Overview
overview
10Static
static
10eae3424e1d...18.exe
windows7-x64
7eae3424e1d...18.exe
windows10-2004-x64
7$PLUGINSDI...ol.dll
windows7-x64
3$PLUGINSDI...ol.dll
windows10-2004-x64
3$PLUGINSDI...rt.dll
windows7-x64
3$PLUGINSDI...rt.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDIR/chkm.dll
windows7-x64
3$PLUGINSDIR/chkm.dll
windows10-2004-x64
3$PLUGINSDI...er.dll
windows7-x64
3$PLUGINSDI...er.dll
windows10-2004-x64
3$PLUGINSDI...up.dll
windows7-x64
3$PLUGINSDI...up.dll
windows10-2004-x64
3$R0/$R0/Ba...up.exe
windows7-x64
1$R0/$R0/Ba...up.exe
windows10-2004-x64
1$_24_/Pers...x.html
windows7-x64
3$_24_/Pers...x.html
windows10-2004-x64
3$_24_/Pers...ent.js
windows7-x64
3$_24_/Pers...ent.js
windows10-2004-x64
3$_24_/Pers...mon.js
windows7-x64
3$_24_/Pers...mon.js
windows10-2004-x64
3$_24_/Pers...fig.js
windows7-x64
3$_24_/Pers...fig.js
windows10-2004-x64
3$_24_/Pers...ram.js
windows7-x64
3$_24_/Pers...ram.js
windows10-2004-x64
3BDBugReport.exe
windows7-x64
3BDBugReport.exe
windows10-2004-x64
3BDBugReportx64.exe
windows7-x64
1BDBugReportx64.exe
windows10-2004-x64
1BDDownloadExe.exe
windows7-x64
6BDDownloadExe.exe
windows10-2004-x64
6Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
19-09-2024 07:52
Behavioral task
behavioral1
Sample
eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/Src/Protocol.dll
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/Src/Protocol.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/Src/Report.dll
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/Src/Report.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240910-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/chkm.dll
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/chkm.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
$PLUGINSDIR/insthelper.dll
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
$PLUGINSDIR/insthelper.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
$PLUGINSDIR/reportsetup.dll
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
$PLUGINSDIR/reportsetup.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
$R0/$R0/BaiduPinyinWin10Setup.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
$R0/$R0/BaiduPinyinWin10Setup.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral17
Sample
$_24_/PersonalCenter/$_25_/index.html
Resource
win7-20240708-en
Behavioral task
behavioral18
Sample
$_24_/PersonalCenter/$_25_/index.html
Resource
win10v2004-20240802-en
Behavioral task
behavioral19
Sample
$_24_/PersonalCenter/$_25_/js/achievement.js
Resource
win7-20240704-en
Behavioral task
behavioral20
Sample
$_24_/PersonalCenter/$_25_/js/achievement.js
Resource
win10v2004-20240802-en
Behavioral task
behavioral21
Sample
$_24_/PersonalCenter/$_25_/js/common.js
Resource
win7-20240708-en
Behavioral task
behavioral22
Sample
$_24_/PersonalCenter/$_25_/js/common.js
Resource
win10v2004-20240802-en
Behavioral task
behavioral23
Sample
$_24_/PersonalCenter/$_25_/js/config.js
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
$_24_/PersonalCenter/$_25_/js/config.js
Resource
win10v2004-20240802-en
Behavioral task
behavioral25
Sample
$_24_/PersonalCenter/$_25_/js/tangram.js
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
$_24_/PersonalCenter/$_25_/js/tangram.js
Resource
win10v2004-20240802-en
Behavioral task
behavioral27
Sample
BDBugReport.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
BDBugReport.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral29
Sample
BDBugReportx64.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
BDBugReportx64.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral31
Sample
BDDownloadExe.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
BDDownloadExe.exe
Resource
win10v2004-20240802-en
General
-
Target
eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe
-
Size
34.3MB
-
MD5
eae3424e1df0a620c27913077106d1f0
-
SHA1
9de4b609d8295c632b672caedb88c9fc6ee0ec08
-
SHA256
ad515ec278d0e97347b6a527d1c3baf3d1d96ace5a7a724dd93de2fc3b9e6ee7
-
SHA512
18ddd9107516bac217cc7a429ced0b01fe370173a9a6adca895c25275aa8dcae6b60c616e785db2159affdd1a5e00a33aac6223cdd5080588ab7b1c8bcce3533
-
SSDEEP
786432:1KuznJ/p8sjDi6mWcQTmbq2SsOP5uAgCcMyszWMA4q10WIE10:1vzJlq2czu2nKLVtnq10WQ
Malware Config
Signatures
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 34 IoCs
pid Process 1516 dictbuilder.exe 2824 imeutil.exe 2168 imeutil.exe 2056 imeconfig.exe 1488 imetool.exe 4108 imetoolx64.exe 4956 BDDownloadExe.exe 1144 imetoolx64.exe 2508 imetoolx64.exe 3448 imetoolx64.exe 4520 imetoolx64.exe 3600 imetoolx64.exe 400 imetoolx64.exe 4192 imeutil.exe 1816 imeconfig.exe 3244 IMEBroker.exe 3412 bdupdate.exe 1948 baidupinyin.exe 5104 cellinst.exe 116 skininst.exe 3192 imeconfig.exe 1684 imeconfig.exe 4784 imeconfig.exe 3524 baidupinyin.exe 1240 imetoolx64.exe 4496 imetoolx64.exe 2780 imeconfig.exe 3400 imetoolx64.exe 4932 imetoolx64.exe 2720 imetoolx64.exe 1360 imetoolx64.exe 4696 imetoolx64.exe 2368 imetoolx64.exe 3992 IMEBroker.exe -
Loads dropped DLL 64 IoCs
pid Process 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 2824 imeutil.exe 2824 imeutil.exe 2168 imeutil.exe 2168 imeutil.exe 2168 imeutil.exe 2056 imeconfig.exe 2056 imeconfig.exe 2056 imeconfig.exe 2056 imeconfig.exe 2056 imeconfig.exe 2056 imeconfig.exe 2056 imeconfig.exe 2056 imeconfig.exe 2056 imeconfig.exe 2056 imeconfig.exe 1144 imetoolx64.exe 4296 regsvr32.exe 4192 imeutil.exe 4192 imeutil.exe 1816 imeconfig.exe 1816 imeconfig.exe 1816 imeconfig.exe 1816 imeconfig.exe 1816 imeconfig.exe 1816 imeconfig.exe 1816 imeconfig.exe 1816 imeconfig.exe 1816 imeconfig.exe 1816 imeconfig.exe 2180 regsvr32.exe 2180 regsvr32.exe 2180 regsvr32.exe 3412 bdupdate.exe 1948 baidupinyin.exe 1948 baidupinyin.exe 1948 baidupinyin.exe 1948 baidupinyin.exe 5104 cellinst.exe 5104 cellinst.exe 1948 baidupinyin.exe 1948 baidupinyin.exe 1948 baidupinyin.exe 1948 baidupinyin.exe 1948 baidupinyin.exe 1948 baidupinyin.exe 1948 baidupinyin.exe 1948 baidupinyin.exe 116 skininst.exe 116 skininst.exe 116 skininst.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 1684 imeconfig.exe 4784 imeconfig.exe 1684 imeconfig.exe 4784 imeconfig.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaiduPinyin = "\"C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\baidupinyin.exe\" --autorun" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaiduPinyin = "\"C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\baidupinyin.exe\" --autorun" imetoolx64.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File opened for modification \??\PhysicalDrive0 BDDownloadExe.exe File opened for modification \??\PhysicalDrive0 baidupinyin.exe -
Drops file in System32 directory 10 IoCs
description ioc Process File opened for modification C:\Windows\system32\baiducn.ime imetoolx64.exe File created C:\Windows\SysWOW64\baiducn.ime imetoolx64.exe File created C:\Windows\system32\baiducnTSF.dll imetoolx64.exe File created C:\Windows\SysWOW64\baiducn.ime imetoolx64.exe File created C:\Windows\system32\baiducnTSF.dll imetoolx64.exe File created C:\Windows\system32\baiducn.ime imetoolx64.exe File created C:\Windows\SysWOW64\baiducnTSF.dll imetoolx64.exe File created C:\Windows\system32\baiducn.ime imetoolx64.exe File opened for modification C:\Windows\system32\baiducn.ime imetoolx64.exe File created C:\Windows\SysWOW64\baiducnTSF.dll imetoolx64.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\PersonalCenter\images\bg_speed.png eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\msvcr120.dll eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\SysImg\bugreport.ico eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\Notify\HtmlFuncNotify\images\kuaisu.jpg eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\PersonalCenter\images\btn_tringle.png eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\Baiducnx64.ime eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe.new eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\30264a2f29e718b05e1374efe65f846a.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\btn_facebox_min.png eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\toolwindow\tb_calendar.png eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\dropdown_down.png eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\UIPFull.dll eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BDDownloadExe.exe eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\Protocol.dll eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\btn_imodel_left.png eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\5513da1d3026b0da4abaa7ff67200e11.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\67805a15ac3079dbd5cab56003df3f7c.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\ic_facebox_main_new.png eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\syncengine.dll eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\202de644fe2135e10e38d636b44e4391.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\635945b224196f9427ddbd8c6fbd8783.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\7b498dd9b9d7f6360ca6aca5c115c3f7.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\ca4fa9cea67c6ba7eedc3dbc6e12d83e.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\SearchBox.xml eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\PluginMgr.exe eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\HtmlNotify.dll eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\canclefix.dat.tmp eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\_btn_close.png eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidushurufa.url eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\7171b5e6bb728b802736f458f9f84e81.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\9348d10c3d0f647370e887ec1fe41c76.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\Preview\quicksetting\5\skinpreview.png eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\common.dll eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\plugin\img\handinput.png eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\log\bcs.log baidupinyin.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\symbols.dat eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\5a07e3b4762eab71434c5f5d942e7cee.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\7c0a4ab7c7926853b75b80d71f80ac91.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bugreport.ini eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\Notify\HtmlFuncNotify\images\xiaoxijilu.jpg eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\PersonalCenter\images\load.png eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\quickhelp.exe eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\2b8d14808164c452d591ae820d826478.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\55efa667245a7d1d420d7b8d3ba89833.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\86fe541faabafe7c0464846557eb2f7f.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\f7c40497f820723e541625f10f59a644.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\toolwindow\tb_shenma.png eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\skinbox\images\ic_setting.png eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\messagebox.png eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\toolwindow\tb_shouxie.png eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\skinbox\images\kuxuanhei.png eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\PersonalCenter\images\btn_logo-panel_right.png eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\46a1b70df893cf4a8838866981ada887.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\NextPage.png eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\ic_facebox_search_go.png eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\a629f090ed3f54a65c1243c2d617435c.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\MiniSkin\btn_logo_panel_appearance.png eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\8121f59182287d21876ac87255e2b572.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\9cb299f92465ec2ca54d06ea1a8a98a4.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\d45395783aec8140157c27209db23528.png dictbuilder.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\skinbox\images\random-install.gif eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\Notify\HtmlFuncNotify\images\duohang.jpg eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\resource\emotion\images\scroll-bg.png eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe File created C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dict\Default\packageicon.png dictbuilder.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 24 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imeconfig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IMEBroker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language baidupinyin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imeconfig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imeconfig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imeconfig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dictbuilder.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bdupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cellinst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skininst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IMEBroker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imeconfig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imetool.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BDDownloadExe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imeconfig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imeutil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imeutil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imeutil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language baidupinyin.exe -
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96}\Policy = "3" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96}\AppName = "baidupinyin.exe" imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93} imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93}\AppName = "pluginmgr.exe" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94} imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883}\AppName = "IMESkinInput.exe" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134} imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883} imetoolx64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91}\Policy = "3" imetoolx64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94}\Policy = "3" imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883} imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96}\AppName = "baidupinyin.exe" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883}\AppName = "IMESkinInput.exe" imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96} imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134}\Policy = "3" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94}\Policy = "3" imetoolx64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921}\Policy = "3" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95}\AppName = "quickhelp.exe" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134}\AppName = "imetool.exe" imetoolx64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921}\Policy = "3" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883}\Policy = "3" imetoolx64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93}\Policy = "3" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94}\AppName = "skinbox.exe" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93}\AppName = "pluginmgr.exe" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921}\AppName = "imetoolx64.exe" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91}\AppName = "imeconfig.exe" imetoolx64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134}\Policy = "3" imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91} imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95} imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94} imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921} imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921}\AppName = "imetoolx64.exe" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96} imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134}\AppName = "imetool.exe" imetoolx64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95}\Policy = "3" imetoolx64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96}\Policy = "3" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95}\Policy = "3" imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{409A2B36-B1D9-442a-A4DD-9C5EBCBA5134} imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95}\AppName = "quickhelp.exe" imetoolx64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91}\Policy = "3" imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA95} imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA94}\AppName = "skinbox.exe" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA96}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91} imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA91}\AppName = "imeconfig.exe" imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93}\Policy = "3" imetoolx64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{04CCE131-9A31-493e-AAFC-1AB51FDE2883}\Policy = "3" imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E06E40F9-3614-42f7-BB35-C01E7412FA93} imetoolx64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921}\AppPath = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" imetoolx64.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B1A491FF-0A2A-405b-B462-BC8B6B82D921} imetoolx64.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/BaiduImeSkin skininst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\Shell\Open\ = "安装到百度输入法(&I)" cellinst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\ToolboxBitmap32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BaiducnAx.DLL\AppID = "{29F9A596-1256-43F4-BE7F-16C89D66550A}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\Control regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\ = "°Ù¶ÈÊäÈë·¨Ò»¼ü·¢Í¼" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\Programmable regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{29F9A596-1256-43F4-BE7F-16C89D66550A}\ = "BaiducnAx" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx\ = "°Ù¶ÈÊäÈë·¨Ò»¼ü·¢Í¼" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bps\ = "BaiduImeSkinFile" skininst.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\EditFlags = "65536" skininst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\Shell\Open\Command\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\skininst.exe \"%1\"" skininst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/BaiduImeDict cellinst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BaiducnAx.DLL\AppID = "{29F9A596-1256-43F4-BE7F-16C89D66550A}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE4A566E-CD2F-412A-B259-1F1965B935C4}\1.0\FLAGS\ = "0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\DefaultIcon skininst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\DefaultIcon\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\skininst.exe,0" skininst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx.1\CLSID\ = "{D64016F6-4D8E-4B35-AB22-9B2060800112}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BaiducnAx.DLL regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.bps skininst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\ = "百度输入法皮肤文件" skininst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\DefaultIcon\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\cellinst.exe,0" cellinst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\AppID = "{29F9A596-1256-43F4-BE7F-16C89D66550A}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\Version\ = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx\CurVer\ = "BaiducnAx.ScreenShotAx.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile skininst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\ = "中文(简体) - 百度输入法" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx.1\ = "°Ù¶ÈÊäÈë·¨Ò»¼ü·¢Í¼" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\BaiducnAx.dll, 102" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.bcd cellinst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\Shell\Open\Command\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\cellinst.exe \"%1\"" cellinst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\Control regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028\\BaiducnAx.dll, 102" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx\CLSID\ = "{D64016F6-4D8E-4B35-AB22-9B2060800112}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE4A566E-CD2F-412A-B259-1F1965B935C4}\1.0\0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{29F9A596-1256-43F4-BE7F-16C89D66550A} regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\ProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\AppID = "{29F9A596-1256-43F4-BE7F-16C89D66550A}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx\ = "°Ù¶ÈÊäÈë·¨Ò»¼ü·¢Í¼" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx.1\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiducnAx.ScreenShotAx.1\CLSID\ = "{D64016F6-4D8E-4B35-AB22-9B2060800112}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/BaiduImeDict\Extension = ".bdict" cellinst.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\ToolboxBitmap32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{170462E1-875A-4DC4-A37D-EB3CEFDE9FEF}\InProcServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/BaiduImeSkin\Extension = ".bps" skininst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\ = "°Ù¶ÈÊäÈë·¨Ò»¼ü·¢Í¼" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BE4A566E-CD2F-412A-B259-1F1965B935C4}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Baidu\\BaiduPinyin\\3.3.2.1028" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bps skininst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\Shell\Open cellinst.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\Version regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeSkinFile\Shell skininst.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduImeDictFile\EditFlags = "65536" cellinst.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\TypeLib\ = "{BE4A566E-CD2F-412A-B259-1F1965B935C4}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BdImeSkinFile skininst.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\ = "IScreenShotAx" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCC34BB9-44B9-4660-8B75-AC11729A3A91}\TypeLib\ = "{BE4A566E-CD2F-412A-B259-1F1965B935C4}" regsvr32.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 14 IoCs
description pid Process Token: SeDebugPrivilege 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe Token: SeDebugPrivilege 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe Token: SeRestorePrivilege 1144 imetoolx64.exe Token: SeBackupPrivilege 1144 imetoolx64.exe Token: SeRestorePrivilege 1144 imetoolx64.exe Token: SeBackupPrivilege 1144 imetoolx64.exe Token: SeRestorePrivilege 4296 regsvr32.exe Token: SeBackupPrivilege 4296 regsvr32.exe Token: SeRestorePrivilege 3400 imetoolx64.exe Token: SeBackupPrivilege 3400 imetoolx64.exe Token: SeRestorePrivilege 3400 imetoolx64.exe Token: SeBackupPrivilege 3400 imetoolx64.exe Token: SeRestorePrivilege 5008 regsvr32.exe Token: SeBackupPrivilege 5008 regsvr32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 412 wrote to memory of 1516 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 87 PID 412 wrote to memory of 1516 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 87 PID 412 wrote to memory of 1516 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 87 PID 412 wrote to memory of 2824 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 88 PID 412 wrote to memory of 2824 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 88 PID 412 wrote to memory of 2824 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 88 PID 412 wrote to memory of 2168 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 89 PID 412 wrote to memory of 2168 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 89 PID 412 wrote to memory of 2168 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 89 PID 2168 wrote to memory of 2056 2168 imeutil.exe 90 PID 2168 wrote to memory of 2056 2168 imeutil.exe 90 PID 2168 wrote to memory of 2056 2168 imeutil.exe 90 PID 412 wrote to memory of 1488 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 91 PID 412 wrote to memory of 1488 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 91 PID 412 wrote to memory of 1488 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 91 PID 1488 wrote to memory of 4108 1488 imetool.exe 92 PID 1488 wrote to memory of 4108 1488 imetool.exe 92 PID 412 wrote to memory of 4956 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 93 PID 412 wrote to memory of 4956 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 93 PID 412 wrote to memory of 4956 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 93 PID 412 wrote to memory of 1144 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 94 PID 412 wrote to memory of 1144 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 94 PID 1144 wrote to memory of 1148 1144 imetoolx64.exe 95 PID 1144 wrote to memory of 1148 1144 imetoolx64.exe 95 PID 1148 wrote to memory of 4296 1148 RegSvr32.exe 96 PID 1148 wrote to memory of 4296 1148 RegSvr32.exe 96 PID 1148 wrote to memory of 4296 1148 RegSvr32.exe 96 PID 1144 wrote to memory of 2508 1144 imetoolx64.exe 97 PID 1144 wrote to memory of 2508 1144 imetoolx64.exe 97 PID 1144 wrote to memory of 3448 1144 imetoolx64.exe 98 PID 1144 wrote to memory of 3448 1144 imetoolx64.exe 98 PID 1144 wrote to memory of 4520 1144 imetoolx64.exe 99 PID 1144 wrote to memory of 4520 1144 imetoolx64.exe 99 PID 1144 wrote to memory of 3600 1144 imetoolx64.exe 100 PID 1144 wrote to memory of 3600 1144 imetoolx64.exe 100 PID 1144 wrote to memory of 3400 1144 imetoolx64.exe 101 PID 1144 wrote to memory of 3400 1144 imetoolx64.exe 101 PID 1144 wrote to memory of 400 1144 imetoolx64.exe 102 PID 1144 wrote to memory of 400 1144 imetoolx64.exe 102 PID 412 wrote to memory of 4192 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 103 PID 412 wrote to memory of 4192 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 103 PID 412 wrote to memory of 4192 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 103 PID 4192 wrote to memory of 1816 4192 imeutil.exe 105 PID 4192 wrote to memory of 1816 4192 imeutil.exe 105 PID 4192 wrote to memory of 1816 4192 imeutil.exe 105 PID 400 wrote to memory of 3244 400 imetoolx64.exe 106 PID 400 wrote to memory of 3244 400 imetoolx64.exe 106 PID 400 wrote to memory of 3244 400 imetoolx64.exe 106 PID 3400 wrote to memory of 2180 3400 RegSvr32.exe 107 PID 3400 wrote to memory of 2180 3400 RegSvr32.exe 107 PID 3400 wrote to memory of 2180 3400 RegSvr32.exe 107 PID 412 wrote to memory of 3412 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 108 PID 412 wrote to memory of 3412 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 108 PID 412 wrote to memory of 3412 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 108 PID 412 wrote to memory of 1948 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 110 PID 412 wrote to memory of 1948 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 110 PID 412 wrote to memory of 1948 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 110 PID 412 wrote to memory of 5104 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 111 PID 412 wrote to memory of 5104 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 111 PID 412 wrote to memory of 5104 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 111 PID 412 wrote to memory of 116 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 112 PID 412 wrote to memory of 116 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 112 PID 412 wrote to memory of 116 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 112 PID 412 wrote to memory of 3524 412 eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe 114 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\eae3424e1df0a620c27913077106d1f0_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:412 -
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\dictbuilder.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1516
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe" --clean_old2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2824
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe" --quit2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --usercenter=close3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2056
-
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetool.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetool.exe" --moveuserdata2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --moveuserdata3⤵
- Executes dropped EXE
PID:4108
-
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BDDownloadExe.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BDDownloadExe.exe" 1 /product=2012⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:4956
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --install2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\SYSTEM32\RegSvr32.exeRegSvr32.exe /s "C:\Windows\SysWOW64\baiducnTSF.dll"3⤵
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\regsvr32.exe/s "C:\Windows\SysWOW64\baiducnTSF.dll"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4296
-
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --startmenuopt3⤵
- Executes dropped EXE
PID:2508
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --vistataskscheduler3⤵
- Executes dropped EXE
PID:3448
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --filesec3⤵
- Executes dropped EXE
PID:4520
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --whitelist3⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
PID:3600
-
-
C:\Windows\SYSTEM32\RegSvr32.exeRegSvr32.exe /s "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BaiducnAx.dll"3⤵
- Suspicious use of WriteProcessMemory
PID:3400 -
C:\Windows\SysWOW64\regsvr32.exe/s "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BaiducnAx.dll"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2180
-
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --install-shell3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Program Files (x86)\Baidu\BaiduPinyin\IMEBroker.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\IMEBroker.exe" --quit4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3244
-
-
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe" --quit2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --usercenter=close3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1816
-
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bdupdate.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\bdupdate.exe" --installgau2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3412
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe" /u2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1948
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe" -reg2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5104
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe" -reg2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:116
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe"2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3524 -
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --location3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2780
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --install3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3400 -
C:\Windows\SYSTEM32\RegSvr32.exeRegSvr32.exe /s "C:\Windows\SysWOW64\baiducnTSF.dll"4⤵PID:3548
-
C:\Windows\SysWOW64\regsvr32.exe/s "C:\Windows\SysWOW64\baiducnTSF.dll"5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5008
-
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --startmenuopt4⤵
- Executes dropped EXE
PID:4932
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --vistataskscheduler4⤵
- Executes dropped EXE
PID:2720
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --filesec4⤵
- Executes dropped EXE
PID:1360
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --whitelist4⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
PID:4696
-
-
C:\Windows\SYSTEM32\RegSvr32.exeRegSvr32.exe /s "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BaiducnAx.dll"4⤵PID:4440
-
C:\Windows\SysWOW64\regsvr32.exe/s "C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\BaiducnAx.dll"5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1492
-
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --install-shell4⤵
- Executes dropped EXE
PID:2368 -
C:\Program Files (x86)\Baidu\BaiduPinyin\IMEBroker.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\IMEBroker.exe" --quit5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3992
-
-
-
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --setopt /Command/ImportSogouDict bool:true2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3192
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --setopt /Command/ImportQQDict bool:true2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1684
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imeconfig.exe" --setopt /Command/CheckImeSetup str:AD2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4784
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --set-first-ime2⤵
- Executes dropped EXE
PID:1240
-
-
C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe"C:\Program Files (x86)\Baidu\BaiduPinyin\3.3.2.1028\imetoolx64.exe" --fix2⤵
- Executes dropped EXE
PID:4496
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
367KB
MD5b5e16bd1f7edaa0d56c9e2ce65f35516
SHA1ca4b7fc4c77680b8ce4b1bdbb2b231beb06c98e2
SHA25691702ae34d17e643983accc23f937c0956d5d5e07b26871e025de4a6da85b696
SHA512ec0fdc8d2a8b1f93a2282c0af139dddc637533758e65d6e2b052a8e20c8a031d3d4133e04c1c082981035a35afa552b219ac0503f43181c4d399f95581e91b29
-
Filesize
2.8MB
MD5080a1318a5e18553f622ee9498e1a99d
SHA18242034ceb4f3333c410478499f02885044373c2
SHA256020f509f0c15d6c123b02e790d4d3d674a781ceeb8d6b304bcfb7d57479c5b36
SHA512c90571a169099ad0973c090de7a1434f52bdef635730fac44029635ca91870269237595f81b6602dbb8f5cd077acafa2d36380776a3707d94fb1e8668070d1c3
-
Filesize
2KB
MD52acb717904708b6b98f41dc5f2dd17d0
SHA14a2460b5904e20339109bd4ef04b0f43ad3bc30b
SHA256d9e8604274f890c75250ff38ddd069f4c8c412c8b3cf8a98e67b2706bfced59c
SHA512e736e4c7e0fa239964546e2d4fa0241e80f82fbef7acc31b9373e6c9c02c99b09ae20fd402fc922bec9288537588e4b91ebe1970651ed87877cb2bdc93b2494c
-
Filesize
399KB
MD556385cb44bcf0b46d7b27ae70dc304f8
SHA1f488aff961286a852fba6f887ba9369d7dbb8bbe
SHA2561ef970a39e17a0f1188f7ea88a871a833613b0fbc5fbc028f2a29bcddba72159
SHA51237725ad5e9599ce7db125453a4f63ead7d6648dca65ab93bb5ed6888404a04d86dfcea1d0a28ec4a005449d1246a452e03bb4a8bcf5c4bed42071cb1c2afb681
-
Filesize
518KB
MD5047883fa5f336320c303345fd0c2a37c
SHA1d5a647ce1dde1faa4128c1db5c82851ca73716a7
SHA256aca42b70ee70806ff6a298acbfda17051f3514073ba1bffeb64006d56d75a9ea
SHA512b8e8032fd8c4a94fa7841bfa4a9b89c894766cfebb2702da2570acddee1c161c7a12551f51d3dce81fb10d55e56075c226843d811a20ef6cafafa3e58418dd48
-
Filesize
606KB
MD5523d13d373e36022819a8bfd4106afa7
SHA1928fd5209a568333193b4327897fbcd25829a876
SHA2566717422b8a66c295cdc52624794354c642c0f5b3c9fc945e17c700765815a2ff
SHA512d5be101c0a4c7bdf5eddf351311e8a7db74d2fef8f97171e3ea0820fc7384c8505915ecfc774f70c519ed87807173397f6771d515bbc816d113a24460b72fafd
-
Filesize
469KB
MD5385de7eb355e2b67bc8efaf1d28db78b
SHA1f8dcd255c7160347af343bd6824640d1960a3afe
SHA256a00392e1f6c235507cf6077f16052216de8c50ea3c601b32ea8f1e75f447d650
SHA51295461dbb67355cd44ebe0f8ae124bd878a7588e09ef9fc682ac256a1c5c243f5d1ffcf1189f714670f4298ce8e67e6463f98bb83540652edfaddd55e3d173267
-
Filesize
139KB
MD593bfa462ede419250bc876b2884ece05
SHA1233a8a946f119492b8fa2b4b8993e5d3db00acfe
SHA2566a2b893de7fbc1c0c507a35c14882236c326f553baf07409cd358308eefcb5af
SHA5122cae7a79f3adbc23fbd7a84689321b438596bd9cec5b2bca274f0d67ae0bad7b9b984ba352256fe6079338435958e28923915d029bc4b2e52fd04dff61312245
-
Filesize
195KB
MD5d55a908913b1f2bc2e9e0195472882f7
SHA1627509ef0575d389e39a2dbae82e94da50346f2e
SHA2560be32940021bce94782662b3377e2658600e0ada82ad3ce561b00a3abfdc528d
SHA5121a500d47e0785a0467e29a4986f0dc658a9c105855d70d4c17d4a8df7d5354d808fec25f79bb507719eeb93c1a5db49a006e291b1ea4dd18049c1d94696d5eea
-
Filesize
376KB
MD53c11f16a387925e9c088b0d819795bb4
SHA1bf99c57feafd149b93c73fac2211b8be00b3e536
SHA2560b07258015b5e139776c9be53965f4442bfc9d7265db93665f2a10a166fb04ce
SHA5122a5cf1c37d3cc67709a427a5831a46218e15550054896b333c5ec9a7f6b370fb271d06696b842c2dc55947ed9dabaea5fb9bb1c859ca4132106cc02c590ab1be
-
Filesize
16.0MB
MD5df695d1bb876e0aff16e80d37c13a045
SHA1bfa3f935d0259f103213c86b19643c9d0e839d31
SHA2568f34cb39e843f2569e530d13f9583d385d80273c7f0a7bd3227fba11336527fa
SHA5128ad735da6d0cb7050474d53787bbbcf371cdc70ba6bb54e8b649331570f29f99f609ad897178f0c430548da245a31ffdf0db8f4cc1931f7bb1837d273d4d02e7
-
Filesize
385KB
MD55fba35a5c0c99d59803bf9d2590c3f82
SHA18e8e082647997cb688effe79ec12529bd03e9987
SHA256835828871ef9af95f85b8f249f2cacdbbae6c73ef802448f7c59584eb63265f6
SHA5124217349c66ee47d096d2a4c19fa408dd6f08a09a9c47cb9493b5a2faff6f3f4f0d855cf02905f24f0a8d1ce6bb1d4d561c4f69a1378b09ff473f997855ddedf2
-
Filesize
6.3MB
MD5d28c28b7d005a754a60839b4091aa556
SHA190e2b7ef24d2521b66ffa793d19dd7bbe8fe3bbb
SHA2561d753a7609cfe79ec3abc6b2c0c6d552f29caf1251ffae2cb8fb81a71d80ee84
SHA51296a754995b7751cb4a0df624bd8f4975b9fa40ef97329a798abf47197537c62f51f1b47900d82be14f2d2d2785e963897ab6f7cb713e6a76fef0107c4517c089
-
Filesize
15.1MB
MD52e1b6f915bc3efb9bd950099e9a25fa2
SHA1ada21f4380f5c2bbf9a023fb3a97c6abc67d8552
SHA2565f6bd5aa51cf2590579116816e87a26617f1424fdb00f4703dd4ee9429d425e8
SHA512771557c762acab825f5f96bc83cac0612b5551f2c2d85406fe2288aad9aef9a17b16769ba29a7b5ef5087f17b5f2d0538480b3c16f809c5b52fb1afc4420f51c
-
Filesize
264KB
MD578b547129a5af3251cd3a2cab4107d4e
SHA1da5d2da96f238fa327cdea23225b08f813d5504d
SHA2569415b6d6014edb194cb9e428e77900c37b1b9a950e2c97bd013d4af8f5e8455a
SHA512ef9a1edb6272e2eeab04eeb142c5f0a7806f4e96335a1aab6d391746de795f00ea62c06ecdf0df7bc5e6933e1961afa94df11639ff5f16d0bae871a584b3bc48
-
Filesize
3.2MB
MD50ccf4e1bd3bdd1119d96bd92b89e6a76
SHA19b00ad3520a26a9f6e0644c2796c85d8ae54c47d
SHA2565893e51697c153e3ef8b257cba716577b7cc3e82fd0a8fbab51189706dedfc40
SHA512e259835f453a9d7a3ece6e9b79d087ec7d596810ed072964e38b21eca613c2321b3964ec79806269eb6abcda40aafcd9d5e82f360018cbfa1e86266baff8507e
-
Filesize
762KB
MD58d82ce7a07be1b62440c0cec4e170a15
SHA13c6d41dc25978907acff8369778b4e352d56ccc1
SHA256c6a521c1f3c2611e063d4929fb4a2c466395d4a54a17b6c1036f9e92a0d3ede2
SHA512033f08cc83b6bc911c5cb136e152b920cb7193b1ce6e4529a84260ed0225d814059a4a47c603070db6191a86ddef4104e3eec712bccb8f0d2d0b85050612651f
-
Filesize
298KB
MD540e91fcd84dafcc606ccc876f991a7e6
SHA121e2dab15eddb84c631838e1575a72598e9355c2
SHA256bb0258c4b7ea8543f2f5aced98081d7a973f337c57be08f294ab189d13e7c417
SHA512dda11e19996c688090776fd3ba1428af05fb234a51947e4692b83cd11eff3ad39d7a46e481c536f0aea780c827c8169616ff74b2b9b5aadb4abab11b1e852693
-
Filesize
432KB
MD5f51b87edfcba2b76efffe705dd4e6951
SHA1ed3d4d21a33d47960634f15b297309369d550030
SHA25614145a84c8d19e1ec17f4f79778e8fcf998a5fd60c2c5852391caf88d0dcd7aa
SHA512fbe76bfe49fd9382541b0aaecef568ec1d0db21fe7aff0df47e8fb05060a3e60a053198dcf225da44f6bda682f32c26fcdfd4ee8bac6bd4831ee41ff9ff5695e
-
Filesize
495KB
MD556c71233b091ae9c9bdffde78d01178c
SHA149008558d094e5245df0ee187854f08eba719cfe
SHA25637ec71fc85302dce47e3610aa97fc516d577d4297e37acd4413a2d50d09efb8b
SHA512fc5abba1a9401fc20805363674c00c2ee94ad037297fe82f58f6e60dbe6eff39b2579babaa95cc766708ad1f7c9a965d87311c15cff4a3f1cadfe38ccf0d4245
-
Filesize
105KB
MD52ff02072877da8f34f9af9928aa5f5b3
SHA1d9e5bee9e783fecd13e95e2cdea37fcaa9a1cbd7
SHA256756d55a8085e1b07695eb90db9266e98a0f0afc67ae188867eed96badc3d59ea
SHA5129f340860dfce4f20b674d8db7ceb15af5dd618cfb6e75a154c043a16a2fd3e57a97b763cbe84a945d06ef324b11f2b6da4ec798fa536033ccf76de2a62787c1a
-
Filesize
186KB
MD5de63b59c6697079ecc7646589deaafef
SHA1709c2d6058556dd0f9d46ef840153249cd60d94b
SHA256183db759881d0213aa708410c122a7373ba08dbe122343b6acf9292741108d97
SHA5120e8493cc0f1ee0666305c06928d4811563aa07187bdb3146bf21b3446e946e6f582c7e1375f32281b259163de72a0d54b0ade097843bbfdd5ff599d444f54573
-
Filesize
295KB
MD560054f32651599c68fab41b220f476e0
SHA1281a63035340db32bb7d55e009f8097546f4aa9a
SHA2564352c68ffc4308c2e24acc19608318a52dd0a9f362f1cd2c8ff07b55ae37dde9
SHA512daa3431d8d70b0278a13b04dc1d74b44d235296c86686fc233dcd23af963bcd5977dd97ea5546cf548e222fb43f7bba5db350f1de1c2fbefe1379c717d8e2a39
-
Filesize
1.1MB
MD5b8a2583697545aea9baa1383f9796368
SHA1a8d5fa264d96e70e36461d99a44a9a39cb186730
SHA2561f649a43e098fef9be0cbdf6f57b1afd3aa14d06c5c1aa82f5c26b769f04f141
SHA512cbb43e7b2cee7d76ac026ec3deb9626c43d6acbc595cebd41293cc1045808a7f09da19ab64c7b0a44432281e43e4904432906f5c3dec6bb1f3c146c907fc6864
-
Filesize
444KB
MD5fd5cabbe52272bd76007b68186ebaf00
SHA1efd1e306c1092c17f6944cc6bf9a1bfad4d14613
SHA25687c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608
SHA5121563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5
-
Filesize
948KB
MD5034ccadc1c073e4216e9466b720f9849
SHA1f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1
SHA25686e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f
SHA5125f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7
-
Filesize
267KB
MD50f6f9f42e4dd9dcd5715955e3838ec4a
SHA1f93a11370df53d30a84268b003fab1b8eb2a3960
SHA2566f34c5eec35a9f5af26cd163792c53fbd30ff0d04110f6bddeeff413f8dea10a
SHA512ecc9ba94660d2d3ea7a80e2a67e3db129e983d33697fa5da6c000a7b53c3e3a1460bedb12fc82af422f03c9e9c097335e9704dd21ae9d7b4baa78f19826c4920
-
Filesize
161KB
MD559294fde17337c3b141160be336fa7b0
SHA159331a76ec7bdb6ef4cf3566391587229b942378
SHA256044bea17ccaff8d1bd437dd13a0d37798ac1629f7fc6fb1cf6d5c4d0e065e5f4
SHA512f9be627ce0587e89132e013000d88db0b943f6b11e630e78aefd2f347a12f7ddf30b0a71ed5049017f2148083166924bc2c6ae35ed9d635c492dd84312d0e414
-
Filesize
52B
MD5917a62c357ce8515c527c41fa19c7057
SHA18066cc995bc595e11f34dc51ac75a5c85a5f406a
SHA25682abec24a9d1af7bf8d62aebc19b24172e8457a9363628076cb9cd6d20677b1d
SHA5126fd16a4e67af2fa18843e450c71995b6bf475f38525b78503f7fd6d1a41ac8f1eb5a23d6348c3a6f587c4648e76d551227e93bb538a68b4f34930741a57500ce
-
Filesize
1KB
MD57d2ca78958319ff880b929d587555501
SHA1f0feab55168969c2fe4f0b565056ea017b1cd885
SHA25698f5ffdf4930a16e94a13856d3df0a9647b0601de59a82d042fee246071895f8
SHA51226a245a9e037d12b45e04bdeea7668caf55c9769a19e519ae76122881c2a0d2232453dc463642075f5ec7f5d8bdb39ede0c60e97575aae043e983f3f9ed63138
-
Filesize
1KB
MD5cc820abb5ae954afe9d1fc1c73dd227c
SHA161230f50cce9b4a8f5af59dc70b6cb79c3d52dfd
SHA25693c1040d970e2580f255721f7a9840628971c7eb0f833dad5f1fcbc4fa6e7a36
SHA51238bae580ec435d12267547da95cd102bdf4ac2039244518c0590ef8de23039fb0b4e938ff5220b9bb69443a4f1c389be10256f5557ae763782779bd3b865fe5a
-
Filesize
1KB
MD5ce6061ad1b772cc52c2e5c3b03a53ae2
SHA15f7e4cf86c120403721c74bf2e2fc8c5b6b17213
SHA25627bb447e1668469c20bb086184a89c7fcbff8e05145613a35bc53729f6d5b06a
SHA5122a14e0583992c526c3177da9ba2a431af1409bd6f41b10483e87da25bd2e51906c57b866236d6a5be3bb90717702c7870a12672adc7ae49752e43a20f47153aa
-
Filesize
2KB
MD5b02cbf464cdd8044d2f6c2e1402a0852
SHA17458ab6d69842195acfda05b23bc4f976bb39ac7
SHA25615d657f61e7c88bc21c97601c607c3ad95edfc9f84bb882a941d582473d6b5b0
SHA512a4e2c7050c4d4fbe3f777fe86da940e347b9752271a03525f6195d5d2a9c7da902a1a9c8316b9874ab1d5596769fb5714f76f5d17e0cda9225a7c95d34e856a0
-
Filesize
298B
MD5ab279f49ed459ec7c6bd5840169f0337
SHA134c0e2888c32613470b34521d07e2400bf97a4b6
SHA256a90b1ce29ce2a99fc9a0931edcb25d85ebc4f89b2ac314a9e46f5af10f2e60ab
SHA51246909cc1cd816fff0d5c908f3294a521f37f5b88921b998ead7e7e71194ecd4de1cfc79f1da1ee1d118fcd4d9b0ec1a91a2dc84813276ef08d5d2aa8404455fa
-
Filesize
1KB
MD51bd244654eea77c8e2fb7ce50ab70ed6
SHA1285ec5739db08b57ed0b095b65c73a0f88e041f8
SHA25613b0ba3ba2adf6a9c08e74711a2ccb3a58fb49dbad3917b2817a1858e745f153
SHA512413b2b0d620ffad69c786cc0a3558dc479633256e00b3f9cdc84d35285e9c3855e69129af8ba2a0a128c440687e1853bd08150c69316c60499618d979250ec5d
-
Filesize
272B
MD56b087fe1070437f38dd48ab04a6ab8fd
SHA1c662c1fe5b5538fdfcf101c0923a7a0721eb7d2b
SHA256244bcbbeb46688b581755d3682289dc966fece07261d3952b6cb3291ef959c5f
SHA51256c46c4a8214760b2952588925793ca6d558d9793fb8b0e235c49e0573d39ae0897a4aa07987e38efcd28882057b5c43305a3391dfc0d99d7342bf8d259e7a77
-
Filesize
269B
MD51b259b5c5049e0c31f17daaa9429173d
SHA1dd84168f100a56c2eb6b2d3dc7596ad248611fd9
SHA256a5a0b097e91b243371408dc0cd30d426aee25e5f51f7a2a604667f1f61e0395e
SHA51200bdd283b927069d7c4f2a1c9decd1332156df9fb1d5a7f14e56b8df43c7dc5988cc02b70e57bd84bb71c162fac617b4e5e44625618f3944a2aa080bc2a15954
-
Filesize
2KB
MD53433d6d406701d0f7afdb96f29a8ade7
SHA1e06249b69d4b4802cda45d359b5adb2f64b22a1c
SHA2567e75d795dd1ba9396b570aa293e7bb9313ca1750dbcfe22070771b0e3c27b07c
SHA512adc32e59e6ab83b4567bd7f81d624b75496170c5e968cb78a4c1b130d69d87a6ae27b959fe9e6a81a72939462584168a8c9c61279d0ca85acc0588d533cd67a6
-
Filesize
2KB
MD59f3cb0da97796318a820244ba11f48ab
SHA16f7bcb18fbc72bfb64adfdf7a2f7b4998bce39ed
SHA256987458d9b0d2033fe4df7b51b92e71b0cd4b16c22b68822939656628b3ad2754
SHA5126d0c908ead54143f54d193834ba5f24548898c55e64de6b37c8eb20c14394e0d373579d7c04ff47cc8917f6c7b16ed11bb64182a154d5c9332e35f47acf0f7ae
-
Filesize
4KB
MD5acb03a7127f0975a492dd8e20209663f
SHA15686280e481e218a2681d983ec62b196b4eb9029
SHA256edd8c7758c67c4a35ed54fa4a971bbacf0d822e44793038ae103ffef5b92e46d
SHA5129e7586455c8eec68f58bc4d7464839ac3629d7352fb54144c1c8a3088f7e564e3eef5a10325f7bbc66383d2b6a2106354192943b4ea9b36cf6263babc80391f5
-
Filesize
5KB
MD5b5bbd7d5c28b31abb61c10d09bc94920
SHA1b733734e2603a64f2a294e5c25a9ea7fc89bccb7
SHA2569f983463c01a649e4379e133f8d61497914ac989baabe502ae4c75f2144efe3b
SHA512ab7f6f7a20ce6492855ba78fa254e3d35caf4047aafb977d957382ef5468af18fda217e4159e875a25533b3235ff062ac680e9e022f46e86d3d24355e27ee40e
-
Filesize
1KB
MD5e917a27eb6a6204031c2011be4fcddc0
SHA1565adb0a3c5576fa54c459e4e55138c305340ae6
SHA256a52540ba1b56cef60f7d1d185afe6dff2ab181cb1162cc53a0348e7bccfa366d
SHA51244cafca6aec7e57f9caa9d51e5dc5634af89f6bec30d72f26d533bc0df5c6f79c9b2c5b8a699b5727ba0e0c130717bf2c451376755be2da6e3d695396a63d990
-
Filesize
568B
MD50fcd28ed0e69ca531809e8e2058eb246
SHA15d7a1862ee5c8a708c91a9866b503d87cbfacc84
SHA2562c6c16ec784410c022bfe6dd4618fb2f4cff421c0cbc151707afbf9db0ad3a3c
SHA512276995e090a70844cbc912d9660d39c33dc5f8eed0985dd5d9c8b56a360c933f2ca63cbf32eb548031b4557260f0b720487242b2fcbc63e7e4e6937c2ac887c4
-
Filesize
668KB
MD5a438e303cf31126c5d6b882aeded21a8
SHA1eebe92a2e07ec209e6c366899938d2f7677e9977
SHA2567c301b9c44cae3a53a4f939a391ae36e79e29f9216fc903665b4551426cecd90
SHA512ddc47c35d7b662e939d471e07f5f45e979abd4df14b334c5c12f229f7d185bb9925693d9dd71e36c97eef02c92f961775f5d7cd605b36af9e6a5c9d83af3964b
-
Filesize
316KB
MD598a2b4d094fa825e601b1f68752d4ac5
SHA10197c18e2443b53add35870df81a0123acbaa0cd
SHA2563347ab083d69d9d4bf6c8e6816c56a1eb694b581721965ebd44d240fe956e164
SHA51247ef8d5ee9273a41169ec522245869f6d9d90b840d56d88e68bd693b4d1b4243b005cede1a5f9420ff1a5240f7de8ba7a5b915b846af9e1c57a0d4eaa584d53d
-
Filesize
19KB
MD535d7b29c3ed690a8b0cd323917677b42
SHA1ad74d2babe09f94838e408c8f9f77b6b56c644f5
SHA256714bd22a836a7f164b848541b8bf8ac80a20ff38e10e412bf9ef518620a80b8c
SHA512abc6f37b7306de737adf998607e81304ecc1589ac8e3164651b237def11b424a190e84608f4f6ce44a63ce225d93be7c617a736c82fb6b9077c5222c2e17b67d
-
Filesize
74KB
MD53b8308f1dba641b49a642fa6d92f3451
SHA1a11164e08bd9c594b6d608c51a2428a4c6b555a2
SHA2562061a94b4d34a77f935f95a3741f917c91b27d0e1585c2ee2f8e00806b671db7
SHA512dc089fc2bb43ccfcca8748013636e8d249cd91e1b08b30358d00df0decaec5782d2af85274e7b70784d4e58c934dfe5112fdcb4006de2a5dbe9c76dae9ed1f81
-
Filesize
774KB
MD58bcd300c69b67e78b09cf07aecfa14fb
SHA1d92bdb71d8b8477a3f0838360191aecc459a3c09
SHA256d62d59db60544bd44db6d710f3b6d48608bee022d908dc46d16885e79dd1ca0d
SHA512393667c3423ed6defeca5c7c51c3244106ebb737398b34822a38edf9fa68cead72016a77c29d4f47d0c5c784c6339e8080d3b35eb17d325658a951c464951cf4
-
Filesize
309KB
MD552c3b9ac0484ece3b524a9526272f88e
SHA1c07268de6a13290acbf58ec5ef75e2468533d791
SHA256210876c0ff70ffaa88a05f9ef794a96136549f4168e940e256fb4ac85b0fff71
SHA512da7710404e5630509eeaf9e318e2a4a2d9c4f269aee6cdce5d2a8f128094e7c92940312fda9913f5c44dce5159b59159f40137ddb2e7975e450f30c6a7b24f47