216
SpecialBuild |
Translation | 0x0409 0x04b0
Language of compilation system | Country where language is spoken | Map
English | United States |


  • Total Packets: 70
  • Destination port 6666
  • Destination port 4226
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 2, 2025 16:48:29.792538881 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:48:29.811577082 CEST | 50268 | 6666 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:48:34.882162094 CEST | 50268 | 6666 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:48:39.960163116 CEST | 50268 | 6666 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:48:45.038302898 CEST | 50268 | 6666 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:48:51.163605928 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:48:52.163279057 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:48:55.219888926 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:48:55.245244026 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:48:55.256968975 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:48:56.194871902 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:48:56.210879087 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:48:56.226258039 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:48:56.241504908 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:48:56.257220030 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:48:56.272593021 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:48:56.288503885 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:48:56.304606915 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.335172892 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.350709915 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.366345882 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.367279053 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.368118048 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.368998051 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.369879007 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.370764971 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.371644974 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.372505903 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.373382092 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.374249935 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.375097990 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.375976086 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.376859903 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.377727032 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.378524065 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.379376888 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.380203009 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.381027937 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.382015944 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.382873058 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.585068941 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.586102009 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.587079048 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.588110924 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.588968992 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.589958906 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.590959072 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.591900110 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.592946053 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.593873978 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.594891071 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.595817089 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.596784115 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.597707033 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.598778963 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.599694967 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.600878954 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:01.601535082 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:02.351627111 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:12.511739016 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:22.663705111 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:29.789346933 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:32.835299969 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:42.991799116 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:49:53.148372889 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:50:03.304079056 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:50:13.460550070 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:50:23.617376089 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:50:29.710975885 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183
Apr 2, 2025 16:50:32.804070950 CEST | 50267 | 4226 | 192.168.2.4 | 47.246.8.183

Target ID:0
Start time:10:47:28
Start date:02/04/2025
Path:C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\PPTV(pplive)_forap_1084_9993.exe"
Imagebase:0x400000
File size:282'624 bytes
MD5 hash:EDB25D93F8A837AAA38FAA49A5F97BCA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

No disassembly