6Analysis
-
max time kernel
143s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
26/05/2024, 10:21
Static task
static1
Behavioral task
behavioral1
Sample
752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/Src/Protocol.dll
Resource
win7-20240215-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/Src/Protocol.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/Src/Report.dll
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/Src/Report.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/System.dll
Resource
win7-20231129-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/chkm.dll
Resource
win7-20240220-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/chkm.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
$PLUGINSDIR/insthelper.dll
Resource
win7-20240508-en
Behavioral task
behavioral12
Sample
$PLUGINSDIR/insthelper.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
$PLUGINSDIR/reportsetup.dll
Resource
win7-20240220-en
Behavioral task
behavioral14
Sample
$PLUGINSDIR/reportsetup.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
$R0/$R0/BaiduPinyinWin10Setup.exe
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
$R0/$R0/BaiduPinyinWin10Setup.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
$_24_/PersonalCenter/$_25_/index.html
Resource
win7-20240508-en
Behavioral task
behavioral18
Sample
$_24_/PersonalCenter/$_25_/index.html
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
$_24_/PersonalCenter/$_25_/js/achievement.js
Resource
win7-20231129-en
Behavioral task
behavioral20
Sample
$_24_/PersonalCenter/$_25_/js/achievement.js
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
$_24_/PersonalCenter/$_25_/js/common.js
Resource
win7-20240221-en
Behavioral task
behavioral22
Sample
$_24_/PersonalCenter/$_25_/js/common.js
Resource
win10v2004-20240426-en
Behavioral task
behavioral23
Sample
$_24_/PersonalCenter/$_25_/js/config.js
Resource
win7-20240419-en
Behavioral task
behavioral24
Sample
$_24_/PersonalCenter/$_25_/js/config.js
Resource
win10v2004-20240508-en
Behavioral task
behavioral25
Sample
$_24_/PersonalCenter/$_25_/js/tangram.js
Resource
win7-20240221-en
Behavioral task
behavioral26
Sample
$_24_/PersonalCenter/$_25_/js/tangram.js
Resource
win10v2004-20240426-en
Behavioral task
behavioral27
Sample
BDBugReport.exe
Resource
win7-20240221-en
Behavioral task
behavioral28
Sample
BDBugReport.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral29
Sample
BDBugReportx64.exe
Resource
win7-20240221-en
Behavioral task
behavioral30
Sample
BDBugReportx64.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral31
Sample
BDDownloadExe.exe
Resource
win7-20240508-en
Behavioral task
behavioral32
Sample
BDDownloadExe.exe
Resource
win10v2004-20240226-en
General
-
Target
752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe
-
Size
34.4MB
-
MD5
752b8a6b45ceb452cd4ef28e8f9d3965
-
SHA1
e737a6c2fea43b9a5df2e85f90299fca3416f39e
-
SHA256
0d4e910847a8da89c1a61e75ddd8db232083e735486178457c547e6a3958dcc1
-
SHA512
91b7baaea54ab4feecdae6ba5d8aad7376c3e50eed649f9d8630744b333ccedbdb1cace441bec5fb6942f83b4ca2ee67bf8059eb97012bcfccd7a88502d17676
-
SSDEEP
786432:/XCfiZDJsTvuBLeSqiPGBWnd9X5+MG+jmmXt:/XEiZWVVQP5+MG+jmm9
Malware Config
Signatures
-
Executes dropped EXE 34 IoCs
pid Process 2832 dictbuilder.exe 4540 imeutil.exe 3832 imeutil.exe 2500 imeconfig.exe 4196 imetool.exe 2248 imetoolx64.exe 3256 BDDownloadExe.exe 812 imetoolx64.exe 1640 imetoolx64.exe 3932 imetoolx64.exe 4668 imetoolx64.exe 1372 imetoolx64.exe 4432 imetoolx64.exe 3000 imeutil.exe 2868 IMEBroker.exe 1132 imeconfig.exe 2344 bdupdate.exe 3184 baidupinyin.exe 5032 cellinst.exe 5108 skininst.exe 4724 baidupinyin.exe 2356 imeconfig.exe 4144 imeconfig.exe 2380 imeconfig.exe 2068 imetoolx64.exe 4504 imetoolx64.exe 468 imeconfig.exe 2868 imetoolx64.exe 2164 imetoolx64.exe 2428 imetoolx64.exe 4428 imetoolx64.exe 540 imetoolx64.exe 792 imetoolx64.exe 452 IMEBroker.exe -
Loads dropped DLL 64 IoCs
pid Process 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 4540 imeutil.exe 4540 imeutil.exe 3832 imeutil.exe 3832 imeutil.exe 2500 imeconfig.exe 2500 imeconfig.exe 2500 imeconfig.exe 2500 imeconfig.exe 2500 imeconfig.exe 2500 imeconfig.exe 2500 imeconfig.exe 2500 imeconfig.exe 2500 imeconfig.exe 2500 imeconfig.exe 812 imetoolx64.exe 2484 regsvr32.exe 3000 imeutil.exe 3000 imeutil.exe 1132 imeconfig.exe 1132 imeconfig.exe 3172 regsvr32.exe 1132 imeconfig.exe 1132 imeconfig.exe 1132 imeconfig.exe 1132 imeconfig.exe 1132 imeconfig.exe 1132 imeconfig.exe 3172 regsvr32.exe 3172 regsvr32.exe 1132 imeconfig.exe 1132 imeconfig.exe 2344 bdupdate.exe 3184 baidupinyin.exe 3184 baidupinyin.exe 3184 baidupinyin.exe 3184 baidupinyin.exe 3184 baidupinyin.exe 3184 baidupinyin.exe 3184 baidupinyin.exe 3184 baidupinyin.exe 3184 baidupinyin.exe 3184 baidupinyin.exe 3184 baidupinyin.exe 3184 baidupinyin.exe 5032 cellinst.exe 5032 cellinst.exe 5108 skininst.exe 5108 skininst.exe 5108 skininst.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 4724 baidupinyin.exe 4724 baidupinyin.exe 4724 baidupinyin.exe 4724 baidupinyin.exe 4724 baidupinyin.exe -
Registers COM server for autorun 1 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\InProcServer32\ = "C:\\Windows\\system32\\baiducnTSF.dll" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\InProcServer32\ThreadingModel = "Apartment" imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\InProcServer32 imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\InProcServer32\ = "C:\\Windows\\system32\\baiducnTSF.dll" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\InProcServer32\ThreadingModel = "Apartment" imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\InProcServer32 imetoolx64.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaiduPinyin = "\"C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\baidupinyin.exe\" --autorun" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaiduPinyin = "\"C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\baidupinyin.exe\" --autorun" imetoolx64.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system. Note that the IoCs below record a handle to \??\PhysicalDrive0 being opened for modification, not an observed write to sector 0; raw-disk handles are also opened by installers that enumerate drives, so confirm an actual MBR change (e.g. by comparing the first sector before and after execution) before treating this as a bootkit.
description ioc Process File opened for modification \??\PhysicalDrive0 baidupinyin.exe File opened for modification \??\PhysicalDrive0 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File opened for modification \??\PhysicalDrive0 BDDownloadExe.exe -
Drops file in System32 directory 10 IoCs
description ioc Process File created C:\Windows\SysWOW64\baiducn.ime imetoolx64.exe File created C:\Windows\system32\baiducnTSF.dll imetoolx64.exe File created C:\Windows\SysWOW64\baiducnTSF.dll imetoolx64.exe File created C:\Windows\system32\baiducn.ime imetoolx64.exe File opened for modification C:\Windows\system32\baiducn.ime imetoolx64.exe File created C:\Windows\SysWOW64\baiducn.ime imetoolx64.exe File created C:\Windows\system32\baiducnTSF.dll imetoolx64.exe File opened for modification C:\Windows\system32\baiducn.ime imetoolx64.exe File created C:\Windows\SysWOW64\baiducnTSF.dll imetoolx64.exe File created C:\Windows\system32\baiducn.ime imetoolx64.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\ime_skin_thumb_0.png 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\QuickInput.exe 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\5823ad64c517d9214da2b4f5891cb8c0.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\btn_logo_panel_list_down.png 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\ime_skin_thumb_1.png 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\PersonalCenter\css\style.css 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\quickhelp.exe 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\4bb89b649344ae236145981a282ac8c9.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\toolwindow\tb_jieping.png 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\90fdae7bdd452083f27372799c5a31f2.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\btn_white_90_30.png 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\Preview\quicksetting\1\skinpreview.png 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\Baiducnx64.ime 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bugreport_bdfaceimp.ini 
752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\6ee778accda04860ddcf53f65cd9ca83.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\78dfc796e4a99118f7ef0a8a05cd41be.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\SysImg\notify\bdpinyin_new.ico 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\bg_facebox_white.png 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\ic_quick_10.png 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\ImeConfig\maintab_bkg.png 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\plugin\img\zmbaidu.png 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\85daf75ab557a705c9ff3a41ca328c84.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\9bbab073de56765c42a031fc6ed4a554.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\ca290b3c6e88957d0c0b24c483f0fbf5.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\cc358560120f0bedee57f8ab748071eb.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\d11447267773853a100806edd06abd7b.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\0bc354bed69bc75690ccfea355712e11.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\3dfeff82b394f764dbf5ebc348bbd8af.png dictbuilder.exe File created C:\Program Files 
(x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\6f1252010438615fe023b8157578e25e.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\SysImg\updatebanner.bmp 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\skinbox\images\infor.png 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\PersonalCenter\js\tangram.js 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\Preview\quicksetting\3\horver.png 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\syncengine.dll 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\skinbox\images\qingxinlv.png 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\PersonalCenter\images\btn_min.png 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\toolwindow\tb_geren.png 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\0e38445364fa27928f416c41860975c0.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\4ef77ad90f85b9d5faa90e2b1d2b8a54.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\b014567339a200eba7d447e263c190b5.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\toolwindow\tb_note.png 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imezlib.dll 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files 
(x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\btn_logo_panel_settingcenter.png 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\ic_quick_4.png 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\toolwindow\tb_shenma.png 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\1a43a493cdaa0cd9084e40d3921f35e4.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\radiobox.png 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\toolwindow\btn_setting.png 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\0b62d7e3ff7fa859e62baeff6761a301.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\1a9f2044a290af7fd8d0086544be2732.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\btn_login_reload.png 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\icon_logo_panel_avatar.png 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\toolwindow\tb_calendar.png 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\skinbox\images\default.png 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\55efa667245a7d1d420d7b8d3ba89833.png dictbuilder.exe File opened for modification C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\dummydict.dat 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created 
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\quicksetting\config_res.rdb 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\089a723c8ada53878f1985f41dc9f044.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\a5bbf9a04af264a8e6802a2e2df1bd42.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\skinbox\images\checkbox_uncheck.png 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\skinbox\images\ic_delect.png 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skinbox.exe 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\db6ce587368cff26f4521b0e9643cfe4.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\be5610f727832f3893f544ac951b321d.png dictbuilder.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments. The FriendlyName values queried here identify the sandbox's virtual disk and QEMU DVD-ROM, but the same keys are also read by ordinary installers enumerating drives, so this is corroborating rather than conclusive evidence of sandbox evasion.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134}\Policy = "3" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96}\AppName = "baidupinyin.exe" imetoolx64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94}\Policy = "3" imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96} imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921} imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96}\AppName = "baidupinyin.exe" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95}\AppName = "quickhelp.exe" imetoolx64.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93}\AppName = "pluginmgr.exe" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94}\AppName = "skinbox.exe" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134}\AppName = "imetool.exe" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91}\AppName = "imeconfig.exe" imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93} imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921}\Policy = "3" imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96} imetoolx64.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91} imetoolx64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93}\Policy = "3" imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94} imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883} imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95} imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96}\Policy = "3" imetoolx64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134}\Policy = "3" imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921} imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883} imetoolx64.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921}\Policy = "3" imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95} imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921}\AppName = "imetoolx64.exe" imetoolx64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93}\Policy = "3" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883}\AppName = "IMESkinInput.exe" imetoolx64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91}\Policy = "3" imetoolx64.exe Set value 
(str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883}\AppName = "IMESkinInput.exe" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91}\Policy = "3" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134}\AppName = "imetool.exe" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134} imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921}\AppName = "imetoolx64.exe" imetoolx64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95}\Policy = "3" imetoolx64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883}\Policy = "3" imetoolx64.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134} imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93} imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95}\AppName = "quickhelp.exe" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93}\AppName = "pluginmgr.exe" imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94} imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91} imetoolx64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96}\Policy = "3" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91}\AppName = "imeconfig.exe" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94}\Policy = "3" imetoolx64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95}\Policy = "3" imetoolx64.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94}\AppName = "skinbox.exe" imetoolx64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883}\Policy = "3" imetoolx64.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\ = "中文(简体) - 百度输入法" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE4A566E-CD2F-412A-B259-1F1965B935C4}\1.0\0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\Shell skininst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\InProcServer32\ = "C:\\Windows\\SysWow64\\baiducnTSF.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/BaiduImeSkin\Extension = ".bps" skininst.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\MiscStatus regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\ToolboxBitmap32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\MiscStatus regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\Version\ = "1.0" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.bps skininst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\Shell\ = "Open" skininst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\Shell\Open skininst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\MiscStatus\ = "0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bps skininst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\Shell\Open\Command\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\skininst.exe \"%1\"" skininst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx.1\CLSID\ = "{D64016F6-4D8E-4B35-AB22-9B2060800112}" regsvr32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\MiscStatus\1\ = "131473" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BdImeFile cellinst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\Shell cellinst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF} imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx\CurVer regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\VersionIndependentProgID\ = "BaiducnAx.ScreenShotAx" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\InprocServer32\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\BaiducnAx.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx\CurVer\ = "BaiducnAx.ScreenShotAx.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BaiducnAx.DLL\AppID = "{29F9A596-1256-43F4-BE7F-16C89D66550A}" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112} regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\BdImeFile cellinst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\ = "百度输入法皮肤文件" skininst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\InProcServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\DefaultIcon\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\skininst.exe,0" skininst.exe Key deleted 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\MiscStatus\1 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx.1 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\ProxyStubClsid32 regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\BdImeSkinFile skininst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\DefaultIcon cellinst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BaiducnAx.DLL regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE4A566E-CD2F-412A-B259-1F1965B935C4}\1.0\0\win32\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\BaiducnAx.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\ = "IScreenShotAx" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/BaiduImeDict\Extension = ".bdict" cellinst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\ProgID\ = "BaiducnAx.ScreenShotAx.1" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.bcd cellinst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\ = "中文(简体) - 百度输入法" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\InProcServer32 regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\ProgID regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\Version regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\ProgID\ = "BaiducnAx.ScreenShotAx.1" regsvr32.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF} imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx\CLSID\ = "{D64016F6-4D8E-4B35-AB22-9B2060800112}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\InProcServer32\ThreadingModel = "Apartment" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\TypeLib\ = "{BE4A566E-CD2F-412A-B259-1F1965B935C4}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\MiscStatus regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE4A566E-CD2F-412A-B259-1F1965B935C4}\1.0\HELPDIR regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\ = "IScreenShotAx" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\BaiducnAx.dll, 102" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\MiscStatus\1 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx.1\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE4A566E-CD2F-412A-B259-1F1965B935C4}\1.0\FLAGS\ = "0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bcd cellinst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\ = "百度输入法分类词库" cellinst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\Shell\Open\ = "安装到百度输入法(&I)" cellinst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\Shell\Open\Command\ = 
"C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\cellinst.exe \"%1\"" cellinst.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 
752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 14 IoCs
description pid Process Token: SeDebugPrivilege 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe Token: SeDebugPrivilege 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe Token: SeRestorePrivilege 812 imetoolx64.exe Token: SeBackupPrivilege 812 imetoolx64.exe Token: SeRestorePrivilege 812 imetoolx64.exe Token: SeBackupPrivilege 812 imetoolx64.exe Token: SeRestorePrivilege 2484 regsvr32.exe Token: SeBackupPrivilege 2484 regsvr32.exe Token: SeRestorePrivilege 2868 imetoolx64.exe Token: SeBackupPrivilege 2868 imetoolx64.exe Token: SeRestorePrivilege 2868 imetoolx64.exe Token: SeBackupPrivilege 2868 imetoolx64.exe Token: SeRestorePrivilege 1420 regsvr32.exe Token: SeBackupPrivilege 1420 regsvr32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 208 wrote to memory of 2832 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 97 PID 208 wrote to memory of 2832 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 97 PID 208 wrote to memory of 2832 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 97 PID 208 wrote to memory of 4540 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 99 PID 208 wrote to memory of 4540 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 99 PID 208 wrote to memory of 4540 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 99 PID 208 wrote to memory of 3832 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 100 PID 208 wrote to memory of 3832 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 100 PID 208 wrote to memory of 3832 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 100 PID 3832 wrote to memory of 2500 3832 imeutil.exe 101 PID 3832 wrote to memory of 2500 3832 imeutil.exe 101 PID 3832 wrote to memory of 2500 3832 imeutil.exe 101 PID 208 wrote to memory of 4196 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 102 PID 208 wrote to memory of 4196 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 102 PID 208 wrote to memory of 4196 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 102 PID 4196 wrote to memory of 2248 4196 imetool.exe 103 PID 4196 wrote to memory of 2248 4196 imetool.exe 103 PID 208 wrote to memory of 3256 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 104 PID 208 wrote to memory of 3256 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 104 PID 208 wrote to memory of 3256 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 104 PID 208 wrote to memory of 812 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 105 PID 208 wrote to memory of 812 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 105 PID 812 wrote to memory of 404 812 imetoolx64.exe 106 PID 812 wrote to memory of 404 812 imetoolx64.exe 106 PID 404 wrote to memory of 2484 404 
RegSvr32.exe 107 PID 404 wrote to memory of 2484 404 RegSvr32.exe 107 PID 404 wrote to memory of 2484 404 RegSvr32.exe 107 PID 812 wrote to memory of 1640 812 imetoolx64.exe 108 PID 812 wrote to memory of 1640 812 imetoolx64.exe 108 PID 812 wrote to memory of 4668 812 imetoolx64.exe 109 PID 812 wrote to memory of 4668 812 imetoolx64.exe 109 PID 812 wrote to memory of 3932 812 imetoolx64.exe 110 PID 812 wrote to memory of 3932 812 imetoolx64.exe 110 PID 812 wrote to memory of 1372 812 imetoolx64.exe 111 PID 812 wrote to memory of 1372 812 imetoolx64.exe 111 PID 812 wrote to memory of 468 812 imetoolx64.exe 112 PID 812 wrote to memory of 468 812 imetoolx64.exe 112 PID 812 wrote to memory of 4432 812 imetoolx64.exe 113 PID 812 wrote to memory of 4432 812 imetoolx64.exe 113 PID 208 wrote to memory of 3000 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 114 PID 208 wrote to memory of 3000 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 114 PID 208 wrote to memory of 3000 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 114 PID 468 wrote to memory of 3172 468 RegSvr32.exe 115 PID 468 wrote to memory of 3172 468 RegSvr32.exe 115 PID 468 wrote to memory of 3172 468 RegSvr32.exe 115 PID 3000 wrote to memory of 1132 3000 imeutil.exe 117 PID 3000 wrote to memory of 1132 3000 imeutil.exe 117 PID 3000 wrote to memory of 1132 3000 imeutil.exe 117 PID 4432 wrote to memory of 2868 4432 imetoolx64.exe 135 PID 4432 wrote to memory of 2868 4432 imetoolx64.exe 135 PID 4432 wrote to memory of 2868 4432 imetoolx64.exe 135 PID 208 wrote to memory of 2344 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 118 PID 208 wrote to memory of 2344 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 118 PID 208 wrote to memory of 2344 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 118 PID 208 wrote to memory of 3184 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 119 PID 208 wrote to memory of 3184 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 
119 PID 208 wrote to memory of 3184 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 119 PID 208 wrote to memory of 5032 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 120 PID 208 wrote to memory of 5032 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 120 PID 208 wrote to memory of 5032 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 120 PID 208 wrote to memory of 5108 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 121 PID 208 wrote to memory of 5108 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 121 PID 208 wrote to memory of 5108 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 121 PID 208 wrote to memory of 4724 208 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe 126 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe" 1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe" 2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2832
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe" --clean_old 2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4540
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe" --quit 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3832 -
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --usercenter=close 3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2500
-
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetool.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetool.exe" --moveuserdata 2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --moveuserdata 3⤵
- Executes dropped EXE
PID:2248
-
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BDDownloadExe.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BDDownloadExe.exe" 1 /product=201 2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:3256
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --install 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\SYSTEM32\RegSvr32.exe RegSvr32.exe /s "C:\Windows\SysWOW64\baiducnTSF.dll" 3⤵
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\baiducnTSF.dll" 4⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2484
-
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --startmenuopt 3⤵
- Executes dropped EXE
PID:1640
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --vistataskscheduler 3⤵
- Executes dropped EXE
PID:4668
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --filesec 3⤵
- Executes dropped EXE
PID:3932
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --whitelist 3⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
PID:1372
-
-
C:\Windows\SYSTEM32\RegSvr32.exe RegSvr32.exe /s "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BaiducnAx.dll" 3⤵
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Windows\SysWOW64\regsvr32.exe /s "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BaiducnAx.dll" 4⤵
- Loads dropped DLL
- Modifies registry class
PID:3172
-
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --install-shell 3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Program Files (x86)\Baidu\BaiduPinyin\IMEBroker.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\IMEBroker.exe" --quit 4⤵
- Executes dropped EXE
PID:2868
-
-
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe" --quit 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --usercenter=close 3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1132
-
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bdupdate.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bdupdate.exe" --installgau 2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2344
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe" /u 2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3184
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe" -reg 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:5032
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe" -reg 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:5108
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe" 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:4724 -
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --location 3⤵
- Executes dropped EXE
PID:468
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --install 3⤵
- Executes dropped EXE
- Registers COM server for autorun
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2868 -
C:\Windows\SYSTEM32\RegSvr32.exe RegSvr32.exe /s "C:\Windows\SysWOW64\baiducnTSF.dll" 4⤵ PID:5040
-
C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\baiducnTSF.dll" 5⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1420
-
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --startmenuopt 4⤵
- Executes dropped EXE
PID:2164
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --vistataskscheduler 4⤵
- Executes dropped EXE
PID:2428
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --filesec 4⤵
- Executes dropped EXE
PID:4428
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --whitelist 4⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
PID:540
-
-
C:\Windows\SYSTEM32\RegSvr32.exe RegSvr32.exe /s "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BaiducnAx.dll" 4⤵ PID:4052
-
C:\Windows\SysWOW64\regsvr32.exe /s "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BaiducnAx.dll" 5⤵
- Modifies registry class
PID:3232
-
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --install-shell 4⤵
- Executes dropped EXE
PID:792 -
C:\Program Files (x86)\Baidu\BaiduPinyin\IMEBroker.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\IMEBroker.exe" --quit 5⤵
- Executes dropped EXE
PID:452
-
-
-
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --setopt /Command/ImportSogouDict bool:true 2⤵
- Executes dropped EXE
PID:2356
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --setopt /Command/ImportQQDict bool:true 2⤵
- Executes dropped EXE
PID:4144
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --setopt /Command/CheckImeSetup str:AD 2⤵
- Executes dropped EXE
PID:2380
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --set-first-ime 2⤵
- Executes dropped EXE
PID:2068
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --fix 2⤵
- Executes dropped EXE
PID:4504
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2
Downloads
-
Filesize
367KB
MD52f5aa7abfbbf2b087f9e4dfe423bd6a1
SHA1c54a1c7d55272efc2733eea8c92e4e5d5b88c36d
SHA25668ed1dc5216bc98e95b938643b44160805fb9564966ba3baa515df526ce6cff0
SHA512f296c689b22ccf8d55f385e22f29e5e7e059daa44577eba05a8e42706abae4c9292c16fc9fe44d671ffb816960e69317aa5fbafb7e0702acf4f2608c6c0db719
-
Filesize
2.8MB
MD5080a1318a5e18553f622ee9498e1a99d
SHA18242034ceb4f3333c410478499f02885044373c2
SHA256020f509f0c15d6c123b02e790d4d3d674a781ceeb8d6b304bcfb7d57479c5b36
SHA512c90571a169099ad0973c090de7a1434f52bdef635730fac44029635ca91870269237595f81b6602dbb8f5cd077acafa2d36380776a3707d94fb1e8668070d1c3
-
Filesize
762KB
MD58d82ce7a07be1b62440c0cec4e170a15
SHA13c6d41dc25978907acff8369778b4e352d56ccc1
SHA256c6a521c1f3c2611e063d4929fb4a2c466395d4a54a17b6c1036f9e92a0d3ede2
SHA512033f08cc83b6bc911c5cb136e152b920cb7193b1ce6e4529a84260ed0225d814059a4a47c603070db6191a86ddef4104e3eec712bccb8f0d2d0b85050612651f
-
Filesize
2KB
MD52acb717904708b6b98f41dc5f2dd17d0
SHA14a2460b5904e20339109bd4ef04b0f43ad3bc30b
SHA256d9e8604274f890c75250ff38ddd069f4c8c412c8b3cf8a98e67b2706bfced59c
SHA512e736e4c7e0fa239964546e2d4fa0241e80f82fbef7acc31b9373e6c9c02c99b09ae20fd402fc922bec9288537588e4b91ebe1970651ed87877cb2bdc93b2494c
-
Filesize
1KB
MD53c45a3efd6faca8afd99af299c37b0a2
SHA13f9658399ed8de6292e7cf7c16060248c7114f90
SHA256ca25c996b6d5ebe5348c6baddd2073309539171bcf706e6c6c1d06e7ce421ffc
SHA51221f708eabc7152beb7479a3fa7c19c7b95028f3f78fd34c15fb180a16b03c0b02de290dff611692acf2c80cd5c9885e7818cf312adcf859cd975ca1c79b913d2
-
Filesize
399KB
MD556385cb44bcf0b46d7b27ae70dc304f8
SHA1f488aff961286a852fba6f887ba9369d7dbb8bbe
SHA2561ef970a39e17a0f1188f7ea88a871a833613b0fbc5fbc028f2a29bcddba72159
SHA51237725ad5e9599ce7db125453a4f63ead7d6648dca65ab93bb5ed6888404a04d86dfcea1d0a28ec4a005449d1246a452e03bb4a8bcf5c4bed42071cb1c2afb681
-
Filesize
518KB
MD5047883fa5f336320c303345fd0c2a37c
SHA1d5a647ce1dde1faa4128c1db5c82851ca73716a7
SHA256aca42b70ee70806ff6a298acbfda17051f3514073ba1bffeb64006d56d75a9ea
SHA512b8e8032fd8c4a94fa7841bfa4a9b89c894766cfebb2702da2570acddee1c161c7a12551f51d3dce81fb10d55e56075c226843d811a20ef6cafafa3e58418dd48
-
Filesize
606KB
MD5523d13d373e36022819a8bfd4106afa7
SHA1928fd5209a568333193b4327897fbcd25829a876
SHA2566717422b8a66c295cdc52624794354c642c0f5b3c9fc945e17c700765815a2ff
SHA512d5be101c0a4c7bdf5eddf351311e8a7db74d2fef8f97171e3ea0820fc7384c8505915ecfc774f70c519ed87807173397f6771d515bbc816d113a24460b72fafd
-
Filesize
469KB
MD5385de7eb355e2b67bc8efaf1d28db78b
SHA1f8dcd255c7160347af343bd6824640d1960a3afe
SHA256a00392e1f6c235507cf6077f16052216de8c50ea3c601b32ea8f1e75f447d650
SHA51295461dbb67355cd44ebe0f8ae124bd878a7588e09ef9fc682ac256a1c5c243f5d1ffcf1189f714670f4298ce8e67e6463f98bb83540652edfaddd55e3d173267
-
Filesize
139KB
MD593bfa462ede419250bc876b2884ece05
SHA1233a8a946f119492b8fa2b4b8993e5d3db00acfe
SHA2566a2b893de7fbc1c0c507a35c14882236c326f553baf07409cd358308eefcb5af
SHA5122cae7a79f3adbc23fbd7a84689321b438596bd9cec5b2bca274f0d67ae0bad7b9b984ba352256fe6079338435958e28923915d029bc4b2e52fd04dff61312245
-
Filesize
195KB
MD5d55a908913b1f2bc2e9e0195472882f7
SHA1627509ef0575d389e39a2dbae82e94da50346f2e
SHA2560be32940021bce94782662b3377e2658600e0ada82ad3ce561b00a3abfdc528d
SHA5121a500d47e0785a0467e29a4986f0dc658a9c105855d70d4c17d4a8df7d5354d808fec25f79bb507719eeb93c1a5db49a006e291b1ea4dd18049c1d94696d5eea
-
Filesize
376KB
MD53c11f16a387925e9c088b0d819795bb4
SHA1bf99c57feafd149b93c73fac2211b8be00b3e536
SHA2560b07258015b5e139776c9be53965f4442bfc9d7265db93665f2a10a166fb04ce
SHA5122a5cf1c37d3cc67709a427a5831a46218e15550054896b333c5ec9a7f6b370fb271d06696b842c2dc55947ed9dabaea5fb9bb1c859ca4132106cc02c590ab1be
-
Filesize
16.0MB
MD5df695d1bb876e0aff16e80d37c13a045
SHA1bfa3f935d0259f103213c86b19643c9d0e839d31
SHA2568f34cb39e843f2569e530d13f9583d385d80273c7f0a7bd3227fba11336527fa
SHA5128ad735da6d0cb7050474d53787bbbcf371cdc70ba6bb54e8b649331570f29f99f609ad897178f0c430548da245a31ffdf0db8f4cc1931f7bb1837d273d4d02e7
-
Filesize
385KB
MD55fba35a5c0c99d59803bf9d2590c3f82
SHA18e8e082647997cb688effe79ec12529bd03e9987
SHA256835828871ef9af95f85b8f249f2cacdbbae6c73ef802448f7c59584eb63265f6
SHA5124217349c66ee47d096d2a4c19fa408dd6f08a09a9c47cb9493b5a2faff6f3f4f0d855cf02905f24f0a8d1ce6bb1d4d561c4f69a1378b09ff473f997855ddedf2
-
Filesize
6.3MB
MD5d28c28b7d005a754a60839b4091aa556
SHA190e2b7ef24d2521b66ffa793d19dd7bbe8fe3bbb
SHA2561d753a7609cfe79ec3abc6b2c0c6d552f29caf1251ffae2cb8fb81a71d80ee84
SHA51296a754995b7751cb4a0df624bd8f4975b9fa40ef97329a798abf47197537c62f51f1b47900d82be14f2d2d2785e963897ab6f7cb713e6a76fef0107c4517c089
-
Filesize
15.1MB
MD52e1b6f915bc3efb9bd950099e9a25fa2
SHA1ada21f4380f5c2bbf9a023fb3a97c6abc67d8552
SHA2565f6bd5aa51cf2590579116816e87a26617f1424fdb00f4703dd4ee9429d425e8
SHA512771557c762acab825f5f96bc83cac0612b5551f2c2d85406fe2288aad9aef9a17b16769ba29a7b5ef5087f17b5f2d0538480b3c16f809c5b52fb1afc4420f51c
-
Filesize
264KB
MD578b547129a5af3251cd3a2cab4107d4e
SHA1da5d2da96f238fa327cdea23225b08f813d5504d
SHA2569415b6d6014edb194cb9e428e77900c37b1b9a950e2c97bd013d4af8f5e8455a
SHA512ef9a1edb6272e2eeab04eeb142c5f0a7806f4e96335a1aab6d391746de795f00ea62c06ecdf0df7bc5e6933e1961afa94df11639ff5f16d0bae871a584b3bc48
-
Filesize
3.2MB
MD50ccf4e1bd3bdd1119d96bd92b89e6a76
SHA19b00ad3520a26a9f6e0644c2796c85d8ae54c47d
SHA2565893e51697c153e3ef8b257cba716577b7cc3e82fd0a8fbab51189706dedfc40
SHA512e259835f453a9d7a3ece6e9b79d087ec7d596810ed072964e38b21eca613c2321b3964ec79806269eb6abcda40aafcd9d5e82f360018cbfa1e86266baff8507e
-
Filesize
298KB
MD540e91fcd84dafcc606ccc876f991a7e6
SHA121e2dab15eddb84c631838e1575a72598e9355c2
SHA256bb0258c4b7ea8543f2f5aced98081d7a973f337c57be08f294ab189d13e7c417
SHA512dda11e19996c688090776fd3ba1428af05fb234a51947e4692b83cd11eff3ad39d7a46e481c536f0aea780c827c8169616ff74b2b9b5aadb4abab11b1e852693
-
Filesize
432KB
MD5ab89cdea049ae1fdc3d4ba269b47591d
SHA1860a07b2cb483bfec40ed2fadfb20c7b3f8f43c7
SHA256b3eafdf7094878fd617385db01cd4c06fbf34cc734252cd104d24e418bb84553
SHA51222552f2d815b2e4b9bd19be63b34592412f1eae698fc71c28f6e73d690331c3aa2b8950aed160249317673a9f22f81086c5f2ff376b47b75d980fc90ca80b2fe
-
Filesize
495KB
MD52456be54b003a06e0418a2e40d24d7d7
SHA13b05821418dd7ee9c162bad6efeab51d6ac59b91
SHA2565a3e0a62c53dc9f5dc231a487e70120099b35c61c7a1bb259f478e642a080f1d
SHA51279dcaee135a8ede7d8cd278b5266441ac6728b93245f17b8d305aff36d9980fe88ae9f51b5ca5776633064d47670f751ff0cd8150807030df9ff080c6957e82b
-
Filesize
105KB
MD52ff02072877da8f34f9af9928aa5f5b3
SHA1d9e5bee9e783fecd13e95e2cdea37fcaa9a1cbd7
SHA256756d55a8085e1b07695eb90db9266e98a0f0afc67ae188867eed96badc3d59ea
SHA5129f340860dfce4f20b674d8db7ceb15af5dd618cfb6e75a154c043a16a2fd3e57a97b763cbe84a945d06ef324b11f2b6da4ec798fa536033ccf76de2a62787c1a
-
Filesize
186KB
MD5de63b59c6697079ecc7646589deaafef
SHA1709c2d6058556dd0f9d46ef840153249cd60d94b
SHA256183db759881d0213aa708410c122a7373ba08dbe122343b6acf9292741108d97
SHA5120e8493cc0f1ee0666305c06928d4811563aa07187bdb3146bf21b3446e946e6f582c7e1375f32281b259163de72a0d54b0ade097843bbfdd5ff599d444f54573
-
Filesize
295KB
MD560054f32651599c68fab41b220f476e0
SHA1281a63035340db32bb7d55e009f8097546f4aa9a
SHA2564352c68ffc4308c2e24acc19608318a52dd0a9f362f1cd2c8ff07b55ae37dde9
SHA512daa3431d8d70b0278a13b04dc1d74b44d235296c86686fc233dcd23af963bcd5977dd97ea5546cf548e222fb43f7bba5db350f1de1c2fbefe1379c717d8e2a39
-
Filesize
1.1MB
MD5b8a2583697545aea9baa1383f9796368
SHA1a8d5fa264d96e70e36461d99a44a9a39cb186730
SHA2561f649a43e098fef9be0cbdf6f57b1afd3aa14d06c5c1aa82f5c26b769f04f141
SHA512cbb43e7b2cee7d76ac026ec3deb9626c43d6acbc595cebd41293cc1045808a7f09da19ab64c7b0a44432281e43e4904432906f5c3dec6bb1f3c146c907fc6864
-
Filesize
444KB
MD5fd5cabbe52272bd76007b68186ebaf00
SHA1efd1e306c1092c17f6944cc6bf9a1bfad4d14613
SHA25687c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608
SHA5121563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5
-
Filesize
948KB
MD5034ccadc1c073e4216e9466b720f9849
SHA1f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1
SHA25686e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f
SHA5125f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7
-
Filesize
267KB
MD50f6f9f42e4dd9dcd5715955e3838ec4a
SHA1f93a11370df53d30a84268b003fab1b8eb2a3960
SHA2566f34c5eec35a9f5af26cd163792c53fbd30ff0d04110f6bddeeff413f8dea10a
SHA512ecc9ba94660d2d3ea7a80e2a67e3db129e983d33697fa5da6c000a7b53c3e3a1460bedb12fc82af422f03c9e9c097335e9704dd21ae9d7b4baa78f19826c4920
-
Filesize
161KB
MD559294fde17337c3b141160be336fa7b0
SHA159331a76ec7bdb6ef4cf3566391587229b942378
SHA256044bea17ccaff8d1bd437dd13a0d37798ac1629f7fc6fb1cf6d5c4d0e065e5f4
SHA512f9be627ce0587e89132e013000d88db0b943f6b11e630e78aefd2f347a12f7ddf30b0a71ed5049017f2148083166924bc2c6ae35ed9d635c492dd84312d0e414
-
Filesize
52B
MD578c80d224904b9e4b9499353e2bb570a
SHA1494e5e9f09c81111271c2bbfeea211e4064b9d37
SHA2569dcbcbb31e7f4616fe36dee093ea650ce4311a6b98decc95f8d4fef4914338a3
SHA512fe722dc9e68971e458cd0e3d3f4740d759e88b7e522f7f42f67a8643d65cf0feb06a0c087441802cf852b4695062ac935690e03483193f1de380c5a9456ecf13
-
Filesize
1KB
MD5a65a1485e411592e8e6376afece3402a
SHA1eba0ec02b6a1e46694695364ef00210d960f9439
SHA25608792c5f47c35cd041207194cfe6c241adc60153517a5ce2e681ba285264ac14
SHA5121d10f810357aefdb2e4e230d24239093a5b549765df672746ef60ba3c169e74fe38c9e077f96003528cccd52eb4852c60c28d3f762c81000c22cc7b591066ac0
-
Filesize
1KB
MD5b244d142970f4fe298ad320adad6f739
SHA1c1a1347c63dcc7978c7dff81d4651ff9a2966d9f
SHA2565127c735b441607adfb1dff2a640a574eca4a99b82e140e13ba6fe40d30d5c39
SHA512052536e87ebf1c59d0e4891070846a4433a1cbe81aaa865c7675a65e0a1c5bf8ee7e9d8b44119536fe5284dc42ef3938aa1b3bcc5e10b35bc89543af6e4dfea8
-
Filesize
2KB
MD57b2b2832e759dca63140a12649190551
SHA16c2581ec8289b3f00d2fe883aba4a59a661e7b43
SHA2560e98e065638d841cbbdfa639ad09e68097611aae44cca0fbc164de9202e9732a
SHA512fd91662c1c8625e7d4280fcac1873d5c3223e253b3ce87c496c41d7c11286ad78a7dd744c9ed29ef5f475007c3c2e1b255d1b917547f11df9d9c83dcd5d56532
-
Filesize
2KB
MD5e93ac512626c45264525ccb2fdbc88e4
SHA1588224ed01168ad9355eb4f0ae0dc8ca7af9a590
SHA256379fd56370dd3f14f0a378d46a49412a6858def2b69f97462f49118f2b59dc54
SHA512e6a00e9b772fe7bcd51b829e92ed4cbeb7721a94d0e01c47d89b8c4ab35d5317bb8cf645297b2d2ca632d37ac5388bda6dd1c4bc5019f8061dc8507d51ac73fd
-
Filesize
2KB
MD5f1ede77ce6342d08ffefd923de89f04f
SHA1ea4af90b7a25f46adc1c8051217f98de35af12e4
SHA256cae2055ba0e8fb682e18dd77d00e05c0ad0db4a0845cb599a157dd110509d855
SHA51260bd7836c6dc3e07ffa9b2d36f1cbf06d680a5089e03e3482c9e27908b970b879238ad7743cf671a7a449f21b027478938134b0995d8c6294d5e758880f3c2e0
-
Filesize
298B
MD52ef237975ba195302430d3917ae557b2
SHA10b5aa3003e57fc25a6043224f557a0d22ad33c80
SHA256dbde22027829840767e2043a8ea9ba9b9495477d8926d8ba6b3d9251a379b907
SHA512400186f38d3584a51e42faa4d1e434383e3a1c041c9a4f92272960f236546f2a43835b05688589e77188aa421889aa4bc09775531ac4fe6cc8759a50df3a1e49
-
Filesize
1KB
MD594aace7e8db312e4309a763f7de02615
SHA121fd5f9124559dbc731793ab199f38058012b251
SHA25655495404ee79e3d57ce0bbb0b1ef608b81bcc5edd408a00a51c04b3496325508
SHA5122575240d741acbb596a30497fb5031858fae005013ae287716b8149e69308a180db634d5b2654bf91de4bd94e28554c0e8f743267721a2afc84f9bd86dc69a2d
-
Filesize
3KB
MD5e0a095730f835e0e7478370494d7b83f
SHA1cbf10f25be12f519b4153921b3968994221e34fd
SHA256087ff9cbed1cae73d82b55f54ead208d9e62e3db8c1064b1f68d4be751525a05
SHA5122ee95ed6b2fa2537dd84a634eb46c412d45710d52e804a1ec4aa2e2aa0dffa1bfd95c9ecef89229225fd580479c4b1d055992593b408c6773d14185d04d26788
-
Filesize
5KB
MD581907ca28ac98ab419d426e01aa3d48b
SHA17a7120e6193e241e38dc70d79666d24024be8093
SHA256038ed6a7239f237f9e58fa75f0f43c47730c6ca46b266b9c4f21fea059f62bcf
SHA51254dacb61d7f6f3aafdf6c31e6ee480426404e5cd710f0ae3ba0bfc9cf069f267b04cee37950ea81d0613ff9e5905c35fcd67924fab8ea51de3de8bd3e8bb2908
-
Filesize
5KB
MD501e6a2a43777aa803d1099cf977ccfb7
SHA11c964afd6d1ff42cce318aecdde70f8af4f3ce06
SHA256a2358aceb9641e189ac150226e39d428959d35b320b636da6523c04ed6c40cdb
SHA512e408f868e74388b32af330e94afcf9c640e696059507b2e8d255e124dbf8c2daf863357b9d2152b0690c8ea290aa78d2fb7663b043148500ae1230ccf838c033
-
Filesize
5KB
MD54d7f729eaf4361a6461ec5c2cdb206a2
SHA1d65d9f3350b9d5ad199a993605a2dcfa8bd47e37
SHA256b66d80f8a2b4ecd28b2d01e73b435b111e4752efce459ed1d27fb96b763b6fb7
SHA51237dc62770a5d9760ca85b1c95b23f92b0501da2b3ad82141d94167cafa68dc680b77a3e058ed7715ffcf3de7275f70daf6e48997a1a5591693d952e7cf860dcd
-
Filesize
878B
MD5f352b2482a325a6871ae74859bb9f04b
SHA1235b5744155abee234b46bc14eadd93581514b81
SHA256ccbd4e577790e5433261f8e44fc25186b6037e34f8ce1300d5b73d82d25e4880
SHA51231e83118f3b39ee2b079132ee714ff0d27e697ef76cdd6381831345c7cbbaaca54b0c8eab5a8710d26e75e5f06b39036d6ca7874b1bfa1e82b2f514f3564c7dc
-
Filesize
3KB
MD597db575c53470e2812c998ce9211cbd8
SHA1dcb5a92ce1539937d11ca5d75a352e7ff2b9e7c2
SHA256697d27f7fcd1648bcac9880fe20b59c5390a84cc52f3669fca6220fa034dab2b
SHA512b9ba012412b64d01f285c12cc581c82f39071451548451b4c4f08bbed99ef97874674b84901fdf59784b4f79cd1919c72d997afed40820aa1736d690f979004a
-
Filesize
751B
MD59d5cefafbc538ec83c31969ece92b375
SHA16169822e24ac7c84f188c298b77b28b3661cdd4b
SHA25630f0b84a2a46c2448fafb371936ebdb0779a739aeecc40ecadf9005a60196a39
SHA51206201d8e71f2eb6b6f6b0c92daa83939b6987b5c60d8306e44b204ca582433737a01b78d037b04430de9eef562d02957936f4aa0000ed84af2943efbb7726e40
-
Filesize
568B
MD50fcd28ed0e69ca531809e8e2058eb246
SHA15d7a1862ee5c8a708c91a9866b503d87cbfacc84
SHA2562c6c16ec784410c022bfe6dd4618fb2f4cff421c0cbc151707afbf9db0ad3a3c
SHA512276995e090a70844cbc912d9660d39c33dc5f8eed0985dd5d9c8b56a360c933f2ca63cbf32eb548031b4557260f0b720487242b2fcbc63e7e4e6937c2ac887c4
-
Filesize
668KB
MD5a438e303cf31126c5d6b882aeded21a8
SHA1eebe92a2e07ec209e6c366899938d2f7677e9977
SHA2567c301b9c44cae3a53a4f939a391ae36e79e29f9216fc903665b4551426cecd90
SHA512ddc47c35d7b662e939d471e07f5f45e979abd4df14b334c5c12f229f7d185bb9925693d9dd71e36c97eef02c92f961775f5d7cd605b36af9e6a5c9d83af3964b
-
Filesize
316KB
MD598a2b4d094fa825e601b1f68752d4ac5
SHA10197c18e2443b53add35870df81a0123acbaa0cd
SHA2563347ab083d69d9d4bf6c8e6816c56a1eb694b581721965ebd44d240fe956e164
SHA51247ef8d5ee9273a41169ec522245869f6d9d90b840d56d88e68bd693b4d1b4243b005cede1a5f9420ff1a5240f7de8ba7a5b915b846af9e1c57a0d4eaa584d53d
-
Filesize
19KB
MD535d7b29c3ed690a8b0cd323917677b42
SHA1ad74d2babe09f94838e408c8f9f77b6b56c644f5
SHA256714bd22a836a7f164b848541b8bf8ac80a20ff38e10e412bf9ef518620a80b8c
SHA512abc6f37b7306de737adf998607e81304ecc1589ac8e3164651b237def11b424a190e84608f4f6ce44a63ce225d93be7c617a736c82fb6b9077c5222c2e17b67d
-
Filesize
74KB
MD53b8308f1dba641b49a642fa6d92f3451
SHA1a11164e08bd9c594b6d608c51a2428a4c6b555a2
SHA2562061a94b4d34a77f935f95a3741f917c91b27d0e1585c2ee2f8e00806b671db7
SHA512dc089fc2bb43ccfcca8748013636e8d249cd91e1b08b30358d00df0decaec5782d2af85274e7b70784d4e58c934dfe5112fdcb4006de2a5dbe9c76dae9ed1f81
-
Filesize
774KB
MD58bcd300c69b67e78b09cf07aecfa14fb
SHA1d92bdb71d8b8477a3f0838360191aecc459a3c09
SHA256d62d59db60544bd44db6d710f3b6d48608bee022d908dc46d16885e79dd1ca0d
SHA512393667c3423ed6defeca5c7c51c3244106ebb737398b34822a38edf9fa68cead72016a77c29d4f47d0c5c784c6339e8080d3b35eb17d325658a951c464951cf4
-
Filesize
309KB
MD552c3b9ac0484ece3b524a9526272f88e
SHA1c07268de6a13290acbf58ec5ef75e2468533d791
SHA256210876c0ff70ffaa88a05f9ef794a96136549f4168e940e256fb4ac85b0fff71
SHA512da7710404e5630509eeaf9e318e2a4a2d9c4f269aee6cdce5d2a8f128094e7c92940312fda9913f5c44dce5159b59159f40137ddb2e7975e450f30c6a7b24f47