Analysis Overview
SHA256
0d4e910847a8da89c1a61e75ddd8db232083e735486178457c547e6a3958dcc1
Threat Level: Shows suspicious behavior
The file 752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Registers COM server for autorun
Loads dropped DLL
Executes dropped EXE
Checks installed software on the system
Writes to the Master Boot Record (MBR)
Adds Run key to start application
Drops file in System32 directory
Drops file in Program Files directory
Program crash
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Modifies data under HKEY_USERS
Modifies Control Panel
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Modifies Internet Explorer settings
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-26 10:22
Signatures
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:31
Platform
win10v2004-20240508-en
Max time kernel
144s
Max time network
172s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4896 wrote to memory of 3900 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4896 wrote to memory of 3900 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4896 wrote to memory of 3900 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Src\Protocol.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Src\Protocol.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:28
Platform
win7-20240508-en
Max time kernel
122s
Max time network
135s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3068 wrote to memory of 2196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3068 wrote to memory of 2196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3068 wrote to memory of 2196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3068 wrote to memory of 2196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3068 wrote to memory of 2196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3068 wrote to memory of 2196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3068 wrote to memory of 2196 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Src\Report.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Src\Report.dll,#1
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:31
Platform
win7-20231129-en
Max time kernel
118s
Max time network
126s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 220
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:30
Platform
win10v2004-20240426-en
Max time kernel
142s
Max time network
169s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3432 wrote to memory of 924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3432 wrote to memory of 924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3432 wrote to memory of 924 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 924 -ip 924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 616
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.79.70.13.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:31
Platform
win7-20240220-en
Max time kernel
120s
Max time network
131s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\reportsetup.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\reportsetup.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 224
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:33
Platform
win10v2004-20240508-en
Max time kernel
130s
Max time network
172s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$R0\$R0\BaiduPinyinWin10Setup.exe
"C:\Users\Admin\AppData\Local\Temp\$R0\$R0\BaiduPinyinWin10Setup.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:35
Platform
win7-20240221-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BDBugReportx64.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\BDBugReportx64.exe
"C:\Users\Admin\AppData\Local\Temp\BDBugReportx64.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:30
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
154s
Command Line
Signatures
Executes dropped EXE
Loads dropped DLL
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\InProcServer32\ = "C:\\Windows\\system32\\baiducnTSF.dll" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\InProcServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\InProcServer32 | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\InProcServer32\ = "C:\\Windows\\system32\\baiducnTSF.dll" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\InProcServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\InProcServer32 | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaiduPinyin = "\"C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\baidupinyin.exe\" --autorun" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaiduPinyin = "\"C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\baidupinyin.exe\" --autorun" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
Checks installed software on the system
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BDDownloadExe.exe | N/A |
Drops file in System32 directory
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\ime_skin_thumb_0.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\QuickInput.exe | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\5823ad64c517d9214da2b4f5891cb8c0.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\btn_logo_panel_list_down.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\ime_skin_thumb_1.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\PersonalCenter\css\style.css | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\quickhelp.exe | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\4bb89b649344ae236145981a282ac8c9.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\toolwindow\tb_jieping.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\90fdae7bdd452083f27372799c5a31f2.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\btn_white_90_30.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\Preview\quicksetting\1\skinpreview.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\Baiducnx64.ime | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bugreport_bdfaceimp.ini | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\6ee778accda04860ddcf53f65cd9ca83.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\78dfc796e4a99118f7ef0a8a05cd41be.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\SysImg\notify\bdpinyin_new.ico | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\bg_facebox_white.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\ic_quick_10.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\ImeConfig\maintab_bkg.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\plugin\img\zmbaidu.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\85daf75ab557a705c9ff3a41ca328c84.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\9bbab073de56765c42a031fc6ed4a554.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\ca290b3c6e88957d0c0b24c483f0fbf5.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\cc358560120f0bedee57f8ab748071eb.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\d11447267773853a100806edd06abd7b.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\0bc354bed69bc75690ccfea355712e11.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\3dfeff82b394f764dbf5ebc348bbd8af.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\6f1252010438615fe023b8157578e25e.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\SysImg\updatebanner.bmp | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\skinbox\images\infor.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\PersonalCenter\js\tangram.js | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\Preview\quicksetting\3\horver.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\syncengine.dll | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\skinbox\images\qingxinlv.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\PersonalCenter\images\btn_min.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\toolwindow\tb_geren.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\0e38445364fa27928f416c41860975c0.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\4ef77ad90f85b9d5faa90e2b1d2b8a54.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\b014567339a200eba7d447e263c190b5.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\toolwindow\tb_note.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imezlib.dll | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\btn_logo_panel_settingcenter.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\ic_quick_4.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\toolwindow\tb_shenma.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\1a43a493cdaa0cd9084e40d3921f35e4.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\radiobox.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\toolwindow\btn_setting.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\0b62d7e3ff7fa859e62baeff6761a301.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\1a9f2044a290af7fd8d0086544be2732.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\btn_login_reload.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\icon_logo_panel_avatar.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\toolwindow\tb_calendar.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\skinbox\images\default.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\55efa667245a7d1d420d7b8d3ba89833.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\dummydict.dat | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\quicksetting\config_res.rdb | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\089a723c8ada53878f1985f41dc9f044.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\a5bbf9a04af264a8e6802a2e2df1bd42.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\skinbox\images\checkbox_uncheck.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\skinbox\images\ic_delect.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skinbox.exe | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\db6ce587368cff26f4521b0e9643cfe4.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\be5610f727832f3893f544ac951b321d.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134}\Policy = "3" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96}\AppName = "baidupinyin.exe" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94}\Policy = "3" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96} | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921} | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96}\AppName = "baidupinyin.exe" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95}\AppName = "quickhelp.exe" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93}\AppName = "pluginmgr.exe" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94}\AppName = "skinbox.exe" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134}\AppName = "imetool.exe" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91}\AppName = "imeconfig.exe" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93} | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921}\Policy = "3" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96} | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91} | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93}\Policy = "3" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94} | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883} | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95} | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96}\Policy = "3" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134}\Policy = "3" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921} | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883} | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921}\Policy = "3" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95} | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921}\AppName = "imetoolx64.exe" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93}\Policy = "3" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883}\AppName = "IMESkinInput.exe" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91}\Policy = "3" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883}\AppName = "IMESkinInput.exe" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91}\Policy = "3" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134}\AppName = "imetool.exe" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134} | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921}\AppName = "imetoolx64.exe" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95}\Policy = "3" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883}\Policy = "3" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134} | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93} | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95}\AppName = "quickhelp.exe" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93}\AppName = "pluginmgr.exe" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94} | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91} | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96}\Policy = "3" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91}\AppName = "imeconfig.exe" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94}\Policy = "3" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95}\Policy = "3" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94}\AppName = "skinbox.exe" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883}\Policy = "3" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\ = "中文(简体) - 百度输入法" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE4A566E-CD2F-412A-B259-1F1965B935C4}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\Shell | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\InProcServer32\ = "C:\\Windows\\SysWow64\\baiducnTSF.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/BaiduImeSkin\Extension = ".bps" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\MiscStatus | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\ToolboxBitmap32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\MiscStatus | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.bps | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\Shell\ = "Open" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\Shell\Open | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\MiscStatus\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bps | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\Shell\Open\Command\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\skininst.exe \"%1\"" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx.1\CLSID\ = "{D64016F6-4D8E-4B35-AB22-9B2060800112}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\MiscStatus\1\ = "131473" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BdImeFile | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\Shell | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF} | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\VersionIndependentProgID\ = "BaiducnAx.ScreenShotAx" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\InprocServer32\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\BaiducnAx.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx\CurVer\ = "BaiducnAx.ScreenShotAx.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BaiducnAx.DLL\AppID = "{29F9A596-1256-43F4-BE7F-16C89D66550A}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\BdImeFile | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\ = "百度输入法皮肤文件" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\DefaultIcon\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\skininst.exe,0" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\MiscStatus\1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\BdImeSkinFile | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\DefaultIcon | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BaiducnAx.DLL | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE4A566E-CD2F-412A-B259-1F1965B935C4}\1.0\0\win32\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\BaiducnAx.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\ = "IScreenShotAx" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/BaiduImeDict\Extension = ".bdict" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\ProgID\ = "BaiducnAx.ScreenShotAx.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.bcd | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\ = "中文(简体) - 百度输入法" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\ProgID\ = "BaiducnAx.ScreenShotAx.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF} | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx\CLSID\ = "{D64016F6-4D8E-4B35-AB22-9B2060800112}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\InProcServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\TypeLib\ = "{BE4A566E-CD2F-412A-B259-1F1965B935C4}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\MiscStatus | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE4A566E-CD2F-412A-B259-1F1965B935C4}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\ = "IScreenShotAx" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\BaiducnAx.dll, 102" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\MiscStatus\1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE4A566E-CD2F-412A-B259-1F1965B935C4}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bcd | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\ = "百度输入法分类词库" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\Shell\Open\ = "安装到百度输入法(&I)" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\Shell\Open\Command\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\cellinst.exe \"%1\"" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe"
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe"
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe" --clean_old
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe" --quit
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --usercenter=close
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetool.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetool.exe" --moveuserdata
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --moveuserdata
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BDDownloadExe.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BDDownloadExe.exe" 1 /product=201
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --install
C:\Windows\SYSTEM32\RegSvr32.exe
RegSvr32.exe /s "C:\Windows\SysWOW64\baiducnTSF.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Windows\SysWOW64\baiducnTSF.dll"
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --startmenuopt
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --vistataskscheduler
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --filesec
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --whitelist
C:\Windows\SYSTEM32\RegSvr32.exe
RegSvr32.exe /s "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BaiducnAx.dll"
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --install-shell
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe" --quit
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BaiducnAx.dll"
C:\Program Files (x86)\Baidu\BaiduPinyin\IMEBroker.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\IMEBroker.exe" --quit
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --usercenter=close
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bdupdate.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bdupdate.exe" --installgau
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe" /u
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe" -reg
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe" -reg
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe"
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --setopt /Command/ImportSogouDict bool:true
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --setopt /Command/ImportQQDict bool:true
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --setopt /Command/CheckImeSetup str:AD
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --set-first-ime
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --fix
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --location
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --install
C:\Windows\SYSTEM32\RegSvr32.exe
RegSvr32.exe /s "C:\Windows\SysWOW64\baiducnTSF.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Windows\SysWOW64\baiducnTSF.dll"
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --startmenuopt
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --vistataskscheduler
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --filesec
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --whitelist
C:\Windows\SYSTEM32\RegSvr32.exe
RegSvr32.exe /s "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BaiducnAx.dll"
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --install-shell
C:\Program Files (x86)\Baidu\BaiduPinyin\IMEBroker.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\IMEBroker.exe" --quit
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BaiducnAx.dll"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | d.s.baidu.com | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stat.client.baidu.com | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | szcloud.baidu.com | udp |
| CN | 111.206.209.92:80 | szcloud.baidu.com | tcp |
| US | 8.8.8.8:53 | d.s.baidu.com | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stat.client.baidu.com | udp |
| US | 8.8.8.8:53 | tips.ime.baidu.com | udp |
| CN | 103.211.221.165:80 | tips.ime.baidu.com | tcp |
| US | 8.8.8.8:53 | listupdate.ime.baidu.com | udp |
| CN | 121.228.183.250:80 | listupdate.ime.baidu.com | tcp |
| CN | 121.228.183.250:80 | listupdate.ime.baidu.com | tcp |
| CN | 111.206.209.92:80 | szcloud.baidu.com | tcp |
| CN | 121.228.183.250:80 | listupdate.ime.baidu.com | tcp |
| US | 8.8.8.8:53 | d.s.baidu.com | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| CN | 121.228.183.250:80 | listupdate.ime.baidu.com | tcp |
| US | 8.8.8.8:53 | shurufa.baidu.com | udp |
| US | 8.8.8.8:53 | a.galileo.baidu.com | udp |
| CN | 121.228.183.250:80 | listupdate.ime.baidu.com | tcp |
| CN | 121.228.183.250:80 | listupdate.ime.baidu.com | tcp |
| CN | 121.228.183.250:80 | listupdate.ime.baidu.com | tcp |
| US | 8.8.8.8:53 | stat.client.baidu.com | udp |
| US | 8.8.8.8:53 | api.ime.baidu.com | udp |
| US | 8.8.8.8:53 | iploc.client.baidu.com | udp |
| CN | 1.71.157.48:80 | a.galileo.baidu.com | tcp |
| CN | 1.71.157.48:80 | a.galileo.baidu.com | tcp |
| CN | 111.206.209.92:80 | api.ime.baidu.com | tcp |
| CN | 103.211.221.165:80 | api.ime.baidu.com | tcp |
| CN | 103.211.221.165:80 | api.ime.baidu.com | tcp |
| CN | 220.181.107.232:80 | iploc.client.baidu.com | tcp |
| US | 8.8.8.8:53 | d.s.baidu.com | udp |
| CN | 111.206.209.92:80 | api.ime.baidu.com | tcp |
| CN | 111.206.209.92:80 | api.ime.baidu.com | tcp |
| CN | 1.71.157.48:80 | a.galileo.baidu.com | tcp |
| CN | 103.211.221.165:80 | api.ime.baidu.com | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| CN | 103.211.221.165:80 | api.ime.baidu.com | tcp |
| US | 8.8.8.8:53 | d.s.baidu.com | udp |
| US | 8.8.8.8:53 | d.s.baidu.com | udp |
| US | 8.8.8.8:53 | d.s.baidu.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsb63BD.tmp\reportsetup.dll
| MD5 | 52c3b9ac0484ece3b524a9526272f88e |
| SHA1 | c07268de6a13290acbf58ec5ef75e2468533d791 |
| SHA256 | 210876c0ff70ffaa88a05f9ef794a96136549f4168e940e256fb4ac85b0fff71 |
| SHA512 | da7710404e5630509eeaf9e318e2a4a2d9c4f269aee6cdce5d2a8f128094e7c92940312fda9913f5c44dce5159b59159f40137ddb2e7975e450f30c6a7b24f47 |
C:\Users\Admin\AppData\Local\Temp\nsb63BD.tmp\System.dll
| MD5 | 35d7b29c3ed690a8b0cd323917677b42 |
| SHA1 | ad74d2babe09f94838e408c8f9f77b6b56c644f5 |
| SHA256 | 714bd22a836a7f164b848541b8bf8ac80a20ff38e10e412bf9ef518620a80b8c |
| SHA512 | abc6f37b7306de737adf998607e81304ecc1589ac8e3164651b237def11b424a190e84608f4f6ce44a63ce225d93be7c617a736c82fb6b9077c5222c2e17b67d |
C:\Users\Admin\AppData\Local\Temp\nsb63BD.tmp\insthelper.dll
| MD5 | 8bcd300c69b67e78b09cf07aecfa14fb |
| SHA1 | d92bdb71d8b8477a3f0838360191aecc459a3c09 |
| SHA256 | d62d59db60544bd44db6d710f3b6d48608bee022d908dc46d16885e79dd1ca0d |
| SHA512 | 393667c3423ed6defeca5c7c51c3244106ebb737398b34822a38edf9fa68cead72016a77c29d4f47d0c5c784c6339e8080d3b35eb17d325658a951c464951cf4 |
C:\Users\Admin\AppData\Local\Temp\nsb63BD.tmp\chkm.dll
| MD5 | 3b8308f1dba641b49a642fa6d92f3451 |
| SHA1 | a11164e08bd9c594b6d608c51a2428a4c6b555a2 |
| SHA256 | 2061a94b4d34a77f935f95a3741f917c91b27d0e1585c2ee2f8e00806b671db7 |
| SHA512 | dc089fc2bb43ccfcca8748013636e8d249cd91e1b08b30358d00df0decaec5782d2af85274e7b70784d4e58c934dfe5112fdcb4006de2a5dbe9c76dae9ed1f81 |
C:\Users\Admin\AppData\Local\Temp\nsb63BD.tmp\Src\Report.dll
C:\Users\Admin\AppData\Local\Temp\nsb63BD.tmp\Src\Protocol.dll
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\dummygram.dat
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\rawdict.dat
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\rawgram.dat
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\engraw.dat
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\thumbnail.dat
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\msvcr120.dll
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\msvcp120.dll
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\libcurl.dll
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\ssleay32.dll
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\libeay32.dll
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imepng.dll
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BaiduPinyin.exe
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetool.exe
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\IMEFREETYPE.dll
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imezlib.dll
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bdnetdll.dll
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bdaucommon.dll
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BDDownloadExe.exe
C:\ProgramData\Baidu\Common\Global.db
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baiducn.ime
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baiducnx64.ime
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baiducnTSFx64.dll
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baiducnTSF.dll
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\autoupdate.ini
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\app.ini
C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\common.ini
C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Account\.common\Status.ini
C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Account\.common\Status.ini
C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Status.ini
C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Status.ini
C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Status.ini
C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Account\.common\Status.ini
C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Account\.common\Status.ini
C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Account\.common\Status.ini
C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Status.ini
C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Account\.common\Status.ini
C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Status.ini
C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Status.ini
C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Account\.common\Status.ini
C:\Program Files (x86)\Baidu\BaiduPinyin\IMEBroker.exe
C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPinyin\Status.ini
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:31
Platform
win7-20240220-en
Max time kernel
123s
Max time network
134s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1740 wrote to memory of 2188 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1740 wrote to memory of 2188 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1740 wrote to memory of 2188 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1740 wrote to memory of 2188 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1740 wrote to memory of 2188 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1740 wrote to memory of 2188 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1740 wrote to memory of 2188 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chkm.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chkm.dll,#1
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:29
Platform
win7-20240508-en
Max time kernel
121s
Max time network
139s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value removed) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422881054" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000ba705129dad0ddb39220aa48f3b64c31d9355fe52dddb6a34084a9e03d937e63000000000e8000000002000020000000ba9b94d9b7cf2930880687ebed746a3a26db01e42b0aa6dd2ce7171438096433200000000f8aee2430148584b6fa1f56083da4deaf72710ceb45b76684f534aba0c4c59a400000007d50726c84251943993d75f4ca5680b6930c38483fd8870ef2f031394d66b04f3e89f8e8237378653fe26197a86f274184a9b7bcfb7c7f50cbba3c290a726b67 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0e3543d57afda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{68298C91-1B4A-11EF-86BF-CE57F181EBEB} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2132 wrote to memory of 2704 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2132 wrote to memory of 2704 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2132 wrote to memory of 2704 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2132 wrote to memory of 2704 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\$_24_\PersonalCenter\$_25_\index.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2132 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab5D21.tmp
C:\Users\Admin\AppData\Local\Temp\Tar5DB0.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f80a154120aa95119b696a82cbeee1ff |
| SHA1 | 4de61ac4625aec625d2f927682c064af703b7165 |
| SHA256 | 5fb2c94e7fa67e82c2be9499f1bf0b23852a705daff63c700573642f082bb932 |
| SHA512 | b0b419099776e972d94694716f2863e98c13816d4de27225870b6003518780b671f8341dc875ba93a119cac92a0b5df28d654e0b0a1920a20145100dc3391f21 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0763b865e691b6fb105093cbb848c715 |
| SHA1 | dc0f56d96306fc3510d645623f62d94820f48a5f |
| SHA256 | d34aa2af2904018c10718059338f1e078de9622716e7f1690b946968db9589c3 |
| SHA512 | ceca95a5ba033a2f5001469d25c08fbb20052e086ab35d9fa28b9b138465a8ba0dd7913bc83ceea173bdc08d4ad652d692dd708637cdac1f32784425d4c47d57 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3b558faf48269f082154b96cec6a74f4 |
| SHA1 | bc2a4f73e791175a7e43ad0258076c6efb3464a2 |
| SHA256 | 994579d9a2f80fc1aad3e97592dda8ef87066589f19211a84ca9d8571853298e |
| SHA512 | 04fbf1c08f4ac728366e1a5fc4aa732949ee2633614bc4899f7836c11b8a10088226a96b10df479479d5961c80a8730804058570f081f11bac04e25b679787d6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1040911b85b452aa6305405e5ce0f994 |
| SHA1 | b9f271611db09cbf743a263ecaedb5e49a2aabe6 |
| SHA256 | 609cb8e0ae346d042308597e1cf0a35ecf44fc5957cce8c91f6b23e44f5f1d2c |
| SHA512 | d08c280a4417acd72d15c4a5fa14e6e374e613f82af3fcc387c3c3e24440d9beae1ff057eff9a67cb4134e3af53c9787d12b8be3718679a3442f819d28cc0d7b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8fe7bf377c36c86671a0e1cc0b687c01 |
| SHA1 | 46ac58bca2f4c4a7747b859800c9afecad2c485c |
| SHA256 | 1195ccb466d794ce3bb92473627ab307461d211107a445fe646770064f95d04a |
| SHA512 | 2aea44ecd49c0c88a81ec01fea5ac9f0f0f175884449945b5d0fc6f1673293ef9e589fb8684e0dfe7c1ad87fa0dbc95aa1f78797174bd9d1aa86476c2e21233b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 481cbd260feebde769fe1c26c14d7c7a |
| SHA1 | 8749860b58db16e609787f66bbff773eb5bd8082 |
| SHA256 | 95f35d071da41b6015d077f8b5df5c51f4bc3d0fd62793d8566ebf011cc6d698 |
| SHA512 | cf44bfbe7981991c8c6a331051e6698404c2782835ff298d04e07afaf5b4a4ea810badef98faa2076ebfb983f236c7992689236839be3d1042135a4260b1b28f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b868c18c33c4202c796a2a2b4cadb748 |
| SHA1 | 5651d18acf495605b82d69beb7be05381c83a491 |
| SHA256 | 13ede31e99d2d97ba04ce9241d9ad6880e6463e7db929e53ca79059f960de547 |
| SHA512 | 56e0ea47c96825b04a6d5771e4d5dc65b4e8c2c7ec9644431dd8b31a99fccdd64e491edbb6dc34938037584a288088329d466715c0133f7bf2de3caf8a26662c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 60a1d0ff9b43162b2bedfb6ea3fa88dc |
| SHA1 | 0188bffe2639ea2576f28e77416c463f0fcda808 |
| SHA256 | 38bb93df05f7a852fc90f22f326838e764d246dd9fa2ad75218f7c042991c2c3 |
| SHA512 | 168291189fe4653de314d64e45290b14bd764f7f8ab44ef0de7a92fddc50b6f41c7dc9293c7ba82f8ef861585766592bba180fa5e6e32c2e7a34a7931bcb3f3d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2fd7b3e7727556e4895e606ef5aa10ac |
| SHA1 | 58cd054978e072685ae4aad89122feecc4d57187 |
| SHA256 | b5c04a4a77c971847698ab6a0b7e0c18b8607d34f27ec8184e6915633e3db8b9 |
| SHA512 | 4ced68a58b7380261f7dd367188fa96cf8fb8d9a00eabb9baeaaff9f39c546c14afdb1e327fc43e3c3cf2378f2ca701d46b61eac8fc44b811adb670487d8ab37 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2904d5fa3474ab9234b5d745dbea211b |
| SHA1 | 2edb6e1ee490552a5a525a3880b2dce44a8afb16 |
| SHA256 | 7292fd35695c3aacaaf6e5eeb701a618d593adf4f84112048b092f583e8d8d7c |
| SHA512 | 9ab4eb77072cecb3c8b16f8d983066928875b0bace0aaf55cba9cddc9ff7bbf08f4ac09713467ce2b29e8c8ce405caa236e1c72e007972ca8161400d3a8152c1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7a9fb73f64309f931f33c7c8519d1b4e |
| SHA1 | f9e77e28f3b02eff0201f474f79991b62bfd938e |
| SHA256 | 1e0e177ecec483eed76fdcda8a82bb3b1aabba44604e9570027192890c0ea3b6 |
| SHA512 | bf6f091c18a765a8b55f53e69a1352dc69514b6132697e2ceca04087c140aeabf6594a01df3a27a2bfabf4ce9f816d9ec9a069087d4e4bac3b612bc5375920e1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6f5e49376083f658caee4f5071feb566 |
| SHA1 | e5becf94069071ab191dc26d0fb135ac7ba8252c |
| SHA256 | ecfaa2a625389647e166d5fc10ea32be3a7fba0cd05648465f7fcd74503a4a50 |
| SHA512 | b3e9a505efd3db05972eaca7dc1520c71271e62def6553105274e100928d508dc76ad22934b3249725cc1819a128dfce1ca9585825d0c882b91f83c361eceecc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d1f97cd35ccf5d0ec877559ffd28e3f4 |
| SHA1 | d9023795af191a8a9fc0571e5f7c902f7cc363f9 |
| SHA256 | 533dd457315083cf1cd66ca3622fb4d9a66f97c124daea082ed64f44ce243f0a |
| SHA512 | 1232f9b2d10345f6ebabd8ce73447d17cca90792dc19dd216a9af697ea3c8934b9271034d1e02f999304473ce5ccaef65d4bff4cb7ff31c8753395444ecc4855 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a7d7b05fbce5178ee7348d950f403cf4 |
| SHA1 | 9cc882e71dcee0b6161b07ba5e256e9258d54ab8 |
| SHA256 | 2b908b7da994f2dfa28b23c21eaa65ee451ad6b63e72865d81fdd1623aa692e1 |
| SHA512 | 1ea8e7111bd1b6c8f331a2ab9603b17110773f13d4e7ae8c630aa63238494e3885903e129dbfd37625ef5269d06aca4f10b14d90698257131b71af160518d2d4 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:33
Platform
win7-20240221-en
Max time kernel
128s
Max time network
133s
Command Line
Signatures
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaiduPinyin = "\"C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\baidupinyin.exe\" --autorun" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
Checks installed software on the system
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BDDownloadExe.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\baiducn.ime | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| File opened for modification | C:\Windows\system32\baiducn.ime | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| File created | C:\Windows\SysWOW64\baiducn.ime | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\2984addf7b4844a4d26130ca9104d1bd.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Baidu\BaiduPinyin\IMEBroker.exe | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\ic_quick_19.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\24a0df386b3f6816fee7cd57df89e9e4.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\773d8f8ed47cd9c1e8075ef2fec0b1b5.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\be5610f727832f3893f544ac951b321d.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\aa9901ff1020deeafec27e4eb6bd64af.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bugreport.ini | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\skinbox\images\moren.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\Notify\HtmlFuncNotify\bubbleRemind.html | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\PersonalCenter\images\medals.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\quicksetting\about_res.rdb | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\5dd2cc858b6e0b1d95cec227eb4fee3a.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\85daf75ab557a705c9ff3a41ca328c84.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\btn_90_24_disable.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\ImeConfig\maintab_bkg.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\emotion\images\common.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\939495d82b45ae98b2fe9680e7a261d4.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\ZhiNengABC.ini | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\Notify\HtmlFuncNotify\images\closeBg.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\41b866646d71194d311ee0fe608cba63.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\947c14ab6897eba55722fe71c661e4e0.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\btn_white_60_24.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\Notify\HtmlFuncNotify\htmlnotify.xml | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\syncengine.dll | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bugreport_uiplite.ini | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\5513da1d3026b0da4abaa7ff67200e11.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\rawgram.dat.tmp | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\skinbox\images\ic_setting.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\btn_bkg_24.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\Converter.dll | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bdcloud.dll | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\f18c8519fb755947d07a712fedc3050c.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\NextPage.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\btn_logo_panel_list_down.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\ImeConfig\maintab_item.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\skinbox\images\ic_back.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\emotion\js\sizzle.min.js | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\QuickInput.exe | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\dff85943e439654ad69c1229fd1a77e8.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\errorclip.dat.tmp | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\urlcompletion.dat.tmp | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\plugin\img\speechinput.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\0c5ebfe1e1276fbeaff059976a3dcb29.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\btn_white_90_30_4.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\UIPLite.dll | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\9cb299f92465ec2ca54d06ea1a8a98a4.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\plugin\img\handinput.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\Preview\quicksetting\2\skinpreview.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe.new | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\55efa667245a7d1d420d7b8d3ba89833.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyinUpdate\bdaucommon.dll | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bdupdate.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\Notify\HtmlFuncNotify\images\xiaoxijilu.jpg | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\Config\quicksetting_skin.json | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\Preview\quicksetting\5\normal.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\1569036000c6eb3c7d6873d84ebce350.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\btn_facebox_packgae_add.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\47991647d26d29601b0a93a7d3b39c17.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\c5390ddb87ab6447cf48fa31990b8fd5.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\dummydict.dat | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\tb_tips.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\plugin\img\printscreen.png | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\9a9c4c5313f12d152a3270943b9921df.png | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Baidu\BaiduPinyinUpdate\bdupdate.exe | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bdupdate.exe | N/A |
Enumerates physical storage devices
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Input Method\Hot Keys\00000100\Key Modifiers = 02c00000 | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Input Method\Hot Keys\00000100\Target IME = 040820e0 | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Input Method | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Input Method\Hot Keys | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Input Method\Hot Keys\00000100 | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Input Method\Hot Keys\00000100\Virtual Key = ba000000 | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96}\AppName = "baidupinyin.exe" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134} | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921}\Policy = "3" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883}\AppName = "IMESkinInput.exe" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96} | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95} | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93}\Policy = "3" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134}\AppName = "imetool.exe" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883}\Policy = "3" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94} | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94}\Policy = "3" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134}\Policy = "3" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921} | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91} | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95}\AppName = "quickhelp.exe" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95}\Policy = "3" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93} | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921}\AppName = "imetoolx64.exe" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883} | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91}\AppName = "imeconfig.exe" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91}\Policy = "3" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96}\Policy = "3" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93}\AppName = "pluginmgr.exe" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94}\AppName = "skinbox.exe" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload\2 = "E0200804" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Keyboard Layout\Preload | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Keyboard Layout\Preload\2 = "E0200804" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\USER\Default_User\Keyboard Layout\Preload | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\USER\DEFAULT_USER\Keyboard Layout\Preload\2 = "E0200804" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\USER\Default_User | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Keyboard Layout\Preload | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Keyboard Layout\Preload\2 = "E0200804" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
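The signature tables above mix a handful of rows a responder cares about (the Run key, the PhysicalDrive0 handles, the Internet Explorer ElevationPolicy entries with Policy = "3", the IME preloaded into .DEFAULT and the service-account hives, the CLSID/InprocServer32 registrations done through regsvr32.exe) with hundreds of ordinary file drops. The script below is an added example written for this page; it is not part of the report or of any sandbox vendor's tooling. It parses rows in the report's pipe-delimited layout, repairs registry strings that were captured through an ANSI API and displayed as Latin-1 (the GBK guess is an assumption tied to this sample's Simplified-Chinese locale), decodes the Keyboard Layout\Preload HKL value, and tags each row with hand-written heuristics. Two caveats are built into the comments: the "Writes to the MBR" signature fires on the access requested for \??\PhysicalDrive0, not on an observed sector write, and installers routinely open that device only to read the disk serial; and ElevationPolicy Policy 3 means Protected Mode silently launches the named program at medium integrity, an opt-out from IE's low-rights sandbox rather than an exploit. SAMPLE_ROWS, the GUIDs, product names and paths in it are constructed placeholders, not indicators taken from the report.

```python
"""Triage helper for sandbox signature tables (added example; not the report's
or any vendor's code). Parses rows shaped like
    | Description | Indicator | Process | Target |
repairs ANSI-as-Latin-1 mojibake, decodes Preload HKLs and tags rows with
heuristics. SAMPLE_ROWS below is constructed for this example."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

ROW_RE = re.compile(r"^\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|$")


@dataclass
class Row:
    description: str
    indicator: str
    process: str
    target: str
    tags: list[str] = field(default_factory=list)


def repair_ansi(text: str, codepage: str = "gbk") -> str:
    """Undo mojibake where code-page bytes (GBK here: an assumption matching a
    Simplified-Chinese installer) were displayed as Latin-1. Applied only when
    every char fits in Latin-1 and the bytes decode cleanly; a wrong code page
    guess would silently mangle genuine Latin-1 text, so set it per sample."""
    if not any(0x80 <= ord(c) <= 0xFF for c in text):
        return text
    try:
        return text.encode("latin-1").decode(codepage)
    except (UnicodeEncodeError, UnicodeDecodeError):
        return text


def decode_preload(hkl: str) -> dict[str, int | bool]:
    """Split an 8-hex-digit HKL from Keyboard Layout\\Preload: low word is the
    language ID (0x0804 = zh-CN); a high word of 0xE0xx marks an IME."""
    value = int(hkl, 16)
    high, low = value >> 16, value & 0xFFFF
    return {"ime": (high & 0xF000) == 0xE000, "language_id": low, "layout_id": high}


# (tag, predicate). Heuristics written for this example, not vendor rules.
RULES = [
    # Logon autostart; the value data is the exact command that will run.
    ("run_key_persistence", lambda r: r.description.startswith("Set value")
        and "\\CurrentVersion\\Run\\" in r.indicator),
    # Raw disk handle. The signature reflects the access requested, not an
    # observed write; many installers open PhysicalDrive0 only to read the
    # disk serial for a machine ID. Confirm with a write/IOCTL trace.
    ("raw_disk_handle", lambda r: r.indicator.upper().startswith("\\??\\PHYSICALDRIVE")),
    # IE Protected Mode ElevationPolicy: Policy 3 = silently launch the named
    # app at medium integrity, i.e. an opt-out from the low-rights sandbox.
    ("ie_protected_mode_optout", lambda r: "ElevationPolicy" in r.indicator
        and re.search(r'\\Policy = "3"$', r.indicator) is not None),
    # IME preloaded into the default profile and service-account hives
    # (.DEFAULT, S-1-5-19, S-1-5-20): it loads in contexts no user chose.
    ("ime_preload_system_hives", lambda r: "Keyboard Layout\\Preload" in r.indicator
        and re.search(r"\\USER\\(\.DEFAULT|S-1-5-(18|19|20))\\", r.indicator) is not None),
    # In-proc COM server via regsvr32: the DLL loads into whatever later
    # instantiates the CLSID (browser, shell, Office).
    ("com_inproc_server", lambda r: "InprocServer32" in r.indicator
        and r.process.lower().endswith("regsvr32.exe")),
    # Files planted in System32/SysWOW64 (an .ime here) load in many processes.
    ("system32_drop", lambda r: r.description == "File created"
        and re.match(r"(?i)C:\\Windows\\(System32|SysWOW64)\\", r.indicator) is not None),
]


def parse_rows(text: str) -> list[Row]:
    rows: list[Row] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m or m.group(1) == "Description":  # blank lines and the header
            continue
        row = Row(m.group(1), repair_ansi(m.group(2)), m.group(3), m.group(4))
        row.tags = [name for name, pred in RULES if pred(row)]
        rows.append(row)
    return rows


def triage(text: str) -> dict[str, list[Row]]:
    """Group rows by tag so persistence, raw-disk and sandbox opt-out entries
    surface before the hundreds of ordinary file drops."""
    grouped: dict[str, list[Row]] = {}
    for row in parse_rows(text):
        for tag in row.tags:
            grouped.setdefault(tag, []).append(row)
    return grouped


# Constructed sample in the report's layout; GUIDs, names and paths are placeholders.
SAMPLE_ROWS = r'''
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ExampleIME = "\"C:\\Program Files (x86)\\Example\\ime.exe\" --autorun" | C:\Program Files (x86)\Example\imetoolx64.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{00000000-0000-0000-0000-000000000001}\Policy = "3" | C:\Program Files (x86)\Example\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Keyboard Layout\Preload\2 = "E0200804" | C:\Program Files (x86)\Example\imetoolx64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32\ = "C:\\Program Files (x86)\\Example\\ax.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ExampleAx.1\ = "°Ù¶ÈÊäÈë·¨Ò»¼ü·¢Í¼" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Windows\system32\example.ime | C:\Program Files (x86)\Example\imetoolx64.exe | N/A |
'''

if __name__ == "__main__":
    for tag, rows in triage(SAMPLE_ROWS).items():
        for row in rows:
            print(f"{tag:26} {row.process}  ->  {row.indicator}")
    print(decode_preload("E0200804"))
```

Feed it the rows of one detonation at a time: the tags answer "what would this leave behind and where does it run" before anyone reads the file-drop tables, and the untagged remainder is what still needs a manual look. The mojibake repair is deliberately narrow; run it only on the indicator column and only with the code page of the locale the sample was built for.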
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\VersionIndependentProgID\ = "BaiducnAx.ScreenShotAx" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\Shell\Open\Command\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\skininst.exe \"%1\"" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE4A566E-CD2F-412A-B259-1F1965B935C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\Shell\Open\Command | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE4A566E-CD2F-412A-B259-1F1965B935C4}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\TypeLib\ = "{BE4A566E-CD2F-412A-B259-1F1965B935C4}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bcd | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx.1\ = "百度输入法一键发图" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\InprocServer32\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\BaiducnAx.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\EditFlags = "65536" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\ProgID\ = "BaiducnAx.ScreenShotAx.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\EditFlags = "65536" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\DefaultIcon\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\skininst.exe,0" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\MiscStatus\1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\ = "IScreenShotAx" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bps\ = "BaiduImeSkinFile" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE4A566E-CD2F-412A-B259-1F1965B935C4}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE4A566E-CD2F-412A-B259-1F1965B935C4}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\BdImeSkinFile | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\DefaultIcon | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\Shell | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/BaiduImeDict | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE4A566E-CD2F-412A-B259-1F1965B935C4}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\DefaultIcon | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\BdImeFile | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE4A566E-CD2F-412A-B259-1F1965B935C4}\1.0\ = "BaiducnAx 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bps | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\DefaultIcon\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\cellinst.exe,0" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\Shell\Open | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\Control | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\MiscStatus\1\ = "131473" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\ = "IScreenShotAx" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BdImeSkinFile | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{29F9A596-1256-43F4-BE7F-16C89D66550A} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\Shell\Open\ = "安装到百度输入法(&I)" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/BaiduImeDict\Extension = ".bdict" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx\CurVer\ = "BaiducnAx.ScreenShotAx.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BaiducnAx.DLL\AppID = "{29F9A596-1256-43F4-BE7F-16C89D66550A}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx\CLSID\ = "{D64016F6-4D8E-4B35-AB22-9B2060800112}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE4A566E-CD2F-412A-B259-1F1965B935C4}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BaiducnAx.DLL | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\ = "百度输入法皮肤文件" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/BaiduImeSkin | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\Shell | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE4A566E-CD2F-412A-B259-1F1965B935C4}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\Shell\Open\ = "安装到百度输入法(&I)" | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\752b8a6b45ceb452cd4ef28e8f9d3965_JaffaCakes118.exe"
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe"
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe" --clean_old
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe" --quit
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --usercenter=close
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetool.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetool.exe" --moveuserdata
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --moveuserdata
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BDDownloadExe.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BDDownloadExe.exe" 1 /product=201
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --install
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --startmenuopt
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --vistataskscheduler
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --filesec
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --whitelist
C:\Windows\system32\RegSvr32.exe
RegSvr32.exe /s "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BaiducnAx.dll"
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --install-shell
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe" --quit
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --usercenter=close
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BaiducnAx.dll"
C:\Program Files (x86)\Baidu\BaiduPinyin\IMEBroker.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\IMEBroker.exe" --quit
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bdupdate.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bdupdate.exe" --installgau
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe" /u
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe" -reg
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe" -reg
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe"
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --setopt /Command/ImportSogouDict bool:true
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --setopt /Command/ImportQQDict bool:true
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --setopt /Command/CheckImeSetup str:AD
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --set-first-ime
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --fix
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe
"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --location
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:29
Platform
win7-20240508-en
Max time kernel
120s
Max time network
130s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\insthelper.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\insthelper.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 252
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:35
Platform
win7-20240221-en
Max time kernel
122s
Max time network
133s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$_24_\PersonalCenter\$_25_\js\common.js
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:33
Platform
win10v2004-20240426-en
Max time kernel
144s
Max time network
159s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$_24_\PersonalCenter\$_25_\js\common.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:35
Platform
win10v2004-20240426-en
Max time kernel
135s
Max time network
156s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$_24_\PersonalCenter\$_25_\js\tangram.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:36
Platform
win7-20240221-en
Max time kernel
118s
Max time network
131s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BDBugReport.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\BDBugReport.exe
"C:\Users\Admin\AppData\Local\Temp\BDBugReport.exe"
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:34
Platform
win7-20240215-en
Max time kernel
122s
Max time network
130s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1840 wrote to memory of 2324 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1840 wrote to memory of 2324 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1840 wrote to memory of 2324 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1840 wrote to memory of 2324 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1840 wrote to memory of 2324 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1840 wrote to memory of 2324 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1840 wrote to memory of 2324 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Src\Protocol.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Src\Protocol.dll,#1
Network
Files
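Every rundll32 launch in this report is a pair: the 64-bit C:\Windows\system32\rundll32.exe starts the 32-bit C:\Windows\SysWOW64\rundll32.exe with the same DLL and the same ordinal export, which is how 64-bit rundll32 handles a 32-bit DLL. The "wrote to memory" rows beneath each pair record a parent writing into the child it has just created, with identical command lines on both sides; they are not, on their own, evidence of injection into a foreign process. What deserves the second look is where the DLLs come from: NSIS installers unpack their plug-ins to %TEMP%\$PLUGINSDIR and call export #1, and a dropper abusing rundll32 looks the same, so the call has to be judged by the DLL path and the parent. The same applies to wscript.exe running .js files out of %TEMP%\$_24_\, and the WerFault rows are consistent with plug-in exports being called outside the installer that normally supplies their arguments. The Python below is an added triage helper, not part of the report or of the analysed installer; the rows it runs over are constructed to mirror this report's Processes tables, the benign shell32 row is invented as a contrast, and the tag names are the example's own.

```python
import re
from typing import List, Optional, Tuple

# Constructed rows in the shape of this report's Processes tables:
# (parent image, parent command line, image, command line). Not from a live log feed.
Row = Tuple[Optional[str], Optional[str], str, str]
SAMPLE_ROWS: List[Row] = [
    (None, None, r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Src\Protocol.dll,#1"),
    (r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Src\Protocol.dll,#1",
     r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Src\Protocol.dll,#1"),
    (None, None, r"C:\Windows\system32\wscript.exe",
     r"wscript.exe C:\Users\Admin\AppData\Local\Temp\$_24_\PersonalCenter\$_25_\js\common.js"),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\insthelper.dll,#1",
     r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 252"),
    # benign contrast (constructed, not in the report): a system DLL with a named export
    (None, None, r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

# rundll32.exe <dll>,<export>   and   wscript.exe/cscript.exe <script>
RUNDLL32_RE = re.compile(
    r'^"?(?:[A-Za-z]:\\[^"]*\\)?rundll32\.exe"?\s+"?([^",]+)"?,(\S+)', re.IGNORECASE)
SCRIPT_HOST_RE = re.compile(
    r'^"?(?:[A-Za-z]:\\[^"]*\\)?[wc]script\.exe"?\s+"?([^"]+?\.(?:js|jse|vbs|vbe|wsf))"?',
    re.IGNORECASE)
# Anything under a user profile's AppData is writable by that user (and by a dropper).
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def classify(cmdline: str) -> List[str]:
    """Tag one command line. Tag names are this example's own, not the sandbox's."""
    tags: List[str] = []
    m = RUNDLL32_RE.match(cmdline)
    if m:
        dll, entry = m.group(1), m.group(2)
        if USER_WRITABLE_RE.search(dll):
            tags.append("rundll32_dll_from_user_writable_path")
        if "\\$PLUGINSDIR\\" in dll.upper():      # NSIS plug-in staging directory
            tags.append("nsis_plugin_dir")
        if entry.startswith("#"):                  # export called by ordinal, not by name
            tags.append("rundll32_ordinal_export")
    m = SCRIPT_HOST_RE.match(cmdline)
    if m and USER_WRITABLE_RE.search(m.group(1)):
        tags.append("script_host_from_user_writable_path")
    return tags


def is_wow64_relaunch(parent_image: Optional[str], parent_cmd: Optional[str],
                      image: str, cmdline: str) -> bool:
    """64-bit rundll32 re-launching its SysWOW64 copy for a 32-bit DLL: same arguments, no new payload."""
    if not parent_image or not parent_cmd:
        return False
    return (parent_image.lower().endswith("\\system32\\rundll32.exe")
            and image.lower().endswith("\\syswow64\\rundll32.exe")
            and parent_cmd.strip().lower() == cmdline.strip().lower())


def triage(rows: List[Row]) -> List[Tuple[str, str, List[str]]]:
    """Return (image, command line, tags) for each row; empty tags mean nothing stood out."""
    findings = []
    for parent_image, parent_cmd, image, cmdline in rows:
        tags = classify(cmdline)
        if is_wow64_relaunch(parent_image, parent_cmd, image, cmdline):
            tags.append("wow64_relaunch_same_args")
        if image.lower().endswith("\\werfault.exe"):   # parent crashed; WER is the reporter
            tags.append("crash_of_parent")
        findings.append((image, cmdline, tags))
    return findings


if __name__ == "__main__":
    for image, cmdline, tags in triage(SAMPLE_ROWS):
        print(f"{image}\n    {cmdline}\n    tags: {tags or '-'}")
```

The WoW64 check deliberately requires identical arguments on both sides; a parent that launches the SysWOW64 rundll32 with a different DLL, or writes into a rundll32 it did not create, falls through and keeps only the path-based tags.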
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:29
Platform
win10v2004-20240508-en
Max time kernel
139s
Max time network
161s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1888 wrote to memory of 3144 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1888 wrote to memory of 3144 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1888 wrote to memory of 3144 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Src\Report.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Src\Report.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:34
Platform
win10v2004-20240426-en
Max time kernel
146s
Max time network
157s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2756 wrote to memory of 436 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2756 wrote to memory of 436 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2756 wrote to memory of 436 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\insthelper.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\insthelper.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 436 -ip 436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 640
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:35
Platform
win7-20240221-en
Max time kernel
122s
Max time network
128s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$_24_\PersonalCenter\$_25_\js\tangram.js
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:33
Platform
win7-20240221-en
Max time kernel
122s
Max time network
131s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\$R0\$R0\BaiduPinyinWin10Setup.exe
"C:\Users\Admin\AppData\Local\Temp\$R0\$R0\BaiduPinyinWin10Setup.exe"
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:30
Platform
win10v2004-20240508-en
Max time kernel
134s
Max time network
160s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$_24_\PersonalCenter\$_25_\js\config.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 93.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:35
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
156s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BDBugReport.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\BDBugReport.exe
"C:\Users\Admin\AppData\Local\Temp\BDBugReport.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:34
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
157s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BDBugReportx64.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\BDBugReportx64.exe
"C:\Users\Admin\AppData\Local\Temp\BDBugReportx64.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:36
Platform
win10v2004-20240226-en
Max time kernel
155s
Max time network
177s
Command Line
Signatures
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe | N/A |
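The indicator behind this signature is a handle to \??\PhysicalDrive0 opened with write access by BDDownloadExe.exe. That is necessary for a boot-sector write but is not proof of one: raw-disk handles are also opened to enumerate and query disks (the summary for this sample also lists "Enumerates physical storage devices"), and the table above shows only the open, not a write to sector 0. The Python below is an added example, not part of the report or of the analysed software; it is the check a responder would run on the detonated image to settle the question: read sector 0, validate it as an MBR and compare the bootstrap code against a known-good hash. The sample sector is constructed inline so the block runs offline; the device path and the baseline hash are assumptions you replace on a real host.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR
BOOTCODE_LEN = 440             # bootstrap code; the 4-byte disk signature follows at 440
PART_TABLE_OFF = 446           # four 16-byte partition entries


@dataclass
class Partition:
    bootable: bool
    type_id: int      # e.g. 0x07 NTFS/exFAT, 0xEE protective MBR in front of GPT
    lba_start: int
    sectors: int


def parse_mbr(sector: bytes) -> List[Partition]:
    """Return the populated partition entries; raise if the sector is not a valid MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts: List[Partition] = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, type_id, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        if type_id != 0:
            parts.append(Partition(status == 0x80, type_id, lba, count))
    return parts


def bootcode_hash(sector: bytes) -> str:
    """SHA-256 of the bootstrap code only, so a legitimate partition-table edit cannot mask a bootkit."""
    return hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest()


def mbr_changed(sector: bytes, baseline_hash: str) -> bool:
    """Compare against a baseline taken from a clean image of the same build."""
    parse_mbr(sector)                       # refuse to compare something that is not an MBR
    return bootcode_hash(sector) != baseline_hash


def read_sector0(device_path: str) -> bytes:
    # On Windows run elevated with device_path r"\\.\PhysicalDrive0"; on Linux e.g. "/dev/sda".
    with open(device_path, "rb", buffering=0) as dev:
        return dev.read(SECTOR_SIZE)


def build_sample_mbr(fill: int = 0x90) -> bytes:
    """Constructed test sector: NOP-filled boot code and one bootable NTFS partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[:BOOTCODE_LEN] = bytes([fill]) * BOOTCODE_LEN
    sector[440:444] = b"\x11\x22\x33\x44"   # disk signature, arbitrary for the example
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = bootcode_hash(clean)         # on a real case: hash from a known-good image
    tampered = bytearray(clean)
    tampered[0:2] = b"\xeb\x3c"             # bootkits typically repoint the first jump
    print("partitions:", parse_mbr(clean))
    print("clean changed?", mbr_changed(clean, baseline))
    print("tampered changed?", mbr_changed(bytes(tampered), baseline))
```

Hashing only the first 440 bytes is a deliberate choice: disk-management tools rewrite the partition table and the disk signature during normal operation, while the bootstrap code of a given Windows build does not change, so a difference there is the signal worth escalating.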
Suspicious behavior: EnumeratesProcesses
Processes
C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe
"C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2756 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | szcloud.baidu.com | udp |
| CN | 111.206.209.92:80 | szcloud.baidu.com | tcp |
| CN | 111.206.209.92:80 | szcloud.baidu.com | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:34
Platform
win10v2004-20240426-en
Max time kernel
147s
Max time network
159s
Command Line
Signatures
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\SysWOW64\rundll32.exe | N/A |
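The two FriendlyName reads above are a textbook hypervisor check: the Enum\SCSI device identifiers embed the vendor and product strings the virtual storage controller reports, and in this sandbox the optical drive still answers as QEMU while the hard disk has been renamed to DADY HARDDISK. Whether chkm.dll acts on the answer is not visible in the report, but a sandbox that hides its hypervisor on one device and leaks it on another is worth knowing about, and a detection engineer can key on non-installer processes reading these keys. The Python below is an added helper, not part of the report: it parses such key paths, extracts the vendor/product pair and flags hypervisor markers. The marker list and the third, benign key are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Vendor/product fragments that give away a hypervisor in Enum\SCSI / Enum\IDE
# device identifiers. Assumed list for this example, not taken from the report.
VM_MARKERS = ("QEMU", "VBOX", "VIRTUALBOX", "VMWARE", "VIRTUAL", "XEN", "KVM", "MSFT")

# <bus>\<class>&Ven_<vendor>&Prod_<product>[&Rev_<rev>]\<instance>[\<value>]
DEVICE_ID_RE = re.compile(
    r"\\Enum\\(?P<bus>SCSI|IDE|USBSTOR)\\(?P<class>[^&\\]+)"
    r"&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)(?:&Rev_(?P<rev>[^\\]*))?"
    r"\\(?P<instance>[^\\]+)",
    re.IGNORECASE,
)

# Constructed rows in the shape of the Indicator column above.
SAMPLE_KEYS = [
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName",
    # benign contrast (constructed, not in the report): what a physical host would show
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Samsung&Prod_SSD_870&Rev_1B6Q\4&1a2b3c4d&0&000000\FriendlyName",
]


def parse_device_key(key: str) -> Optional[Dict[str, Optional[str]]]:
    """Split a registry path into bus, class, vendor, product, revision, instance and queried value."""
    m = DEVICE_ID_RE.search(key)
    if not m:
        return None
    info: Dict[str, Optional[str]] = m.groupdict()
    rest = key[m.end():].strip("\\")
    info["value"] = rest or None        # e.g. FriendlyName when a value, not just the key, was read
    return info


def vm_markers(vendor: str, product: str) -> List[str]:
    """Hypervisor markers present in the vendor/product pair (underscores read as spaces)."""
    hay = f"{vendor} {product}".upper().replace("_", " ")
    return [mk for mk in VM_MARKERS if mk in hay]


def assess(keys: List[str]) -> Dict[str, object]:
    """Summarise what a process learned from a batch of Enum\\SCSI accesses."""
    devices = [d for d in map(parse_device_key, keys) if d]
    leaks = []
    for d in devices:
        hits = vm_markers(d["vendor"] or "", d["product"] or "")
        if hits:
            leaks.append((d["class"], d["vendor"], d["product"], hits))
    return {
        "devices_probed": len(devices),
        "friendly_name_queries": sum(1 for d in devices
                                     if (d["value"] or "").lower() == "friendlyname"),
        "hypervisor_leaks": leaks,
    }


if __name__ == "__main__":
    for k, v in assess(SAMPLE_KEYS).items():
        print(f"{k}: {v}")
```

Run against the two keys from the table, the hard disk comes back clean and the CD-ROM flags QEMU; as a sandbox operator that is the device to rename, and as a detection engineer the same parse turns a registry-read telemetry stream into a list of which processes asked for storage vendor strings.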
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4584 wrote to memory of 3652 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4584 wrote to memory of 3652 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4584 wrote to memory of 3652 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chkm.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chkm.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:31
Platform
win7-20231129-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$_24_\PersonalCenter\$_25_\js\achievement.js
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:29
Platform
win10v2004-20240508-en
Max time kernel
136s
Max time network
164s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1656 wrote to memory of 4572 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1656 wrote to memory of 4572 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1656 wrote to memory of 4572 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\reportsetup.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\reportsetup.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4572 -ip 4572
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 640
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 224.162.46.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:31
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
168s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\$_24_\PersonalCenter\$_25_\index.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x7c,0x108,0x7ff85b8b46f8,0x7ff85b8b4708,0x7ff85b8b4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,2146784046939869232,1761530892384035602,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,2146784046939869232,1761530892384035602,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,2146784046939869232,1761530892384035602,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2146784046939869232,1761530892384035602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2146784046939869232,1761530892384035602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2146784046939869232,1761530892384035602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2146784046939869232,1761530892384035602,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2146784046939869232,1761530892384035602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2146784046939869232,1761530892384035602,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,2146784046939869232,1761530892384035602,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,2146784046939869232,1761530892384035602,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,2146784046939869232,1761530892384035602,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3188 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
\??\pipe\LOCAL\crashpad_4936_WWNUOEOEHHWVCJLA
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:29
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
165s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$_24_\PersonalCenter\$_25_\js\achievement.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 52.111.229.48:443 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:36
Platform
win7-20240508-en
Max time kernel
119s
Max time network
126s
Command Line
Signatures
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe
"C:\Users\Admin\AppData\Local\Temp\BDDownloadExe.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | szcloud.baidu.com | udp |
| CN | 111.206.209.92:80 | szcloud.baidu.com | tcp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-26 10:21
Reported
2024-05-26 10:32
Platform
win7-20240419-en
Max time kernel
119s
Max time network
133s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\$_24_\PersonalCenter\$_25_\js\config.js