1b87db84350a6a4dee34efef63537c3d02b7d61a52862cc4ac498bee3687b3db

Windows Service

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	mDNSResponder.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\HCDNClient = "\"C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QyKernel.exe\" -shell_start"	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	QyKernel.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FB4F6285-4C32-49F2-950F-A5998F9CEC6C}	Qy_plugin.exe

Modifies Windows Firewall 2 TTPs 6 IoCs

evasion

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
940	netsh.exe
1584	netsh.exe
2628	netsh.exe
2956	netsh.exe
1040	netsh.exe
2032	netsh.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\SmallAccountManage.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\PSkin\player\player_logo_hover.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Middle\ADRes\AdInnerPrompt\AdInnerPrompt (68).png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\downloadRes\RouterUI\DownloadLocation.xml	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\suggest\suggest_bk.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\Upload\upload_item_dot_line.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinVIP\skinplan\list\ondesktopmenuicon.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CreateShortLinkClose_Hover.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\Menu\systemset_nor.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\homepageRes\magic.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\listUI\listUI_filter.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\PersonalCenter\image\feedback.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinVIP\skinplan\PlayerRes\third_player\close.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\defaultdriod4xicon.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\ConfigRes\DownloadSet.xml	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\downloadRes\bottom.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\searchUI\SearchBkUI.xml	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinVIP\skinplan\PlayerRes\Ctrl\stop.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Middle\ADRes\AdInnerPrompt\AdInnerPrompt (61).png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\vip\loading_25.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinDefault\skinplan\SearchRes\hotWords_5.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinVIP\skinplan\list\menudelete.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\URLBar\url_bk.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\downloadRes\RouterUI\Static.gif	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\spaceship.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\URLBar\URLBar_WebPage_Simple.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BtnSearch_Normal.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\PersonalCenter\messagebox\btn_cancel.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinDefault\skinplan\PlayerRes\pstyle\feedback.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinDefault\skinplan\SearchRes\searchBtn32.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\DownContinue_Hover.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\PSkin\player\buffering.gif	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\download\download_icon.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Ctrl\GoodsCorner\goods_corner_bk (16).png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\downloadRes\download_float_layer_right.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\homepageRes\hp_focus_ctrl_bk.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\titleRes\swtich_model.xml	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\MobileAssistant\Fragment\MobileAssistant\MaskWindow.xml	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\Shareloading.gif	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinDefault\skinplan\PlayerRes\popup_player\restore.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\PLRes\Sort_button_Filter.xml	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinDefault\skinplan\list\delfile.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\ConfigRes\TipAcceleDlg.xml	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\LoginRes\back.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\PersonalCenter\set\dropdownbox.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\titleRes\min_btn.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinVIP\skinplan\PlayerRes\popup_player\maximize.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\download\shadow.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Middle\ADRes\AdInnerPrompt\AdInnerPrompt (68).png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\listUI\favord3_2.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinDefault\skinplan\PlayerRes\popup_player\restore.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinVIP\skinplan\list\pause.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinVIP\skinplan\sys_min.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\sys_max.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\vmPage\skin\BtnHoverbg.jpg	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CutLine_mov.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\FULLSCREEN_TOOLBAR_BKG.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\loading.html	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Ctrl\sliderlr.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinVIP\skinplan\SearchRes\hotWords_4.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\FreeMemory_mov.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinDefault\skinplan\MidRes\player_right_butten.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinVIP\skinplan\btnfavorite.png	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\iqiyi_logo.ttf	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
File opened for modification	C:\Windows\psnetwork.ini	QyKernel.exe

Executes dropped EXE 13 IoCs

pid	Process
2576	UnityWebPlayer.exe
2840	QiyiDACL.exe
380	Qy_plugin.exe
2868	vmpagedown.exe
1712	QyMaster.exe
2036	QiyiDACL.exe
1940	QiyiService.exe
2744	QiyiService.exe
2756	mDNSResponder.exe
2740	mDNSResponder.exe
268	QiyiDACL.exe
2292	mkshortcut.exe
636	QyKernel.exe

Loads dropped DLL 64 IoCs

pid	Process
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2576	UnityWebPlayer.exe
2576	UnityWebPlayer.exe
2576	UnityWebPlayer.exe
2576	UnityWebPlayer.exe
2576	UnityWebPlayer.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
380	Qy_plugin.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
1272	regsvr32.exe
1492	regsvr32.exe
1764	regsvr32.exe
1272	regsvr32.exe
1272	regsvr32.exe
1272	regsvr32.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2292	mkshortcut.exe
636	QyKernel.exe
636	QyKernel.exe
636	QyKernel.exe
636	QyKernel.exe
636	QyKernel.exe
636	QyKernel.exe
636	QyKernel.exe
636	QyKernel.exe
636	QyKernel.exe
636	QyKernel.exe
636	QyKernel.exe
636	QyKernel.exe
636	QyKernel.exe
636	QyKernel.exe
636	QyKernel.exe
636	QyKernel.exe
636	QyKernel.exe
636	QyKernel.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
636	QyKernel.exe
636	QyKernel.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe

Registers COM server for autorun 1 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\InprocServer32\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QYPlugin64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\LocalLow\\Unity\\WebPlayer\\loader\\UnityWebPluginAX.ocx"	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32\ThreadingModel = "Apartment"	UnityWebPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{085CB97F-6D0B-487D-B94C-E11A736C38CE}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{085CB97F-6D0B-487D-B94C-E11A736C38CE}\InprocServer32\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QYPlugin64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\InprocServer32	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 55 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_AUTOCONFIG_BRANDING\iexplore.exe = "1"	Qy_plugin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\Policy = "3"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\New Windows\Allow\*.ppstream.com	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAC94FEE-45B4-4FD4-9EEA-D8978EC96C6E}	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\ProtocolExecute	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\AppName = "QyClient.exe"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAC94FEE-45B4-4FD4-9EEA-D8978EC96C6E}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\LStyle"	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAC94FEE-45B4-4FD4-9EEA-D8978EC96C6E}\AppName = "QyClient.exe"	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\ppsrun\WarnOnOpen = "0"	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_AUTOCONFIG_BRANDING	Qy_plugin.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\pps\WarnOnOpen = "0"	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6BE0FB-8B18-4dfc-959F-233651CC4D7F}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\LStyle"	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\qips	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\New Windows\Allow\*.pps.tv	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\Policy = "3"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	Qy_plugin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6BE0FB-8B18-4dfc-959F-233651CC4D7F}	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\pps	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\qisu\WarnOnOpen = "0"	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\Policy = "3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_GPU_RENDERING\QyBrowser.exe = "1"	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\New Windows\Allow	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\AppName = "QyClient.exe"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\qygameclient	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\QyFragment.exe = "9000"	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_GPU_RENDERING\QyPlayer.exe = "1"	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\QyClient.exe = "9000"	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\ppstream\WarnOnOpen = "0"	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\ppsrun	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\AppName = "QYFollowVideo.exe"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_GPU_RENDERING\QyFragment.exe = "1"	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6BE0FB-8B18-4dfc-959F-233651CC4D7F}\Policy = "3"	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\magnet2	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6BE0FB-8B18-4dfc-959F-233651CC4D7F}\AppName = "QyKernel.exe"	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\qisu	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\qygameclient\WarnOnOpen = "0"	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\QyPlayer.exe = "9000"	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_GPU_RENDERING\QyClient.exe = "1"	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAC94FEE-45B4-4FD4-9EEA-D8978EC96C6E}\Policy = "3"	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\qips\WarnOnOpen = "0"	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\AppName = "QYFollowVideo.exe"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\QyBrowser.exe = "9000"	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\ppstream	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\magnet2\WarnOnOpen = "0"	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\Policy = "3"	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ppsrun	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB3A16EC-96E2-421B-8462-C6F992596E65}\ProxyStubClsid32	Qy_plugin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\InprocServer32\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QYPlugin64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{307B3CDB-9EE3-4137-9D18-F9AD6537ECEB}\Programmable	Qy_plugin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pps_qsv\ = "媒体文件(.qsv)"	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\AppID	UnityWebPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QYPlugin.QYPluginCtrl.1\ = "爱奇艺浏览器插件"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1D75F62-CBBD-45C7-9D1D-6B5ECEC2E006}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\Accelerator"	Qy_plugin.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{138F4260-66CA-4F7C-812F-C6EED99B7EC7}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB3A16EC-96E2-421B-8462-C6F992596E65}\TypeLib\ = "{E1D75F62-CBBD-45C7-9D1D-6B5ECEC2E006}"	Qy_plugin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{790F2D3B-18EE-40E2-A45E-1FAC13B6AFB8}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\TypeLib\{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\LocalLow\\Unity\\WebPlayer\\loader\\UnityWebPluginAX.ocx"	UnityWebPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\Control\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\TypeLib\{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\LocalLow\\Unity\\WebPlayer\\loader"	UnityWebPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{138F4260-66CA-4F7C-812F-C6EED99B7EC7}\TypeLib\ = "{B6360BD3-5CD0-40D3-BD87-DAFF37889F50}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB3A16EC-96E2-421B-8462-C6F992596E65}\TypeLib\Version = "1.0"	Qy_plugin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pps_pfv\ = "媒体文件(.pfv)"	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{307B3CDB-9EE3-4137-9D18-F9AD6537ECEB}\ProgID\ = "IEHelper.FlvFilter.1"	Qy_plugin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{307B3CDB-9EE3-4137-9D18-F9AD6537ECEB}\VersionIndependentProgID	Qy_plugin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1D75F62-CBBD-45C7-9D1D-6B5ECEC2E006}\1.0\FLAGS\ = "0"	Qy_plugin.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\AppID\{F008CD3D-7044-4CD4-BE14-BF3FCCF144F9}	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\MiscStatus	UnityWebPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet2\shell\open\command	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\UnityWebPlayer.UnityWebPlayer\CurVer\ = "UnityWebPlayer.UnityWebPlayer.1"	UnityWebPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.FlvFilter\ = "FlvFilter Class"	Qy_plugin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3636FE13-B7E3-4CDC-B7E3-A8014BD2CC02}\ProxyStubClsid32	Qy_plugin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pps\ = "PPS播放协议"	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{790F2D3B-18EE-40E2-A45E-1FAC13B6AFB8}\ = "_DQYPluginEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\InprocServer32\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QYPlugin.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pps\DefaultIcon	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\IEHelper.DLL	Qy_plugin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{307B3CDB-9EE3-4137-9D18-F9AD6537ECEB}\InprocServer32\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\Accelerator\\IEHelper.dll"	Qy_plugin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\TypeLib	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\MiscStatus\1	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	UnityWebPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pps_pfv\DefaultIcon\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QyClient.exe,-107"	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1D75F62-CBBD-45C7-9D1D-6B5ECEC2E006}\1.0\0\win32	Qy_plugin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pmv	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	UnityWebPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet2\shell\open\command\ = "\"C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QyClient.exe\" -ppstream \"%1\""	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet2\DefaultIcon	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.FlvFilter.1\CLSID\ = "{307B3CDB-9EE3-4137-9D18-F9AD6537ECEB}"	Qy_plugin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3636FE13-B7E3-4CDC-B7E3-A8014BD2CC02}\TypeLib	Qy_plugin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF3CDEFB-31BE-43AE-B064-B9C62C883259}\Shell\Open\Command\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QyClient.exe web_startup_tray"	Qy_plugin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pgf\DefaultIcon	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pps\URL Protocol	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\ProgID	UnityWebPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\TypeLib\ = "{B6360BD3-5CD0-40D3-BD87-DAFF37889F50}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\ProgID\ = "QYPlugin.QYPluginCtrl.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ppsrun\shell\open	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QYPlugin.QYPluginCtrl.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pgf\DefaultIcon\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QyClient.exe,-317"	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\TypeLib\{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}\1.0\0\win32	UnityWebPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pfv	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	UnityWebPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{790F2D3B-18EE-40E2-A45E-1FAC13B6AFB8}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6360BD3-5CD0-40D3-BD87-DAFF37889F50}\1.0\0	regsvr32.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
636	QyKernel.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2576	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	28
PID 2428 wrote to memory of 2576	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	28
PID 2428 wrote to memory of 2576	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	28
PID 2428 wrote to memory of 2576	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	28
PID 2428 wrote to memory of 2576	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	28
PID 2428 wrote to memory of 2576	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	28
PID 2428 wrote to memory of 2576	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	28
PID 2428 wrote to memory of 2840	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	29
PID 2428 wrote to memory of 2840	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	29
PID 2428 wrote to memory of 2840	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	29
PID 2428 wrote to memory of 2840	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	29
PID 2428 wrote to memory of 380	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	30
PID 2428 wrote to memory of 380	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	30
PID 2428 wrote to memory of 380	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	30
PID 2428 wrote to memory of 380	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	30
PID 2428 wrote to memory of 1272	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	31
PID 2428 wrote to memory of 1272	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	31
PID 2428 wrote to memory of 1272	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	31
PID 2428 wrote to memory of 1272	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	31
PID 2428 wrote to memory of 1272	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	31
PID 2428 wrote to memory of 1272	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	31
PID 2428 wrote to memory of 1272	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	31
PID 2428 wrote to memory of 1492	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	32
PID 2428 wrote to memory of 1492	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	32
PID 2428 wrote to memory of 1492	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	32
PID 2428 wrote to memory of 1492	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	32
PID 2428 wrote to memory of 1492	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	32
PID 2428 wrote to memory of 1492	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	32
PID 2428 wrote to memory of 1492	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	32
PID 1492 wrote to memory of 1764	1492	regsvr32.exe	33
PID 1492 wrote to memory of 1764	1492	regsvr32.exe	33
PID 1492 wrote to memory of 1764	1492	regsvr32.exe	33
PID 1492 wrote to memory of 1764	1492	regsvr32.exe	33
PID 1492 wrote to memory of 1764	1492	regsvr32.exe	33
PID 1492 wrote to memory of 1764	1492	regsvr32.exe	33
PID 1492 wrote to memory of 1764	1492	regsvr32.exe	33
PID 2428 wrote to memory of 2868	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	34
PID 2428 wrote to memory of 2868	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	34
PID 2428 wrote to memory of 2868	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	34
PID 2428 wrote to memory of 2868	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	34
PID 2428 wrote to memory of 1712	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	35
PID 2428 wrote to memory of 1712	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	35
PID 2428 wrote to memory of 1712	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	35
PID 2428 wrote to memory of 1712	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	35
PID 2428 wrote to memory of 2036	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	36
PID 2428 wrote to memory of 2036	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	36
PID 2428 wrote to memory of 2036	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	36
PID 2428 wrote to memory of 2036	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	36
PID 2428 wrote to memory of 1940	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	38
PID 2428 wrote to memory of 1940	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	38
PID 2428 wrote to memory of 1940	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	38
PID 2428 wrote to memory of 1940	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	38
PID 2428 wrote to memory of 2756	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	40
PID 2428 wrote to memory of 2756	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	40
PID 2428 wrote to memory of 2756	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	40
PID 2428 wrote to memory of 2756	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	40
PID 2428 wrote to memory of 268	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	43
PID 2428 wrote to memory of 268	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	43
PID 2428 wrote to memory of 268	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	43
PID 2428 wrote to memory of 268	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	43
PID 2428 wrote to memory of 940	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	44
PID 2428 wrote to memory of 940	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	44
PID 2428 wrote to memory of 940	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	44
PID 2428 wrote to memory of 940	2428	09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe	44

C:\Users\Admin\AppData\Local\Temp\09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09c0ee808d67fd0cecfc23e1e6349192_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Program Files directory
- Drops file in Windows directory
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe
  "C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe" /S
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Registers COM server for autorun
  - Modifies registry class
  PID:2576
- C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe
  "C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe" QiyiUpdate "C:\Program Files (x86)\IQIYI Video" true
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe
  "C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe" -install
  2⤵
  - Installs/modifies Browser Helper Object
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:380
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\IQIYI Video\LStyle\QYPlugin.dll"
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:1272
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\IQIYI Video\LStyle\QYPlugin64.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files (x86)\IQIYI Video\LStyle\QYPlugin64.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1764
- C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\vmpagedown.exe
  "C:\Users\Admin\AppData\Local\Temp\nst1B6E.tmp\vmpagedown.exe" "http://vodguide.ppstream.iqiyi.com/search.php?ver=1.0.6.55" "C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\vmPage\search_top.zip"
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\QyMaster.exe
  "C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\QyMaster.exe" "C:\Users\Public\QiYi\QiyiHCDN\Config"
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe
  "C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe" QiyiUpdate "C:\Users\Admin\AppData\Roaming\IQIYI Video" true
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Program Files (x86)\IQIYI Video\LStyle\QiyiService.exe
  "C:\Program Files (x86)\IQIYI Video\LStyle\QiyiService.exe" -i
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Program Files (x86)\IQIYI Video\LStyle\mDNSResponder.exe
  "C:\Program Files (x86)\IQIYI Video\LStyle\mDNSResponder.exe" -finstall
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe
  "C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe" videolibrary=uninstall_setup
  2⤵
  - Executes dropped EXE
  PID:268
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺视频客户端" dir=in program="C:\Program Files (x86)\IQIYI Video\LStyle\QyClient.exe" action=allow description="C:\Program Files (x86)\IQIYI Video\LStyle\QyClient.exe"
  2⤵
  - Modifies Windows Firewall
  PID:940
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺HCDN网络数据传输组件" dir=in program="C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe" action=allow description="C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe"
  2⤵
  - Modifies Windows Firewall
  PID:1584
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺视频播放器" dir=in program="C:\Program Files (x86)\IQIYI Video\LStyle\QyMiniPlayer.exe" action=allow description="C:\Program Files (x86)\IQIYI Video\LStyle\QyMiniPlayer.exe"
  2⤵
  - Modifies Windows Firewall
  PID:2628
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺PPS影音播放器组件" dir=in program="C:\Program Files (x86)\IQIYI Video\LStyle\QyPlayer.exe" action=allow description="C:\Program Files (x86)\IQIYI Video\LStyle\QyPlayer.exe"
  2⤵
  - Modifies Windows Firewall
  PID:2956
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺升级模块" dir=in program="C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\QyUpdate.exe" action=allow description="C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\QyUpdate.exe"
  2⤵
  - Modifies Windows Firewall
  PID:1040
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺视频辅助程序" dir=in program="C:\Program Files (x86)\IQIYI Video\LStyle\QyFragment.exe" action=allow description="C:\Program Files (x86)\IQIYI Video\LStyle\QyFragment.exe"
  2⤵
  - Modifies Windows Firewall
  PID:2032
- C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\mkshortcut.exe
  "C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\mkshortcut.exe" -output "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\爱奇艺PPS.lnk" -target "C:\Program Files (x86)\IQIYI Video\LStyle\QyClient.exe" -parameters "quicklaunchrun" -workingdir "C:\Program Files (x86)\IQIYI Video\LStyle" -appid "IQIYI, Inc.PCClient" -icon "C:\Program Files (x86)\IQIYI Video\LStyle\skin\Logo\LogoBevel.ico" -description "使用爱奇艺PPS收看影视节目，清晰流畅更新快"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2292

C:\Program Files (x86)\IQIYI Video\LStyle\QiyiService.exe
"C:\Program Files (x86)\IQIYI Video\LStyle\QiyiService.exe"
1⤵
- Executes dropped EXE
PID:2744

C:\Program Files (x86)\IQIYI Video\LStyle\mDNSResponder.exe
"C:\Program Files (x86)\IQIYI Video\LStyle\mDNSResponder.exe"
1⤵
- Modifies firewall policy service
- Executes dropped EXE
PID:2740

C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe
"C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Browser Extensions

T1176

Create or Modify System Process

T1543

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry