5b85836c75d1dacf71227436b2d6102ec84dd91ab12b727c3c4643e27b724ea2

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Size

39.4MB
MD5

68d40dbffd9df1989a6ef532d88a9d85
SHA1

2dc45ca131d13be4c74b34ceedf2a21b37fb91f6
SHA256

5b85836c75d1dacf71227436b2d6102ec84dd91ab12b727c3c4643e27b724ea2
SHA512

e98ef299f29a34903e5ae2f041fed3d694084f813e333e5ed61cf50e8f5958474dc39e46afedf6d212566bdba2f06701f74121c342d6b19d1419108de3f93dc1
SSDEEP

786432:Ckxc4BiiqqeuC9H607Yd0FPAwt3f3DXXo1wg+37TLYVzvWVHC:Csdqqez9H7wWPRt3f3bXo1wNw

Score

10^/10

adware discovery evasion persistence stealer

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

mDNSResponder.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	mDNSResponder.exe

Drops startup file 2 IoCs

Processes:

68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\爱奇艺PPS.lnk	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\爱奇艺PPS.lnk	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HCDNClient = "\"C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QyKernel.exe\" -shell_start"	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

QyKernel.exe

description ioc process

File opened (read-only) \??\F: QyKernel.exe

description	ioc	process
File opened (read-only)	\??\F:	QyKernel.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

Qy_plugin.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FB4F6285-4C32-49F2-950F-A5998F9CEC6C}	Qy_plugin.exe

Modifies Windows Firewall 2 TTPs 6 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

3128 netsh.exe
1912 netsh.exe
4304 netsh.exe
1552 netsh.exe
3628 netsh.exe
220 netsh.exe

pid	process
3128	netsh.exe
1912	netsh.exe
4304	netsh.exe
1552	netsh.exe
3628	netsh.exe
220	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

Processes:

68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\IQIYI Video\LStyle\vmPage\skin\J-5.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\left_list_video_more_bg.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\made\loading_18.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\common\pagedownicon.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinDefault\skinplan\SearchRes\hotWords_1.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\PLRes\vip.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\suggest\suggest_item_play_hot.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\videosquare\videosquare_itemex_floder_foreground.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinDefault\skinplan\LoginRes\arrow_down.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinVIP\skinplan\list\favoriteSelect.gif	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\RecommendedGames_Mov.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\ServersListIcon.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\appdata\webcache\27\WebPage.html	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\close_normal.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Ctrl\SettingWnd.xml	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\common\common_shadow.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\QYProduct\QYProductMainCtrl.xml	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\videosquare\videosquare.xml	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CutLine_mov.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Ctrl\Comment\CommentSettingWnd.xml	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Middle\logo\logo_option_bk.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\vip\loading_8.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Top\100.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\PersonalCenter\register\dot.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinDefault\skinplan\PlayerRes\Ctrl\stop.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\switch_animation\switch.gif	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\ssleay32.dll	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\Sound_mov.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\listCheck.xml	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Middle\ADRes\AdInnerPrompt\AdInnerPrompt (58).png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\info\img\close2.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\Upload\UploadUI_Sm.xml	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\PersonalCenter\common\Close1.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinVIP\skinplan\right_menu_icon_15_on.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\HCDNClientNet.dll	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\loading.html	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Ctrl\code_rate_tip_close.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Middle\ADRes\AdInnerPrompt\AdInnerPrompt (1).png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\MobileAssistant\Fragment\MobileAssistant\TransferAssistant.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinVIP\skinplan\PlayerRes\RightMenu\icon_timing.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinVIP\skinplan\SearchRes\searchBtn32.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\GameRecord_Normal.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\LocalListRes\TipBk.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Ctrl\Comment\color_selected.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinVIP\skinplan\list\downloadpausebtn.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\appdata\webcache\1\movieLib_pstyle.css	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\BatchDownLoad\errorIcon.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\dramaseries.xml	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Middle\ADRes\5.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\made\loading_5.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\downloadRes\common\Arrow.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\MobileAssistant\Fragment\MobileAssistant\DeviceIcon.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\ConfigRes\ppsboosterset_down.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\LocalListRes\add_file_hover.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\made\loading_10.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\listUI\favord3_1.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinVIP\skinplan\SearchRes\hotWords_2.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\web\blank.html	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Middle\ADRes\AdWnd_SkipAdDisable.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Top\top_time.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\downloadRes\download.xml	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\sys_min.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\ServersListItem.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File created	C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Ctrl\Comment\color_selected.png	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

Processes:

68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exeQyKernel.exe

description	ioc	process
File created	C:\Windows\Fonts\iqiyi_logo.ttf	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Windows\Fonts\iqiyi_logo.ttf	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
File opened for modification	C:\Windows\psnetwork.ini	QyKernel.exe

Executes dropped EXE 13 IoCs

Processes:

UnityWebPlayer.exeQiyiDACL.exeQy_plugin.exevmpagedown.exeQyMaster.exeQiyiDACL.exeQiyiService.exeQiyiService.exemDNSResponder.exemDNSResponder.exeQiyiDACL.exemkshortcut.exeQyKernel.exe

pid	process
2068	UnityWebPlayer.exe
1836	QiyiDACL.exe
2044	Qy_plugin.exe
1296	vmpagedown.exe
2388	QyMaster.exe
4140	QiyiDACL.exe
400	QiyiService.exe
624	QiyiService.exe
1488	mDNSResponder.exe
1312	mDNSResponder.exe
3364	QiyiDACL.exe
4448	mkshortcut.exe
3632	QyKernel.exe

Loads dropped DLL 48 IoCs

Processes:

68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exeUnityWebPlayer.exeQy_plugin.exeregsvr32.exeregsvr32.exeregsvr32.exeQyKernel.exe

pid	process
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
2068	UnityWebPlayer.exe
2068	UnityWebPlayer.exe
2068	UnityWebPlayer.exe
2068	UnityWebPlayer.exe
2068	UnityWebPlayer.exe
2068	UnityWebPlayer.exe
2044	Qy_plugin.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
4288	regsvr32.exe
5100	regsvr32.exe
4288	regsvr32.exe
4288	regsvr32.exe
4288	regsvr32.exe
4288	regsvr32.exe
4308	regsvr32.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3632	QyKernel.exe
3632	QyKernel.exe
3632	QyKernel.exe
3632	QyKernel.exe
3632	QyKernel.exe
3632	QyKernel.exe
3632	QyKernel.exe
3632	QyKernel.exe
3632	QyKernel.exe
3632	QyKernel.exe
3632	QyKernel.exe
3632	QyKernel.exe
3632	QyKernel.exe
3632	QyKernel.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3632	QyKernel.exe
3632	QyKernel.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe

Registers COM server for autorun 1 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

regsvr32.exeUnityWebPlayer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\InprocServer32\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QYPlugin64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\LocalLow\\Unity\\WebPlayer\\loader\\UnityWebPluginAX.ocx"	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32\ThreadingModel = "Apartment"	UnityWebPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{085CB97F-6D0B-487D-B94C-E11A736C38CE}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{085CB97F-6D0B-487D-B94C-E11A736C38CE}\InprocServer32\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QYPlugin64.dll"	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 54 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exeregsvr32.exeQy_plugin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\Policy = "3"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\QyFragment.exe = "1"	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAC94FEE-45B4-4FD4-9EEA-D8978EC96C6E}	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\AppName = "QYFollowVideo.exe"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\pps\WarnOnOpen = "0"	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\magnet2	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\magnet2\WarnOnOpen = "0"	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\ppstream	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\qygameclient	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AUTOCONFIG_BRANDING\iexplore.exe = "1"	Qy_plugin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\QyBrowser.exe = "9000"	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.pps.tv	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAC94FEE-45B4-4FD4-9EEA-D8978EC96C6E}\Policy = "3"	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\QyFragment.exe = "9000"	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\qisu\WarnOnOpen = "0"	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\qygameclient\WarnOnOpen = "0"	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\ppstream\WarnOnOpen = "0"	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\Policy = "3"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\QyPlayer.exe = "1"	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6BE0FB-8B18-4dfc-959F-233651CC4D7F}\AppName = "QyKernel.exe"	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\AppName = "QYFollowVideo.exe"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\QyClient.exe = "1"	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\Policy = "3"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\QyPlayer.exe = "9000"	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6BE0FB-8B18-4dfc-959F-233651CC4D7F}	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\ppsrun\WarnOnOpen = "0"	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\pps	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\qisu	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\Policy = "3"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\QyBrowser.exe = "1"	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\New Windows\Allow	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAC94FEE-45B4-4FD4-9EEA-D8978EC96C6E}\AppName = "QyClient.exe"	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAC94FEE-45B4-4FD4-9EEA-D8978EC96C6E}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\LStyle"	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	Qy_plugin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\AppName = "QyClient.exe"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6BE0FB-8B18-4dfc-959F-233651CC4D7F}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\LStyle"	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6BE0FB-8B18-4dfc-959F-233651CC4D7F}\Policy = "3"	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\AppName = "QyClient.exe"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\ppsrun	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_AUTOCONFIG_BRANDING	Qy_plugin.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.ppstream.com	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\qips	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\qips\WarnOnOpen = "0"	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\QyClient.exe = "9000"	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe

Modifies registry class 64 IoCs

Processes:

68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exeQy_plugin.exeregsvr32.exeregsvr32.exeUnityWebPlayer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qips\DefaultIcon\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QyClient.exe,-0"	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ppstream\shell\open\command\ = "\"C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QyClient.exe\" -ppstream \"%1\""	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3636FE13-B7E3-4CDC-B7E3-A8014BD2CC02}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Qy_plugin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{790F2D3B-18EE-40E2-A45E-1FAC13B6AFB8}\ = "_DQYPluginEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{085CB97F-6D0B-487D-B94C-E11A736C38CE}\InprocServer32\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QYPlugin.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QYPlugin.QYPluginCtrl.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\ProgID\ = "QYPlugin.QYPluginCtrl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\ = "爱奇艺浏览器插件"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ppstream\shell\open\command	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pfv\OpenWithList\GeePlayer.exe	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qisu\URL Protocol	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}\TypeLib\ = "{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}"	UnityWebPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.FlashHelper\CurVer	Qy_plugin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB3A16EC-96E2-421B-8462-C6F992596E65}\TypeLib\Version = "1.0"	Qy_plugin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pps\shell\open\command\ = "\"C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QyClient.exe\" -ppstream \"%1\""	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ppstream\shell\open	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qisu\shell\open\command	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\MiscStatus\1\ = "131473"	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\.pfv	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6360BD3-5CD0-40D3-BD87-DAFF37889F50}\1.0\ = "QYPlugin ActiveX ¿Ø¼þÄ£¿é"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{138F4260-66CA-4F7C-812F-C6EED99B7EC7}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{790F2D3B-18EE-40E2-A45E-1FAC13B6AFB8}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\UnityWebPlayer.UnityWebPlayer.1\CLSID	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	UnityWebPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pps_pfv\ = "媒体文件(.pfv)"	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB4F6285-4C32-49F2-950F-A5998F9CEC6C}\ = "°®ÆæÒÕÖúÊÖ"	Qy_plugin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB3A16EC-96E2-421B-8462-C6F992596E65}\ProxyStubClsid32	Qy_plugin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ppsrun\ = "PPS运行协议"	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ppsrun\shell	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet2\DefaultIcon\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QyClient.exe,-0"	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	UnityWebPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qips	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\magnet2\shell\open\command	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\Version\ = "1.0"	UnityWebPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1D75F62-CBBD-45C7-9D1D-6B5ECEC2E006}\1.0\0\win32	Qy_plugin.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{790F2D3B-18EE-40E2-A45E-1FAC13B6AFB8}\TypeLib\ = "{B6360BD3-5CD0-40D3-BD87-DAFF37889F50}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{085CB97F-6D0B-487D-B94C-E11A736C38CE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qisu\shell\open\command\ = "\"C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QyClient.exe\" -ppstream \"%1\""	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}	UnityWebPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{790F2D3B-18EE-40E2-A45E-1FAC13B6AFB8}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QYPlugin.dll, 1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qygameclient\URL Protocol	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\TypeLib\{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\LocalLow\\Unity\\WebPlayer\\loader"	UnityWebPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{307B3CDB-9EE3-4137-9D18-F9AD6537ECEB}\InprocServer32\ThreadingModel = "Apartment"	Qy_plugin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6360BD3-5CD0-40D3-BD87-DAFF37889F50}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\AppID\UnityWebPluginAX.ocx	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	UnityWebPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1D75F62-CBBD-45C7-9D1D-6B5ECEC2E006}\1.0\0\win32\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\Accelerator\\IEHelper.dll"	Qy_plugin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ppsrun\shell\open\command	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\Implemented Categories	UnityWebPlayer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\TypeLib\{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}\1.0\0\win32	UnityWebPlayer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}\TypeLib\Version = "1.0"	UnityWebPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pps_pfv\shell\open\command	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\Control\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF3CDEFB-31BE-43AE-B064-B9C62C883259}\Shell\Open\Command\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QyClient.exe web_startup_tray"	Qy_plugin.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32	UnityWebPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{307B3CDB-9EE3-4137-9D18-F9AD6537ECEB}\InprocServer32	Qy_plugin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{138F4260-66CA-4F7C-812F-C6EED99B7EC7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{138F4260-66CA-4F7C-812F-C6EED99B7EC7}\TypeLib\Version = "1.0"	regsvr32.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB\Blob = 040000000100000010000000a1f2f9b5d2c87a74b8f305f1d7e1848d030000000100000014000000b94294bf91ea8fb64be61097c7fb001359b676cb68000000010000000800000000800c13c1b9d4017e000000010000000800000000c00c0f7f39d3010b000000010000000e00000057006f005300690067006e0000001d000000010000001000000051541f96c328dd7ac3ef2bdce753ac47140000000100000014000000e166cf0ed1f1b34bb7062014fe8712d5f6fefb3e6200000001000000200000004b22d5a6aec99f3cdb79aa5ec06838479cd5ecba7164f7f22dc1d65f63d857085300000001000000230000003021301f06092b06010401829b510230123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080f000000010000001400000044cb4357ecb773b9ac3a3b0b1e45ab6bc45c2f1c20000000010000007a050000308205763082035ea00302010202105e68d61171946350560068f33ec9c591300d06092a864886f70d01010505003055310b300906035504061302434e311a3018060355040a1311576f5369676e204341204c696d69746564312a30280603550403132143657274696669636174696f6e20417574686f72697479206f6620576f5369676e301e170d3039303830383031303030315a170d3339303830383031303030315a3055310b300906035504061302434e311a3018060355040a1311576f5369676e204341204c696d69746564312a30280603550403132143657274696669636174696f6e20417574686f72697479206f6620576f5369676e30820222300d06092a864886f70d01010105000382020f003082020a0282020100bdca8dacb8911556977b6b5c7ac2de6bd9a1b0c31023faa7a1b2cc31fa3ed9a6296f163de06bf8b8405fdb39a8007a8ba04d547dc22278fc8e09b8a885d7cc95974b74d89e7ef000e40e89ae4928441a1099320f258853a40db30f1208160b0371271c7fe1dbd2fd6768c4055d0a0e5d70d7d897a0bc53419a918df49e36667a7e56c1905fe6b1682036a48c242c2c470b59766630b5bedeed8ff89dd3bb0130e6f2f30ee02c9280f385f9288ab4542e9aedf776fc156816eb4a6ceb2e128fd4cffe0cc75c1d0b7e0532be5eb0092a42d5c94e90b3590dbb7a7ecdd5085ab47fd81c6911f9270f7b06af5483187be1dd547a51686e77fcc6bf524a6646a1b2671abba34f77a0be5dfffc560b43727790ca9ef9f239f50da9f4ead7e7b3102f30423721cc3070c986980fcc584d83bb7de51aa5378db6ac3297003a6371241e9e37c4ff74d437c0e2fe88466011dd083f5036abb87aa495626a6eb0ca6a215a69f3f3fb1d703995f3a76ea68189a188c53b71caa352ee83bbfda077f4e46fe742db6d4a998a3448bc17dce4800822b6f231c03f043eeb9f2079d6b80664640231d7a9cd52fb84456909002adc558bc406464bc04a1d095b3928fda9abce00f92e484b26e6304ca558cab444824fe7911e33c3b093ff11fc81d2ca1f7129dd764f9225af1d81b70f2f8cc306cc2f27a34ae40e99ba7c1e451f7faa194596fdfc3d0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414e166cf0ed1f1b34bb7062014fe8712d5f6fefb3e300d06092a864886f70d01010505000382020100a8cb7240b276c17e7bfcad64e3327bcc3cb65d46d3f52ce2705dc82ed8067d98d10b21a0895924019df9af097d0a238234d5fc7c7299b9a3d754f4ea52700ec5f5d63be13a0932e6213993bdb315ea4f6af4f58b3f2f7c8d582ec5e139a03ec73d4a739e407ac02b61a967c9f324b9b36d552c5a1d9e2572ce0badaac755620bbefb63b3614423a3cbe11a0ef79a064dded4234e21965b395b571d2f5d085e0979ff7c97b54d83ae0dd6e6a379e033d099960230a73effd2a3433f055a06ea4402da7cf848d033a9f907c795e1f53ef55d71baf295a974886159e3bfca5a13ba72b48c5d3687e9a6c53c13bfded04426eeb7ec2e70fad79db7ace5c5405ae6d76c7b2cc3569b47cd0bcefa1bb421d7b766b8f425308b5c0db9ea67b2f46daed5a19e4fd89fe92702b01d06d68fe3fb48129f7f11a1103e4c513a96b0d113f1c7d826ae3aca91c4699ddf012964516f68da14ec084197908dd0b280f2cfc23dbf9168c580671ec4601355d56199577cba950f61493aca75bcc90a933f670e12f228e2311bc05716df087c19c17e0f1f851e0a367c5b7e27bc7abfe0dbf4da52bdde0c547031914395c8bcf03edd097e306450ed7f01a433674d684fbe15efb0f60211a21b13253adcc259f1e35c46bb672c0246ea1e48a6e65bd9b5bc51a29296dbaac63722a6fecc2074a32da92e6bcbc0821121b59379ee4486bed71ee41efb	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB\Blob = 1900000001000000100000002ee0c890fdcb0441fa180c68348589950f000000010000001400000044cb4357ecb773b9ac3a3b0b1e45ab6bc45c2f1c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703085300000001000000230000003021301f06092b06010401829b510230123010060a2b0601040182373c0101030200c06200000001000000200000004b22d5a6aec99f3cdb79aa5ec06838479cd5ecba7164f7f22dc1d65f63d85708140000000100000014000000e166cf0ed1f1b34bb7062014fe8712d5f6fefb3e1d000000010000001000000051541f96c328dd7ac3ef2bdce753ac470b000000010000000e00000057006f005300690067006e0000007e000000010000000800000000c00c0f7f39d30168000000010000000800000000800c13c1b9d401030000000100000014000000b94294bf91ea8fb64be61097c7fb001359b676cb040000000100000010000000a1f2f9b5d2c87a74b8f305f1d7e1848d20000000010000007a050000308205763082035ea00302010202105e68d61171946350560068f33ec9c591300d06092a864886f70d01010505003055310b300906035504061302434e311a3018060355040a1311576f5369676e204341204c696d69746564312a30280603550403132143657274696669636174696f6e20417574686f72697479206f6620576f5369676e301e170d3039303830383031303030315a170d3339303830383031303030315a3055310b300906035504061302434e311a3018060355040a1311576f5369676e204341204c696d69746564312a30280603550403132143657274696669636174696f6e20417574686f72697479206f6620576f5369676e30820222300d06092a864886f70d01010105000382020f003082020a0282020100bdca8dacb8911556977b6b5c7ac2de6bd9a1b0c31023faa7a1b2cc31fa3ed9a6296f163de06bf8b8405fdb39a8007a8ba04d547dc22278fc8e09b8a885d7cc95974b74d89e7ef000e40e89ae4928441a1099320f258853a40db30f1208160b0371271c7fe1dbd2fd6768c4055d0a0e5d70d7d897a0bc53419a918df49e36667a7e56c1905fe6b1682036a48c242c2c470b59766630b5bedeed8ff89dd3bb0130e6f2f30ee02c9280f385f9288ab4542e9aedf776fc156816eb4a6ceb2e128fd4cffe0cc75c1d0b7e0532be5eb0092a42d5c94e90b3590dbb7a7ecdd5085ab47fd81c6911f9270f7b06af5483187be1dd547a51686e77fcc6bf524a6646a1b2671abba34f77a0be5dfffc560b43727790ca9ef9f239f50da9f4ead7e7b3102f30423721cc3070c986980fcc584d83bb7de51aa5378db6ac3297003a6371241e9e37c4ff74d437c0e2fe88466011dd083f5036abb87aa495626a6eb0ca6a215a69f3f3fb1d703995f3a76ea68189a188c53b71caa352ee83bbfda077f4e46fe742db6d4a998a3448bc17dce4800822b6f231c03f043eeb9f2079d6b80664640231d7a9cd52fb84456909002adc558bc406464bc04a1d095b3928fda9abce00f92e484b26e6304ca558cab444824fe7911e33c3b093ff11fc81d2ca1f7129dd764f9225af1d81b70f2f8cc306cc2f27a34ae40e99ba7c1e451f7faa194596fdfc3d0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414e166cf0ed1f1b34bb7062014fe8712d5f6fefb3e300d06092a864886f70d01010505000382020100a8cb7240b276c17e7bfcad64e3327bcc3cb65d46d3f52ce2705dc82ed8067d98d10b21a0895924019df9af097d0a238234d5fc7c7299b9a3d754f4ea52700ec5f5d63be13a0932e6213993bdb315ea4f6af4f58b3f2f7c8d582ec5e139a03ec73d4a739e407ac02b61a967c9f324b9b36d552c5a1d9e2572ce0badaac755620bbefb63b3614423a3cbe11a0ef79a064dded4234e21965b395b571d2f5d085e0979ff7c97b54d83ae0dd6e6a379e033d099960230a73effd2a3433f055a06ea4402da7cf848d033a9f907c795e1f53ef55d71baf295a974886159e3bfca5a13ba72b48c5d3687e9a6c53c13bfded04426eeb7ec2e70fad79db7ace5c5405ae6d76c7b2cc3569b47cd0bcefa1bb421d7b766b8f425308b5c0db9ea67b2f46daed5a19e4fd89fe92702b01d06d68fe3fb48129f7f11a1103e4c513a96b0d113f1c7d826ae3aca91c4699ddf012964516f68da14ec084197908dd0b280f2cfc23dbf9168c580671ec4601355d56199577cba950f61493aca75bcc90a933f670e12f228e2311bc05716df087c19c17e0f1f851e0a367c5b7e27bc7abfe0dbf4da52bdde0c547031914395c8bcf03edd097e306450ed7f01a433674d684fbe15efb0f60211a21b13253adcc259f1e35c46bb672c0246ea1e48a6e65bd9b5bc51a29296dbaac63722a6fecc2074a32da92e6bcbc0821121b59379ee4486bed71ee41efb	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB\Blob = 5c000000010000000400000000100000040000000100000010000000a1f2f9b5d2c87a74b8f305f1d7e1848d030000000100000014000000b94294bf91ea8fb64be61097c7fb001359b676cb68000000010000000800000000800c13c1b9d4017e000000010000000800000000c00c0f7f39d3010b000000010000000e00000057006f005300690067006e0000001d000000010000001000000051541f96c328dd7ac3ef2bdce753ac47140000000100000014000000e166cf0ed1f1b34bb7062014fe8712d5f6fefb3e6200000001000000200000004b22d5a6aec99f3cdb79aa5ec06838479cd5ecba7164f7f22dc1d65f63d857085300000001000000230000003021301f06092b06010401829b510230123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080f000000010000001400000044cb4357ecb773b9ac3a3b0b1e45ab6bc45c2f1c1900000001000000100000002ee0c890fdcb0441fa180c683485899520000000010000007a050000308205763082035ea00302010202105e68d61171946350560068f33ec9c591300d06092a864886f70d01010505003055310b300906035504061302434e311a3018060355040a1311576f5369676e204341204c696d69746564312a30280603550403132143657274696669636174696f6e20417574686f72697479206f6620576f5369676e301e170d3039303830383031303030315a170d3339303830383031303030315a3055310b300906035504061302434e311a3018060355040a1311576f5369676e204341204c696d69746564312a30280603550403132143657274696669636174696f6e20417574686f72697479206f6620576f5369676e30820222300d06092a864886f70d01010105000382020f003082020a0282020100bdca8dacb8911556977b6b5c7ac2de6bd9a1b0c31023faa7a1b2cc31fa3ed9a6296f163de06bf8b8405fdb39a8007a8ba04d547dc22278fc8e09b8a885d7cc95974b74d89e7ef000e40e89ae4928441a1099320f258853a40db30f1208160b0371271c7fe1dbd2fd6768c4055d0a0e5d70d7d897a0bc53419a918df49e36667a7e56c1905fe6b1682036a48c242c2c470b59766630b5bedeed8ff89dd3bb0130e6f2f30ee02c9280f385f9288ab4542e9aedf776fc156816eb4a6ceb2e128fd4cffe0cc75c1d0b7e0532be5eb0092a42d5c94e90b3590dbb7a7ecdd5085ab47fd81c6911f9270f7b06af5483187be1dd547a51686e77fcc6bf524a6646a1b2671abba34f77a0be5dfffc560b43727790ca9ef9f239f50da9f4ead7e7b3102f30423721cc3070c986980fcc584d83bb7de51aa5378db6ac3297003a6371241e9e37c4ff74d437c0e2fe88466011dd083f5036abb87aa495626a6eb0ca6a215a69f3f3fb1d703995f3a76ea68189a188c53b71caa352ee83bbfda077f4e46fe742db6d4a998a3448bc17dce4800822b6f231c03f043eeb9f2079d6b80664640231d7a9cd52fb84456909002adc558bc406464bc04a1d095b3928fda9abce00f92e484b26e6304ca558cab444824fe7911e33c3b093ff11fc81d2ca1f7129dd764f9225af1d81b70f2f8cc306cc2f27a34ae40e99ba7c1e451f7faa194596fdfc3d0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414e166cf0ed1f1b34bb7062014fe8712d5f6fefb3e300d06092a864886f70d01010505000382020100a8cb7240b276c17e7bfcad64e3327bcc3cb65d46d3f52ce2705dc82ed8067d98d10b21a0895924019df9af097d0a238234d5fc7c7299b9a3d754f4ea52700ec5f5d63be13a0932e6213993bdb315ea4f6af4f58b3f2f7c8d582ec5e139a03ec73d4a739e407ac02b61a967c9f324b9b36d552c5a1d9e2572ce0badaac755620bbefb63b3614423a3cbe11a0ef79a064dded4234e21965b395b571d2f5d085e0979ff7c97b54d83ae0dd6e6a379e033d099960230a73effd2a3433f055a06ea4402da7cf848d033a9f907c795e1f53ef55d71baf295a974886159e3bfca5a13ba72b48c5d3687e9a6c53c13bfded04426eeb7ec2e70fad79db7ace5c5405ae6d76c7b2cc3569b47cd0bcefa1bb421d7b766b8f425308b5c0db9ea67b2f46daed5a19e4fd89fe92702b01d06d68fe3fb48129f7f11a1103e4c513a96b0d113f1c7d826ae3aca91c4699ddf012964516f68da14ec084197908dd0b280f2cfc23dbf9168c580671ec4601355d56199577cba950f61493aca75bcc90a933f670e12f228e2311bc05716df087c19c17e0f1f851e0a367c5b7e27bc7abfe0dbf4da52bdde0c547031914395c8bcf03edd097e306450ed7f01a433674d684fbe15efb0f60211a21b13253adcc259f1e35c46bb672c0246ea1e48a6e65bd9b5bc51a29296dbaac63722a6fecc2074a32da92e6bcbc0821121b59379ee4486bed71ee41efb	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB\Blob = 0f000000010000001400000044cb4357ecb773b9ac3a3b0b1e45ab6bc45c2f1c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703085300000001000000230000003021301f06092b06010401829b510230123010060a2b0601040182373c0101030200c06200000001000000200000004b22d5a6aec99f3cdb79aa5ec06838479cd5ecba7164f7f22dc1d65f63d85708140000000100000014000000e166cf0ed1f1b34bb7062014fe8712d5f6fefb3e1d000000010000001000000051541f96c328dd7ac3ef2bdce753ac470b000000010000000e00000057006f005300690067006e0000007e000000010000000800000000c00c0f7f39d30168000000010000000800000000800c13c1b9d401030000000100000014000000b94294bf91ea8fb64be61097c7fb001359b676cb20000000010000007a050000308205763082035ea00302010202105e68d61171946350560068f33ec9c591300d06092a864886f70d01010505003055310b300906035504061302434e311a3018060355040a1311576f5369676e204341204c696d69746564312a30280603550403132143657274696669636174696f6e20417574686f72697479206f6620576f5369676e301e170d3039303830383031303030315a170d3339303830383031303030315a3055310b300906035504061302434e311a3018060355040a1311576f5369676e204341204c696d69746564312a30280603550403132143657274696669636174696f6e20417574686f72697479206f6620576f5369676e30820222300d06092a864886f70d01010105000382020f003082020a0282020100bdca8dacb8911556977b6b5c7ac2de6bd9a1b0c31023faa7a1b2cc31fa3ed9a6296f163de06bf8b8405fdb39a8007a8ba04d547dc22278fc8e09b8a885d7cc95974b74d89e7ef000e40e89ae4928441a1099320f258853a40db30f1208160b0371271c7fe1dbd2fd6768c4055d0a0e5d70d7d897a0bc53419a918df49e36667a7e56c1905fe6b1682036a48c242c2c470b59766630b5bedeed8ff89dd3bb0130e6f2f30ee02c9280f385f9288ab4542e9aedf776fc156816eb4a6ceb2e128fd4cffe0cc75c1d0b7e0532be5eb0092a42d5c94e90b3590dbb7a7ecdd5085ab47fd81c6911f9270f7b06af5483187be1dd547a51686e77fcc6bf524a6646a1b2671abba34f77a0be5dfffc560b43727790ca9ef9f239f50da9f4ead7e7b3102f30423721cc3070c986980fcc584d83bb7de51aa5378db6ac3297003a6371241e9e37c4ff74d437c0e2fe88466011dd083f5036abb87aa495626a6eb0ca6a215a69f3f3fb1d703995f3a76ea68189a188c53b71caa352ee83bbfda077f4e46fe742db6d4a998a3448bc17dce4800822b6f231c03f043eeb9f2079d6b80664640231d7a9cd52fb84456909002adc558bc406464bc04a1d095b3928fda9abce00f92e484b26e6304ca558cab444824fe7911e33c3b093ff11fc81d2ca1f7129dd764f9225af1d81b70f2f8cc306cc2f27a34ae40e99ba7c1e451f7faa194596fdfc3d0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414e166cf0ed1f1b34bb7062014fe8712d5f6fefb3e300d06092a864886f70d01010505000382020100a8cb7240b276c17e7bfcad64e3327bcc3cb65d46d3f52ce2705dc82ed8067d98d10b21a0895924019df9af097d0a238234d5fc7c7299b9a3d754f4ea52700ec5f5d63be13a0932e6213993bdb315ea4f6af4f58b3f2f7c8d582ec5e139a03ec73d4a739e407ac02b61a967c9f324b9b36d552c5a1d9e2572ce0badaac755620bbefb63b3614423a3cbe11a0ef79a064dded4234e21965b395b571d2f5d085e0979ff7c97b54d83ae0dd6e6a379e033d099960230a73effd2a3433f055a06ea4402da7cf848d033a9f907c795e1f53ef55d71baf295a974886159e3bfca5a13ba72b48c5d3687e9a6c53c13bfded04426eeb7ec2e70fad79db7ace5c5405ae6d76c7b2cc3569b47cd0bcefa1bb421d7b766b8f425308b5c0db9ea67b2f46daed5a19e4fd89fe92702b01d06d68fe3fb48129f7f11a1103e4c513a96b0d113f1c7d826ae3aca91c4699ddf012964516f68da14ec084197908dd0b280f2cfc23dbf9168c580671ec4601355d56199577cba950f61493aca75bcc90a933f670e12f228e2311bc05716df087c19c17e0f1f851e0a367c5b7e27bc7abfe0dbf4da52bdde0c547031914395c8bcf03edd097e306450ed7f01a433674d684fbe15efb0f60211a21b13253adcc259f1e35c46bb672c0246ea1e48a6e65bd9b5bc51a29296dbaac63722a6fecc2074a32da92e6bcbc0821121b59379ee4486bed71ee41efb	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe

pid	process
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

QyKernel.exe

pid process

3632 QyKernel.exe

pid	process
3632	QyKernel.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exeregsvr32.exe

description	pid	process	target process
PID 3112 wrote to memory of 2068	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	UnityWebPlayer.exe
PID 3112 wrote to memory of 2068	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	UnityWebPlayer.exe
PID 3112 wrote to memory of 2068	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	UnityWebPlayer.exe
PID 3112 wrote to memory of 1836	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	QiyiDACL.exe
PID 3112 wrote to memory of 1836	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	QiyiDACL.exe
PID 3112 wrote to memory of 1836	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	QiyiDACL.exe
PID 3112 wrote to memory of 2044	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	Qy_plugin.exe
PID 3112 wrote to memory of 2044	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	Qy_plugin.exe
PID 3112 wrote to memory of 2044	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	Qy_plugin.exe
PID 3112 wrote to memory of 4288	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	regsvr32.exe
PID 3112 wrote to memory of 4288	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	regsvr32.exe
PID 3112 wrote to memory of 4288	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	regsvr32.exe
PID 3112 wrote to memory of 5100	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	Conhost.exe
PID 3112 wrote to memory of 5100	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	Conhost.exe
PID 3112 wrote to memory of 5100	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	Conhost.exe
PID 5100 wrote to memory of 4308	5100	regsvr32.exe	Conhost.exe
PID 5100 wrote to memory of 4308	5100	regsvr32.exe	Conhost.exe
PID 3112 wrote to memory of 1296	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	vmpagedown.exe
PID 3112 wrote to memory of 1296	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	vmpagedown.exe
PID 3112 wrote to memory of 1296	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	vmpagedown.exe
PID 3112 wrote to memory of 2388	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	QyMaster.exe
PID 3112 wrote to memory of 2388	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	QyMaster.exe
PID 3112 wrote to memory of 2388	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	QyMaster.exe
PID 3112 wrote to memory of 4140	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	QiyiDACL.exe
PID 3112 wrote to memory of 4140	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	QiyiDACL.exe
PID 3112 wrote to memory of 4140	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	QiyiDACL.exe
PID 3112 wrote to memory of 400	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	QiyiService.exe
PID 3112 wrote to memory of 400	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	QiyiService.exe
PID 3112 wrote to memory of 400	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	QiyiService.exe
PID 3112 wrote to memory of 1488	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	mDNSResponder.exe
PID 3112 wrote to memory of 1488	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	mDNSResponder.exe
PID 3112 wrote to memory of 1488	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	mDNSResponder.exe
PID 3112 wrote to memory of 3364	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	QiyiDACL.exe
PID 3112 wrote to memory of 3364	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	QiyiDACL.exe
PID 3112 wrote to memory of 3364	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	QiyiDACL.exe
PID 3112 wrote to memory of 220	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	netsh.exe
PID 3112 wrote to memory of 220	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	netsh.exe
PID 3112 wrote to memory of 220	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	netsh.exe
PID 3112 wrote to memory of 3128	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	netsh.exe
PID 3112 wrote to memory of 3128	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	netsh.exe
PID 3112 wrote to memory of 3128	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	netsh.exe
PID 3112 wrote to memory of 1912	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	netsh.exe
PID 3112 wrote to memory of 1912	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	netsh.exe
PID 3112 wrote to memory of 1912	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	netsh.exe
PID 3112 wrote to memory of 4304	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	netsh.exe
PID 3112 wrote to memory of 4304	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	netsh.exe
PID 3112 wrote to memory of 4304	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	netsh.exe
PID 3112 wrote to memory of 1552	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	netsh.exe
PID 3112 wrote to memory of 1552	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	netsh.exe
PID 3112 wrote to memory of 1552	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	netsh.exe
PID 3112 wrote to memory of 3628	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	netsh.exe
PID 3112 wrote to memory of 3628	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	netsh.exe
PID 3112 wrote to memory of 3628	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	netsh.exe
PID 3112 wrote to memory of 4448	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	mkshortcut.exe
PID 3112 wrote to memory of 4448	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	mkshortcut.exe
PID 3112 wrote to memory of 4448	3112	68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe	mkshortcut.exe

C:\Users\Admin\AppData\Local\Temp\68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\68d40dbffd9df1989a6ef532d88a9d85_JaffaCakes118.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Checks computer location settings
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Program Files directory
- Drops file in Windows directory
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3112
- C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe
  "C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe" /S
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Registers COM server for autorun
  - Modifies registry class
  PID:2068
- C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe
  "C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe" QiyiUpdate "C:\Program Files (x86)\IQIYI Video" true
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe
  "C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe" -install
  2⤵
  - Installs/modifies Browser Helper Object
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:2044
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\IQIYI Video\LStyle\QYPlugin.dll"
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:4288
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\IQIYI Video\LStyle\QYPlugin64.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files (x86)\IQIYI Video\LStyle\QYPlugin64.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:4308
- C:\Users\Admin\AppData\Local\Temp\nsk45B5.tmp\vmpagedown.exe
  "C:\Users\Admin\AppData\Local\Temp\nsk45B5.tmp\vmpagedown.exe" "http://vodguide.ppstream.iqiyi.com/search.php?ver=1.0.6.55" "C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\vmPage\search_top.zip"
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\QyMaster.exe
  "C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\QyMaster.exe" "C:\Users\Public\QiYi\QiyiHCDN\Config"
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe
  "C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe" QiyiUpdate "C:\Users\Admin\AppData\Roaming\IQIYI Video" true
  2⤵
  - Executes dropped EXE
  PID:4140
- C:\Program Files (x86)\IQIYI Video\LStyle\QiyiService.exe
  "C:\Program Files (x86)\IQIYI Video\LStyle\QiyiService.exe" -i
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Program Files (x86)\IQIYI Video\LStyle\mDNSResponder.exe
  "C:\Program Files (x86)\IQIYI Video\LStyle\mDNSResponder.exe" -finstall
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe
  "C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe" videolibrary=uninstall_setup
  2⤵
  - Executes dropped EXE
  PID:3364
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺视频客户端" dir=in program="C:\Program Files (x86)\IQIYI Video\LStyle\QyClient.exe" action=allow description="C:\Program Files (x86)\IQIYI Video\LStyle\QyClient.exe"
  2⤵
  - Modifies Windows Firewall
  PID:220
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺HCDN网络数据传输组件" dir=in program="C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe" action=allow description="C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe"
  2⤵
  - Modifies Windows Firewall
  PID:3128
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺视频播放器" dir=in program="C:\Program Files (x86)\IQIYI Video\LStyle\QyMiniPlayer.exe" action=allow description="C:\Program Files (x86)\IQIYI Video\LStyle\QyMiniPlayer.exe"
  2⤵
  - Modifies Windows Firewall
  PID:1912
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺PPS影音播放器组件" dir=in program="C:\Program Files (x86)\IQIYI Video\LStyle\QyPlayer.exe" action=allow description="C:\Program Files (x86)\IQIYI Video\LStyle\QyPlayer.exe"
  2⤵
  - Modifies Windows Firewall
  PID:4304
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4308
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺升级模块" dir=in program="C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\QyUpdate.exe" action=allow description="C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\QyUpdate.exe"
  2⤵
  - Modifies Windows Firewall
  PID:1552
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺视频辅助程序" dir=in program="C:\Program Files (x86)\IQIYI Video\LStyle\QyFragment.exe" action=allow description="C:\Program Files (x86)\IQIYI Video\LStyle\QyFragment.exe"
  2⤵
  - Modifies Windows Firewall
  PID:3628
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5100
- C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\mkshortcut.exe
  "C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\mkshortcut.exe" -output "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\爱奇艺PPS.lnk" -target "C:\Program Files (x86)\IQIYI Video\LStyle\QyClient.exe" -parameters "quicklaunchrun" -workingdir "C:\Program Files (x86)\IQIYI Video\LStyle" -appid "IQIYI, Inc.PCClient" -icon "C:\Program Files (x86)\IQIYI Video\LStyle\skin\Logo\LogoBevel.ico" -description "使用爱奇艺PPS收看影视节目，清晰流畅更新快"
  2⤵
  - Executes dropped EXE
  PID:4448

C:\Program Files (x86)\IQIYI Video\LStyle\QiyiService.exe
"C:\Program Files (x86)\IQIYI Video\LStyle\QiyiService.exe"
1⤵
- Executes dropped EXE
PID:624

C:\Program Files (x86)\IQIYI Video\LStyle\mDNSResponder.exe
"C:\Program Files (x86)\IQIYI Video\LStyle\mDNSResponder.exe"
1⤵
- Modifies firewall policy service
- Executes dropped EXE
PID:1312

C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe
"C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\AoreAudioVolume.dll

Filesize
59KB

MD5
a53ff1a83e51f4915a6a61ee92f408d3

SHA1
15f9bbc83652f057f933ad2dfa02c9713884d328

SHA256
c81aedcb12656accfdbda1d1572311c9a0f9954c0036c0074235f42b6c0567de

SHA512
be5d2b9c05d28c49ad3b8be847f322bbf23b06e9966418f57698e463c9bd112e9ad27081029fee422212013924beedf010074bcce5683308039ccbeee072f436

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\ClientGadgetSDK.exe

Filesize
60KB

MD5
9b4a17d36d4730907fbd6d8969ad4533

SHA1
547f1198f277c267627083ab3a6f083931a88f85

SHA256
7a201389575d3c6f60a638dcd6f8c1c41687b51bc7be541ebc271330e1875be6

SHA512
870012f8ee3b07e5b45abdce7c0bbaaca5d963412332669ba1ceb4c6b9c6077740b6336dcd8ea802c10254e73173de00a3e2f1c6e3e6202b397477cc38e96ce2

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\GdiPlus.dll

Filesize
1.7MB

MD5
385e243fc4314f79c1e3042070586d03

SHA1
bff588a2ac255b4cd1e3a9528529aa0e26f4657b

SHA256
18055410347fe57288aa11917e77f9b5833f59e669e8c65fc589d314eb6b695c

SHA512
5854cd81f2f9d5d01a7c0e3ab1b6801490f455191089a21dbc199cf924f59aadbff85d9b963700961c326a4def2a13ff9ba6d3933ead17262b7b66d0279f2c55

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\LobbyServerList1.xml

Filesize
9KB

MD5
45811f4d5463405dae043f7e9b9ba846

SHA1
886a410881900f0237ed619bfca6583da8ef919a

SHA256
a0635bc8344e41759e0a53f0720435952f57fe68df229ac4831fb9300bdc4593

SHA512
cbaa251953dc1bd3d67c176702a23482472449078344d7d26051589e1b5350f5a85cf120453bc6fa66f6a8c6b8db80bd52c4b2bd67dd53d5a1df02c7dd8d1736

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\QyGameClient.exe

Filesize
3.0MB

MD5
85d1912c6c543f4cf7b69ebb76372b5c

SHA1
f43303d60f2baf0d17ae6d14b8d98b6b1152d696

SHA256
b9f7db9f09ad85025a61617ea56089ac92a2f1c9feccd9b3273f88abf8e769b3

SHA512
91f568d0a95625da13da7c416e0813b922f30c280a80e04229365fc121ddec0da9afb4a1f64c63405521d463cebe6ace0c5a6dda4da5bf57a39d50729eac176a

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\QyWebGameClient.exe

Filesize
635KB

MD5
4c3d98b2b8e9e4064e5947d64c4ec613

SHA1
6b8c3f2ee10d8f830f8678e5245cc2a35d18ac28

SHA256
46f0604a4450ef9f828364e21a1441bdd4fa7a229964aa61bf16279150c9ba55

SHA512
10025f9d34b952b09037f5f269583d74c3792cbd386eee2ba3e143f8b04636cf662e1c154f286a86343d0f27a1bece456442daa7eec84670e741c08048aada2a

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe

Filesize
1.0MB

MD5
95bff19e30f8b194eebc8c81b671d6d7

SHA1
be2883ccd72263e162350cdfb7bf9d4bc5090f17

SHA256
4fa1020f67d7beee37c67bb6bd86ed8925e348adbf5748f9555dc96797c651d3

SHA512
762bf013e4d46ca61dceabde986753cf501442e1c72dcf394b628e2f6273ff05f686908bf9ec3be17d28b34602ea0bc18795e296da43dda7de47e81962a559db

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\error_togame.html

Filesize
2KB

MD5
5926b1d339e58bf3ebc876939ea4c2c5

SHA1
64394e162c82bc19812c62881ca1545288e56516

SHA256
5bbaa9feff7fbe44b794df4b493c587303588d74d138cdb50504ed5b6e3c8669

SHA512
a8f7374e80214bc9ba4e493e8706e59f55f07ccc31601ed550f0d1787e1c5dc6695f4fbf75e7e2b66c031fb44e391af6d65ea619c3286aedf3d12c819b3751c8

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\img\arrow3.png

Filesize
1KB

MD5
4b7ff428e1010f5b4b924a381ecc6a9f

SHA1
c64a6c92c9ce90dc5f51fcb61d1fa7aaf55765bb

SHA256
6da80486fc24fe096983626c22d7ade8e72667205ae9ab88eafb1b5e896f7d47

SHA512
aeb5d028c20c69cc04422c1cbcb0ec9ee72557553cc8230c9129b7baa70c6ad3263d91c9d5c62c69792f321182564d6f52e167e18bbbe4370564790596561d39

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\img\arrow4.png

Filesize
940B

MD5
55b2b0485d8cb14277abed24471c8ec6

SHA1
121aca27f33646990d96a7b602671a0d01f6a4b5

SHA256
41e8a39560fe7c5d41be57668b697ff6d163794c1fe0d178bd7ff603395e5666

SHA512
d0330c27c501f78cb3dc07df0b2b757851420a88002ee1ccaa5ec3fe29d42fb59bcd26b2fad40bf771e611e2ce7e98fbe7a72c7edd0e58cc5a78075d392cf751

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\img\bgline.jpg

Filesize
1KB

MD5
e50052189fe327cffc4920d2cbfe7e5a

SHA1
917e438ed6c14579b4c923bed88b0938a5719312

SHA256
49de719c563b90541a46fd3db53057cd6e1c854f69359b09453b7c6233707ecd

SHA512
e98a96a9a3086768ce81e2152a7ad98c8f0c08308521ade743940ecc23170ff6309d722869543593f8fea742d2b0f95602a594ddff9894881043654d69008a58

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\img\error.jpg

Filesize
81KB

MD5
2cd92fc75bc2be926e4c002598f325c0

SHA1
484461932de9ae91409a67308236f4f35be0a232

SHA256
657728435b2d152106f4acac777bfd82157727e0fdf6364c4f0eb4906a443399

SHA512
d1ab9a455742d502260bbd3279a9da0579f0408b5a7443ec5c28b4a19c8e31f6e622d33c6e886cde289a3f8e6c530c9b94e8c247299a0ed54dd01a41ca8c329d

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\control\mainframe.png

Filesize
1KB

MD5
b702f688b22f0d326be0496338307f0d

SHA1
3a69c7a925bef885ad3491fe552a613dde803aad

SHA256
97aec0db2dcaf6d20a1ed9e8cb2d8bdde456ea0bbee9bb9275bfb284dd059a52

SHA512
bd30e9c6518072b5954d69824d084a99011f24cbc386e4be15a3d55bf5f69cc11f1ff4693699b2291278ea7d19665348e847f6c0ba8737fe46ef837dfca3d102

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\ArrowLine.png

Filesize
2KB

MD5
bc5022a5719a200d8cb4df3b5d95337d

SHA1
33b3389c08cb110d2882ce7c87c09f6ac768e91a

SHA256
79c208d9481d9ad70b6375aaa875c1933fa6a5aff1a20ca69ae9e2d28fd16253

SHA512
71d564c909621d9260a257daaee9bdb019a8fe24f81db319ba7bf31b6e81e5db7fafde7b76c181a615bd872fd702ab60d463ee340b8b8124bb524ded20cc9245

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BarPay_hov.png

Filesize
1KB

MD5
f3506a23a8eab8def532ec1124fc122b

SHA1
5dab7891775c289e860aa2b144483209e8673b13

SHA256
4d2fe7c86523d8e72de46e925aa1ea473e43b46534088c2372ebd5cd2db6a02f

SHA512
1095e4cce712836bb0f1b45f83a919f44c7becc8c51f950fec2a1e4034f8d6004372e23f100e51e309a7a406c51b4fd0821cc92f8245b720e094ce6b9cbc0856

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BarPay_mov.png

Filesize
1KB

MD5
17ded5e0a173363a18f2e998cf05882f

SHA1
121c6c1c92e0538cc4a1964eea2a6de7784a6ff7

SHA256
5a6d97e4f5fd2cd4ff81595bce200b8b9bb0af8c87e0a5a1ad33e2ba8592631b

SHA512
12d6cf34bb4f1c3482421cc986d2776d6724e3b97f257a2cfa17f373b688742c23d8a7ea682b8bc19c5b6162e2bf9627c415e3dc822a7beed2bdc2799bcb6b6c

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BindPhone_Hov.png

Filesize
1KB

MD5
f061cd973c3245b935f8ca0e7fa2df41

SHA1
b843b3013d90a3b54f54796f36d0b3ae64e0684a

SHA256
4047e046f0f25b0f41d3cdc6578e252d35d5b2db9d44f91fbe5400b14073c8d9

SHA512
05047a6b3c235dbf1c086ea97759f888efc88dbd25eef984de53aab304e0091f40f0014b6edea4368f813f4d4dc0cd04d35cd1fe0dbaee3a9ddd31b675cac186

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BindPhone_Mov.png

Filesize
1KB

MD5
62cfbca60f27d4b42253c96e1753bfbe

SHA1
496690bcb841f2c95b1b1d3ad2f8a70c7a3dee76

SHA256
4e2ef52fdf819e5d5825857600bb1ebad672a16873f4f55cc02c4b78c04d01e9

SHA512
ea87b367f8dd7a0670ae3171dd7a6f957682a661528e9f1330921c8273dd6df952e529aed59c21be33f0f733483266468809dcf0a5c38137610849ca2489c4a2

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BindingAccountTips.png

Filesize
3KB

MD5
782b458a7a130a168e2348bb6b6d1ec8

SHA1
bf958b123c4c07ffda0d47939747464deba924a5

SHA256
37bea36b1180d7b0a2a2734a46b3ced630c997a461024dbd395e12706ba29599

SHA512
3b765d00dbf554f5b4037b27a6ee5a3cfcbc26d33a6b336f5a37fd085de24ac5bf26edf0e6855ece7184799a1e216bc072fe516356a419e9a9d26846c58ce32f

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BtnCloseDisable.png

Filesize
1KB

MD5
a7a050294a34df2b6598b06c0f1b46ee

SHA1
ad0a456db2e13852af75b30f8a84495dd8414b1d

SHA256
a37bc8a0d719e97f6bba561f05056c90beafef08dc5cf77ca0604caf833b82ae

SHA512
3d1bbf0957bc2df884b0716ecaeaf616f83f803a006cb0b03f66102520d99e98833d4448c407b75dc5a67505f0c7cc23a919a4b58881bd4c1691c5257299df36

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BtnCloseHover.png

Filesize
1KB

MD5
77c53a33af5d9060edc64d742581c78d

SHA1
a6ca1ead89f69b55cfa2557a2607e056d7b98ad5

SHA256
b8ee599130d00563db4e4c0cf66b07d626d00e28edc35d9e96734d73c11e56f5

SHA512
16bc887a618d565e5a5a93c98bce80510138a1c6687a027b16aa52233154bdead4224d4fbe76b2c48d13e210e426c6c86c250a27e7b4b7e695a9af59e8a8f506

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BtnCloseNormal.png

Filesize
1KB

MD5
5c58e41384824810c9233b4e20544bbb

SHA1
19a38a15c08df0c87fc96fb2ff1218cb11397bb7

SHA256
b6f7642aa16976177755b14a93dbdb3245eadc5f31cd28abbd97d31b4939a189

SHA512
1ee8e676ea4702c7196f123c327aa0cbffc4553f389816dc7a8ade555b7f8c07e5b4b80bcc8ef6546e85e9b5255f20cd81cde91faf509f7d4fc0f35421af364c

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BtnMinHover.png

Filesize
1KB

MD5
3d5ce2154e2739d8372cd19ef6894d54

SHA1
a50b1d7dce90ace6de2f64420cc501d4ae044ff0

SHA256
bcc19a19510a08c675266e240a2262c92f1bb214f333cdd3c12e50a84f97f881

SHA512
382f29d7c19f22c34a9fea304028535835fe2693fc6c86834d3b2ca915a3e14b88cc84cbb368543312f6080f53479039557418efe65e2909ff5b07e06c593684

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BtnMinNormal.png

Filesize
1KB

MD5
0f8c32a24cdd495cf044885babc2a284

SHA1
b554b4ed413de5050d7ba05f5f9135fd9a8bad66

SHA256
ce9610d0d6f603ed290e3eac9813fe6428f85575399f1d2f3b79ec2b80bc5700

SHA512
88f4ca39e9acf4d4e17d003e1bb043a2cb4784d3c06fccb061f4e78033ab814ce301d23ae2a71ff454e8ab8f82557bb5385cb6ac927950aab955ce9ca459b0c3

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BtnSearch_HOV.png

Filesize
4KB

MD5
fa74861595b2d7f8029238da227c9ed1

SHA1
c2103a895f32dcb9e8f1b8a7f647d38821b2df1b

SHA256
f22ecceffd5edb6c5818da84a7753190a2f1a050d7a137676c6baf155955ac02

SHA512
7ec53735e6f498db76f25e742d512a58729dc3889ed6c5aa78844fa9178b8ced9de960d238258f161c3dfa5217bd2c575488b868910ec55bb5d887469ef7989b

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BtnSearch_Hover.png

Filesize
1KB

MD5
d94d4858a788fc9c9e4372a9847660f4

SHA1
863d2d93f6909c19ee666e0b73e5a1914343c221

SHA256
6dc00a8eef3d4d1394655073304c749b499e4ebe34ba292b3aa1e81f53a2efdf

SHA512
f734a7c10005bd83e56e4f00139375404524c94c8a906d71bcd67dc590d91a9d9caeaef702a67540c7a627100a371c663a4d2c0cc6610b429e2618e1869f61d3

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BtnSearch_MOV.png

Filesize
4KB

MD5
0373829c3ff82ae9637c770174be1f01

SHA1
b608bca312673a83e435c475c3b6e56cf0ed0f61

SHA256
c5db13edaa19ab6024f12952264a3ec005c4ff87f677e33d0444a9485c113179

SHA512
ed0aa92263b53f6b65820303a08d31c7d54c422425aeae90ea52e08c54e10392acf33fdbb12e9ceea954df9a3cab1b13d4cc39c5a46198c364c6de3017d9dc87

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BtnSearch_Normal.png

Filesize
1KB

MD5
e720f8d7d9b1eebf115a3ac3b2e8fa0e

SHA1
39e7f401d756d0f67413f9ff9ac925780b6e5434

SHA256
395035ebf113e3f7d46d5fff75fad4154a674747d86049eb88d0962865cc8328

SHA512
436d15bbdfd0cb4a1bbea0db7be5249ebb5e59268c6768a58424c66d155f4485057de177d9b36959c022b6a3c305af072414a75e829d44eee5cc0a8b6b9f4dcf

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BtnSearch_click.png

Filesize
1KB

MD5
d5c86709860616b2a77328be90005dd7

SHA1
8e3051d9b74eeea2641ca29510e8dd75e8f6dbe4

SHA256
4f3d3d8f8544b6f5d973443d28972712d9f869f745544822a7af63d66cb9806f

SHA512
c2149278520b60989638870a3095b82f85eb7329f67741c99e832c483e2a2a7159e9f5294223d504eb98f0d1b185a57834d43da0681684a7b4152929cbdaa6de

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CheckBoxCheck.png

Filesize
1KB

MD5
d9cdf06422119816ca6f9c4c72cd09f6

SHA1
64e3bd1921689df2f3ee450c8387f9325d1254e0

SHA256
23f27fa2319a141f10a8be0cce63f11fce499f5943306d9d555c177c74d346cb

SHA512
2763f47b77742585d3562d61afe00033ef7ebb9f3fb1b7cd8b163d62ed5770680b00ac27bf200a47734cf715adaab862b9710268db9b6fc67f3c6625612cd88b

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CheckBoxUncheck.png

Filesize
1KB

MD5
0992ec4811eb429baf46221fb1bfe4fa

SHA1
c4d95902c17a2c339cfadd366a1735a08dcef39c

SHA256
179ad885c9bd5e378b834f0c192f36d24366dac0af3df1c3a7896150e94a56a0

SHA512
91fedac3aad148511f028fbf25f544590abd7daac05fdcf9f62063911a1b5e39003e9a97d54425d2facfb4446311dc42499e625766b912656dd1fbebf8fc56b1

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CheckBoxUncheckHover.png

Filesize
1KB

MD5
0e40da2e0b0d35ca116a6ef8cc09ab27

SHA1
c43ff70922be4bfcf7823551be6b2167c341f979

SHA256
b443f84b1dae129f7f7d86f46a1b6afac0569f5537ef79919396a18f15a6c709

SHA512
82042d24bb547bf1aba3b317e611516162a955714df3c44807c65ac5ef449b0e5e0eee8e673de24be9eb89c9cf45068afff74fb710e2eb89e9d4106ffdd645a7

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\ClearIECache_hov.png

Filesize
1KB

MD5
5e9c33c45c3997c6bd2a227496d8bbf5

SHA1
61438ac8294a4723abf785604b05f3cfb3f190a5

SHA256
59a3e8272352042ab795032d5dd448b2f9bb3c9bb0e4a119792ef31094e69005

SHA512
de8df25f3294dfa0a01433df94672272c119ab58c58e7af5bab3cb155dca248113d31e5145b1039dcf24bd27725aa385c860e286ffb7c6a85b4b8f25373451e4

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\ClearIECache_mov.png

Filesize
1KB

MD5
683aebc33c1a57d4e7193ac11edb718d

SHA1
f880556c87ea97d913003b5d61bfcc46309203fc

SHA256
2a1b1688b001bf57d60a0c47b6b82910c443015711820f6a95a073e540621a40

SHA512
6aa2665a83c7b683658601815d6b0957ee3376645158339657bda2ff765b7db91fb8abc49ef0e50c5a9474965ccc9e34ba8df82e28d8cfa2b05cd49225a3a454

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CollectingToDesktop_HOV.png

Filesize
1KB

MD5
8f88aba447c6b48423a6ab9502060195

SHA1
2d434c1dc6f8523b49dc669abd8f69f50656ffbb

SHA256
78a209e1df0745cffb42aeeba157769ccf016dd3e356719415c11374f0e592df

SHA512
927b79089112c18870b43568c6efa1f8959beb39aaba9356429d7209438f8ad330488f3c49d8b4bd9aff29808b751ee52c82f7322dc72eb8a2d1ac563ba79fbf

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CollectingToDesktop_MOV.png

Filesize
1KB

MD5
e4c70faae3c4fce495e12d24c2854c8b

SHA1
9faf01736350722f60820485bc6fa1eb364e2c5d

SHA256
03f78a2bb0eb5d120d85e7c08a16410921824154186b04ef1027905b07d137a5

SHA512
54567bbe7b75acc0e09a4fde69ff50d295609fdab69478d8c995213d4491f09aeaeaa134b2a63a76d3c5f92a8a3b61c1e56b8593dddf17a12ca28b6c8af4e4c9

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\ComBtn.png

Filesize
1KB

MD5
0a2318d4078889584caa4523315bdd70

SHA1
281adb6f789746a5c2e446eea019c1e1047ab8d1

SHA256
5956629dc86c8486d28137f91fcc493183a53a103c1ba5f4a4019f67a132e9ef

SHA512
5c05917259aefc4b675913cb896af105b1e7bf7cf07ac400083303e2952e307fb72eef4786e27381a7eee5d2b17dd4d55a9ed1dac7acded6890db927f4657b5b

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\ComBtnHov.png

Filesize
1KB

MD5
6cb194b84853c3d231eead716d49370c

SHA1
f95a681a3dc9318580bb62ef8ce4a678d78f1ec5

SHA256
ee34c098163504705e055812f003d823efe727600ea4b56db73553e2ff9d0219

SHA512
5ba1f927981c8679b49c5fd079ea2bcc662c8e9282ae736783c7d46ddcf7c486ad48856cea0831a223ac8b9600eea541a35fd3b4afd4fa2f132dc554503ba4ec

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CommonBtn_Hover.png

Filesize
1KB

MD5
15ae314b60106f6eda43676eb1d3de6b

SHA1
2897302883ec07add176c4e03f8dc9a4ae6afdde

SHA256
8927bf74e9d960dad95ba796e6f2bc731c5b4e1192cbd7b120cbd2f1898ec3c1

SHA512
479afa994781f6a495d7439ae3d0afc131ad5ad7bb5ff1471f1ffebf61633a74624e41b06b481f17c8a9f723635de871273147659ddf070664c385215bc23a80

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CommonBtn_normal.png

Filesize
1KB

MD5
e189e1d1d43cba9e78c008fa248e02fe

SHA1
b374269f970d337375552f2b771126f11da42f15

SHA256
911eb65979874e946ac0b2da2440084f98c3088758e2f1bd9144d495061d6aaa

SHA512
fd1b83cd8130000670756169910920145c9a1cc1ca35b4efca61311248db07488d32430d5d3d1c45b231b3d5803e011470326f4e3ec694ff5663a16b66e1df67

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CreateShortLinkClose_Hover.png

Filesize
2KB

MD5
2855abc8bc2f15113af379b3ced104a2

SHA1
0aebf0295a17c7fd6c722ce10a65c9fc4fd09f03

SHA256
671af83a229fe930a720e5805e079ce2c01334125136011d8adc0ee6c3dd50ab

SHA512
5b5063eacf5fdd0ee1e939090334d5f918c4fe3484a6a0a3ee4c87e8808153002ea8316733a5a8e84c5e019a2c6f4a64b8390ca339cfad7c2135fcdb9024b3c6

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CreateShortLinkTips.png

Filesize
3KB

MD5
cb1e1030a8813d00749d308b0da73b9f

SHA1
d97c9823d234fd8650dfcf540796d26f97442776

SHA256
2d0fc3650a7f32216d8545dfd541bf4a1ab9f386521ae8f035ef8f6c069089fd

SHA512
24141197dabf6dd18adedf1920b52dbac7a72eefcf71cf66d02048e08d480c489e3ee72be174c593bd7a4e2882ef62bb0e941e5dc3c98d6abec15db88cbc5051

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CreateShortLink_Nomal.png

Filesize
2KB

MD5
673f47624b85a4403fdc740fe2721397

SHA1
ab0843b01f6a80a70c2cbaabe67f273094f80b33

SHA256
38bb2806bdc0022541bde8ebdfcc7c4b4724489e870cfa7ec5bc16919057f629

SHA512
eb43372ada55842ec5a7ca52be3a4cc0eebd1bf83323b06f3587632f9ac76ba57cc943cac46c3529bdc269105aef965a2662924815b253044f5b34a77b0d73ca

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CutLine_mov.png

Filesize
931B

MD5
7069d28083d1361384f04c0d0f68904e

SHA1
eb42e13f8ddd37a0a6493d1a8b4fa629c04ee229

SHA256
328ee1b1c993d27c97aeb037e0e755e05a106aa4ee9e3203f350c9a09c4fa8d6

SHA512
316e4539fb1cbb0204bbdf4beeeba9c3f268a006f280c74ae3d2d77caf1d34c571073c0dde726cacd94aa2237d5e03c345d38fe0feb6eeff01803cc634358403

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\DelBtnHov.png

Filesize
1KB

MD5
159f343e6d3f9ba1d99da3d187398909

SHA1
5855b18908526953cb8b8a9d281ee144107dfe76

SHA256
1446a20293259c127b7631cb9934265c89810039e8c076cd98f946d55e00da1d

SHA512
70d6c98f6e57036a2e894c102888ea86575ad3e00e30ff386a1d97c6d4f407d29945f3f11c0e633e4f81179fe6f868755c0e82a0b9f1dbcc46e9410e6207ccc9

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\DelBtnNor.png

Filesize
1KB

MD5
5ff65cbf00ca0eb38b04df50917ac76e

SHA1
d5c498ddc143f575bc00955bdb38640901b85a85

SHA256
bd20a3bb861109627eef3acfc4cddd6120b6e96d7de94415ed375b43930c78ca

SHA512
01bdfba569dd465a84878cee5f31ba9694953c9804338654a135d8e081639a88dd419cb7b1f3edf843fa98bcfe0be8550f0e0709f3b51f5a051914fe2cbdfb9e

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\DlgDownloadBG.png

Filesize
1KB

MD5
aeeb6b445e55574128467d1699a62e16

SHA1
bd554f4c7472ef3aca5b1e831f44d6b7ed768fb2

SHA256
19ec9c459ed3c438a6c1a8630e81265f4ee1414c5ca62c704832cdf01cbfc98d

SHA512
11e1484541aa5d56b42f4222d9ca442fcd2570daa2656fea78c96a51c7949aafb73012b74d853a3cbe70163056d9b1d50b505c7b9f6c15b18b1fe807e95d9156

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\Signin.png

Filesize
1KB

MD5
053bf204ab9961e6843a052348ca8d5a

SHA1
cfd71af85b0cae52a4c54429e925add459287de6

SHA256
1b02340f651f6af1019402f595737b2e71f1e341892e419ae64617aa571db6af

SHA512
3476e12f9ba18a7663b6519ecec7fba8379a974d5962b37fa0d0ae024f9cb554d9ec44a13c2fc739e472b851531259aa3460f89c7683fde9e8de0b5e8a1051b8

Download Submit
C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\defaultgameicon.png

Filesize
6KB

MD5
116824ac4fabdc85d00e1d6e60fa6fff

SHA1
5bc1c4a8c152de3c1ea834a44e247ecb1e1ae865

SHA256
ae9291b1744a13ff45be576d455f268b93068651944e5fc5998b8c85eb1ef462

SHA512
a2397a5730dd9fcf8da86e58e247dac4b3806b5cae62b706cff2f8a87a0e7000c875b745413d6ec05c930fc4d5d89bc9b14389c6100bb437443970c889207a61

Download Submit
C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe

Filesize
99KB

MD5
b6e9d6c600b793177c69ffc751c7a8f2

SHA1
2d83d7e4a84a5378333250a470ad6577ea858780

SHA256
19aa1945952438cc82e633ff6c90c4f21835fb79d49de8649dd1e18ae4c9a80b

SHA512
069ed99225d5d69817e16f8dfc2c95fe7c667e9e7f7b03897b58ffabe14ced8b4498b5ed117155ef79761f5189f88b54729864623cff1c80d9536f7c08ef4a0b

Download Submit
C:\Program Files (x86)\IQIYI Video\LStyle\appdata\webcache\2\movieLib_pstyle.css

Filesize
140KB

MD5
04934b72e752e77dd0bf67c9d06a2272

SHA1
9e5d3a5a81089989981cd9a44784e42ac40c638d

SHA256
a18e3ac76891027def955b9f310ac15a51c8b514e7b63aa27cbb96f8d38cf926

SHA512
7df18a0a080715a781df5baa0a7fccef6eaa4818bed11d985c42ee81acb9ce2665a5aacf30b7517d4d30c1aac6557f6d6a8b6623c15a7ce8f10c5d7691ee380f

Download Submit
C:\Program Files (x86)\IQIYI Video\LStyle\skin\PLRes\btnPopUpClose.png

Filesize
340B

MD5
7844d223803d5f35c4eb453908d3d3d2

SHA1
f6946969ca172c5735f19cc5215ee170bd963bb6

SHA256
38e371539a017a690e546a161ce82dbb757ccfd46e7bfa46c79f8377a9d6a223

SHA512
4db164312a9813a0288abef93a4ae7d12945a3f290010603e9343b4bafea8883a1bc626ebea2e548eb6fb915ab47786b2a0adf02b1b720f4968f8b15005fd49f

Download Submit
C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\made\loading_17.png

Filesize
3KB

MD5
0893bfeefb776d58da6ef7bd6b8d64c8

SHA1
c9905b5a2edb4f4caf87c76425e7db4e63b699d6

SHA256
e0787ff81f12df511d1b97382c78d58bf28269fac897eae4e0faddffe7be6aeb

SHA512
fe8735b4b0042d1124ccf1dc55edd298fdfadb101bdab735b0bff89068909e61d81cef5b4ba967bc11a683b064cfe7638ea91cc4026a9073e197fc489ec78435

Download Submit
C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\normal\loading_17.png

Filesize
3KB

MD5
28853faad82cbc1110fddc0c3a54d85d

SHA1
d11e7cb83ceba8bd8223b59150bbd747222715f4

SHA256
59fe4bb150bb9bbb28bedff5d2aaa87307041420100c2be31c9084f9a92fc342

SHA512
4cd0a50c61f650df55ede29da8e72f5b909cbd6bae3d375176b0952ca8d46ce0ef06e104ab540e500f23e9ae9af9e2fcfb3b6c52ab7ed8cd6e7a11696150eb1e

Download Submit
C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\only\config.ini

Filesize
17B

MD5
534a43f71c3ae9f4860a02b65d1de41d

SHA1
c6929fb5bba5aa8b56a3c891e9fdc1f571ab42c7

SHA256
b7b478999cc6ff9694335c0877d9a0182415a0478eb04d660849c8c98556672f

SHA512
5a048eb691bf368d955c010d30dd122dd27980de7da38a7e0ee1e13b9d98b71e3a5edc5cc1af908d73014bd6a4a2f25aaec5750156598c871d516d6dbcd838c8

Download Submit
C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\only\loading_16.png

Filesize
6KB

MD5
11007ca324dd134924fa2bca5244eb73

SHA1
56fa6e06d7db2e9693d7eb26eb13d52ab9ce8fc3

SHA256
05395237709655d0cb9de583e7c2a3192df91388333d70923798eaf61b1562bb

SHA512
bfa1d34ac7312cc273fbb59748a6e6f0cea6c6db7a498c04dfc8ebc2491806cd9d55fe766f727e3c0a130699a7f20d1a8d2e01ea005ad15cf706b0916a115e63

Download Submit
C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\MobileAssistant\Fragment\MobileAssistant\scrollbar.png

Filesize
501B

MD5
8f6b9b86898ce75b5c94034ab1f14381

SHA1
4005fdcd5071fe373db13e301301ed0e2dc74876

SHA256
874664eaa38618437f551ed0492a89b718e44f2a6f64e2b5590b708c6ddb3b97

SHA512
f42d284538b5ca4f8382321dd96dc104b8d7f49a1339dc1e7fdcac4fb22099078d29ccf29a7b9d23c94260295f39126197d082b4983acf7be9a1569ad4e237e3

Download Submit
C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\PersonalCenter\common\close_big1.png

Filesize
357B

MD5
5fa2adb150f63cba9e5443befe17eaf4

SHA1
b5c2a1cee13211626c061c422961a1d0aa742703

SHA256
02b0a8d8524e604ed201f912fba8ee58c5573f8310145d3e64a3c279726dac40

SHA512
9cbde58a143beabec9cd89ab66bf0f29db6903ece436fdb0c14dfd66803ccc4f951b316216c073be9e8032d20f8e0f93a4c393672884063e3cf8f29f7b404607

Download Submit
C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\PersonalCenter\common\close_big2.png

Filesize
890B

MD5
51fd1384bab6df779007cee07422e4ac

SHA1
16e89c96196d21f3a85ed6a0f5d97d096c2fbc15

SHA256
9c0ec21d601c6e193caa0a04db9c80318d15e1fec713d3e82e53f709a5620fd9

SHA512
279c7e23a32b639d13d836b1c9744bbbeec4167a95bd3302bae6ff2738877fb2e99e8a2c95934b38c74d74dda4783ab14f81ac96c551084e9cdbe4f9ee24519c

Download Submit
C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\downloadRes\downLoad\config_dlg_close.png

Filesize
192B

MD5
754a7d6d7740eead34bb5a9f6940f009

SHA1
18acc6593a114f5616a539101f31504cb511459e

SHA256
154ca004725f7936e20efa1780f3cdef20869de4ac00d1b0079c86e31b0e59f3

SHA512
785ac79cec2f7f3fd813761a53b506ac5b2fede0ba67ea8a5bf495da5dc028c69e88217d1c45ad4e4ad4c34b3d3a1d6df88363c4e8fc1c095af3078357e2abda

Download Submit
C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\AL_Close1.png

Filesize
199B

MD5
1867ed15b4256e9edc952c334a543201

SHA1
386b14cf44c620a55f64c6069409eb0eb5c5e3a3

SHA256
87b01d7e066af46794e584904a4bedb27707da1eb32080b60a286f01b9c27820

SHA512
027e984adcc90553c9c699c6f1a797eea5e7b02f8cb4a807aa62263780485de235c6294b608b8a34c67e9b5024d98768cab6265cc7776884b9ab4e6585e0c0a3

Download Submit
C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\AL_Close2.png

Filesize
199B

MD5
33cced8d3d97f78972a5418ec7e96f29

SHA1
09bb1332bbb1f06eda3bb09f37b3699257162369

SHA256
42803e7485f1507abcfca5f455e76956a0dd92ddf2b9d6341a4f2375a941746f

SHA512
04683521c7dc5e7f4ff701da3fe4291eccbe6b96ba5631676844fe4616a0fcb5e7434a47f245f9b800a47922b25c3d5a2d1063eee61b82db656866c194aca1ce

Download Submit
C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\PersonalCenter\set\cancel.png

Filesize
579B

MD5
d1a6675f77f74cc5847b0a59c49c3f6b

SHA1
f96c4084818cc5836e4086b665e97c3bd7d99f47

SHA256
29207dd0cbb59bd1e6fe489ab6ada4cb04c74083099127b194402f1f3ea4bf8d

SHA512
3f4a2f4fc645fbbcfb5fda5fd37fe8dffb96329c4e66841ca5bdb8c8ae4836e4eaede44a6e4e5ca17cf6bf02524d304bf83922092fc9b88fa72e94a322617388

Download Submit
C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\PersonalCenter\set\ok.png

Filesize
3KB

MD5
4d34af20771db466a6439fa56ff5f687

SHA1
5223e4281ff91d0bdedc9af14c4825e56cad01e4

SHA256
b4513c801e7893e2364967da122e5340a69a0c8f28d0318234ee0ca41ac12f60

SHA512
bb770d0649982b3f4d35a5b6628cd0a4168f31ea89e56eaf92f74412cc2ddcf8773dd60f25ff5c0d04d77960570d652f8b7cf7cdd2cbaf07151024c8355871b3

Download Submit
C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\QYProduct\blackback.png

Filesize
110B

MD5
60ce4c0275c77aa5572892c81728620d

SHA1
82fc18f800c867547140a7764f38a65eec9a4b96

SHA256
8ea1ba9ad6052fe784d79b9bd3ff879152c1d58738cc1faab0a1304b68ce69db

SHA512
ee1d28e4c4b939a721f42f67505de0fe2084f36244b53838a4704a19f32246919a88ab7936b6cfa07e54f4b5c1a11d36305376a3ef42bb73bfa5fd679f83af91

Download Submit
C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\common\common_scroll.png

Filesize
612B

MD5
93343a6c34066ba4b50a6d455210f538

SHA1
10bdaace70cee2656f3c6eedd2c5aa5182dd6de1

SHA256
d2d9f913aa2646725e0af0d332a10a78b1d7269bf0d774aeb3e6dfc4be40558e

SHA512
06066d93e57cf309c064779a415a34290d52d9312da45acad20b0655f098568cb438d694f46aafe5d0edeb5178a50c6a729e174c683666d97112a1e09741b1aa

Download Submit
C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\listUI\filmlib2_normal.png

Filesize
541B

MD5
7602910002b9307718bb5a4c221d6be5

SHA1
61004f0ad2d3f55c7549b3c8eecf2108d0efb655

SHA256
9298a0cc560f702a118dec0bf34bf2d609d5a56d1c49e9658b0eeac0bba59a38

SHA512
eac38bff7fbf476bcd003253b737723c46c31cdcc205bde5f6c4bad9f5da75d7f08f061976c1bb724888f2a4ec38a9c0667e56c3a993a4a69cf236c43adcd259

Download Submit
C:\Program Files (x86)\IQIYI Video\LStyle\skin\soft_txt_icon_2.png

Filesize
814B

MD5
1402aa18efd86eec43a345d936f8ab4d

SHA1
c51a44b65489e041620c8ce9ebb5d04c517d27e5

SHA256
2276b09083e0da61a550d97c12cd814622c853358f26dcaffd423285ed29640f

SHA512
7b4913b6a30410d87a3c1c87d4b6d15510c47f17b38c3c2db11da2fb344b88e5c3d86dba86781eff180eb803222af6a58b6a0a12905139b085d988061c5bfd12

Download Submit
C:\Program Files (x86)\IQIYI Video\LStyle\skin\spaceship.png

Filesize
3KB

MD5
575984f7a1cfe13a9ed1d3800bd7d14a

SHA1
df04fdf4070d29d76aaff8f5b2f68bff6ee0cdc3

SHA256
925b723d434d5528c4dd712102279974e76842b71544fa8153d6108d11ccd7de

SHA512
1d2eca187cfead14798cdc18b4ffed909b483869281bd05fc4b7412fb76a7ee6987efbffa17db218be32d4c2e1ee6e1cb383a4a96983f226baae1f42a330725b

Download Submit
C:\Users\Admin\AppData\LocalLow\Unity\WebPlayer\loader\UnityWebPluginAX.ocx

Filesize
169KB

MD5
fd0cb28279bb47d33605f6a6f90759e3

SHA1
374e2f6beab2520083bf749959dca7e07497a5dc

SHA256
b913b88aa4aac4c0114cf5d0d5e6b3baabd17727e1ec1450452f89bbf91123fc

SHA512
e4e13a61b3c47d2d5ee6bd2b0831f1b8fcf15e0a21dc857c761fd64ee60f06872018582d5b498427961a59a0e5188699658f8d1f60e7d182ae31a10be02527c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk45B5.tmp\DialogEx.dll

Filesize
28KB

MD5
e0f33283138ef1c169f71cb1708985a3

SHA1
f10f88a272fc7c14f3a37d0f650aa7480bc1efd0

SHA256
a9b34148448d893558dbb91b51bbbdddd535e2c8387a13e930a4b5096b0af03c

SHA512
8094b5096cb0c4ee6572217beab6419b8d9ecdb2b902c9c596ef3cc513e4916b05c2bb54fd6084f274b6919d4871ae31cce4eddadd272cb7516c30dfc7c7db0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk45B5.tmp\NSISdl.dll

Filesize
18KB

MD5
8ff1b274c581f2e928a418f3b90620eb

SHA1
ad7ad3acd29b882204e74fe36369a6b89a8beed4

SHA256
df10d5b4ca10ea6ddce96d6ddecfc175f1dff4292a8c5c1f8e0adfb6e1e824c3

SHA512
a932f9b77fb801e624069661f9c0a7fab4a1e540d763d51bca91e2570767029261946c4ef522e1e9fecc189cd8090e99ba9b454439a3e3fec2ca318dcb428691

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk45B5.tmp\StdUtils.dll

Filesize
43KB

MD5
572b16bf94a6492976f777b7d0373971

SHA1
3ae46f117f0d3ea32b28de9a73fca0d912260203

SHA256
fb87ec46457a836060bd3ee33bb37ec4d222d4974816654b32ba9d40efd90c75

SHA512
872347db453458f3bfe6d6bb9dbb66305abcf5773acaaea4d06e8800b3329f536d70e6c96e6dd59a20e963bfce496a0fe014302d2469353bfbcba0fbd2ba6fd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk45B5.tmp\config.ini

Filesize
4KB

MD5
89647dee1e147207f3446ea739c8ab0a

SHA1
2939c1be244aa0fc4101832ee410418c337a4a40

SHA256
09622256300931a8465cb377e4f958239022f4245606e956728a9940321c17c3

SHA512
5c18225bd6c7ba97909a1f2473bbc6fbbde49ba91b5aac01cd4846a39eca886e7f27b1ad54bb143a1831b23b66887b5a4de50f63ba5a70dc44f00db18027d257

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk45B5.tmp\nsExec.dll

Filesize
12KB

MD5
2d1656be5aab3f3e6873cb5d0c046717

SHA1
32facbec7603c0d3a2198c390399711f68a96de7

SHA256
63133db6770f8ae0a5b38ddeafafbdc61cd6bc2ab0b6f3c307c0904f29d8a218

SHA512
d55426322c315a211c4de778eabd676fe2353ebff15f8725eb4e5dce03bb6b92f8a180e5093c2bdb324329bff72b4b1ed37d9d8155ce4c98926e0cbaa1c62ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk45B5.tmp\nsProcess.dll

Filesize
10KB

MD5
dacc5f5531887a11804bda084e12cee1

SHA1
85e9f509668d9d78120435e5df593d988b16029a

SHA256
18584f582d454c15de69b515dcd8952a446bf18514de532c309b351b30d77066

SHA512
f16dcc34d444490621df50ea70772a692592bb35f078f7e7a7360976da873e8e917663344864b56f5989a65ecdaa70d8eb0df4f8a2495f50aa5d25f6f248ae4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk45B5.tmp\nsis7z.dll

Filesize
73KB

MD5
cb22c301a35e0d8551578940c018868d

SHA1
1aa3a19c0c5e8cd02feedca50fb1845a99964ee6

SHA256
d77183207b8a3b6bf4d7267aee06c7d0f76a6b42e0c007e596931ec59dfa597d

SHA512
f1997bc05c360c1adad90317e7aeb97af9982b2e40e4aadd88522d640fda44648c733e19c572b01647cfb6b2093f2387b41db37f52cd87b8d02c479be0395f5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk45B5.tmp\registry.dll

Filesize
30KB

MD5
f81598566d3bebe154d86906e7419653

SHA1
fb2a980abe37a0b724edf932884931f946332b68

SHA256
b13d15f8d3e5498d3014dd0c5acc2b42df4aa08f96e0b3e59dc7c9e8c1e7f4c7

SHA512
95f6d51d11df472808b9e6a765be6f13231901d698b62f0782e2c17a5ddeee43a8484894f11568ae474ffc7a3b27d8cd01785caf8d87eecdc4a3f64a3ece9255

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6A55.tmp\System.dll

Filesize
11KB

MD5
d0d7d2799802f7cddf8db7a2d8ae1e23

SHA1
ae8d8cfd9f1a7104036a9e8658f50f9c35c7a1c6

SHA256
828819614dc0dbfb73f22d4c3712e6369230eab92819c5d4efe75870ee109a5a

SHA512
2b5af0e34720eb2f5b0aa04b589b46fb4b4d344b5c5d23fdd382348b051ac9766ff80f6a2455ef66da78ba880e8ce41b23daf741033de7701ca3f17f1adde408

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6A55.tmp\UAC.dll

Filesize
18KB

MD5
113c5f02686d865bc9e8332350274fd1

SHA1
4fa4414666f8091e327adb4d81a98a0d6e2e254a

SHA256
0d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d

SHA512
e190d1ee50c0b2446b14f0d9994a0ce58f5dbd2aa5d579f11b3a342da1d4abf0f833a0415d3817636b237930f314be54e4c85b4db4a9b4a3e532980ea9c91284

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6A55.tmp\UserInfo.dll

Filesize
4KB

MD5
13a689123cebd31c1d1862e05981beca

SHA1
0430094a1a0f639ba9bf5831c24f1f4330762a6d

SHA256
386933bdaf4774e88670e21abbebdeddf64b1e87b1681f85ac5b3ec1cac8dcdf

SHA512
0663148e80f4703000bbfc8ede2bcc7cad19877585a5cc46aa13a7003377d7315d33f01c1d311d38bcf5e3782e4b361510214f09a9f6537b856c5ad9bc41fdae

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz6A55.tmp\UtilsPlugin.dll

Filesize
13KB

MD5
877ba4f17e960ddcf0c2fa2df62b6710

SHA1
c452ce34ed1b5043bb26ec938d170fffb14b53c9

SHA256
7481df00348a7279b044cf12f7188b2c15e6a1862e5ed2ea8e7e2b0dc6c027ae

SHA512
0ae63c05641c234d53573e69eb143582916c4c976fc11d78efe0310b8fc04b0491838abd94b8c7b9ee5f77ddf41bfdeef61227c87a6da427c68b9feae6ada612

Download Submit
C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\LogoLIB.ico

Filesize
124KB

MD5
094fad0a9eb6e39e00f6452da2e0a596

SHA1
053e9e4ae140cc3fec5a500c6941e0181e6ad143

SHA256
8429febe04859faa258bb06bfba94eb969ff7e80da207bac6417a22cc83548de

SHA512
b5d41ab5c040b0a001aaf399e9e7fd9646eb5d79268fa5f5258fb22a178b311f46e46c48c75495a003ea15949327700b7011602d726d92cf7e348f83e3ec5867

Download Submit
C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\PPStream.ini

Filesize
429B

MD5
4b96323053a1228d3e66f782a97e6f32

SHA1
7b13bfc74f8b873c0be120bafee1c92feef87301

SHA256
ed396708b6aed2a0401bbd8be225eb76e25273c0baf57dc30d4ae3288406f6b6

SHA512
fe8efb9f1a7da2b07ec56041c0acfde116bf935495ba682a04d3103eb21ecdfd48dcc17568cedd35b77f8a5367bc0b01d98466f4234805e41f4a226359fddd56

Download Submit
C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\PSNetwork.ini

Filesize
17B

MD5
3221fa8864ba8b73d2b5fbd437a289a0

SHA1
0b210cd735603be096e676cc0dc9d4c5c1de63f7

SHA256
8ffc6af8e58191176ef82385aa12d25c0379d3b9ccc3a3ce1d041f3c52d61914

SHA512
220a1f69d939f7a67c94a70e88acab7be105a7ed4fece40890c0b8650b4f356d3d7cdd348e380673a4cac25cc16e8c1324aa9fb64efb3b7337401876ad13ef4f

Download Submit
C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\QyMaster.exe

Filesize
55KB

MD5
9e8e028857769d11281f83f1438d8a35

SHA1
a6a23b4e3fc495ba235a5b35c35c8fe05ef2f55d

SHA256
169e700568cb68e2511589aca9be8ad26bcd1ae52d0d109120576934c8af94c0

SHA512
42c9874e7b8eaa50888f4f533bd93c11c8277c8435583f06c764a5858f47c34ff5d8fc982540b5c06cb2ee03fb406931eb4db8170c18d0c1bb3f5bdd52d8b9e4

Download Submit
C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\browseradapter.ini

Filesize
69B

MD5
849c0db12448b338a7454ce8fc8c6365

SHA1
1477afec52ba1303cab09b085a7148bcf56b2497

SHA256
9897278fec98e2ad20355747dbcb541f2c87d15616f6f15215fec3351590b3a2

SHA512
cfff784ac25afd5d6b6a4b15b90f41614f3a9299e77921e804b9464504ea472e6da69e2142784a0c6dbd6f2319ef124220da22230dfd260e440939f14b97124b

Download Submit
C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\browseradapter.ini

Filesize
101B

MD5
2ead05e1cee75f9ebdd5f9ac04cba9e9

SHA1
5c37cff83b68982eac4e8b6ad8a4a00143890a04

SHA256
0f318d57f8a2101da3b9c6b6c92e072afdf30150d4e628db68d4502a50b5bbfc

SHA512
ef73d57044c0b860839ad2226a4b61da16191e94a11584cb015c85f9ba6bf7202bad73baf2302426b1a1e3981b292b3eb4774643c31af2d7a12312025270e203

Download Submit
C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\browseradapter.ini

Filesize
154B

MD5
b2bd447bad8515b618a3cfcea3d119bd

SHA1
8f36800787bcb6933c7c15beb99aacc7490c396d

SHA256
5d60707b27a0da833dfffbc851f63277a9f99b7a55e2b5fbc5a63e287e71095a

SHA512
02e9bdaf3dc22a140e77945ddf43bb0c06a4c0c709fe26036b9a7fcbac5806359597d8ee678840b57a6726cd5b9ae1a4b3e653398a73839bd46c915b3f38b30d

Download Submit
C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\vmPage\1.0.6.55\skin\btn1.png

Filesize
1KB

MD5
d271a47cd14ebb209b06ea235a91d144

SHA1
df6d11259e8b54247d052a64b2fdeb86908ff751

SHA256
09fda339a9d73d4bd0c728084eda60967139cf45c96e81fdd63ef562597c37ed

SHA512
a074342fcdad77884e7b3c0360dcdf5798e3b1dca4484df23cd85b0283da0920fc867fddd41bd3d8eb4b1200e43c9b34114ba479ae9d4e874f46ba4808705ef0

Download Submit
C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\vmPage\1.0.6.55\skin\no_up_and_down.png

Filesize
6KB

MD5
de4109c2374280da714e9dcdb3d3ad9e

SHA1
ce6657dd563c51c684277a4213fb2be052a13f38

SHA256
03b3fa0f39cc032f3f0fa0748810bca79d925e64ec5c2df0d3898580b1d7b203

SHA512
99160096e9ef20e984d09d6abd34a0522543e00b582254f337a3f61ead89ec933fa8f2618bc1deb32f7bd44c821ddc1ce9b60392fe65374cd1912262a632a205

Download Submit
C:\Users\Public\QiYi\QiyiHCDN\Config\PSNetwork.ini

Filesize
241B

MD5
06eb5cf663aacffee4bff854d6691967

SHA1
befa1cefc03b00278983400a1fc766382d2265b9

SHA256
686620b48b2bf90b5ce6ea1fc81cd3da1b5d98eb6d09ebc6146e0c84839091d5

SHA512
dcb6e716c7aa352cd1e710c8aee94d055223bfd05badf2b9c15aa8c239fcd6995e1945edbc0cf7fcf12a4b9105f400387fc65869f5ef5313d0787a4107a969fe

Download Submit
C:\Users\Public\QiYi\QiyiHCDN\Config\PSNetwork.ini

Filesize
261B

MD5
a10ab2a9585ac29a32721f34712b5193

SHA1
a205d2526196e4e728d12228fe8cdc28961b6f1f

SHA256
2b81fb15a9c0a2966ae88bfc061f469580ce38c93f371048d0ccb00fd24eeaea

SHA512
10041fba175b7a0ae658f8aaaf4ee6282a43d06f9e3db6cc4108819b3b2503c6b636992ffab05a4e3b59390ab83ea22616b2728f0e25220794f1fe2b15876514

Download Submit
C:\Users\Public\QiYi\QiyiHCDN\Config\PSNetwork.ini

Filesize
461B

MD5
1fa2da58a036beb215549c02d5d46df9

SHA1
2317530b6d17dfec72f008d8812b74231bce81ce

SHA256
ecc332632af945e91efdc4b99fc490d1a923ff602be14e3ee6713fc890c6a6e6

SHA512
7fc0875678be81d6b501e5ddca1e6d3074665a51168424d7aef1907f077b0ce350730cb7c03674f9eaedadec2dd6c64b31f7fc746d27bf380e536d81cb1c3172

Download Submit
C:\Windows\Fonts\iqiyi_logo.ttf

Filesize
3KB

MD5
e1097f713080d07e0c717e0737ef167e

SHA1
f31f1c4570925450c1fd1ac847cf54461b6274d4

SHA256
f2aa97fb51572edf0694ae328bbdcb01a172189aa53549b7ea8caebc66325249

SHA512
786dda62d0423a9733af16035390e99bd47c5cd8c49f2802eb443896230b2dba70eefbb95de3175b2143dbca1f9ab8ccb8cd8e7cd8b8821f0a93d1a5c69923ad

Download Submit
memory/3112-31-0x00000000050B0000-0x00000000050B9000-memory.dmp

Filesize
36KB

Download
memory/3112-5415-0x0000000005E30000-0x0000000005E89000-memory.dmp

Filesize
356KB

Download