Malware Analysis Report

2025-06-16 03:39

Sample ID: 240526-md41aaff62
Target: 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118
SHA256: 0d4e910847a8da89c1a61e75ddd8db232083e735486178457c547e6a3958dcc1
Tags: bootkit, discovery, persistence, execution
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: 0d4e910847a8da89c1a61e75ddd8db232083e735486178457c547e6a3958dcc1

Threat Level: Shows suspicious behavior

The file 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: bootkit, discovery, persistence, execution

Registers COM server for autorun

Loads dropped DLL

Executes dropped EXE

Checks installed software on the system

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Program crash

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

Modifies data under HKEY_USERS

Modifies Control Panel

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Modifies Internet Explorer settings

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-26 10:22

Signatures

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2024-05-26 10:21
Reported: 2024-05-26 10:31
Platform: win10v2004-20240508-en
Max time kernel: 144s
Max time network: 172s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Src\Protocol.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4896 wrote to memory of 3900 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4896 wrote to memory of 3900 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4896 wrote to memory of 3900 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Src\Protocol.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Src\Protocol.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted: 2024-05-26 10:21
Reported: 2024-05-26 10:28
Platform: win7-20240508-en
Max time kernel: 122s
Max time network: 135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Src\Report.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3068 wrote to memory of 2196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3068 wrote to memory of 2196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3068 wrote to memory of 2196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3068 wrote to memory of 2196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3068 wrote to memory of 2196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3068 wrote to memory of 2196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3068 wrote to memory of 2196 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Src\Report.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Src\Report.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted: 2024-05-26 10:21
Reported: 2024-05-26 10:31
Platform: win7-20231129-en
Max time kernel: 118s
Max time network: 126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 220

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted: 2024-05-26 10:21
Reported: 2024-05-26 10:30
Platform: win10v2004-20240426-en
Max time kernel: 142s
Max time network: 169s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3432 wrote to memory of 924 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3432 wrote to memory of 924 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3432 wrote to memory of 924 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 924 -ip 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 616

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 200.79.70.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted: 2024-05-26 10:21
Reported: 2024-05-26 10:31
Platform: win7-20240220-en
Max time kernel: 120s
Max time network: 131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\reportsetup.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\reportsetup.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\reportsetup.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 224

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted: 2024-05-26 10:21
Reported: 2024-05-26 10:33
Platform: win10v2004-20240508-en
Max time kernel: 130s
Max time network: 172s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$R0\$R0\BaiduPinyinWin10Setup.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$R0\$R0\BaiduPinyinWin10Setup.exe

"C:\Users\Admin\AppData\Local\Temp\$R0\$R0\BaiduPinyinWin10Setup.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted: 2024-05-26 10:21
Reported: 2024-05-26 10:35
Platform: win7-20240221-en
Max time kernel: 121s
Max time network: 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BDBugReportx64.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BDBugReportx64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BDBugReportx64.exe

"C:\Users\Admin\AppData\Local\Temp\BDBugReportx64.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-26 10:21
Reported: 2024-05-26 10:30
Platform: win10v2004-20240508-en
Max time kernel: 143s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetool.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BDDownloadExe.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\IMEBroker.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bdupdate.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\IMEBroker.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bdupdate.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\InProcServer32\ = "C:\\Windows\\system32\\baiducnTSF.dll" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\InProcServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\InProcServer32 C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\InProcServer32\ = "C:\\Windows\\system32\\baiducnTSF.dll" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\InProcServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\InProcServer32 C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaiduPinyin = "\"C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\baidupinyin.exe\" --autorun" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaiduPinyin = "\"C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\baidupinyin.exe\" --autorun" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BDDownloadExe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\baiducn.ime C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
File created C:\Windows\system32\baiducnTSF.dll C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
File created C:\Windows\SysWOW64\baiducnTSF.dll C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
File created C:\Windows\system32\baiducn.ime C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
File opened for modification C:\Windows\system32\baiducn.ime C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
File created C:\Windows\SysWOW64\baiducn.ime C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
File created C:\Windows\system32\baiducnTSF.dll C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
File opened for modification C:\Windows\system32\baiducn.ime C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
File created C:\Windows\SysWOW64\baiducnTSF.dll C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
File created C:\Windows\system32\baiducn.ime C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\ime_skin_thumb_0.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\QuickInput.exe C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\5823ad64c517d9214da2b4f5891cb8c0.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\btn_logo_panel_list_down.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\ime_skin_thumb_1.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\PersonalCenter\css\style.css C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\quickhelp.exe C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\4bb89b649344ae236145981a282ac8c9.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\toolwindow\tb_jieping.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\90fdae7bdd452083f27372799c5a31f2.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\btn_white_90_30.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\Preview\quicksetting\1\skinpreview.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\Baiducnx64.ime C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bugreport_bdfaceimp.ini C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\6ee778accda04860ddcf53f65cd9ca83.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\78dfc796e4a99118f7ef0a8a05cd41be.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\SysImg\notify\bdpinyin_new.ico C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\bg_facebox_white.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\ic_quick_10.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\ImeConfig\maintab_bkg.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\plugin\img\zmbaidu.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\85daf75ab557a705c9ff3a41ca328c84.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\9bbab073de56765c42a031fc6ed4a554.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\ca290b3c6e88957d0c0b24c483f0fbf5.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\cc358560120f0bedee57f8ab748071eb.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\d11447267773853a100806edd06abd7b.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\0bc354bed69bc75690ccfea355712e11.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\3dfeff82b394f764dbf5ebc348bbd8af.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\6f1252010438615fe023b8157578e25e.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\SysImg\updatebanner.bmp C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\skinbox\images\infor.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\PersonalCenter\js\tangram.js C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\Preview\quicksetting\3\horver.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\syncengine.dll C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\skinbox\images\qingxinlv.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\PersonalCenter\images\btn_min.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\toolwindow\tb_geren.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\0e38445364fa27928f416c41860975c0.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\4ef77ad90f85b9d5faa90e2b1d2b8a54.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\b014567339a200eba7d447e263c190b5.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\toolwindow\tb_note.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imezlib.dll C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\btn_logo_panel_settingcenter.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\ic_quick_4.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\toolwindow\tb_shenma.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\1a43a493cdaa0cd9084e40d3921f35e4.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\radiobox.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\toolwindow\btn_setting.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\0b62d7e3ff7fa859e62baeff6761a301.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\1a9f2044a290af7fd8d0086544be2732.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\btn_login_reload.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\icon_logo_panel_avatar.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\toolwindow\tb_calendar.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\skinbox\images\default.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\55efa667245a7d1d420d7b8d3ba89833.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File opened for modification C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\dummydict.dat C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\quicksetting\config_res.rdb C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\089a723c8ada53878f1985f41dc9f044.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\a5bbf9a04af264a8e6802a2e2df1bd42.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\skinbox\images\checkbox_uncheck.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\skinbox\images\ic_delect.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skinbox.exe C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\db6ce587368cff26f4521b0e9643cfe4.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\be5610f727832f3893f544ac951b321d.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134}\Policy = "3" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96}\AppName = "baidupinyin.exe" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94}\Policy = "3" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96} C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921} C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96}\AppName = "baidupinyin.exe" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95}\AppName = "quickhelp.exe" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93}\AppName = "pluginmgr.exe" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94}\AppName = "skinbox.exe" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134}\AppName = "imetool.exe" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91}\AppName = "imeconfig.exe" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93} C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921}\Policy = "3" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96} C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91} C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93}\Policy = "3" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94} C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883} C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95} C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96}\Policy = "3" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134}\Policy = "3" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921} C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883} C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921}\Policy = "3" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95} C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921}\AppName = "imetoolx64.exe" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93}\Policy = "3" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883}\AppName = "IMESkinInput.exe" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91}\Policy = "3" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883}\AppName = "IMESkinInput.exe" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91}\Policy = "3" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134}\AppName = "imetool.exe" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134} C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921}\AppName = "imetoolx64.exe" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95}\Policy = "3" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883}\Policy = "3" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134} C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93} C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95}\AppName = "quickhelp.exe" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93}\AppName = "pluginmgr.exe" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94} C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91} C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96}\Policy = "3" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91}\AppName = "imeconfig.exe" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94}\Policy = "3" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95}\Policy = "3" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94}\AppName = "skinbox.exe" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883}\Policy = "3" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\ = "中文(简体) - 百度输入法" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE4A566E-CD2F-412A-B259-1F1965B935C4}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\Shell C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\InProcServer32\ = "C:\\Windows\\SysWow64\\baiducnTSF.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/BaiduImeSkin\Extension = ".bps" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\MiscStatus C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\ToolboxBitmap32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\MiscStatus C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.bps C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\Shell\ = "Open" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\Shell\Open C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\MiscStatus\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bps C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\Shell\Open\Command\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\skininst.exe \"%1\"" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx.1\CLSID\ = "{D64016F6-4D8E-4B35-AB22-9B2060800112}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\MiscStatus\1\ = "131473" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BdImeFile C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\Shell C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF} C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\VersionIndependentProgID\ = "BaiducnAx.ScreenShotAx" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\InprocServer32\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\BaiducnAx.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx\CurVer\ = "BaiducnAx.ScreenShotAx.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BaiducnAx.DLL\AppID = "{29F9A596-1256-43F4-BE7F-16C89D66550A}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\BdImeFile C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\ = "百度输入法皮肤文件" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\DefaultIcon\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\skininst.exe,0" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\MiscStatus\1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\BdImeSkinFile C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\DefaultIcon C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BaiducnAx.DLL C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE4A566E-CD2F-412A-B259-1F1965B935C4}\1.0\0\win32\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\BaiducnAx.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\ = "IScreenShotAx" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/BaiduImeDict\Extension = ".bdict" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\ProgID\ = "BaiducnAx.ScreenShotAx.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.bcd C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\ = "中文(简体) - 百度输入法" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\ProgID\ = "BaiducnAx.ScreenShotAx.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF} C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx\CLSID\ = "{D64016F6-4D8E-4B35-AB22-9B2060800112}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\InProcServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\TypeLib\ = "{BE4A566E-CD2F-412A-B259-1F1965B935C4}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\MiscStatus C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE4A566E-CD2F-412A-B259-1F1965B935C4}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\ = "IScreenShotAx" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\BaiducnAx.dll, 102" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\MiscStatus\1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE4A566E-CD2F-412A-B259-1F1965B935C4}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bcd C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\ = "百度输入法分类词库" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\Shell\Open\ = "安装到百度输入法(&I)" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\Shell\Open\Command\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\cellinst.exe \"%1\"" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 208 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe
PID 208 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe
PID 208 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe
PID 3832 wrote to memory of 2500 N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe
PID 208 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetool.exe
PID 4196 wrote to memory of 2248 N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetool.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
PID 208 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BDDownloadExe.exe
PID 208 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
PID 812 wrote to memory of 404 N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe C:\Windows\SYSTEM32\RegSvr32.exe
PID 404 wrote to memory of 2484 N/A C:\Windows\SYSTEM32\RegSvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 812 wrote to memory of 1640 N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
PID 812 wrote to memory of 4668 N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
PID 812 wrote to memory of 3932 N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
PID 812 wrote to memory of 1372 N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
PID 812 wrote to memory of 468 N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe C:\Windows\SYSTEM32\RegSvr32.exe
PID 812 wrote to memory of 4432 N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
PID 208 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe
PID 468 wrote to memory of 3172 N/A C:\Windows\SYSTEM32\RegSvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3000 wrote to memory of 1132 N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe
PID 4432 wrote to memory of 2868 N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
PID 208 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bdupdate.exe
PID 208 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe
PID 208 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe
PID 208 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe
PID 208 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe"

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe"

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe" --clean_old

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe" --quit

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --usercenter=close

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetool.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetool.exe" --moveuserdata

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --moveuserdata

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BDDownloadExe.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BDDownloadExe.exe" 1 /product=201

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --install

C:\Windows\SYSTEM32\RegSvr32.exe

RegSvr32.exe /s "C:\Windows\SysWOW64\baiducnTSF.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Windows\SysWOW64\baiducnTSF.dll"

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --startmenuopt

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --vistataskscheduler

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --filesec

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --whitelist

C:\Windows\SYSTEM32\RegSvr32.exe

RegSvr32.exe /s "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BaiducnAx.dll"

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --install-shell

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe" --quit

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BaiducnAx.dll"

C:\Program Files (x86)\Baidu\BaiduPinyin\IMEBroker.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\IMEBroker.exe" --quit

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --usercenter=close

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bdupdate.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bdupdate.exe" --installgau

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe" /u

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe" -reg

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe" -reg

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe"

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --setopt /Command/ImportSogouDict bool:true

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --setopt /Command/ImportQQDict bool:true

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --setopt /Command/CheckImeSetup str:AD

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --set-first-ime

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --fix

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --location

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --install

C:\Windows\SYSTEM32\RegSvr32.exe

RegSvr32.exe /s "C:\Windows\SysWOW64\baiducnTSF.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Windows\SysWOW64\baiducnTSF.dll"

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --startmenuopt

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --vistataskscheduler

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --filesec

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --whitelist

C:\Windows\SYSTEM32\RegSvr32.exe

RegSvr32.exe /s "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BaiducnAx.dll"

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --install-shell

C:\Program Files (x86)\Baidu\BaiduPinyin\IMEBroker.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\IMEBroker.exe" --quit

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BaiducnAx.dll"

Network

Country Destination Domain Proto

Files

SHA1 233a8a946f119492b8fa2b4b8993e5d3db00acfe
SHA256 6a2b893de7fbc1c0c507a35c14882236c326f553baf07409cd358308eefcb5af
SHA512 2cae7a79f3adbc23fbd7a84689321b438596bd9cec5b2bca274f0d67ae0bad7b9b984ba352256fe6079338435958e28923915d029bc4b2e52fd04dff61312245

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe

MD5 0ccf4e1bd3bdd1119d96bd92b89e6a76
SHA1 9b00ad3520a26a9f6e0644c2796c85d8ae54c47d
SHA256 5893e51697c153e3ef8b257cba716577b7cc3e82fd0a8fbab51189706dedfc40
SHA512 e259835f453a9d7a3ece6e9b79d087ec7d596810ed072964e38b21eca613c2321b3964ec79806269eb6abcda40aafcd9d5e82f360018cbfa1e86266baff8507e

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe

MD5 2456be54b003a06e0418a2e40d24d7d7
SHA1 3b05821418dd7ee9c162bad6efeab51d6ac59b91
SHA256 5a3e0a62c53dc9f5dc231a487e70120099b35c61c7a1bb259f478e642a080f1d
SHA512 79dcaee135a8ede7d8cd278b5266441ac6728b93245f17b8d305aff36d9980fe88ae9f51b5ca5776633064d47670f751ff0cd8150807030df9ff080c6957e82b

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BDDownloadExe.exe

MD5 2f5aa7abfbbf2b087f9e4dfe423bd6a1
SHA1 c54a1c7d55272efc2733eea8c92e4e5d5b88c36d
SHA256 68ed1dc5216bc98e95b938643b44160805fb9564966ba3baa515df526ce6cff0
SHA512 f296c689b22ccf8d55f385e22f29e5e7e059daa44577eba05a8e42706abae4c9292c16fc9fe44d671ffb816960e69317aa5fbafb7e0702acf4f2608c6c0db719

C:\ProgramData\Baidu\Common\Global.db

MD5 78c80d224904b9e4b9499353e2bb570a
SHA1 494e5e9f09c81111271c2bbfeea211e4064b9d37
SHA256 9dcbcbb31e7f4616fe36dee093ea650ce4311a6b98decc95f8d4fef4914338a3
SHA512 fe722dc9e68971e458cd0e3d3f4740d759e88b7e522f7f42f67a8643d65cf0feb06a0c087441802cf852b4695062ac935690e03483193f1de380c5a9456ecf13

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baiducn.ime

MD5 56385cb44bcf0b46d7b27ae70dc304f8
SHA1 f488aff961286a852fba6f887ba9369d7dbb8bbe
SHA256 1ef970a39e17a0f1188f7ea88a871a833613b0fbc5fbc028f2a29bcddba72159
SHA512 37725ad5e9599ce7db125453a4f63ead7d6648dca65ab93bb5ed6888404a04d86dfcea1d0a28ec4a005449d1246a452e03bb4a8bcf5c4bed42071cb1c2afb681

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baiducnx64.ime

MD5 385de7eb355e2b67bc8efaf1d28db78b
SHA1 f8dcd255c7160347af343bd6824640d1960a3afe
SHA256 a00392e1f6c235507cf6077f16052216de8c50ea3c601b32ea8f1e75f447d650
SHA512 95461dbb67355cd44ebe0f8ae124bd878a7588e09ef9fc682ac256a1c5c243f5d1ffcf1189f714670f4298ce8e67e6463f98bb83540652edfaddd55e3d173267

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baiducnTSFx64.dll

MD5 523d13d373e36022819a8bfd4106afa7
SHA1 928fd5209a568333193b4327897fbcd25829a876
SHA256 6717422b8a66c295cdc52624794354c642c0f5b3c9fc945e17c700765815a2ff
SHA512 d5be101c0a4c7bdf5eddf351311e8a7db74d2fef8f97171e3ea0820fc7384c8505915ecfc774f70c519ed87807173397f6771d515bbc816d113a24460b72fafd

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baiducnTSF.dll

MD5 047883fa5f336320c303345fd0c2a37c
SHA1 d5a647ce1dde1faa4128c1db5c82851ca73716a7
SHA256 aca42b70ee70806ff6a298acbfda17051f3514073ba1bffeb64006d56d75a9ea
SHA512 b8e8032fd8c4a94fa7841bfa4a9b89c894766cfebb2702da2570acddee1c161c7a12551f51d3dce81fb10d55e56075c226843d811a20ef6cafafa3e58418dd48

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\autoupdate.ini

MD5 3c45a3efd6faca8afd99af299c37b0a2
SHA1 3f9658399ed8de6292e7cf7c16060248c7114f90
SHA256 ca25c996b6d5ebe5348c6baddd2073309539171bcf706e6c6c1d06e7ce421ffc
SHA512 21f708eabc7152beb7479a3fa7c19c7b95028f3f78fd34c15fb180a16b03c0b02de290dff611692acf2c80cd5c9885e7818cf312adcf859cd975ca1c79b913d2

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\app.ini

MD5 2acb717904708b6b98f41dc5f2dd17d0
SHA1 4a2460b5904e20339109bd4ef04b0f43ad3bc30b
SHA256 d9e8604274f890c75250ff38ddd069f4c8c412c8b3cf8a98e67b2706bfced59c
SHA512 e736e4c7e0fa239964546e2d4fa0241e80f82fbef7acc31b9373e6c9c02c99b09ae20fd402fc922bec9288537588e4b91ebe1970651ed87877cb2bdc93b2494c

C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\common.ini

MD5 0fcd28ed0e69ca531809e8e2058eb246
SHA1 5d7a1862ee5c8a708c91a9866b503d87cbfacc84
SHA256 2c6c16ec784410c022bfe6dd4618fb2f4cff421c0cbc151707afbf9db0ad3a3c
SHA512 276995e090a70844cbc912d9660d39c33dc5f8eed0985dd5d9c8b56a360c933f2ca63cbf32eb548031b4557260f0b720487242b2fcbc63e7e4e6937c2ac887c4

C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Account\.common\Status.ini

MD5 2ef237975ba195302430d3917ae557b2
SHA1 0b5aa3003e57fc25a6043224f557a0d22ad33c80
SHA256 dbde22027829840767e2043a8ea9ba9b9495477d8926d8ba6b3d9251a379b907
SHA512 400186f38d3584a51e42faa4d1e434383e3a1c041c9a4f92272960f236546f2a43835b05688589e77188aa421889aa4bc09775531ac4fe6cc8759a50df3a1e49

C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Account\.common\Status.ini

MD5 94aace7e8db312e4309a763f7de02615
SHA1 21fd5f9124559dbc731793ab199f38058012b251
SHA256 55495404ee79e3d57ce0bbb0b1ef608b81bcc5edd408a00a51c04b3496325508
SHA512 2575240d741acbb596a30497fb5031858fae005013ae287716b8149e69308a180db634d5b2654bf91de4bd94e28554c0e8f743267721a2afc84f9bd86dc69a2d

C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Status.ini

MD5 f352b2482a325a6871ae74859bb9f04b
SHA1 235b5744155abee234b46bc14eadd93581514b81
SHA256 ccbd4e577790e5433261f8e44fc25186b6037e34f8ce1300d5b73d82d25e4880
SHA512 31e83118f3b39ee2b079132ee714ff0d27e697ef76cdd6381831345c7cbbaaca54b0c8eab5a8710d26e75e5f06b39036d6ca7874b1bfa1e82b2f514f3564c7dc

C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Status.ini

MD5 e0a095730f835e0e7478370494d7b83f
SHA1 cbf10f25be12f519b4153921b3968994221e34fd
SHA256 087ff9cbed1cae73d82b55f54ead208d9e62e3db8c1064b1f68d4be751525a05
SHA512 2ee95ed6b2fa2537dd84a634eb46c412d45710d52e804a1ec4aa2e2aa0dffa1bfd95c9ecef89229225fd580479c4b1d055992593b408c6773d14185d04d26788

C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Status.ini

MD5 81907ca28ac98ab419d426e01aa3d48b
SHA1 7a7120e6193e241e38dc70d79666d24024be8093
SHA256 038ed6a7239f237f9e58fa75f0f43c47730c6ca46b266b9c4f21fea059f62bcf
SHA512 54dacb61d7f6f3aafdf6c31e6ee480426404e5cd710f0ae3ba0bfc9cf069f267b04cee37950ea81d0613ff9e5905c35fcd67924fab8ea51de3de8bd3e8bb2908

C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Account\.common\Status.ini

MD5 7b2b2832e759dca63140a12649190551
SHA1 6c2581ec8289b3f00d2fe883aba4a59a661e7b43
SHA256 0e98e065638d841cbbdfa639ad09e68097611aae44cca0fbc164de9202e9732a
SHA512 fd91662c1c8625e7d4280fcac1873d5c3223e253b3ce87c496c41d7c11286ad78a7dd744c9ed29ef5f475007c3c2e1b255d1b917547f11df9d9c83dcd5d56532

C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Account\.common\Status.ini

MD5 b244d142970f4fe298ad320adad6f739
SHA1 c1a1347c63dcc7978c7dff81d4651ff9a2966d9f
SHA256 5127c735b441607adfb1dff2a640a574eca4a99b82e140e13ba6fe40d30d5c39
SHA512 052536e87ebf1c59d0e4891070846a4433a1cbe81aaa865c7675a65e0a1c5bf8ee7e9d8b44119536fe5284dc42ef3938aa1b3bcc5e10b35bc89543af6e4dfea8

C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Account\.common\Status.ini

MD5 e93ac512626c45264525ccb2fdbc88e4
SHA1 588224ed01168ad9355eb4f0ae0dc8ca7af9a590
SHA256 379fd56370dd3f14f0a378d46a49412a6858def2b69f97462f49118f2b59dc54
SHA512 e6a00e9b772fe7bcd51b829e92ed4cbeb7721a94d0e01c47d89b8c4ab35d5317bb8cf645297b2d2ca632d37ac5388bda6dd1c4bc5019f8061dc8507d51ac73fd

C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Status.ini

MD5 01e6a2a43777aa803d1099cf977ccfb7
SHA1 1c964afd6d1ff42cce318aecdde70f8af4f3ce06
SHA256 a2358aceb9641e189ac150226e39d428959d35b320b636da6523c04ed6c40cdb
SHA512 e408f868e74388b32af330e94afcf9c640e696059507b2e8d255e124dbf8c2daf863357b9d2152b0690c8ea290aa78d2fb7663b043148500ae1230ccf838c033

C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Account\.common\Status.ini

MD5 a65a1485e411592e8e6376afece3402a
SHA1 eba0ec02b6a1e46694695364ef00210d960f9439
SHA256 08792c5f47c35cd041207194cfe6c241adc60153517a5ce2e681ba285264ac14
SHA512 1d10f810357aefdb2e4e230d24239093a5b549765df672746ef60ba3c169e74fe38c9e077f96003528cccd52eb4852c60c28d3f762c81000c22cc7b591066ac0

C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Status.ini

MD5 97db575c53470e2812c998ce9211cbd8
SHA1 dcb5a92ce1539937d11ca5d75a352e7ff2b9e7c2
SHA256 697d27f7fcd1648bcac9880fe20b59c5390a84cc52f3669fca6220fa034dab2b
SHA512 b9ba012412b64d01f285c12cc581c82f39071451548451b4c4f08bbed99ef97874674b84901fdf59784b4f79cd1919c72d997afed40820aa1736d690f979004a

C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Status.ini

MD5 4d7f729eaf4361a6461ec5c2cdb206a2
SHA1 d65d9f3350b9d5ad199a993605a2dcfa8bd47e37
SHA256 b66d80f8a2b4ecd28b2d01e73b435b111e4752efce459ed1d27fb96b763b6fb7
SHA512 37dc62770a5d9760ca85b1c95b23f92b0501da2b3ad82141d94167cafa68dc680b77a3e058ed7715ffcf3de7275f70daf6e48997a1a5591693d952e7cf860dcd

C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Account\.common\Status.ini

MD5 f1ede77ce6342d08ffefd923de89f04f
SHA1 ea4af90b7a25f46adc1c8051217f98de35af12e4
SHA256 cae2055ba0e8fb682e18dd77d00e05c0ad0db4a0845cb599a157dd110509d855
SHA512 60bd7836c6dc3e07ffa9b2d36f1cbf06d680a5089e03e3482c9e27908b970b879238ad7743cf671a7a449f21b027478938134b0995d8c6294d5e758880f3c2e0

C:\Program Files (x86)\Baidu\BaiduPinyin\IMEBroker.exe

MD5 59294fde17337c3b141160be336fa7b0
SHA1 59331a76ec7bdb6ef4cf3566391587229b942378
SHA256 044bea17ccaff8d1bd437dd13a0d37798ac1629f7fc6fb1cf6d5c4d0e065e5f4
SHA512 f9be627ce0587e89132e013000d88db0b943f6b11e630e78aefd2f347a12f7ddf30b0a71ed5049017f2148083166924bc2c6ae35ed9d635c492dd84312d0e414

C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Status.ini

MD5 9d5cefafbc538ec83c31969ece92b375
SHA1 6169822e24ac7c84f188c298b77b28b3661cdd4b
SHA256 30f0b84a2a46c2448fafb371936ebdb0779a739aeecc40ecadf9005a60196a39
SHA512 06201d8e71f2eb6b6f6b0c92daa83939b6987b5c60d8306e44b204ca582433737a01b78d037b04430de9eef562d02957936f4aa0000ed84af2943efbb7726e40

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-26 10:21

Reported

2024-05-26 10:31

Platform

win7-20240220-en

Max time kernel

123s

Max time network

134s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chkm.dll,#1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1740 wrote to memory of 2188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1740 wrote to memory of 2188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1740 wrote to memory of 2188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1740 wrote to memory of 2188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1740 wrote to memory of 2188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1740 wrote to memory of 2188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1740 wrote to memory of 2188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chkm.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chkm.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-26 10:21

Reported

2024-05-26 10:29

Platform

win7-20240508-en

Max time kernel

121s

Max time network

139s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\$_24_\PersonalCenter\$_25_\index.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422881054" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000ba705129dad0ddb39220aa48f3b64c31d9355fe52dddb6a34084a9e03d937e63000000000e8000000002000020000000ba9b94d9b7cf2930880687ebed746a3a26db01e42b0aa6dd2ce7171438096433200000000f8aee2430148584b6fa1f56083da4deaf72710ceb45b76684f534aba0c4c59a400000007d50726c84251943993d75f4ca5680b6930c38483fd8870ef2f031394d66b04f3e89f8e8237378653fe26197a86f274184a9b7bcfb7c7f50cbba3c290a726b67 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0e3543d57afda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{68298C91-1B4A-11EF-86BF-CE57F181EBEB} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\$_24_\PersonalCenter\$_25_\index.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2132 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab5D21.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar5DB0.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ddda27b48c23ce6d56c0f0182df75f41
SHA1 517a7fa49d4be7bcd1fa8fba7d96ad98ee40e8c8
SHA256 e8a481db8f2446402b0fa1c71eb391961e16d91f27939214ca72e6414cbd8666
SHA512 5fb14a2f46621808d707057e770be012d71501993d84b4ca46e6cb2698a1c9276070ed237b80e5b0a7eb63b07d792744ca9b1c481a18a2d5ad6e4adf25c24912

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 785ea53793af9887c15fa4cff17c5cce
SHA1 475cb234cf27c4cb42c786611ebe01098be84b8d
SHA256 aafcd7331de2aafbcfe0e86a16f43527c1f1af5328547189f89a9dff1f7c6a58
SHA512 3130d9f4de51b24516936179ad14cc2e14df38ab59a416c6f5a02dea6caa9ecab8d9776059d96106bf3624911651b86e018ede5968302434ff81d1fc1b5a3ada

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 77673cc71bbae6e0b942f363dcaa3e7f
SHA1 5b143ac6a4b51ab9822a4346703d73e8fef1f37c
SHA256 a087781c7b9d7e7c826fbae6a6159cc8c19e0ce79ba643f16252f9e146c09e12
SHA512 703740f4b4a4a60bfea12d61c6b65bd6039b57323041e7f6404543be6419238bc5e0aeec0dba21ea47ad22d99b20b2e83e22371d3f9f29edf09a0aaf6ae0e212

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 959d6e882446ba8dc4a6afee3ba3f0a7
SHA1 a45d4700877e0cf6ac1c0be8d6bd0ee69caa76ba
SHA256 9c85f262b3fcfd9e72644aa25a1d2bc8110aaa0948f3dba3c5f816eb6f979deb
SHA512 6b2a3fea45514ac247bde9f1a695a50899f71e31616ee5f6f7455f536763d1809a40688b95bb1d8c936b39577ba69d35aaffd3c1d59b8fae2779a37ff7db1f32

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6351e4e58a0388b1599b23ccebc86277
SHA1 9f83dff8b4befecc5c1fbce7f3720db5735e00c9
SHA256 7260be357f5bd957c38a37fcee823cb5aee895c814fe0d445917c5d3e8418462
SHA512 2cb696140446280354eae5e57966716f2359c08cc796023698e550d8d97e7eaccfa36837f788f60deddb1e59c6cc3734822632fe9e12de75d85914684597c4a9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f80a154120aa95119b696a82cbeee1ff
SHA1 4de61ac4625aec625d2f927682c064af703b7165
SHA256 5fb2c94e7fa67e82c2be9499f1bf0b23852a705daff63c700573642f082bb932
SHA512 b0b419099776e972d94694716f2863e98c13816d4de27225870b6003518780b671f8341dc875ba93a119cac92a0b5df28d654e0b0a1920a20145100dc3391f21

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0763b865e691b6fb105093cbb848c715
SHA1 dc0f56d96306fc3510d645623f62d94820f48a5f
SHA256 d34aa2af2904018c10718059338f1e078de9622716e7f1690b946968db9589c3
SHA512 ceca95a5ba033a2f5001469d25c08fbb20052e086ab35d9fa28b9b138465a8ba0dd7913bc83ceea173bdc08d4ad652d692dd708637cdac1f32784425d4c47d57

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3b558faf48269f082154b96cec6a74f4
SHA1 bc2a4f73e791175a7e43ad0258076c6efb3464a2
SHA256 994579d9a2f80fc1aad3e97592dda8ef87066589f19211a84ca9d8571853298e
SHA512 04fbf1c08f4ac728366e1a5fc4aa732949ee2633614bc4899f7836c11b8a10088226a96b10df479479d5961c80a8730804058570f081f11bac04e25b679787d6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1040911b85b452aa6305405e5ce0f994
SHA1 b9f271611db09cbf743a263ecaedb5e49a2aabe6
SHA256 609cb8e0ae346d042308597e1cf0a35ecf44fc5957cce8c91f6b23e44f5f1d2c
SHA512 d08c280a4417acd72d15c4a5fa14e6e374e613f82af3fcc387c3c3e24440d9beae1ff057eff9a67cb4134e3af53c9787d12b8be3718679a3442f819d28cc0d7b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8fe7bf377c36c86671a0e1cc0b687c01
SHA1 46ac58bca2f4c4a7747b859800c9afecad2c485c
SHA256 1195ccb466d794ce3bb92473627ab307461d211107a445fe646770064f95d04a
SHA512 2aea44ecd49c0c88a81ec01fea5ac9f0f0f175884449945b5d0fc6f1673293ef9e589fb8684e0dfe7c1ad87fa0dbc95aa1f78797174bd9d1aa86476c2e21233b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 481cbd260feebde769fe1c26c14d7c7a
SHA1 8749860b58db16e609787f66bbff773eb5bd8082
SHA256 95f35d071da41b6015d077f8b5df5c51f4bc3d0fd62793d8566ebf011cc6d698
SHA512 cf44bfbe7981991c8c6a331051e6698404c2782835ff298d04e07afaf5b4a4ea810badef98faa2076ebfb983f236c7992689236839be3d1042135a4260b1b28f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b868c18c33c4202c796a2a2b4cadb748
SHA1 5651d18acf495605b82d69beb7be05381c83a491
SHA256 13ede31e99d2d97ba04ce9241d9ad6880e6463e7db929e53ca79059f960de547
SHA512 56e0ea47c96825b04a6d5771e4d5dc65b4e8c2c7ec9644431dd8b31a99fccdd64e491edbb6dc34938037584a288088329d466715c0133f7bf2de3caf8a26662c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 60a1d0ff9b43162b2bedfb6ea3fa88dc
SHA1 0188bffe2639ea2576f28e77416c463f0fcda808
SHA256 38bb93df05f7a852fc90f22f326838e764d246dd9fa2ad75218f7c042991c2c3
SHA512 168291189fe4653de314d64e45290b14bd764f7f8ab44ef0de7a92fddc50b6f41c7dc9293c7ba82f8ef861585766592bba180fa5e6e32c2e7a34a7931bcb3f3d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2fd7b3e7727556e4895e606ef5aa10ac
SHA1 58cd054978e072685ae4aad89122feecc4d57187
SHA256 b5c04a4a77c971847698ab6a0b7e0c18b8607d34f27ec8184e6915633e3db8b9
SHA512 4ced68a58b7380261f7dd367188fa96cf8fb8d9a00eabb9baeaaff9f39c546c14afdb1e327fc43e3c3cf2378f2ca701d46b61eac8fc44b811adb670487d8ab37

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2904d5fa3474ab9234b5d745dbea211b
SHA1 2edb6e1ee490552a5a525a3880b2dce44a8afb16
SHA256 7292fd35695c3aacaaf6e5eeb701a618d593adf4f84112048b092f583e8d8d7c
SHA512 9ab4eb77072cecb3c8b16f8d983066928875b0bace0aaf55cba9cddc9ff7bbf08f4ac09713467ce2b29e8c8ce405caa236e1c72e007972ca8161400d3a8152c1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7a9fb73f64309f931f33c7c8519d1b4e
SHA1 f9e77e28f3b02eff0201f474f79991b62bfd938e
SHA256 1e0e177ecec483eed76fdcda8a82bb3b1aabba44604e9570027192890c0ea3b6
SHA512 bf6f091c18a765a8b55f53e69a1352dc69514b6132697e2ceca04087c140aeabf6594a01df3a27a2bfabf4ce9f816d9ec9a069087d4e4bac3b612bc5375920e1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6f5e49376083f658caee4f5071feb566
SHA1 e5becf94069071ab191dc26d0fb135ac7ba8252c
SHA256 ecfaa2a625389647e166d5fc10ea32be3a7fba0cd05648465f7fcd74503a4a50
SHA512 b3e9a505efd3db05972eaca7dc1520c71271e62def6553105274e100928d508dc76ad22934b3249725cc1819a128dfce1ca9585825d0c882b91f83c361eceecc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d1f97cd35ccf5d0ec877559ffd28e3f4
SHA1 d9023795af191a8a9fc0571e5f7c902f7cc363f9
SHA256 533dd457315083cf1cd66ca3622fb4d9a66f97c124daea082ed64f44ce243f0a
SHA512 1232f9b2d10345f6ebabd8ce73447d17cca90792dc19dd216a9af697ea3c8934b9271034d1e02f999304473ce5ccaef65d4bff4cb7ff31c8753395444ecc4855

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a7d7b05fbce5178ee7348d950f403cf4
SHA1 9cc882e71dcee0b6161b07ba5e256e9258d54ab8
SHA256 2b908b7da994f2dfa28b23c21eaa65ee451ad6b63e72865d81fdd1623aa692e1
SHA512 1ea8e7111bd1b6c8f331a2ab9603b17110773f13d4e7ae8c630aa63238494e3885903e129dbfd37625ef5269d06aca4f10b14d90698257131b71af160518d2d4

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 10:21

Reported

2024-05-26 10:33

Platform

win7-20240221-en

Max time kernel

128s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetool.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BDDownloadExe.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\IMEBroker.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bdupdate.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetool.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetool.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetool.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bdupdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaiduPinyin = "\"C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\baidupinyin.exe\" --autorun" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BDDownloadExe.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\baiducn.ime C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
File opened for modification C:\Windows\system32\baiducn.ime C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
File created C:\Windows\SysWOW64\baiducn.ime C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\2984addf7b4844a4d26130ca9104d1bd.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File opened for modification C:\Program Files (x86)\Baidu\BaiduPinyin\IMEBroker.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\ic_quick_19.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\24a0df386b3f6816fee7cd57df89e9e4.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\773d8f8ed47cd9c1e8075ef2fec0b1b5.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\be5610f727832f3893f544ac951b321d.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\aa9901ff1020deeafec27e4eb6bd64af.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bugreport.ini C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\skinbox\images\moren.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\Notify\HtmlFuncNotify\bubbleRemind.html C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\PersonalCenter\images\medals.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\quicksetting\about_res.rdb C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\5dd2cc858b6e0b1d95cec227eb4fee3a.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\85daf75ab557a705c9ff3a41ca328c84.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\btn_90_24_disable.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\ImeConfig\maintab_bkg.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\emotion\images\common.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\939495d82b45ae98b2fe9680e7a261d4.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\ZhiNengABC.ini C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\Notify\HtmlFuncNotify\images\closeBg.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\41b866646d71194d311ee0fe608cba63.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\947c14ab6897eba55722fe71c661e4e0.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\btn_white_60_24.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\Notify\HtmlFuncNotify\htmlnotify.xml C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\syncengine.dll C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bugreport_uiplite.ini C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\5513da1d3026b0da4abaa7ff67200e11.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\rawgram.dat.tmp C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\skinbox\images\ic_setting.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\btn_bkg_24.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\Converter.dll C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bdcloud.dll C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\f18c8519fb755947d07a712fedc3050c.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\NextPage.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\btn_logo_panel_list_down.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\ImeConfig\maintab_item.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\skinbox\images\ic_back.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\emotion\js\sizzle.min.js C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\QuickInput.exe C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\dff85943e439654ad69c1229fd1a77e8.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\errorclip.dat.tmp C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\urlcompletion.dat.tmp C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\plugin\img\speechinput.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\0c5ebfe1e1276fbeaff059976a3dcb29.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\btn_white_90_30_4.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\UIPLite.dll C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\9cb299f92465ec2ca54d06ea1a8a98a4.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\plugin\img\handinput.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\Preview\quicksetting\2\skinpreview.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe.new C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\55efa667245a7d1d420d7b8d3ba89833.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyinUpdate\bdaucommon.dll C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bdupdate.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\Notify\HtmlFuncNotify\images\xiaoxijilu.jpg C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\Config\quicksetting_skin.json C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\Preview\quicksetting\5\normal.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\1569036000c6eb3c7d6873d84ebce350.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\btn_facebox_packgae_add.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\47991647d26d29601b0a93a7d3b39c17.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\c5390ddb87ab6447cf48fa31990b8fd5.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File opened for modification C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\dummydict.dat C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\tb_tips.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\plugin\img\printscreen.png C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\9a9c4c5313f12d152a3270943b9921df.png C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe N/A
File opened for modification C:\Program Files (x86)\Baidu\BaiduPinyinUpdate\bdupdate.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bdupdate.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Input Method\Hot Keys\00000100\Key Modifiers = 02c00000 C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Input Method\Hot Keys\00000100\Target IME = 040820e0 C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Input Method C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Input Method\Hot Keys C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Input Method\Hot Keys\00000100 C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Input Method\Hot Keys\00000100\Virtual Key = ba000000 C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96}\AppName = "baidupinyin.exe" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134} C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921}\Policy = "3" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883}\AppName = "IMESkinInput.exe" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96} C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95} C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93}\Policy = "3" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134}\AppName = "imetool.exe" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883}\Policy = "3" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94} C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94}\Policy = "3" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134}\Policy = "3" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921} C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91} C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95}\AppName = "quickhelp.exe" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95}\Policy = "3" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93} C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921}\AppName = "imetoolx64.exe" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883} C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91}\AppName = "imeconfig.exe" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91}\Policy = "3" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96}\Policy = "3" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93}\AppName = "pluginmgr.exe" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94}\AppName = "skinbox.exe" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload\2 = "E0200804" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Keyboard Layout\Preload C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Keyboard Layout\Preload\2 = "E0200804" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\USER\Default_User\Keyboard Layout\Preload C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\USER\DEFAULT_USER\Keyboard Layout\Preload\2 = "E0200804" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\USER\Default_User C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Keyboard Layout\Preload C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Keyboard Layout\Preload\2 = "E0200804" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\VersionIndependentProgID\ = "BaiducnAx.ScreenShotAx" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\Shell\Open\Command\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\skininst.exe \"%1\"" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE4A566E-CD2F-412A-B259-1F1965B935C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\Shell\Open\Command C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE4A566E-CD2F-412A-B259-1F1965B935C4}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\TypeLib\ = "{BE4A566E-CD2F-412A-B259-1F1965B935C4}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bcd C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx.1\ = "°Ù¶ÈÊäÈë·¨Ò»¼ü·¢Í¼" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\InprocServer32\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\BaiducnAx.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\EditFlags = "65536" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\ProgID\ = "BaiducnAx.ScreenShotAx.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\EditFlags = "65536" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\DefaultIcon\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\skininst.exe,0" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\MiscStatus\1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\ = "IScreenShotAx" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bps\ = "BaiduImeSkinFile" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE4A566E-CD2F-412A-B259-1F1965B935C4}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE4A566E-CD2F-412A-B259-1F1965B935C4}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\BdImeSkinFile C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\DefaultIcon C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\Shell C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/BaiduImeDict C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE4A566E-CD2F-412A-B259-1F1965B935C4}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\DefaultIcon C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\BdImeFile C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE4A566E-CD2F-412A-B259-1F1965B935C4}\1.0\ = "BaiducnAx 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bps C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\DefaultIcon\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\cellinst.exe,0" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\Shell\Open C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\Control C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\MiscStatus\1\ = "131473" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\ = "IScreenShotAx" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BdImeSkinFile C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{29F9A596-1256-43F4-BE7F-16C89D66550A} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\Shell\Open\ = "安装到百度输入法(&I)" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/BaiduImeDict\Extension = ".bdict" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx\CurVer\ = "BaiducnAx.ScreenShotAx.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BaiducnAx.DLL\AppID = "{29F9A596-1256-43F4-BE7F-16C89D66550A}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx\CLSID\ = "{D64016F6-4D8E-4B35-AB22-9B2060800112}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE4A566E-CD2F-412A-B259-1F1965B935C4}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BaiducnAx.DLL C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\ = "百度输入法皮肤文件" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/BaiduImeSkin C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\Shell C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE4A566E-CD2F-412A-B259-1F1965B935C4}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\Shell\Open\ = "安装到百度输入法(&I)" C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BDDownloadExe.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1228 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe
PID 1228 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe
PID 1228 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe
PID 1772 wrote to memory of 992 N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe
PID 1228 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetool.exe
PID 1036 wrote to memory of 1552 N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetool.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
PID 1228 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BDDownloadExe.exe
PID 1228 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
PID 2012 wrote to memory of 332 N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
PID 2012 wrote to memory of 1740 N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
PID 2012 wrote to memory of 1452 N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
PID 2012 wrote to memory of 2796 N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
PID 2012 wrote to memory of 796 N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe C:\Windows\system32\RegSvr32.exe
PID 2012 wrote to memory of 2776 N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
PID 1228 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe
PID 2276 wrote to memory of 2644 N/A C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe
PID 796 wrote to memory of 2716 N/A C:\Windows\system32\RegSvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe"

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe"

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe" --clean_old

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe" --quit

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --usercenter=close

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetool.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetool.exe" --moveuserdata

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --moveuserdata

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BDDownloadExe.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BDDownloadExe.exe" 1 /product=201

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --install

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --startmenuopt

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --vistataskscheduler

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --filesec

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --whitelist

C:\Windows\system32\RegSvr32.exe

RegSvr32.exe /s "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BaiducnAx.dll"

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --install-shell

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe" --quit

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --usercenter=close

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BaiducnAx.dll"

C:\Program Files (x86)\Baidu\BaiduPinyin\IMEBroker.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\IMEBroker.exe" --quit

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bdupdate.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bdupdate.exe" --installgau

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe" /u

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe" -reg

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe" -reg

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe"

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --setopt /Command/ImportSogouDict bool:true

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --setopt /Command/ImportQQDict bool:true

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --setopt /Command/CheckImeSetup str:AD

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --set-first-ime

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --fix

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe

"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --location

Network


Files

SHA512 4217349c66ee47d096d2a4c19fa408dd6f08a09a9c47cb9493b5a2faff6f3f4f0d855cf02905f24f0a8d1ce6bb1d4d561c4f69a1378b09ff473f997855ddedf2

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\thumbnail.dat

MD5 3c11f16a387925e9c088b0d819795bb4
SHA1 bf99c57feafd149b93c73fac2211b8be00b3e536
SHA256 0b07258015b5e139776c9be53965f4442bfc9d7265db93665f2a10a166fb04ce
SHA512 2a5cf1c37d3cc67709a427a5831a46218e15550054896b333c5ec9a7f6b370fb271d06696b842c2dc55947ed9dabaea5fb9bb1c859ca4132106cc02c590ab1be

\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe

MD5 2ff02072877da8f34f9af9928aa5f5b3
SHA1 d9e5bee9e783fecd13e95e2cdea37fcaa9a1cbd7
SHA256 756d55a8085e1b07695eb90db9266e98a0f0afc67ae188867eed96badc3d59ea
SHA512 9f340860dfce4f20b674d8db7ceb15af5dd618cfb6e75a154c043a16a2fd3e57a97b763cbe84a945d06ef324b11f2b6da4ec798fa536033ccf76de2a62787c1a

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MSVCR120.dll

MD5 034ccadc1c073e4216e9466b720f9849
SHA1 f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1
SHA256 86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f
SHA512 5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\msvcp120.dll

MD5 fd5cabbe52272bd76007b68186ebaf00
SHA1 efd1e306c1092c17f6944cc6bf9a1bfad4d14613
SHA256 87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608
SHA512 1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe

MD5 0ccf4e1bd3bdd1119d96bd92b89e6a76
SHA1 9b00ad3520a26a9f6e0644c2796c85d8ae54c47d
SHA256 5893e51697c153e3ef8b257cba716577b7cc3e82fd0a8fbab51189706dedfc40
SHA512 e259835f453a9d7a3ece6e9b79d087ec7d596810ed072964e38b21eca613c2321b3964ec79806269eb6abcda40aafcd9d5e82f360018cbfa1e86266baff8507e

\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetool.exe

MD5 ab89cdea049ae1fdc3d4ba269b47591d
SHA1 860a07b2cb483bfec40ed2fadfb20c7b3f8f43c7
SHA256 b3eafdf7094878fd617385db01cd4c06fbf34cc734252cd104d24e418bb84553
SHA512 22552f2d815b2e4b9bd19be63b34592412f1eae698fc71c28f6e73d690331c3aa2b8950aed160249317673a9f22f81086c5f2ff376b47b75d980fc90ca80b2fe

\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bdaucommon.dll

MD5 93bfa462ede419250bc876b2884ece05
SHA1 233a8a946f119492b8fa2b4b8993e5d3db00acfe
SHA256 6a2b893de7fbc1c0c507a35c14882236c326f553baf07409cd358308eefcb5af
SHA512 2cae7a79f3adbc23fbd7a84689321b438596bd9cec5b2bca274f0d67ae0bad7b9b984ba352256fe6079338435958e28923915d029bc4b2e52fd04dff61312245

\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imepng.dll

MD5 40e91fcd84dafcc606ccc876f991a7e6
SHA1 21e2dab15eddb84c631838e1575a72598e9355c2
SHA256 bb0258c4b7ea8543f2f5aced98081d7a973f337c57be08f294ab189d13e7c417
SHA512 dda11e19996c688090776fd3ba1428af05fb234a51947e4692b83cd11eff3ad39d7a46e481c536f0aea780c827c8169616ff74b2b9b5aadb4abab11b1e852693

\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imezlib.dll

MD5 de63b59c6697079ecc7646589deaafef
SHA1 709c2d6058556dd0f9d46ef840153249cd60d94b
SHA256 183db759881d0213aa708410c122a7373ba08dbe122343b6acf9292741108d97
SHA512 0e8493cc0f1ee0666305c06928d4811563aa07187bdb3146bf21b3446e946e6f582c7e1375f32281b259163de72a0d54b0ade097843bbfdd5ff599d444f54573

\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bdnetdll.dll

MD5 d55a908913b1f2bc2e9e0195472882f7
SHA1 627509ef0575d389e39a2dbae82e94da50346f2e
SHA256 0be32940021bce94782662b3377e2658600e0ada82ad3ce561b00a3abfdc528d
SHA512 1a500d47e0785a0467e29a4986f0dc658a9c105855d70d4c17d4a8df7d5354d808fec25f79bb507719eeb93c1a5db49a006e291b1ea4dd18049c1d94696d5eea

\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\ssleay32.dll

MD5 0f6f9f42e4dd9dcd5715955e3838ec4a
SHA1 f93a11370df53d30a84268b003fab1b8eb2a3960
SHA256 6f34c5eec35a9f5af26cd163792c53fbd30ff0d04110f6bddeeff413f8dea10a
SHA512 ecc9ba94660d2d3ea7a80e2a67e3db129e983d33697fa5da6c000a7b53c3e3a1460bedb12fc82af422f03c9e9c097335e9704dd21ae9d7b4baa78f19826c4920

\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\libeay32.dll

MD5 b8a2583697545aea9baa1383f9796368
SHA1 a8d5fa264d96e70e36461d99a44a9a39cb186730
SHA256 1f649a43e098fef9be0cbdf6f57b1afd3aa14d06c5c1aa82f5c26b769f04f141
SHA512 cbb43e7b2cee7d76ac026ec3deb9626c43d6acbc595cebd41293cc1045808a7f09da19ab64c7b0a44432281e43e4904432906f5c3dec6bb1f3c146c907fc6864

\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\libcurl.dll

MD5 60054f32651599c68fab41b220f476e0
SHA1 281a63035340db32bb7d55e009f8097546f4aa9a
SHA256 4352c68ffc4308c2e24acc19608318a52dd0a9f362f1cd2c8ff07b55ae37dde9
SHA512 daa3431d8d70b0278a13b04dc1d74b44d235296c86686fc233dcd23af963bcd5977dd97ea5546cf548e222fb43f7bba5db350f1de1c2fbefe1379c717d8e2a39

\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\IMEFREETYPE.dll

MD5 8d82ce7a07be1b62440c0cec4e170a15
SHA1 3c6d41dc25978907acff8369778b4e352d56ccc1
SHA256 c6a521c1f3c2611e063d4929fb4a2c466395d4a54a17b6c1036f9e92a0d3ede2
SHA512 033f08cc83b6bc911c5cb136e152b920cb7193b1ce6e4529a84260ed0225d814059a4a47c603070db6191a86ddef4104e3eec712bccb8f0d2d0b85050612651f

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BaiduPinyin.exe

MD5 080a1318a5e18553f622ee9498e1a99d
SHA1 8242034ceb4f3333c410478499f02885044373c2
SHA256 020f509f0c15d6c123b02e790d4d3d674a781ceeb8d6b304bcfb7d57479c5b36
SHA512 c90571a169099ad0973c090de7a1434f52bdef635730fac44029635ca91870269237595f81b6602dbb8f5cd077acafa2d36380776a3707d94fb1e8668070d1c3

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe

MD5 2456be54b003a06e0418a2e40d24d7d7
SHA1 3b05821418dd7ee9c162bad6efeab51d6ac59b91
SHA256 5a3e0a62c53dc9f5dc231a487e70120099b35c61c7a1bb259f478e642a080f1d
SHA512 79dcaee135a8ede7d8cd278b5266441ac6728b93245f17b8d305aff36d9980fe88ae9f51b5ca5776633064d47670f751ff0cd8150807030df9ff080c6957e82b

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BDDownloadExe.exe

MD5 2f5aa7abfbbf2b087f9e4dfe423bd6a1
SHA1 c54a1c7d55272efc2733eea8c92e4e5d5b88c36d
SHA256 68ed1dc5216bc98e95b938643b44160805fb9564966ba3baa515df526ce6cff0
SHA512 f296c689b22ccf8d55f385e22f29e5e7e059daa44577eba05a8e42706abae4c9292c16fc9fe44d671ffb816960e69317aa5fbafb7e0702acf4f2608c6c0db719

C:\ProgramData\Baidu\Common\Global.db

MD5 829c3e3c9b2acb6cd72830b9cd90b0fa
SHA1 52b11f87f3c554fe900a714c29b428e4cafdb760
SHA256 10a5d14955952807113652da83e32416f436161c8c9aff5a1fcc2c56d847ff43
SHA512 a733cf4879fe5c0b4b48c8bd15d276b45423d21fffdddee4421c09891605e03c63663b071acf96b5eb4fe50be7c3895852ba7b429b50d9524479d69ea7b93907

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baiducnx64.ime

MD5 385de7eb355e2b67bc8efaf1d28db78b
SHA1 f8dcd255c7160347af343bd6824640d1960a3afe
SHA256 a00392e1f6c235507cf6077f16052216de8c50ea3c601b32ea8f1e75f447d650
SHA512 95461dbb67355cd44ebe0f8ae124bd878a7588e09ef9fc682ac256a1c5c243f5d1ffcf1189f714670f4298ce8e67e6463f98bb83540652edfaddd55e3d173267

C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baiducn.ime

MD5 56385cb44bcf0b46d7b27ae70dc304f8
SHA1 f488aff961286a852fba6f887ba9369d7dbb8bbe
SHA256 1ef970a39e17a0f1188f7ea88a871a833613b0fbc5fbc028f2a29bcddba72159
SHA512 37725ad5e9599ce7db125453a4f63ead7d6648dca65ab93bb5ed6888404a04d86dfcea1d0a28ec4a005449d1246a452e03bb4a8bcf5c4bed42071cb1c2afb681

C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Account\.common\user.ini

MD5 b9b6d8a79955458ba0d79cea6e13c576
SHA1 1a4b22040821ce4401864834ebd944cac2635a01
SHA256 9e0bef1262b4ab1443125fe77a6da668625fda64a9829322004a493fe62d067c
SHA512 f70b4bda295f16121dd950fd4463ee2493f278c696f1bdff757e20d7a377fcdbdcda2346931817ca596b4b6961bf02c63fb50499471c758739f3dcb1c414b61c

C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Account\.common\Status.ini

MD5 594a495ab13f9e25f437986639e3574a
SHA1 c15ffe9884ac5e1b1765c83241be0c01dc315fbc
SHA256 b4d810cac49676bbe7afde55f2460d4ee558ccb051b873b084b1ce310660a2c3
SHA512 08917462657248b543cc2b3dc4737bea8f3dca3984df6c3bd8c505eae38c025c9f404d1e77dbb0b4bbc9b1259d2f1c9d7c8387fdc696f06e5cf585c824521719

C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Status.ini

MD5 e414c66bf2e61b60c3d80bd18e60d5bd
SHA1 d8d8637ddca0f689f474a5252615fd4ed2115da3
SHA256 15963d5145eb555c87f444dc63c8dde3dbe679d216388a2e1bfbfd9c5ba65d1b
SHA512 0bf4face902e04d1cdd2ff90e53ad48ecf1a9adc22de4d5c1805c33e2fe37456ebe33d5afc0706e866fac73e77ebe4a33188c79c5982ed0fb232104d2ce1944b

C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Account\.common\Status.ini

MD5 d817ddd97fcdc6d8bccb583a4c31103c
SHA1 eea25f55e680b736d964880f7e91fe714ca44793
SHA256 df855cef2830f4bc2f0f3a63727a7c5c60735bf4133690a097569780f666670e
SHA512 5d877b2a25f3c8d0b5cdc0e6f5a4b2fd34459ad292a1b4c85b98874eb52023ec3c48384c193a712f7c1b1e2693c08ca669efe2036d51a2ce295bca8ce5dc038c

C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Account\.common\Status.ini

MD5 36f9150171fecdee49cd0efc7890d239
SHA1 34a7504712efb5bf8e08843a9e101e474ed81a41
SHA256 0a512e04179c2262c1846bc2cd9279a1a26030fd871ef1afaad63c4a54cd4731
SHA512 ed7670510eba4aa29bac21537427cefa7bfc0ad69160ad7de1601a9d146c86c0f9ef89f829baf595ec3e047be5155974d7a2e3aa18bbd29abb5da817a27c979b

C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Status.ini

MD5 8bd681be0ff7cd577c5d410664dffbce
SHA1 6012e06eb1833a0ca1810a4271ff993713dde8ce
SHA256 b8205656ef56039f5f35e3ec4fd37ed25ba7a254d63a66b92fbdbd2962bbe407
SHA512 0e5a2502191ace453ecac113e1e6ddb4340083d47ec8457c76debc74a68d116e12839c9cf51f7bf64e1c61a5d49366f87d0c8c1cdd2294736bf5cdf47c0b12fe

C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Status.ini

MD5 7a92798fc305f1a72cc6af2d33f3468c
SHA1 f84b99ce8287a160d41ab01c07202dff03967010
SHA256 9e07548010ab6725520f656de366fcd8ee88aa1512e5b656550c520d93eee186
SHA512 eb45138fee23cbc9324986782abd6ee715151f2c2307ac8cedcf1752bfd0081cd1e22bfe0a7395b4fd4812ec6a567247e30ac3a58e0131cd05ff8b5fc504a6d5

C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Account\.common\Status.ini

MD5 989f034c6b1a2d22f560bf090528932a
SHA1 83c8a49772473c39bf248b0eccb1bc834b1f0ea8
SHA256 5642a45bf8c8767bafc5e7858ec4c316ccbd787804e38033ecf6d2f4e301490a
SHA512 664230d455327f9655c5b5d137e9ee1d87e5b740582f25827ee85dc9170406a5a12816f3d2020dadecf0f8c788b2977fae8c192c5b883fd78c8863f7bbbd8659

C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Account\.common\Status.ini

MD5 bdbc7107e98c12289350c9bf47575cc2
SHA1 b151b64ca392d0ed9d9281dc6dd099112a52206d
SHA256 781f6846e93cd61c4651bbc7ed4c10cf14dfc407517d1718a371a27fee4ba571
SHA512 282334ebe505725fb585a9b37b68accecae73f4227af620ff6e9a5a1c4c9add5adbe5b4e373bd79396329b973db0f280830b2a530dabfe6ba733b832df15f8ea

C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Status.ini

MD5 af00948cfaa2a77d44fe50c1a7eae666
SHA1 be6ef0e47be64a5d7412da71135fc52f5071f107
SHA256 6c00146d42d54816962aae488064a71b90c7199059b3ec388d802488e4e22c59
SHA512 a7079fbbd6fb3be979ddeebbab357db4f121e47478b8ba9644704f5d932adafed20c68da1d364532afe6a84660204c85fcec08692b58171ef0ae9f7552c87863

C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Status.ini

MD5 2fb267f3b3b2ebc481ef825730e26413
SHA1 d30dbc3f0292f232d2d71b38c794a65d537e0436
SHA256 8c4f021093e4bf80c751b178d41ff60f1c88ffd6f995b8ebcc3f46ec29c303c5
SHA512 b85caaa289ccb48c53f71ab966732348b7dcea40a7f8290818a72924b77bca7b0965dda882457f8065c19a771fd8a3d94edef252b3cfb8964716e1b75cdc037a

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-26 10:21

Reported

2024-05-26 10:29

Platform

win7-20240508-en

Max time kernel

120s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\insthelper.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\insthelper.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\insthelper.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 252

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-26 10:21

Reported

2024-05-26 10:35

Platform

win7-20240221-en

Max time kernel

122s

Max time network

133s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_24_\PersonalCenter\$_25_\js\common.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_24_\PersonalCenter\$_25_\js\common.js

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-26 10:21

Reported

2024-05-26 10:33

Platform

win10v2004-20240426-en

Max time kernel

144s

Max time network

159s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_24_\PersonalCenter\$_25_\js\common.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_24_\PersonalCenter\$_25_\js\common.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-26 10:21

Reported

2024-05-26 10:35

Platform

win10v2004-20240426-en

Max time kernel

135s

Max time network

156s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_24_\PersonalCenter\$_25_\js\tangram.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_24_\PersonalCenter\$_25_\js\tangram.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-26 10:21

Reported

2024-05-26 10:36

Platform

win7-20240221-en

Max time kernel

118s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BDBugReport.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BDBugReport.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BDBugReport.exe

"C:\Users\Admin\AppData\Local\Temp\BDBugReport.exe"

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-26 10:21

Reported

2024-05-26 10:34

Platform

win7-20240215-en

Max time kernel

122s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Src\Protocol.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1840 wrote to memory of 2324 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1840 wrote to memory of 2324 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1840 wrote to memory of 2324 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1840 wrote to memory of 2324 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1840 wrote to memory of 2324 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1840 wrote to memory of 2324 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1840 wrote to memory of 2324 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Src\Protocol.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Src\Protocol.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-26 10:21

Reported

2024-05-26 10:29

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

161s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Src\Report.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1888 wrote to memory of 3144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1888 wrote to memory of 3144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1888 wrote to memory of 3144 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Src\Report.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Src\Report.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-26 10:21

Reported

2024-05-26 10:34

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\insthelper.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2756 wrote to memory of 436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2756 wrote to memory of 436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2756 wrote to memory of 436 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\insthelper.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\insthelper.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 436 -ip 436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 640

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-26 10:21

Reported

2024-05-26 10:35

Platform

win7-20240221-en

Max time kernel

122s

Max time network

128s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_24_\PersonalCenter\$_25_\js\tangram.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_24_\PersonalCenter\$_25_\js\tangram.js

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-26 10:21

Reported

2024-05-26 10:33

Platform

win7-20240221-en

Max time kernel

122s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$R0\$R0\BaiduPinyinWin10Setup.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$R0\$R0\BaiduPinyinWin10Setup.exe

"C:\Users\Admin\AppData\Local\Temp\$R0\$R0\BaiduPinyinWin10Setup.exe"

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-26 10:21

Reported

2024-05-26 10:30

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

160s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_24_\PersonalCenter\$_25_\js\config.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_24_\PersonalCenter\$_25_\js\config.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-26 10:21

Reported

2024-05-26 10:35

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BDBugReport.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BDBugReport.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BDBugReport.exe

"C:\Users\Admin\AppData\Local\Temp\BDBugReport.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-26 10:21

Reported

2024-05-26 10:34

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BDBugReportx64.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BDBugReportx64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BDBugReportx64.exe

"C:\Users\Admin\AppData\Local\Temp\BDBugReportx64.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-26 10:21

Reported

2024-05-26 10:36

Platform

win10v2004-20240226-en

Max time kernel

155s

Max time network

177s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe

"C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2756 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 szcloud.baidu.com udp
CN 111.206.209.92:80 szcloud.baidu.com tcp
CN 111.206.209.92:80 szcloud.baidu.com tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-26 10:21

Reported

2024-05-26 10:34

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chkm.dll,#1

Signatures

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4584 wrote to memory of 3652 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4584 wrote to memory of 3652 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4584 wrote to memory of 3652 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chkm.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chkm.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-26 10:21

Reported

2024-05-26 10:31

Platform

win7-20231129-en

Max time kernel

121s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_24_\PersonalCenter\$_25_\js\achievement.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_24_\PersonalCenter\$_25_\js\achievement.js

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-26 10:21

Reported

2024-05-26 10:29

Platform

win10v2004-20240508-en

Max time kernel

136s

Max time network

164s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\reportsetup.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1656 wrote to memory of 4572 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1656 wrote to memory of 4572 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1656 wrote to memory of 4572 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\reportsetup.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\reportsetup.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4572 -ip 4572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 640

Network

Country Destination Domain Proto
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 224.162.46.104.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-26 10:21

Reported

2024-05-26 10:31

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

168s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\$_24_\PersonalCenter\$_25_\index.html

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4936 wrote to memory of 2692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 2692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 3180 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 3180 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 4576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 4576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 4576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 4576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 4576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 4576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 4576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 4576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 4576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 4576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 4576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 4576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 4576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 4576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 4576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 4576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 4576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 4576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 4576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4936 wrote to memory of 4576 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\$_24_\PersonalCenter\$_25_\index.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x7c,0x108,0x7ff85b8b46f8,0x7ff85b8b4708,0x7ff85b8b4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,2146784046939869232,1761530892384035602,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,2146784046939869232,1761530892384035602,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,2146784046939869232,1761530892384035602,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2146784046939869232,1761530892384035602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2146784046939869232,1761530892384035602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2146784046939869232,1761530892384035602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2146784046939869232,1761530892384035602,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2146784046939869232,1761530892384035602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2146784046939869232,1761530892384035602,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,2146784046939869232,1761530892384035602,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,2146784046939869232,1761530892384035602,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,2146784046939869232,1761530892384035602,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3188 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4158365912175436289496136e7912c2
SHA1 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
SHA256 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
SHA512 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

\??\pipe\LOCAL\crashpad_4936_WWNUOEOEHHWVCJLA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ce4c898f8fc7601e2fbc252fdadb5115
SHA1 01bf06badc5da353e539c7c07527d30dccc55a91
SHA256 bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
SHA512 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7683680866de1fe57bf138ad1503d9bd
SHA1 712fbe87a5470d8929e5a0128b0467902974668d
SHA256 2e89c67d8b0c6d2bac8384158c6214802801ed137fe1a09b5cf42ae6f714ca5d
SHA512 b94764f0e32b82b6d9d5f888cea857a53ed5ee874d5799f3e8ed06b9a64914e7603d8dff2cebacb76d9496421b24654dbf689c628f0cf8ca58de436f8e88ba75

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 add01937fe4c8e1b5395fa578108a24c
SHA1 853421059d8e9f9d2141448799a91e82ed27f376
SHA256 a0d1a57fd43d169a54565c51b2b73f8c16211299231eb0fa97a8fc8d8a2e2835
SHA512 b142902d51915dc33c1b94bbfb1071ecda87e54a0dda750e595bd32296b46a200598a167d9568034d470760c04b2f035f9cd37cc328189a54b8393d154e5f717

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 929f0f771e2412274f33192ea13006cc
SHA1 f7116a0f680eba0f108d115538b0bbc930e9480c
SHA256 71ca193c63789fd05d78a86ad690b93dc58bcc19b1cb44cc9b2737be12316be9
SHA512 b47f68073d0f084f7f160af3ab6bfbd33cb15158cb90aa8d16994aec2adf47c9b1fca37cd3f3e7a45253849d4f993008af61ebbce748bdc4c21fd4f6419d7af3

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-26 10:21

Reported

2024-05-26 10:29

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

165s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_24_\PersonalCenter\$_25_\js\achievement.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_24_\PersonalCenter\$_25_\js\achievement.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-26 10:21

Reported

2024-05-26 10:36

Platform

win7-20240508-en

Max time kernel

119s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe

"C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 szcloud.baidu.com udp
CN 111.206.209.92:80 szcloud.baidu.com tcp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-26 10:21

Reported

2024-05-26 10:32

Platform

win7-20240419-en

Max time kernel

119s

Max time network

133s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_24_\PersonalCenter\$_25_\js\config.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\$_24_\PersonalCenter\$_25_\js\config.js

Network

N/A

Files

N/A