Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-04-2024 03:59

Static task: static1
Behavioral task: behavioral1
  Sample: 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
  Resource: win10v2004-20240419-en

General
Target: 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Size: 39.4MB
MD5: 04537b6981c182ae0b58fd9fa179ec77
SHA1: 3c6d69e3eb12e89a082a418d05af12401f2a9695
SHA256: 2829fa5e97c1299eefd754650ade0c52ea6781ae87e2a2d22d7823d7e86abb24
SHA512: 268d0f6cedd6795adbfb41638539e40accb752c4858e622b292e0bdee370f6d4ac595e8c6701bba852d097fb0f74ae8f0a1de37f0a4fc27d6e318946b9df4fda
SSDEEP: 786432:akxc4BiiqqeuC9H607Yd0FPAwt3f3DXXo1wg+37TLYVzvWVH9:asdqqez9H7wWPRt3f3bXo1wNT
Malware Config
Signatures
Modifies firewall policy service 2 TTPs 1 IoCs
Processes: mDNSResponder.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | mDNSResponder.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HCDNClient = "\"C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QyKernel.exe\" -shell_start" | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: QyKernel.exe
description | ioc | process
File opened (read-only) | \??\F: | QyKernel.exe
Installs/modifies Browser Helper Object 2 TTPs 1 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: Qy_plugin.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FB4F6285-4C32-49F2-950F-A5998F9CEC6C} | Qy_plugin.exe
Modifies Windows Firewall 2 TTPs 6 IoCs
Processes: netsh.exe (6 instances)
pid | process
5460 | netsh.exe
3956 | netsh.exe
5544 | netsh.exe
5132 | netsh.exe
828 | netsh.exe
4080 | netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes: 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
description | ioc | process
File opened (read-only) | \??\VBoxMiniRdrDN | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory 64 IoCs
Processes: 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\appdata\webcache\2\movieLib_pstyle.css | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Ctrl\Comment\switch_on.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinDefault\skinplan\PlayerRes\Ctrl\volume_now.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinDefault\skinplan\SearchRes\searchBtn32.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\vmPage\skin\BtnHoverbg.jpg | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\ConfigRes\module_retract.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Ctrl\Comment\comment_normal.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\vip\loading_18.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\billboard\right_normal.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\kids.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\listUI\separator.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinVIP\skinplan\SearchRes\hotWords_5.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\NewDlgDefaultIcon.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\ProgressBack.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\ChargesPrompt.xml | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\downloadRes\downLoad\triangledown.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\download\downloadDeleteAllWarring.xml | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\Upload_shutdown.xml | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\acclient.dll | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\defaultdriod4xicon.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\DlgGameHistoryBG.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\BatchDownLoad\buttonbk.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\MobileAssistant\Fragment\Mobile.xml | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinVIP\skinplan\PlayerRes\Ctrl\album_state.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinVIP\skinplan\PlayerRes\third_player\browser.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\vmPage\skin\shadow.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\PLRes\PowerList_item_2_tw.xml | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\downloadRes\download_delete_type_normal.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\mfilm.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\pthreadGC2.dll | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\config.mgr | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\history\phone.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\icon_upload_status.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Ctrl\Comment\line_ver.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\made\loading_14.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinVIP\skinplan\PlayerRes\popup_player\minimize.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\vmPage\skin\leftright.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\FULLSCREEN_LABLE_HOV.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\PSkin\AdvertiseWnd\AdvertiseWnd_PromptBackground.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\LStyle\PSkin\common\common_firstPage_CheckChannelWnd.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\made\config.ini | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\common\common_firstPage_pic_wall_bk.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\ConfigRes\btn_cancel.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\internal_message\system_message_item.xml | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Middle\ADRes\AdWnd_PromptPauseBackground.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\tramsparent.xml | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\PLRes\Series_subitem.xml | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinVIP\skinplan\list\favoriteSelect.gif | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\download\viplinkbtnbk.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\InsetControls\ic_varietymixture_commonctrl.xml | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\LStyle\vmPage\skin\xml\t40.xml | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\listUI\filmlib_up.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\titleRes\mobileassistant.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\dbghelp.dll | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\favorite\mask.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\lift_tab_icon_bg.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Middle\ADRes\AdInnerPrompt\AdInnerPrompt (23).png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\homepageRes\common_firstpage_magicButton.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\PersonalCenter\register\sns1.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\TitleIcon_new2.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\LStyle\convert.ini | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\vip\loading_39.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\homepageRes\yyss.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinDefault\skinplan\SearchRes\searchBtn102.png | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Drops file in Windows directory 3 IoCs
Processes: 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe, QyKernel.exe
description | ioc | process
File opened for modification | C:\Windows\Fonts\iqiyi_logo.ttf | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
File opened for modification | C:\Windows\psnetwork.ini | QyKernel.exe
File created | C:\Windows\Fonts\iqiyi_logo.ttf | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Executes dropped EXE 12 IoCs
Processes: UnityWebPlayer.exe, QiyiDACL.exe, Qy_plugin.exe, QyMaster.exe, QiyiService.exe, mDNSResponder.exe, mkshortcut.exe, QyKernel.exe
pid | process
4640 | UnityWebPlayer.exe
636 | QiyiDACL.exe
2956 | Qy_plugin.exe
2676 | QyMaster.exe
4456 | QiyiDACL.exe
4864 | QiyiService.exe
5540 | QiyiService.exe
1412 | mDNSResponder.exe
1128 | mDNSResponder.exe
5352 | QiyiDACL.exe
2288 | mkshortcut.exe
1996 | QyKernel.exe
Loads dropped DLL 54 IoCs
Processes: 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe, UnityWebPlayer.exe, Qy_plugin.exe, regsvr32.exe, QyKernel.exe
pid | process (consecutive repeats of the same pid/process row collapsed, with the repeat count in parentheses; 54 rows in total)
3344 | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe (x11)
4640 | UnityWebPlayer.exe (x6)
2956 | Qy_plugin.exe (x1)
3344 | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe (x2)
3200 | regsvr32.exe (x2)
3248 | regsvr32.exe (x1)
3200 | regsvr32.exe (x3)
6108 | regsvr32.exe (x1)
3344 | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe (x2)
1996 | QyKernel.exe (x16)
3344 | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe (x3)
1996 | QyKernel.exe (x2)
3344 | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe (x4)
Registers COM server for autorun 1 TTPs 8 IoCs
Processes: regsvr32.exe, UnityWebPlayer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{085CB97F-6D0B-487D-B94C-E11A736C38CE}\InprocServer32\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QYPlugin64.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\InprocServer32\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QYPlugin64.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32 | UnityWebPlayer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\LocalLow\\Unity\\WebPlayer\\loader\\UnityWebPluginAX.ocx" | UnityWebPlayer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32\ThreadingModel = "Apartment" | UnityWebPlayer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{085CB97F-6D0B-487D-B94C-E11A736C38CE}\InprocServer32 | regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Processes: 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe, Qy_plugin.exe, regsvr32.exe, regsvr32.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAC94FEE-45B4-4FD4-9EEA-D8978EC96C6E}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\LStyle" | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6BE0FB-8B18-4dfc-959F-233651CC4D7F}\Policy = "3" | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\ppstream\WarnOnOpen = "0" | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\magnet2\WarnOnOpen = "0" | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_AUTOCONFIG_BRANDING | Qy_plugin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AUTOCONFIG_BRANDING\iexplore.exe = "1" | Qy_plugin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\" | regsvr32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\QyClient.exe = "9000" | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.ppstream.com | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC} | regsvr32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\Policy = "3" | regsvr32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\Policy = "3" | regsvr32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\QyClient.exe = "1" | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\ppsrun | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\ppsrun\WarnOnOpen = "0" | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAC94FEE-45B4-4FD4-9EEA-D8978EC96C6E}\Policy = "3" | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\AppName = "QyClient.exe" | regsvr32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\QyFragment.exe = "9000" | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\QyFragment.exe = "1" | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\qygameclient | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\AppName = "QYFollowVideo.exe" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAC94FEE-45B4-4FD4-9EEA-D8978EC96C6E}\AppName = "QyClient.exe" | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\qisu | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\" | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\New Windows\Allow | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.pps.tv | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\qips | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6BE0FB-8B18-4dfc-959F-233651CC4D7F} | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6BE0FB-8B18-4dfc-959F-233651CC4D7F}\AppName = "QyKernel.exe" | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\magnet2 | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\Policy = "3" | regsvr32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\QyBrowser.exe = "9000" | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\pps\WarnOnOpen = "0" | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\pps | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\qisu\WarnOnOpen = "0" | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\qygameclient\WarnOnOpen = "0" | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\Policy = "3" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\" | regsvr32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\QyPlayer.exe = "9000" | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\QyBrowser.exe = "1" | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAC94FEE-45B4-4FD4-9EEA-D8978EC96C6E} | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\qips\WarnOnOpen = "0" | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" | Qy_plugin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\AppName = "QYFollowVideo.exe" | regsvr32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\QyPlayer.exe = "1" | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\ppstream | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\AppName = "QyClient.exe" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6BE0FB-8B18-4dfc-959F-233651CC4D7F}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\LStyle" | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Modifies registry class 64 IoCs
Processes: regsvr32.exe, 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe, Qy_plugin.exe, regsvr32.exe, UnityWebPlayer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\ToolboxBitmap32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\magnet2\ = "magnet2播放协议" | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.FlashHelper.1\ = "°®ÆæÒÕÖúÊÖ" | Qy_plugin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB3A16EC-96E2-421B-8462-C6F992596E65}\TypeLib | Qy_plugin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{138F4260-66CA-4F7C-812F-C6EED99B7EC7}\ = "_DQYPlugin" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{085CB97F-6D0B-487D-B94C-E11A736C38CE}\InprocServer32\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QYPlugin.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6360BD3-5CD0-40D3-BD87-DAFF37889F50}\1.0\0\win64\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QYPlugin64.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\qisu\ = "qisu播放协议" | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\ = "UnityWebPlayer Control" | UnityWebPlayer.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\Implemented Categories | UnityWebPlayer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}\ = "_DUnityWebPlayerAXEvents" | UnityWebPlayer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pps_qsv\shell\open\command\ = "\"C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QyClient.exe\" -runfrom openfile \"%1\"" | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6360BD3-5CD0-40D3-BD87-DAFF37889F50}\1.0\ = "QYPlugin ActiveX ¿Ø¼þÄ£¿é" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\qisu\DefaultIcon | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\qygameclient\DefaultIcon | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.FlashHelper\CLSID\ = "{FB4F6285-4C32-49F2-950F-A5998F9CEC6C}" | Qy_plugin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1D75F62-CBBD-45C7-9D1D-6B5ECEC2E006}\1.0\ = "IEHelper 1.0 Type Library" | Qy_plugin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1D75F62-CBBD-45C7-9D1D-6B5ECEC2E006}\1.0\0\win32\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\Accelerator\\IEHelper.dll" | Qy_plugin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB3A16EC-96E2-421B-8462-C6F992596E65}\TypeLib\ = "{E1D75F62-CBBD-45C7-9D1D-6B5ECEC2E006}" | Qy_plugin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF3CDEFB-31BE-43AE-B064-B9C62C883259}\Shell\Open\Command\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QyClient.exe web_startup_tray" | Qy_plugin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\ProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pps\DefaultIcon\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QyClient.exe,-0" | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\qygameclient\shell\open\command | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\qygameclient\shell\open | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\TypeLib\{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\LocalLow\\Unity\\WebPlayer\\loader" | UnityWebPlayer.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\.pfv | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.FlashHelper\CLSID | Qy_plugin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3636FE13-B7E3-4CDC-B7E3-A8014BD2CC02}\ = "IFlashHelper" | Qy_plugin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF3CDEFB-31BE-43AE-B064-B9C62C883259}\PPS Inc. = "YES" | Qy_plugin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{307B3CDB-9EE3-4137-9D18-F9AD6537ECEB}\TypeLib | Qy_plugin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QYPlugin.QYPluginCtrl.1\ = "爱奇艺浏览器插件" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6360BD3-5CD0-40D3-BD87-DAFF37889F50}\1.0\0\win64 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pps_pfv\shell | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB4F6285-4C32-49F2-950F-A5998F9CEC6C}\InprocServer32 | Qy_plugin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.qsv\OpenWithList\GeePlayer.exe | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\ProgID\ = "QYPlugin.QYPluginCtrl.1" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ppstream\shell\open\command\ = "\"C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QyClient.exe\" -ppstream \"%1\"" | 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | UnityWebPlayer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{790F2D3B-18EE-40E2-A45E-1FAC13B6AFB8} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF3CDEFB-31BE-43AE-B064-B9C62C883259}\Shell\Open | Qy_plugin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\InprocServer32\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QYPlugin64.dll" | regsvr32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}\TypeLib\ = "{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}" | UnityWebPlayer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3636FE13-B7E3-4CDC-B7E3-A8014BD2CC02}\ProxyStubClsid32 | Qy_plugin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3636FE13-B7E3-4CDC-B7E3-A8014BD2CC02}\TypeLib\Version = "1.0" | Qy_plugin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{790F2D3B-18EE-40E2-A45E-1FAC13B6AFB8}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\Control\ | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\Programmable | UnityWebPlayer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{085CB97F-6D0B-487D-B94C-E11A736C38CE} | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675} | UnityWebPlayer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{085CB97F-6D0B-487D-B94C-E11A736C38CE}\InprocServer32 | regsvr32.exe
Key created
\REGISTRY\MACHINE\SOFTWARE\Classes\.pgf\DefaultIcon 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\magnet2 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\InprocServer32\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QYPlugin.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF3CDEFB-31BE-43AE-B064-B9C62C883259}\InProcServer32 Qy_plugin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF3CDEFB-31BE-43AE-B064-B9C62C883259}\InProcServer32\ Qy_plugin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\magnet2\DefaultIcon 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\Control regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ppsrun\shell\open 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\UnityWebPlayer.UnityWebPlayer\ = "UnityWebPlayer Control" UnityWebPlayer.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} UnityWebPlayer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\TypeLib\{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}\1.0\FLAGS\ = "0" UnityWebPlayer.exe Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\WOW6432Node\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675} UnityWebPlayer.exe -
Processes:
04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
description ioc process
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB\Blob = (DER certificate blob omitted: Certification Authority of WoSign) 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB\Blob = (DER certificate blob omitted: Certification Authority of WoSign) 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB\Blob = (DER certificate blob omitted: Certification Authority of WoSign) 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (DER certificate blob omitted: VeriSign Class 3 Public Primary Certification Authority - G5) 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (DER certificate blob omitted: VeriSign Class 3 Public Primary Certification Authority - G5) 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB\Blob = (DER certificate blob omitted: Certification Authority of WoSign) 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
pid process
3344 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe (the same entry is logged 64 times)
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
QyKernel.exepid process 1996 QyKernel.exe -
Suspicious use of WriteProcessMemory 53 IoCs
Processes:
04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe, regsvr32.exe
description pid process target process
PID 3344 wrote to memory of 4640 3344 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe UnityWebPlayer.exe
PID 3344 wrote to memory of 636 3344 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe QiyiDACL.exe
PID 3344 wrote to memory of 2956 3344 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe Qy_plugin.exe
PID 3344 wrote to memory of 3200 3344 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe regsvr32.exe
PID 3344 wrote to memory of 3248 3344 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe regsvr32.exe
PID 3248 wrote to memory of 6108 3248 regsvr32.exe regsvr32.exe
PID 3344 wrote to memory of 2676 3344 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe QyMaster.exe
PID 3344 wrote to memory of 4456 3344 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe QiyiDACL.exe
PID 3344 wrote to memory of 4864 3344 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe QiyiService.exe
PID 3344 wrote to memory of 1412 3344 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe mDNSResponder.exe
PID 3344 wrote to memory of 5352 3344 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe QiyiDACL.exe
PID 3344 wrote to memory of 5132 3344 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe netsh.exe
PID 3344 wrote to memory of 828 3344 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe netsh.exe
PID 3344 wrote to memory of 4080 3344 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe netsh.exe
PID 3344 wrote to memory of 5460 3344 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe netsh.exe
PID 3344 wrote to memory of 3956 3344 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe netsh.exe
PID 3344 wrote to memory of 5544 3344 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe netsh.exe
PID 3344 wrote to memory of 2288 3344 04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe mkshortcut.exe
(each parent-to-child write is logged three times in the original, the 3248 to 6108 write twice; duplicates are collapsed here)
Processes
-
C:\Users\Admin\AppData\Local\Temp\04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\04537b6981c182ae0b58fd9fa179ec77_JaffaCakes118.exe"
- Adds Run key to start application
- Checks computer location settings
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Program Files directory
- Drops file in Windows directory
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3344
  C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe
  Command line: "C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe" /S
  - Executes dropped EXE
  - Loads dropped DLL
  - Registers COM server for autorun
  - Modifies registry class
  PID:4640
  C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe
  Command line: "C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe" QiyiUpdate "C:\Program Files (x86)\IQIYI Video" true
  - Executes dropped EXE
  PID:636
  C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe
  Command line: "C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe" -install
  - Installs/modifies Browser Helper Object
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:2956
  C:\Windows\SysWOW64\regsvr32.exe
  Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\IQIYI Video\LStyle\QYPlugin.dll"
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:3200
  C:\Windows\SysWOW64\regsvr32.exe
  Command line: "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\IQIYI Video\LStyle\QYPlugin64.dll"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3248
    C:\Windows\system32\regsvr32.exe
    Command line: /s "C:\Program Files (x86)\IQIYI Video\LStyle\QYPlugin64.dll"
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:6108
  C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\QyMaster.exe
  Command line: "C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\QyMaster.exe" "C:\Users\Public\QiYi\QiyiHCDN\Config"
  - Executes dropped EXE
  PID:2676
  C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe
  Command line: "C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe" QiyiUpdate "C:\Users\Admin\AppData\Roaming\IQIYI Video" true
  - Executes dropped EXE
  PID:4456
  C:\Program Files (x86)\IQIYI Video\LStyle\QiyiService.exe
  Command line: "C:\Program Files (x86)\IQIYI Video\LStyle\QiyiService.exe" -i
  - Executes dropped EXE
  PID:4864
  C:\Program Files (x86)\IQIYI Video\LStyle\mDNSResponder.exe
  Command line: "C:\Program Files (x86)\IQIYI Video\LStyle\mDNSResponder.exe" -finstall
  - Executes dropped EXE
  PID:1412
  C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe
  Command line: "C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe" videolibrary=uninstall_setup
  - Executes dropped EXE
  PID:5352
  C:\Windows\SysWOW64\netsh.exe
  Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺视频客户端" dir=in program="C:\Program Files (x86)\IQIYI Video\LStyle\QyClient.exe" action=allow description="C:\Program Files (x86)\IQIYI Video\LStyle\QyClient.exe"
  - Modifies Windows Firewall
  PID:5132
  C:\Windows\SysWOW64\netsh.exe
  Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺HCDN网络数据传输组件" dir=in program="C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe" action=allow description="C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe"
  - Modifies Windows Firewall
  PID:828
  C:\Windows\SysWOW64\netsh.exe
  Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺视频播放器" dir=in program="C:\Program Files (x86)\IQIYI Video\LStyle\QyMiniPlayer.exe" action=allow description="C:\Program Files (x86)\IQIYI Video\LStyle\QyMiniPlayer.exe"
  - Modifies Windows Firewall
  PID:4080
  C:\Windows\SysWOW64\netsh.exe
  Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺PPS影音 播放器组件" dir=in program="C:\Program Files (x86)\IQIYI Video\LStyle\QyPlayer.exe" action=allow description="C:\Program Files (x86)\IQIYI Video\LStyle\QyPlayer.exe"
  - Modifies Windows Firewall
  PID:5460
  C:\Windows\SysWOW64\netsh.exe
  Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺升级模块" dir=in program="C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\QyUpdate.exe" action=allow description="C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\QyUpdate.exe"
  - Modifies Windows Firewall
  PID:3956
  C:\Windows\SysWOW64\netsh.exe
  Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺视频辅助程序" dir=in program="C:\Program Files (x86)\IQIYI Video\LStyle\QyFragment.exe" action=allow description="C:\Program Files (x86)\IQIYI Video\LStyle\QyFragment.exe"
  - Modifies Windows Firewall
  PID:5544
  C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\mkshortcut.exe
  Command line: "C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\mkshortcut.exe" -output "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\爱奇艺PPS.lnk" -target "C:\Program Files (x86)\IQIYI Video\LStyle\QyClient.exe" -parameters "quicklaunchrun" -workingdir "C:\Program Files (x86)\IQIYI Video\LStyle" -appid "IQIYI, Inc.PCClient" -icon "C:\Program Files (x86)\IQIYI Video\LStyle\skin\Logo\LogoBevel.ico" -description "使用爱奇艺PPS收看影视节目,清晰流畅更新快"
  - Executes dropped EXE
  PID:2288
-
C:\Program Files (x86)\IQIYI Video\LStyle\QiyiService.exe
Command line: "C:\Program Files (x86)\IQIYI Video\LStyle\QiyiService.exe"
- Executes dropped EXE
PID:5540
-
C:\Program Files (x86)\IQIYI Video\LStyle\mDNSResponder.exe
Command line: "C:\Program Files (x86)\IQIYI Video\LStyle\mDNSResponder.exe"
- Modifies firewall policy service
- Executes dropped EXE
PID:1128
-
C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe
Command line: "C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe"
- Enumerates connected drives
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1996
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Browser Extensions (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (2)
  - Windows Service (2)
Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (5)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Downloads
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\AoreAudioVolume.dll
Filesize: 59KB
MD5: a53ff1a83e51f4915a6a61ee92f408d3
SHA1: 15f9bbc83652f057f933ad2dfa02c9713884d328
SHA256: c81aedcb12656accfdbda1d1572311c9a0f9954c0036c0074235f42b6c0567de
SHA512: be5d2b9c05d28c49ad3b8be847f322bbf23b06e9966418f57698e463c9bd112e9ad27081029fee422212013924beedf010074bcce5683308039ccbeee072f436
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\ClientGadgetSDK.exe
Filesize: 60KB
MD5: 9b4a17d36d4730907fbd6d8969ad4533
SHA1: 547f1198f277c267627083ab3a6f083931a88f85
SHA256: 7a201389575d3c6f60a638dcd6f8c1c41687b51bc7be541ebc271330e1875be6
SHA512: 870012f8ee3b07e5b45abdce7c0bbaaca5d963412332669ba1ceb4c6b9c6077740b6336dcd8ea802c10254e73173de00a3e2f1c6e3e6202b397477cc38e96ce2
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\LobbyServerList1.xml
Filesize: 9KB
MD5: 45811f4d5463405dae043f7e9b9ba846
SHA1: 886a410881900f0237ed619bfca6583da8ef919a
SHA256: a0635bc8344e41759e0a53f0720435952f57fe68df229ac4831fb9300bdc4593
SHA512: cbaa251953dc1bd3d67c176702a23482472449078344d7d26051589e1b5350f5a85cf120453bc6fa66f6a8c6b8db80bd52c4b2bd67dd53d5a1df02c7dd8d1736
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\QyGameClient.exe
Filesize: 3.0MB
MD5: 85d1912c6c543f4cf7b69ebb76372b5c
SHA1: f43303d60f2baf0d17ae6d14b8d98b6b1152d696
SHA256: b9f7db9f09ad85025a61617ea56089ac92a2f1c9feccd9b3273f88abf8e769b3
SHA512: 91f568d0a95625da13da7c416e0813b922f30c280a80e04229365fc121ddec0da9afb4a1f64c63405521d463cebe6ace0c5a6dda4da5bf57a39d50729eac176a
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\QyWebGameClient.exe
Filesize: 635KB
MD5: 4c3d98b2b8e9e4064e5947d64c4ec613
SHA1: 6b8c3f2ee10d8f830f8678e5245cc2a35d18ac28
SHA256: 46f0604a4450ef9f828364e21a1441bdd4fa7a229964aa61bf16279150c9ba55
SHA512: 10025f9d34b952b09037f5f269583d74c3792cbd386eee2ba3e143f8b04636cf662e1c154f286a86343d0f27a1bece456442daa7eec84670e741c08048aada2a
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe
Filesize: 1.0MB
MD5: 95bff19e30f8b194eebc8c81b671d6d7
SHA1: be2883ccd72263e162350cdfb7bf9d4bc5090f17
SHA256: 4fa1020f67d7beee37c67bb6bd86ed8925e348adbf5748f9555dc96797c651d3
SHA512: 762bf013e4d46ca61dceabde986753cf501442e1c72dcf394b628e2f6273ff05f686908bf9ec3be17d28b34602ea0bc18795e296da43dda7de47e81962a559db
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\error_togame.html
Filesize: 2KB
MD5: 5926b1d339e58bf3ebc876939ea4c2c5
SHA1: 64394e162c82bc19812c62881ca1545288e56516
SHA256: 5bbaa9feff7fbe44b794df4b493c587303588d74d138cdb50504ed5b6e3c8669
SHA512: a8f7374e80214bc9ba4e493e8706e59f55f07ccc31601ed550f0d1787e1c5dc6695f4fbf75e7e2b66c031fb44e391af6d65ea619c3286aedf3d12c819b3751c8
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\img\arrow3.png
Filesize: 1KB
MD5: 4b7ff428e1010f5b4b924a381ecc6a9f
SHA1: c64a6c92c9ce90dc5f51fcb61d1fa7aaf55765bb
SHA256: 6da80486fc24fe096983626c22d7ade8e72667205ae9ab88eafb1b5e896f7d47
SHA512: aeb5d028c20c69cc04422c1cbcb0ec9ee72557553cc8230c9129b7baa70c6ad3263d91c9d5c62c69792f321182564d6f52e167e18bbbe4370564790596561d39
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\img\arrow4.png
Filesize: 940B
MD5: 55b2b0485d8cb14277abed24471c8ec6
SHA1: 121aca27f33646990d96a7b602671a0d01f6a4b5
SHA256: 41e8a39560fe7c5d41be57668b697ff6d163794c1fe0d178bd7ff603395e5666
SHA512: d0330c27c501f78cb3dc07df0b2b757851420a88002ee1ccaa5ec3fe29d42fb59bcd26b2fad40bf771e611e2ce7e98fbe7a72c7edd0e58cc5a78075d392cf751
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\img\bgline.jpg
Filesize: 1KB
MD5: e50052189fe327cffc4920d2cbfe7e5a
SHA1: 917e438ed6c14579b4c923bed88b0938a5719312
SHA256: 49de719c563b90541a46fd3db53057cd6e1c854f69359b09453b7c6233707ecd
SHA512e98a96a9a3086768ce81e2152a7ad98c8f0c08308521ade743940ecc23170ff6309d722869543593f8fea742d2b0f95602a594ddff9894881043654d69008a58
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\img\error.jpgFilesize
81KB
MD52cd92fc75bc2be926e4c002598f325c0
SHA1484461932de9ae91409a67308236f4f35be0a232
SHA256657728435b2d152106f4acac777bfd82157727e0fdf6364c4f0eb4906a443399
SHA512d1ab9a455742d502260bbd3279a9da0579f0408b5a7443ec5c28b4a19c8e31f6e622d33c6e886cde289a3f8e6c530c9b94e8c247299a0ed54dd01a41ca8c329d
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\control\mainframe.pngFilesize
1KB
MD5b702f688b22f0d326be0496338307f0d
SHA13a69c7a925bef885ad3491fe552a613dde803aad
SHA25697aec0db2dcaf6d20a1ed9e8cb2d8bdde456ea0bbee9bb9275bfb284dd059a52
SHA512bd30e9c6518072b5954d69824d084a99011f24cbc386e4be15a3d55bf5f69cc11f1ff4693699b2291278ea7d19665348e847f6c0ba8737fe46ef837dfca3d102
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\ArrowLine.pngFilesize
2KB
MD5bc5022a5719a200d8cb4df3b5d95337d
SHA133b3389c08cb110d2882ce7c87c09f6ac768e91a
SHA25679c208d9481d9ad70b6375aaa875c1933fa6a5aff1a20ca69ae9e2d28fd16253
SHA51271d564c909621d9260a257daaee9bdb019a8fe24f81db319ba7bf31b6e81e5db7fafde7b76c181a615bd872fd702ab60d463ee340b8b8124bb524ded20cc9245
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BarPay_hov.pngFilesize
1KB
MD5f3506a23a8eab8def532ec1124fc122b
SHA15dab7891775c289e860aa2b144483209e8673b13
SHA2564d2fe7c86523d8e72de46e925aa1ea473e43b46534088c2372ebd5cd2db6a02f
SHA5121095e4cce712836bb0f1b45f83a919f44c7becc8c51f950fec2a1e4034f8d6004372e23f100e51e309a7a406c51b4fd0821cc92f8245b720e094ce6b9cbc0856
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BarPay_mov.pngFilesize
1KB
MD517ded5e0a173363a18f2e998cf05882f
SHA1121c6c1c92e0538cc4a1964eea2a6de7784a6ff7
SHA2565a6d97e4f5fd2cd4ff81595bce200b8b9bb0af8c87e0a5a1ad33e2ba8592631b
SHA51212d6cf34bb4f1c3482421cc986d2776d6724e3b97f257a2cfa17f373b688742c23d8a7ea682b8bc19c5b6162e2bf9627c415e3dc822a7beed2bdc2799bcb6b6c
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BindPhone_Hov.pngFilesize
1KB
MD5f061cd973c3245b935f8ca0e7fa2df41
SHA1b843b3013d90a3b54f54796f36d0b3ae64e0684a
SHA2564047e046f0f25b0f41d3cdc6578e252d35d5b2db9d44f91fbe5400b14073c8d9
SHA51205047a6b3c235dbf1c086ea97759f888efc88dbd25eef984de53aab304e0091f40f0014b6edea4368f813f4d4dc0cd04d35cd1fe0dbaee3a9ddd31b675cac186
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BindPhone_Mov.pngFilesize
1KB
MD562cfbca60f27d4b42253c96e1753bfbe
SHA1496690bcb841f2c95b1b1d3ad2f8a70c7a3dee76
SHA2564e2ef52fdf819e5d5825857600bb1ebad672a16873f4f55cc02c4b78c04d01e9
SHA512ea87b367f8dd7a0670ae3171dd7a6f957682a661528e9f1330921c8273dd6df952e529aed59c21be33f0f733483266468809dcf0a5c38137610849ca2489c4a2
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BindingAccountTips.pngFilesize
3KB
MD5782b458a7a130a168e2348bb6b6d1ec8
SHA1bf958b123c4c07ffda0d47939747464deba924a5
SHA25637bea36b1180d7b0a2a2734a46b3ced630c997a461024dbd395e12706ba29599
SHA5123b765d00dbf554f5b4037b27a6ee5a3cfcbc26d33a6b336f5a37fd085de24ac5bf26edf0e6855ece7184799a1e216bc072fe516356a419e9a9d26846c58ce32f
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BtnCloseDisable.pngFilesize
1KB
MD5a7a050294a34df2b6598b06c0f1b46ee
SHA1ad0a456db2e13852af75b30f8a84495dd8414b1d
SHA256a37bc8a0d719e97f6bba561f05056c90beafef08dc5cf77ca0604caf833b82ae
SHA5123d1bbf0957bc2df884b0716ecaeaf616f83f803a006cb0b03f66102520d99e98833d4448c407b75dc5a67505f0c7cc23a919a4b58881bd4c1691c5257299df36
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BtnCloseHover.pngFilesize
1KB
MD577c53a33af5d9060edc64d742581c78d
SHA1a6ca1ead89f69b55cfa2557a2607e056d7b98ad5
SHA256b8ee599130d00563db4e4c0cf66b07d626d00e28edc35d9e96734d73c11e56f5
SHA51216bc887a618d565e5a5a93c98bce80510138a1c6687a027b16aa52233154bdead4224d4fbe76b2c48d13e210e426c6c86c250a27e7b4b7e695a9af59e8a8f506
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BtnCloseNormal.pngFilesize
1KB
MD55c58e41384824810c9233b4e20544bbb
SHA119a38a15c08df0c87fc96fb2ff1218cb11397bb7
SHA256b6f7642aa16976177755b14a93dbdb3245eadc5f31cd28abbd97d31b4939a189
SHA5121ee8e676ea4702c7196f123c327aa0cbffc4553f389816dc7a8ade555b7f8c07e5b4b80bcc8ef6546e85e9b5255f20cd81cde91faf509f7d4fc0f35421af364c
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BtnMinHover.pngFilesize
1KB
MD53d5ce2154e2739d8372cd19ef6894d54
SHA1a50b1d7dce90ace6de2f64420cc501d4ae044ff0
SHA256bcc19a19510a08c675266e240a2262c92f1bb214f333cdd3c12e50a84f97f881
SHA512382f29d7c19f22c34a9fea304028535835fe2693fc6c86834d3b2ca915a3e14b88cc84cbb368543312f6080f53479039557418efe65e2909ff5b07e06c593684
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BtnMinNormal.pngFilesize
1KB
MD50f8c32a24cdd495cf044885babc2a284
SHA1b554b4ed413de5050d7ba05f5f9135fd9a8bad66
SHA256ce9610d0d6f603ed290e3eac9813fe6428f85575399f1d2f3b79ec2b80bc5700
SHA51288f4ca39e9acf4d4e17d003e1bb043a2cb4784d3c06fccb061f4e78033ab814ce301d23ae2a71ff454e8ab8f82557bb5385cb6ac927950aab955ce9ca459b0c3
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BtnSearch_HOV.pngFilesize
4KB
MD5fa74861595b2d7f8029238da227c9ed1
SHA1c2103a895f32dcb9e8f1b8a7f647d38821b2df1b
SHA256f22ecceffd5edb6c5818da84a7753190a2f1a050d7a137676c6baf155955ac02
SHA5127ec53735e6f498db76f25e742d512a58729dc3889ed6c5aa78844fa9178b8ced9de960d238258f161c3dfa5217bd2c575488b868910ec55bb5d887469ef7989b
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BtnSearch_Hover.pngFilesize
1KB
MD5d94d4858a788fc9c9e4372a9847660f4
SHA1863d2d93f6909c19ee666e0b73e5a1914343c221
SHA2566dc00a8eef3d4d1394655073304c749b499e4ebe34ba292b3aa1e81f53a2efdf
SHA512f734a7c10005bd83e56e4f00139375404524c94c8a906d71bcd67dc590d91a9d9caeaef702a67540c7a627100a371c663a4d2c0cc6610b429e2618e1869f61d3
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BtnSearch_MOV.pngFilesize
4KB
MD50373829c3ff82ae9637c770174be1f01
SHA1b608bca312673a83e435c475c3b6e56cf0ed0f61
SHA256c5db13edaa19ab6024f12952264a3ec005c4ff87f677e33d0444a9485c113179
SHA512ed0aa92263b53f6b65820303a08d31c7d54c422425aeae90ea52e08c54e10392acf33fdbb12e9ceea954df9a3cab1b13d4cc39c5a46198c364c6de3017d9dc87
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BtnSearch_Normal.pngFilesize
1KB
MD5e720f8d7d9b1eebf115a3ac3b2e8fa0e
SHA139e7f401d756d0f67413f9ff9ac925780b6e5434
SHA256395035ebf113e3f7d46d5fff75fad4154a674747d86049eb88d0962865cc8328
SHA512436d15bbdfd0cb4a1bbea0db7be5249ebb5e59268c6768a58424c66d155f4485057de177d9b36959c022b6a3c305af072414a75e829d44eee5cc0a8b6b9f4dcf
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BtnSearch_click.pngFilesize
1KB
MD5d5c86709860616b2a77328be90005dd7
SHA18e3051d9b74eeea2641ca29510e8dd75e8f6dbe4
SHA2564f3d3d8f8544b6f5d973443d28972712d9f869f745544822a7af63d66cb9806f
SHA512c2149278520b60989638870a3095b82f85eb7329f67741c99e832c483e2a2a7159e9f5294223d504eb98f0d1b185a57834d43da0681684a7b4152929cbdaa6de
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CheckBoxCheck.pngFilesize
1KB
MD5d9cdf06422119816ca6f9c4c72cd09f6
SHA164e3bd1921689df2f3ee450c8387f9325d1254e0
SHA25623f27fa2319a141f10a8be0cce63f11fce499f5943306d9d555c177c74d346cb
SHA5122763f47b77742585d3562d61afe00033ef7ebb9f3fb1b7cd8b163d62ed5770680b00ac27bf200a47734cf715adaab862b9710268db9b6fc67f3c6625612cd88b
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CheckBoxUncheck.pngFilesize
1KB
MD50992ec4811eb429baf46221fb1bfe4fa
SHA1c4d95902c17a2c339cfadd366a1735a08dcef39c
SHA256179ad885c9bd5e378b834f0c192f36d24366dac0af3df1c3a7896150e94a56a0
SHA51291fedac3aad148511f028fbf25f544590abd7daac05fdcf9f62063911a1b5e39003e9a97d54425d2facfb4446311dc42499e625766b912656dd1fbebf8fc56b1
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CheckBoxUncheckHover.pngFilesize
1KB
MD50e40da2e0b0d35ca116a6ef8cc09ab27
SHA1c43ff70922be4bfcf7823551be6b2167c341f979
SHA256b443f84b1dae129f7f7d86f46a1b6afac0569f5537ef79919396a18f15a6c709
SHA51282042d24bb547bf1aba3b317e611516162a955714df3c44807c65ac5ef449b0e5e0eee8e673de24be9eb89c9cf45068afff74fb710e2eb89e9d4106ffdd645a7
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\ClearIECache_hov.pngFilesize
1KB
MD55e9c33c45c3997c6bd2a227496d8bbf5
SHA161438ac8294a4723abf785604b05f3cfb3f190a5
SHA25659a3e8272352042ab795032d5dd448b2f9bb3c9bb0e4a119792ef31094e69005
SHA512de8df25f3294dfa0a01433df94672272c119ab58c58e7af5bab3cb155dca248113d31e5145b1039dcf24bd27725aa385c860e286ffb7c6a85b4b8f25373451e4
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\ClearIECache_mov.pngFilesize
1KB
MD5683aebc33c1a57d4e7193ac11edb718d
SHA1f880556c87ea97d913003b5d61bfcc46309203fc
SHA2562a1b1688b001bf57d60a0c47b6b82910c443015711820f6a95a073e540621a40
SHA5126aa2665a83c7b683658601815d6b0957ee3376645158339657bda2ff765b7db91fb8abc49ef0e50c5a9474965ccc9e34ba8df82e28d8cfa2b05cd49225a3a454
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CollectingToDesktop_HOV.pngFilesize
1KB
MD58f88aba447c6b48423a6ab9502060195
SHA12d434c1dc6f8523b49dc669abd8f69f50656ffbb
SHA25678a209e1df0745cffb42aeeba157769ccf016dd3e356719415c11374f0e592df
SHA512927b79089112c18870b43568c6efa1f8959beb39aaba9356429d7209438f8ad330488f3c49d8b4bd9aff29808b751ee52c82f7322dc72eb8a2d1ac563ba79fbf
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CollectingToDesktop_MOV.pngFilesize
1KB
MD5e4c70faae3c4fce495e12d24c2854c8b
SHA19faf01736350722f60820485bc6fa1eb364e2c5d
SHA25603f78a2bb0eb5d120d85e7c08a16410921824154186b04ef1027905b07d137a5
SHA51254567bbe7b75acc0e09a4fde69ff50d295609fdab69478d8c995213d4491f09aeaeaa134b2a63a76d3c5f92a8a3b61c1e56b8593dddf17a12ca28b6c8af4e4c9
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\ComBtn.pngFilesize
1KB
MD50a2318d4078889584caa4523315bdd70
SHA1281adb6f789746a5c2e446eea019c1e1047ab8d1
SHA2565956629dc86c8486d28137f91fcc493183a53a103c1ba5f4a4019f67a132e9ef
SHA5125c05917259aefc4b675913cb896af105b1e7bf7cf07ac400083303e2952e307fb72eef4786e27381a7eee5d2b17dd4d55a9ed1dac7acded6890db927f4657b5b
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\ComBtnHov.pngFilesize
1KB
MD56cb194b84853c3d231eead716d49370c
SHA1f95a681a3dc9318580bb62ef8ce4a678d78f1ec5
SHA256ee34c098163504705e055812f003d823efe727600ea4b56db73553e2ff9d0219
SHA5125ba1f927981c8679b49c5fd079ea2bcc662c8e9282ae736783c7d46ddcf7c486ad48856cea0831a223ac8b9600eea541a35fd3b4afd4fa2f132dc554503ba4ec
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CommonBtn_Hover.pngFilesize
1KB
MD515ae314b60106f6eda43676eb1d3de6b
SHA12897302883ec07add176c4e03f8dc9a4ae6afdde
SHA2568927bf74e9d960dad95ba796e6f2bc731c5b4e1192cbd7b120cbd2f1898ec3c1
SHA512479afa994781f6a495d7439ae3d0afc131ad5ad7bb5ff1471f1ffebf61633a74624e41b06b481f17c8a9f723635de871273147659ddf070664c385215bc23a80
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CommonBtn_normal.pngFilesize
1KB
MD5e189e1d1d43cba9e78c008fa248e02fe
SHA1b374269f970d337375552f2b771126f11da42f15
SHA256911eb65979874e946ac0b2da2440084f98c3088758e2f1bd9144d495061d6aaa
SHA512fd1b83cd8130000670756169910920145c9a1cc1ca35b4efca61311248db07488d32430d5d3d1c45b231b3d5803e011470326f4e3ec694ff5663a16b66e1df67
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CreateShortLinkClose_Hover.pngFilesize
2KB
MD52855abc8bc2f15113af379b3ced104a2
SHA10aebf0295a17c7fd6c722ce10a65c9fc4fd09f03
SHA256671af83a229fe930a720e5805e079ce2c01334125136011d8adc0ee6c3dd50ab
SHA5125b5063eacf5fdd0ee1e939090334d5f918c4fe3484a6a0a3ee4c87e8808153002ea8316733a5a8e84c5e019a2c6f4a64b8390ca339cfad7c2135fcdb9024b3c6
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CreateShortLinkTips.pngFilesize
3KB
MD5cb1e1030a8813d00749d308b0da73b9f
SHA1d97c9823d234fd8650dfcf540796d26f97442776
SHA2562d0fc3650a7f32216d8545dfd541bf4a1ab9f386521ae8f035ef8f6c069089fd
SHA51224141197dabf6dd18adedf1920b52dbac7a72eefcf71cf66d02048e08d480c489e3ee72be174c593bd7a4e2882ef62bb0e941e5dc3c98d6abec15db88cbc5051
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CreateShortLink_Nomal.pngFilesize
2KB
MD5673f47624b85a4403fdc740fe2721397
SHA1ab0843b01f6a80a70c2cbaabe67f273094f80b33
SHA25638bb2806bdc0022541bde8ebdfcc7c4b4724489e870cfa7ec5bc16919057f629
SHA512eb43372ada55842ec5a7ca52be3a4cc0eebd1bf83323b06f3587632f9ac76ba57cc943cac46c3529bdc269105aef965a2662924815b253044f5b34a77b0d73ca
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CutLine_mov.pngFilesize
931B
MD57069d28083d1361384f04c0d0f68904e
SHA1eb42e13f8ddd37a0a6493d1a8b4fa629c04ee229
SHA256328ee1b1c993d27c97aeb037e0e755e05a106aa4ee9e3203f350c9a09c4fa8d6
SHA512316e4539fb1cbb0204bbdf4beeeba9c3f268a006f280c74ae3d2d77caf1d34c571073c0dde726cacd94aa2237d5e03c345d38fe0feb6eeff01803cc634358403
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\Signin.pngFilesize
1KB
MD5053bf204ab9961e6843a052348ca8d5a
SHA1cfd71af85b0cae52a4c54429e925add459287de6
SHA2561b02340f651f6af1019402f595737b2e71f1e341892e419ae64617aa571db6af
SHA5123476e12f9ba18a7663b6519ecec7fba8379a974d5962b37fa0d0ae024f9cb554d9ec44a13c2fc739e472b851531259aa3460f89c7683fde9e8de0b5e8a1051b8
-
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\defaultdriod4xicon.pngFilesize
6KB
MD5116824ac4fabdc85d00e1d6e60fa6fff
SHA15bc1c4a8c152de3c1ea834a44e247ecb1e1ae865
SHA256ae9291b1744a13ff45be576d455f268b93068651944e5fc5998b8c85eb1ef462
SHA512a2397a5730dd9fcf8da86e58e247dac4b3806b5cae62b706cff2f8a87a0e7000c875b745413d6ec05c930fc4d5d89bc9b14389c6100bb437443970c889207a61
-
C:\Program Files (x86)\IQIYI Video\LStyle\GdiPlus.dllFilesize
1.7MB
MD5385e243fc4314f79c1e3042070586d03
SHA1bff588a2ac255b4cd1e3a9528529aa0e26f4657b
SHA25618055410347fe57288aa11917e77f9b5833f59e669e8c65fc589d314eb6b695c
SHA5125854cd81f2f9d5d01a7c0e3ab1b6801490f455191089a21dbc199cf924f59aadbff85d9b963700961c326a4def2a13ff9ba6d3933ead17262b7b66d0279f2c55
-
C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exeFilesize
99KB
MD5b6e9d6c600b793177c69ffc751c7a8f2
SHA12d83d7e4a84a5378333250a470ad6577ea858780
SHA25619aa1945952438cc82e633ff6c90c4f21835fb79d49de8649dd1e18ae4c9a80b
SHA512069ed99225d5d69817e16f8dfc2c95fe7c667e9e7f7b03897b58ffabe14ced8b4498b5ed117155ef79761f5189f88b54729864623cff1c80d9536f7c08ef4a0b
-
C:\Program Files (x86)\IQIYI Video\LStyle\appdata\webcache\2\movieLib_pstyle.cssFilesize
140KB
MD504934b72e752e77dd0bf67c9d06a2272
SHA19e5d3a5a81089989981cd9a44784e42ac40c638d
SHA256a18e3ac76891027def955b9f310ac15a51c8b514e7b63aa27cbb96f8d38cf926
SHA5127df18a0a080715a781df5baa0a7fccef6eaa4818bed11d985c42ee81acb9ce2665a5aacf30b7517d4d30c1aac6557f6d6a8b6623c15a7ce8f10c5d7691ee380f
-
C:\Program Files (x86)\IQIYI Video\LStyle\skin\PLRes\btnPopUpClose.pngFilesize
340B
MD57844d223803d5f35c4eb453908d3d3d2
SHA1f6946969ca172c5735f19cc5215ee170bd963bb6
SHA25638e371539a017a690e546a161ce82dbb757ccfd46e7bfa46c79f8377a9d6a223
SHA5124db164312a9813a0288abef93a4ae7d12945a3f290010603e9343b4bafea8883a1bc626ebea2e548eb6fb915ab47786b2a0adf02b1b720f4968f8b15005fd49f
-
C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\made\loading_17.pngFilesize
3KB
MD50893bfeefb776d58da6ef7bd6b8d64c8
SHA1c9905b5a2edb4f4caf87c76425e7db4e63b699d6
SHA256e0787ff81f12df511d1b97382c78d58bf28269fac897eae4e0faddffe7be6aeb
SHA512fe8735b4b0042d1124ccf1dc55edd298fdfadb101bdab735b0bff89068909e61d81cef5b4ba967bc11a683b064cfe7638ea91cc4026a9073e197fc489ec78435
-
C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\normal\loading_17.pngFilesize
3KB
MD528853faad82cbc1110fddc0c3a54d85d
SHA1d11e7cb83ceba8bd8223b59150bbd747222715f4
SHA25659fe4bb150bb9bbb28bedff5d2aaa87307041420100c2be31c9084f9a92fc342
SHA5124cd0a50c61f650df55ede29da8e72f5b909cbd6bae3d375176b0952ca8d46ce0ef06e104ab540e500f23e9ae9af9e2fcfb3b6c52ab7ed8cd6e7a11696150eb1e
-
C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\only\config.iniFilesize
17B
MD5534a43f71c3ae9f4860a02b65d1de41d
SHA1c6929fb5bba5aa8b56a3c891e9fdc1f571ab42c7
SHA256b7b478999cc6ff9694335c0877d9a0182415a0478eb04d660849c8c98556672f
SHA5125a048eb691bf368d955c010d30dd122dd27980de7da38a7e0ee1e13b9d98b71e3a5edc5cc1af908d73014bd6a4a2f25aaec5750156598c871d516d6dbcd838c8
-
C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\only\loading_16.pngFilesize
6KB
MD511007ca324dd134924fa2bca5244eb73
SHA156fa6e06d7db2e9693d7eb26eb13d52ab9ce8fc3
SHA25605395237709655d0cb9de583e7c2a3192df91388333d70923798eaf61b1562bb
SHA512bfa1d34ac7312cc273fbb59748a6e6f0cea6c6db7a498c04dfc8ebc2491806cd9d55fe766f727e3c0a130699a7f20d1a8d2e01ea005ad15cf706b0916a115e63
-
C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\MobileAssistant\Fragment\MobileAssistant\scrollbar.pngFilesize
501B
MD58f6b9b86898ce75b5c94034ab1f14381
SHA14005fdcd5071fe373db13e301301ed0e2dc74876
SHA256874664eaa38618437f551ed0492a89b718e44f2a6f64e2b5590b708c6ddb3b97
SHA512f42d284538b5ca4f8382321dd96dc104b8d7f49a1339dc1e7fdcac4fb22099078d29ccf29a7b9d23c94260295f39126197d082b4983acf7be9a1569ad4e237e3
-
C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\PersonalCenter\common\close_big1.pngFilesize
357B
MD55fa2adb150f63cba9e5443befe17eaf4
SHA1b5c2a1cee13211626c061c422961a1d0aa742703
SHA25602b0a8d8524e604ed201f912fba8ee58c5573f8310145d3e64a3c279726dac40
SHA5129cbde58a143beabec9cd89ab66bf0f29db6903ece436fdb0c14dfd66803ccc4f951b316216c073be9e8032d20f8e0f93a4c393672884063e3cf8f29f7b404607
-
C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\PersonalCenter\common\close_big2.pngFilesize
890B
MD551fd1384bab6df779007cee07422e4ac
SHA116e89c96196d21f3a85ed6a0f5d97d096c2fbc15
SHA2569c0ec21d601c6e193caa0a04db9c80318d15e1fec713d3e82e53f709a5620fd9
SHA512279c7e23a32b639d13d836b1c9744bbbeec4167a95bd3302bae6ff2738877fb2e99e8a2c95934b38c74d74dda4783ab14f81ac96c551084e9cdbe4f9ee24519c
-
C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\downloadRes\downLoad\config_dlg_close.pngFilesize
192B
MD5754a7d6d7740eead34bb5a9f6940f009
SHA118acc6593a114f5616a539101f31504cb511459e
SHA256154ca004725f7936e20efa1780f3cdef20869de4ac00d1b0079c86e31b0e59f3
SHA512785ac79cec2f7f3fd813761a53b506ac5b2fede0ba67ea8a5bf495da5dc028c69e88217d1c45ad4e4ad4c34b3d3a1d6df88363c4e8fc1c095af3078357e2abda
-
C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\AL_Close1.pngFilesize
199B
MD51867ed15b4256e9edc952c334a543201
SHA1386b14cf44c620a55f64c6069409eb0eb5c5e3a3
SHA25687b01d7e066af46794e584904a4bedb27707da1eb32080b60a286f01b9c27820
SHA512027e984adcc90553c9c699c6f1a797eea5e7b02f8cb4a807aa62263780485de235c6294b608b8a34c67e9b5024d98768cab6265cc7776884b9ab4e6585e0c0a3
-
C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\AL_Close2.pngFilesize
199B
MD533cced8d3d97f78972a5418ec7e96f29
SHA109bb1332bbb1f06eda3bb09f37b3699257162369
SHA25642803e7485f1507abcfca5f455e76956a0dd92ddf2b9d6341a4f2375a941746f
SHA51204683521c7dc5e7f4ff701da3fe4291eccbe6b96ba5631676844fe4616a0fcb5e7434a47f245f9b800a47922b25c3d5a2d1063eee61b82db656866c194aca1ce
-
C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\PersonalCenter\set\cancel.pngFilesize
579B
MD5d1a6675f77f74cc5847b0a59c49c3f6b
SHA1f96c4084818cc5836e4086b665e97c3bd7d99f47
SHA25629207dd0cbb59bd1e6fe489ab6ada4cb04c74083099127b194402f1f3ea4bf8d
SHA5123f4a2f4fc645fbbcfb5fda5fd37fe8dffb96329c4e66841ca5bdb8c8ae4836e4eaede44a6e4e5ca17cf6bf02524d304bf83922092fc9b88fa72e94a322617388
-
C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\PersonalCenter\set\ok.pngFilesize
3KB
MD54d34af20771db466a6439fa56ff5f687
SHA15223e4281ff91d0bdedc9af14c4825e56cad01e4
SHA256b4513c801e7893e2364967da122e5340a69a0c8f28d0318234ee0ca41ac12f60
SHA512bb770d0649982b3f4d35a5b6628cd0a4168f31ea89e56eaf92f74412cc2ddcf8773dd60f25ff5c0d04d77960570d652f8b7cf7cdd2cbaf07151024c8355871b3
-
C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\QYProduct\blackback.pngFilesize
110B
MD560ce4c0275c77aa5572892c81728620d
SHA182fc18f800c867547140a7764f38a65eec9a4b96
SHA2568ea1ba9ad6052fe784d79b9bd3ff879152c1d58738cc1faab0a1304b68ce69db
SHA512ee1d28e4c4b939a721f42f67505de0fe2084f36244b53838a4704a19f32246919a88ab7936b6cfa07e54f4b5c1a11d36305376a3ef42bb73bfa5fd679f83af91
-
C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\common\common_scroll.pngFilesize
612B
MD593343a6c34066ba4b50a6d455210f538
SHA110bdaace70cee2656f3c6eedd2c5aa5182dd6de1
SHA256d2d9f913aa2646725e0af0d332a10a78b1d7269bf0d774aeb3e6dfc4be40558e
SHA51206066d93e57cf309c064779a415a34290d52d9312da45acad20b0655f098568cb438d694f46aafe5d0edeb5178a50c6a729e174c683666d97112a1e09741b1aa
-
C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\listUI\filmlib2_normal.pngFilesize
541B
MD57602910002b9307718bb5a4c221d6be5
SHA161004f0ad2d3f55c7549b3c8eecf2108d0efb655
SHA2569298a0cc560f702a118dec0bf34bf2d609d5a56d1c49e9658b0eeac0bba59a38
SHA512eac38bff7fbf476bcd003253b737723c46c31cdcc205bde5f6c4bad9f5da75d7f08f061976c1bb724888f2a4ec38a9c0667e56c3a993a4a69cf236c43adcd259
-
C:\Program Files (x86)\IQIYI Video\LStyle\skin\soft_txt_icon_2.pngFilesize
814B
MD51402aa18efd86eec43a345d936f8ab4d
SHA1c51a44b65489e041620c8ce9ebb5d04c517d27e5
SHA2562276b09083e0da61a550d97c12cd814622c853358f26dcaffd423285ed29640f
SHA5127b4913b6a30410d87a3c1c87d4b6d15510c47f17b38c3c2db11da2fb344b88e5c3d86dba86781eff180eb803222af6a58b6a0a12905139b085d988061c5bfd12
-
C:\Program Files (x86)\IQIYI Video\LStyle\skin\spaceship.pngFilesize
3KB
MD5575984f7a1cfe13a9ed1d3800bd7d14a
SHA1df04fdf4070d29d76aaff8f5b2f68bff6ee0cdc3
SHA256925b723d434d5528c4dd712102279974e76842b71544fa8153d6108d11ccd7de
SHA5121d2eca187cfead14798cdc18b4ffed909b483869281bd05fc4b7412fb76a7ee6987efbffa17db218be32d4c2e1ee6e1cb383a4a96983f226baae1f42a330725b
-
C:\Program Files (x86)\IQIYI Video\LStyle\vmPage\vmPage.iniFilesize
168B
MD53e8a5d1adafbf32b88bccd9e04866c1f
SHA11e8f652bdbadfdb76ae3783f2b13e782eed2a755
SHA2565639ce40cff3ee7cc012f13a8d3d259c29c3f7711111336e4ac1b2cea6932d38
SHA51291a07ca3130e33c5e142727bbaf0973b99d75b36c4ae074f6374a6b81b2bc0d8b88d0e253b40b916322f47e15e49a2784dc55ac6d93cd6b2915bd6a6aa2406d9
-
C:\Users\Admin\AppData\LocalLow\Unity\WebPlayer\loader\UnityWebPluginAX.ocxFilesize
169KB
MD5fd0cb28279bb47d33605f6a6f90759e3
SHA1374e2f6beab2520083bf749959dca7e07497a5dc
SHA256b913b88aa4aac4c0114cf5d0d5e6b3baabd17727e1ec1450452f89bbf91123fc
SHA512e4e13a61b3c47d2d5ee6bd2b0831f1b8fcf15e0a21dc857c761fd64ee60f06872018582d5b498427961a59a0e5188699658f8d1f60e7d182ae31a10be02527c6
-
C:\Users\Admin\AppData\Local\Temp\nsh3F9A.tmp\DialogEx.dllFilesize
28KB
MD5e0f33283138ef1c169f71cb1708985a3
SHA1f10f88a272fc7c14f3a37d0f650aa7480bc1efd0
SHA256a9b34148448d893558dbb91b51bbbdddd535e2c8387a13e930a4b5096b0af03c
SHA5128094b5096cb0c4ee6572217beab6419b8d9ecdb2b902c9c596ef3cc513e4916b05c2bb54fd6084f274b6919d4871ae31cce4eddadd272cb7516c30dfc7c7db0a
-
C:\Users\Admin\AppData\Local\Temp\nsh3F9A.tmp\NSISdl.dllFilesize
18KB
MD58ff1b274c581f2e928a418f3b90620eb
SHA1ad7ad3acd29b882204e74fe36369a6b89a8beed4
SHA256df10d5b4ca10ea6ddce96d6ddecfc175f1dff4292a8c5c1f8e0adfb6e1e824c3
SHA512a932f9b77fb801e624069661f9c0a7fab4a1e540d763d51bca91e2570767029261946c4ef522e1e9fecc189cd8090e99ba9b454439a3e3fec2ca318dcb428691
-
C:\Users\Admin\AppData\Local\Temp\nsh3F9A.tmp\StdUtils.dllFilesize
43KB
MD5572b16bf94a6492976f777b7d0373971
SHA13ae46f117f0d3ea32b28de9a73fca0d912260203
SHA256fb87ec46457a836060bd3ee33bb37ec4d222d4974816654b32ba9d40efd90c75
SHA512872347db453458f3bfe6d6bb9dbb66305abcf5773acaaea4d06e8800b3329f536d70e6c96e6dd59a20e963bfce496a0fe014302d2469353bfbcba0fbd2ba6fd6
-
C:\Users\Admin\AppData\Local\Temp\nsh3F9A.tmp\nsExec.dllFilesize
12KB
MD52d1656be5aab3f3e6873cb5d0c046717
SHA132facbec7603c0d3a2198c390399711f68a96de7
SHA25663133db6770f8ae0a5b38ddeafafbdc61cd6bc2ab0b6f3c307c0904f29d8a218
SHA512d55426322c315a211c4de778eabd676fe2353ebff15f8725eb4e5dce03bb6b92f8a180e5093c2bdb324329bff72b4b1ed37d9d8155ce4c98926e0cbaa1c62ea1
-
C:\Users\Admin\AppData\Local\Temp\nsh3F9A.tmp\nsProcess.dllFilesize
10KB
MD5dacc5f5531887a11804bda084e12cee1
SHA185e9f509668d9d78120435e5df593d988b16029a
SHA25618584f582d454c15de69b515dcd8952a446bf18514de532c309b351b30d77066
SHA512f16dcc34d444490621df50ea70772a692592bb35f078f7e7a7360976da873e8e917663344864b56f5989a65ecdaa70d8eb0df4f8a2495f50aa5d25f6f248ae4a
-
C:\Users\Admin\AppData\Local\Temp\nsh3F9A.tmp\nsis7z.dllFilesize
73KB
MD5cb22c301a35e0d8551578940c018868d
SHA11aa3a19c0c5e8cd02feedca50fb1845a99964ee6
SHA256d77183207b8a3b6bf4d7267aee06c7d0f76a6b42e0c007e596931ec59dfa597d
SHA512f1997bc05c360c1adad90317e7aeb97af9982b2e40e4aadd88522d640fda44648c733e19c572b01647cfb6b2093f2387b41db37f52cd87b8d02c479be0395f5c
-
C:\Users\Admin\AppData\Local\Temp\nsh3F9A.tmp\registry.dllFilesize
30KB
MD5f81598566d3bebe154d86906e7419653
SHA1fb2a980abe37a0b724edf932884931f946332b68
SHA256b13d15f8d3e5498d3014dd0c5acc2b42df4aa08f96e0b3e59dc7c9e8c1e7f4c7
SHA51295f6d51d11df472808b9e6a765be6f13231901d698b62f0782e2c17a5ddeee43a8484894f11568ae474ffc7a3b27d8cd01785caf8d87eecdc4a3f64a3ece9255
-
C:\Users\Admin\AppData\Local\Temp\nshBEDD.tmp\System.dllFilesize
11KB
MD5d0d7d2799802f7cddf8db7a2d8ae1e23
SHA1ae8d8cfd9f1a7104036a9e8658f50f9c35c7a1c6
SHA256828819614dc0dbfb73f22d4c3712e6369230eab92819c5d4efe75870ee109a5a
SHA5122b5af0e34720eb2f5b0aa04b589b46fb4b4d344b5c5d23fdd382348b051ac9766ff80f6a2455ef66da78ba880e8ce41b23daf741033de7701ca3f17f1adde408
-
C:\Users\Admin\AppData\Local\Temp\nshBEDD.tmp\UAC.dllFilesize
18KB
MD5113c5f02686d865bc9e8332350274fd1
SHA14fa4414666f8091e327adb4d81a98a0d6e2e254a
SHA2560d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d
SHA512e190d1ee50c0b2446b14f0d9994a0ce58f5dbd2aa5d579f11b3a342da1d4abf0f833a0415d3817636b237930f314be54e4c85b4db4a9b4a3e532980ea9c91284
-
C:\Users\Admin\AppData\Local\Temp\nshBEDD.tmp\UserInfo.dllFilesize
4KB
MD513a689123cebd31c1d1862e05981beca
SHA10430094a1a0f639ba9bf5831c24f1f4330762a6d
SHA256386933bdaf4774e88670e21abbebdeddf64b1e87b1681f85ac5b3ec1cac8dcdf
SHA5120663148e80f4703000bbfc8ede2bcc7cad19877585a5cc46aa13a7003377d7315d33f01c1d311d38bcf5e3782e4b361510214f09a9f6537b856c5ad9bc41fdae
-
C:\Users\Admin\AppData\Local\Temp\nshBEDD.tmp\UtilsPlugin.dllFilesize
13KB
MD5877ba4f17e960ddcf0c2fa2df62b6710
SHA1c452ce34ed1b5043bb26ec938d170fffb14b53c9
SHA2567481df00348a7279b044cf12f7188b2c15e6a1862e5ed2ea8e7e2b0dc6c027ae
SHA5120ae63c05641c234d53573e69eb143582916c4c976fc11d78efe0310b8fc04b0491838abd94b8c7b9ee5f77ddf41bfdeef61227c87a6da427c68b9feae6ada612
-
C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\LogoLIB.icoFilesize
124KB
MD5094fad0a9eb6e39e00f6452da2e0a596
SHA1053e9e4ae140cc3fec5a500c6941e0181e6ad143
SHA2568429febe04859faa258bb06bfba94eb969ff7e80da207bac6417a22cc83548de
SHA512b5d41ab5c040b0a001aaf399e9e7fd9646eb5d79268fa5f5258fb22a178b311f46e46c48c75495a003ea15949327700b7011602d726d92cf7e348f83e3ec5867
-
C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\PPStream.iniFilesize
450B
MD5a3a75f1b9fda27338c874d6bddc650b8
SHA1d13014593411f4ba048543fc68f298b109e595df
SHA256a33abefe00f004c6d54602c5645f6e8bf4c00f9d937ba5d1deb7fcd071a3c264
SHA5125e50eb678f7fdaaecdd193c410aff8db039a2c98ac44d2ecdbc806068dac653dfe8f63f609c92b4886a65726c851d12e0aae1bba30858ec23c9721a76e8e7b84
-
C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\PSNetwork.iniFilesize
17B
MD53221fa8864ba8b73d2b5fbd437a289a0
SHA10b210cd735603be096e676cc0dc9d4c5c1de63f7
SHA2568ffc6af8e58191176ef82385aa12d25c0379d3b9ccc3a3ce1d041f3c52d61914
SHA512220a1f69d939f7a67c94a70e88acab7be105a7ed4fece40890c0b8650b4f356d3d7cdd348e380673a4cac25cc16e8c1324aa9fb64efb3b7337401876ad13ef4f
-
C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\QyMaster.exeFilesize
55KB
MD59e8e028857769d11281f83f1438d8a35
SHA1a6a23b4e3fc495ba235a5b35c35c8fe05ef2f55d
SHA256169e700568cb68e2511589aca9be8ad26bcd1ae52d0d109120576934c8af94c0
SHA51242c9874e7b8eaa50888f4f533bd93c11c8277c8435583f06c764a5858f47c34ff5d8fc982540b5c06cb2ee03fb406931eb4db8170c18d0c1bb3f5bdd52d8b9e4
-
C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\browseradapter.iniFilesize
69B
MD5849c0db12448b338a7454ce8fc8c6365
SHA11477afec52ba1303cab09b085a7148bcf56b2497
SHA2569897278fec98e2ad20355747dbcb541f2c87d15616f6f15215fec3351590b3a2
SHA512cfff784ac25afd5d6b6a4b15b90f41614f3a9299e77921e804b9464504ea472e6da69e2142784a0c6dbd6f2319ef124220da22230dfd260e440939f14b97124b
-
C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\browseradapter.iniFilesize
101B
MD52ead05e1cee75f9ebdd5f9ac04cba9e9
SHA15c37cff83b68982eac4e8b6ad8a4a00143890a04
SHA2560f318d57f8a2101da3b9c6b6c92e072afdf30150d4e628db68d4502a50b5bbfc
SHA512ef73d57044c0b860839ad2226a4b61da16191e94a11584cb015c85f9ba6bf7202bad73baf2302426b1a1e3981b292b3eb4774643c31af2d7a12312025270e203
-
C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\browseradapter.iniFilesize
154B
MD508248f8f51d8fd4a2ca4384a7a22a0e4
SHA183812320f8f713f61d1b936cb7a94d2426485ce2
SHA25665476a6b9da298e47f4bc0f2b5a3576c666cba78794c945b04a3f9aac38dcc78
SHA512b1d26de7af77ab3fd71c0a5feffdfd249e86fe466d0069fcc72bfef6999fe3dc00c85153e8a16f6cdea35d5b3daa07bc1641ff433713fff24e3c13e4cad02118
-
C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\browseradapter.iniFilesize
154B
MD5443d4ed34f9e888d2db78aab950b0d62
SHA11a9dda7329938ad6fb9d2cf55ba0eba8bf8b4807
SHA256f1e02d45591cb05982b1f5e24fc492e2c1959b84c65664054b194ef260aab027
SHA512f4223fc088b12d80f1a443c7320b8eb38080d3358500ec97a6dea3f6e609be2e0b48a34578160e1378abecbf8f23a88d5980efa2c60c2ccb8abfbd39733baf9f
-
C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\browseradapter.ini
Filesize
154B
MD5
5863e7cb3e9d5435af63aa1b09687b68
SHA1
cd903cf838540073d51e550c657b197aa4d32bc7
SHA256
cdb2112af0f250d8c97e88120764dd7c61dadee6e5c7b09b6f405b3e1912404d
SHA512
79d92d2ae3f4963da8537009a236a65f6da4939dc3b78a940b1f6998ab32b4a1fb6b9e60c1ff5a4106516034341cf9b5ae35bf5867dc4953b3a3697e14441101
-
C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\browseradapter.ini
Filesize
154B
MD5
70ce0aa8219d43c117b682e01b99abd1
SHA1
689630684300c997eb7ac5c7b35da8c89d5f5bf9
SHA256
305c888057722a6fb4ebfdc4101ad8e0f3c3b97247ef793e18637a500c2cb7ee
SHA512
f05d245950e9d48aa0b26eaf37477787ca1f5119393722a91944662789c6c206273a27e7b8d932323a2e50e4bdee111634f5fb86c0a6f77510464ce9f9215ffa
-
C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\browseradapter.ini
Filesize
154B
MD5
0d7bdefe7b8327492145ab0e23f5d843
SHA1
ed605b6fd09da379c57d389eca4e786ef4c5d417
SHA256
3f916f74a118503ddf5b29ec485b4b5314549d65fc2b0440e6d81100a80c4f23
SHA512
864c89962b045fa1502b766c923f188662eab5fa1e97bf2a18bb940374177ddd3805fdfee0f835f8a370a53dc5b6f876d067150995bc828e2b1aae53d8b936c9
-
C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\browseradapter.ini
Filesize
154B
MD5
a396c51f3e8715a8b15d570b829c6552
SHA1
7468878035d1c853a82cec0cfac5a538af3abe66
SHA256
2746cec09a8e10f6a5b6a89b031cc076e05bc098d95e3fc9154ecb963bc28591
SHA512
a8f774b7e9608663aabe0ce5f36f5736726ead1108ab9c2153d8134e984bc14fc9ecbe5a23829362768744f577e45f9455978151079d5bcb246faeec81c890da
-
C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\browseradapter.ini
Filesize
154B
MD5
efe0040b96cd638ef1ce93c259cac7c5
SHA1
ec644fb224bf8da0c91674871519975017b0c603
SHA256
237daba793ca9cbeac355bf1fc278dcfbda6005c3306168746e94ac546766eb2
SHA512
5fca9eeaba8f421c7bf6a534561e05e9d09d8e0c7e39a5fe1ffd55fe830193b6bd4ed928e6f4592035c456bfd774689de82686343f939850e93a37b2fc58de31
-
C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\vmPage\1.0.6.55\skin\btn1.png
Filesize
1KB
MD5
d271a47cd14ebb209b06ea235a91d144
SHA1
df6d11259e8b54247d052a64b2fdeb86908ff751
SHA256
09fda339a9d73d4bd0c728084eda60967139cf45c96e81fdd63ef562597c37ed
SHA512
a074342fcdad77884e7b3c0360dcdf5798e3b1dca4484df23cd85b0283da0920fc867fddd41bd3d8eb4b1200e43c9b34114ba479ae9d4e874f46ba4808705ef0
-
C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\vmPage\1.0.6.55\skin\no_up_and_down.png
Filesize
6KB
MD5
de4109c2374280da714e9dcdb3d3ad9e
SHA1
ce6657dd563c51c684277a4213fb2be052a13f38
SHA256
03b3fa0f39cc032f3f0fa0748810bca79d925e64ec5c2df0d3898580b1d7b203
SHA512
99160096e9ef20e984d09d6abd34a0522543e00b582254f337a3f61ead89ec933fa8f2618bc1deb32f7bd44c821ddc1ce9b60392fe65374cd1912262a632a205
-
C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\vmPage\1.0.6.55\vmPage.dll
Filesize
2.3MB
MD5
93d53ff1b299ffec787c73c0c87ec223
SHA1
91e674bc48d7f9a18668e13d3889ea4cfdbcf7c4
SHA256
b50fd866fe75a6654ca15ac2ebbde98dc7c5e6b23df6ea658d1fb4f55825a388
SHA512
92e2c5c1eb85f3bf18e17ebb04563b1f6e85efa27d9ccdfd2b6959a1fc43ceb9c70fe129994ae22e8b9320fce7f5b06973f45a3da23aac00da75de9a1edb6b0d
-
C:\Users\Public\QiYi\QiyiHCDN\Config\PSNetwork.ini
Filesize
241B
MD5
b1856514120631a770feecf071645a88
SHA1
88acd29eb3087416df5ba5da0b773d22ccab46b5
SHA256
9a7bb4cab9a833eb921b207b5b2d1c15afd2e47df373e64762c7a19d24e4b91f
SHA512
c4e7bd792a564384bb9f4cf902c18501c1bc094232e13518e0e23f8e6d788c6c9e5df98a6d1c6d8cf127f8dac8b06e8b44c9074957b1a637651c0ad4f2380ecc
-
C:\Windows\Fonts\iqiyi_logo.ttf
Filesize
3KB
MD5
e1097f713080d07e0c717e0737ef167e
SHA1
f31f1c4570925450c1fd1ac847cf54461b6274d4
SHA256
f2aa97fb51572edf0694ae328bbdcb01a172189aa53549b7ea8caebc66325249
SHA512
786dda62d0423a9733af16035390e99bd47c5cd8c49f2802eb443896230b2dba70eefbb95de3175b2143dbca1f9ab8ccb8cd8e7cd8b8821f0a93d1a5c69923ad
-
memory/3344-36-0x0000000005740000-0x0000000005749000-memory.dmp
Filesize
36KB
-
memory/3344-5416-0x0000000005D00000-0x0000000005D59000-memory.dmp
Filesize
356KB
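The dropped-file listing above is the kind of artefact an analyst wants as structured indicators rather than as a wall of text, and the same path (browseradapter.ini) appears repeatedly with different digests, which records that the file was rewritten several times during the run. The following Python is an added example, not part of the sandbox report or of the sample's own code: it parses a listing in the flattened form seen above (the "Filesize" suffix fused onto the path and the algorithm name fused onto each digest), validates digest lengths, counts how many distinct contents each path had, and matches a file's bytes against the report's SHA-256 values. The two records embedded in SAMPLE are copied from entries on this page; all function names are my own.

```python
import hashlib
import re

# Sample input constructed for this example: two records copied from the
# report above, kept in the flattened form the text extraction produced.
SAMPLE = """\
C:\\Users\\Admin\\AppData\\Roaming\\IQIYI Video\\LStyle\\browseradapter.iniFilesize
69B
MD5849c0db12448b338a7454ce8fc8c6365
SHA11477afec52ba1303cab09b085a7148bcf56b2497
SHA2569897278fec98e2ad20355747dbcb541f2c87d15616f6f15215fec3351590b3a2
SHA512cfff784ac25afd5d6b6a4b15b90f41614f3a9299e77921e804b9464504ea472e6da69e2142784a0c6dbd6f2319ef124220da22230dfd260e440939f14b97124b
-
C:\\Windows\\Fonts\\iqiyi_logo.ttfFilesize
3KB
MD5e1097f713080d07e0c717e0737ef167e
SHA1f31f1c4570925450c1fd1ac847cf54461b6274d4
SHA256f2aa97fb51572edf0694ae328bbdcb01a172189aa53549b7ea8caebc66325249
SHA512786dda62d0423a9733af16035390e99bd47c5cd8c49f2802eb443896230b2dba70eefbb95de3175b2143dbca1f9ab8ccb8cd8e7cd8b8821f0a93d1a5c69923ad
-
"""

# Expected hex-digest lengths; used to catch truncated or mis-split lines.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Longest labels first so "SHA512"/"SHA256" are matched before "SHA1".
HASH_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]+)$")


def parse_dropped_files(text):
    """Turn a flattened dropped-file listing into a list of record dicts.

    Each record has 'path', 'size' (as printed, e.g. '69B') and 'hashes',
    a dict keyed by algorithm name. A record starts at a line ending in
    'Filesize' and ends at the '-' separator. Memory-dump entries that
    carry no digests simply get an empty 'hashes' dict.
    """
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Filesize"):
            current = {"path": line[: -len("Filesize")], "hashes": {}}
            records.append(current)
            continue
        if current is None:
            continue
        if line == "-":
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LENGTHS[algo]:
                raise ValueError(f"bad {algo} length for {current['path']}")
            current["hashes"][algo] = digest
        elif "size" not in current:
            current["size"] = line
    return records


def distinct_contents_per_path(records):
    """Map each path to the number of distinct SHA-256 values seen for it.

    A count above 1 means the sandbox saw the same file rewritten with
    different contents during the run.
    """
    seen = {}
    for r in records:
        seen.setdefault(r["path"], set()).add(r["hashes"].get("SHA256"))
    return {path: len(digests) for path, digests in seen.items()}


def hash_bytes(data):
    """Compute the four digests the report lists, for a file's bytes."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "SHA512": hashlib.sha512(data).hexdigest(),
    }


def match_against_report(data, records):
    """Return the report paths whose SHA-256 equals that of `data`."""
    digest = hashlib.sha256(data).hexdigest()
    return [r["path"] for r in records if r["hashes"].get("SHA256") == digest]


if __name__ == "__main__":
    recs = parse_dropped_files(SAMPLE)
    for r in recs:
        print(r["path"], r["size"], r["hashes"]["SHA256"])
    print(distinct_contents_per_path(recs))
```

To hunt on a live host, read each candidate file's bytes and pass them to match_against_report; the SHA-256 comparison is the one to rely on, since the MD5 and SHA-1 values in such reports are there for cross-referencing older feeds, not for identity.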