Malware Analysis Report

2025-08-05 23:22

Sample ID 250120-n8sq6sykap
Target JaffaCakes118_e699dbd72ba9dee2511beb9e8f41fbdc
SHA256 78007a8d9ab75cb5ff4039a9627925a0eb5a32f137148a2c3dd4e1a8dc7f2be9
Tags
adware discovery stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

78007a8d9ab75cb5ff4039a9627925a0eb5a32f137148a2c3dd4e1a8dc7f2be9

Threat Level: Shows suspicious behavior

The file JaffaCakes118_e699dbd72ba9dee2511beb9e8f41fbdc was found to show suspicious behavior.

Malicious Activity Summary

adware discovery stealer

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Installs/modifies Browser Helper Object

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of SendNotifyMessage

Modifies registry class

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-20 12:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-20 12:04

Reported

2025-01-20 12:06

Platform

win7-20240903-en

Max time kernel

122s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e699dbd72ba9dee2511beb9e8f41fbdc.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target Events
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e699dbd72ba9dee2511beb9e8f41fbdc.exe N/A 4
N/A N/A C:\Users\Admin\AppData\Local\Temp\pipi_dae_392.exe N/A 4
N/A N/A C:\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe N/A 3
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A 9
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A 13
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A 2
N/A N/A C:\pipi\PIPIStartSvr.exe N/A 3
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A 2
N/A N/A C:\pipi\jfCacheMgr.exe N/A 17

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A3440C6-F123-4CAB-84EE-C814E1AE0D8F} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1A3440C6-F123-4CAB-84EE-C814E1AE0D8F}\ = "PIPI Link Helper" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\mcckmplayervod.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Windows\SysWOW64\pncrt.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Windows\SysWOW64\pncrt.dll C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\PIPI_Update.job C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A
File opened for modification C:\Windows\Tasks\PIPI_Update.job C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target Events
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A 4
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e699dbd72ba9dee2511beb9e8f41fbdc.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pipi_dae_392.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\pipi\PIPIStartSvr.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\pipi\jfCacheMgr.exe N/A 1

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\URLSearchHooks C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{1E315374-71A5-471A-B683-4C4ADB5C588B} C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A74BF134-5213-46B5-AF36-CE1888315DC7}\TypeLib\ = "{DDB55E8E-A844-4558-8D7D-8511352BE59F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A74BF134-5213-46B5-AF36-CE1888315DC7}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.flv\shell\pipiopen\command\ = "\"C:\\pipi\\PIPIPlayer.exe\" \"%L\"" C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09571A4B-F1FE-4C60-9760-DE6D310C7C31}\ = "CoreAVC Video Decoder" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{51C2E23D-3022-4A1F-AD4F-AFFE2812F8FC}\TypeLib\ = "{F6887547-369E-42FB-9921-85DBD895FF76}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAAEA28A-47CA-460B-B13F-D4155E4C9452}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E315374-71A5-471A-B683-4C4ADB5C588B}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.wav\shell\pipiopen C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.mp3\shell\pipiopen C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.3gp\shell\pipiopen\command\ = "\"C:\\pipi\\PIPIPlayer.exe\" \"%L\"" C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6AC7C19E-8CA0-4E3D-9A9F-2881DE29E0AC}\FriendlyName = "CoreAAC Audio Decoder" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEE3F8D5-2D71-4101-BF11-191A0C46633E}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.ram\shell\pipiopen C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{51C2E23D-3022-4A1F-AD4F-AFFE2812F8FC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAAEA28A-47CA-460B-B13F-D4155E4C9452} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A74BF134-5213-46B5-AF36-CE1888315DC7}\MiscStatus\1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.mpeg\shell\pipiopen\ = "Play With PIPIPlayer" C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ppfilm C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A74BF134-5213-46B5-AF36-CE1888315DC7}\MiscStatus\1 C:\pipi\jfCacheMgr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E315374-71A5-471A-B683-4C4ADB5C588B}\ProgID\ = "JfCheck.JfURLSearchHook.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{51C2E23D-3022-4A1F-AD4F-AFFE2812F8FC}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C395D46-8B0F-440D-B962-2F4A97355453}\InprocServer32\ = "C:\\pipi\\codec\\MPCVideoDec.ax" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2FA20E2A-496E-4CAC-8D07-B5C227EBD3FA}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.wmv\shell\pipiopen\command\ = "\"C:\\pipi\\PIPIPlayer.exe\" \"%L\"" C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.wma\shell\pipiopen\command C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.mpeg\shell\pipiopen\command\ = "\"C:\\pipi\\PIPIPlayer.exe\" \"%L\"" C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JfCheck.JfURLSearchHook.1\ = "PIPI Link Helper" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mpeg\shell\pipiopen\ = "Play With PIPIPlayer" C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.swf\shell\pipiopen C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.3gp\shell C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ppfilm\shell\open\command C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A74BF134-5213-46B5-AF36-CE1888315DC7}\ProgID C:\pipi\jfCacheMgr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CC10D1C-1032-4570-9BAA-607466123845}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.asf\shell\pipiopen C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A74BF134-5213-46B5-AF36-CE1888315DC7}\MiscStatus\1\ = "721297" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PIPIWEBPLAYER.PIPIWebPlayerCtrl.1\Insertable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.ram\shell\pipiopen\ = "Play With PIPIPlayer" C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ppfilm\DefaultIcon C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JfCheck.JfURLSearchHook\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BEE3F8D5-2D71-4101-BF11-191A0C46633E}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{51C2E23D-3022-4A1F-AD4F-AFFE2812F8FC}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC01812C-C71E-40BF-BA2B-57732DF25204}\TypeLib\ = "{B52AEEE2-D8D7-4BB0-AB1E-2E1862F2033B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.ram\shell C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C395D46-8B0F-440D-B962-2F4A97355453}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JfCheck.Jfchk.1\ = "Jfchk Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JfCheck.JfURLSearchHook.1\CLSID\ = "{1E315374-71A5-471A-B683-4C4ADB5C588B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.amr\shell\pipiopen\command\ = "\"C:\\pipi\\PIPIPlayer.exe\" \"%L\"" C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.asx\shell\pipiopen\command C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.mp3\shell\pipiopen\ = "Play With PIPIPlayer" C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.mkv\shell C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10DF8601-815A-475D-990A-8916C7F03D5B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.amr\shell\pipiopen\ = "Play With PIPIPlayer" C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{714B097F-80F2-4348-8E2A-7CCA82BAFE41}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.3gp\shell\pipiopen C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer\shell\open C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2CC10D1C-1032-4570-9BAA-607466123845}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2FA20E2A-496E-4CAC-8D07-B5C227EBD3FA} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BEE3F8D5-2D71-4101-BF11-191A0C46633E}\ = "_IMCCKMPlayerXCEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{714B097F-80F2-4348-8E2A-7CCA82BAFE41}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{714B097F-80F2-4348-8E2A-7CCA82BAFE41}\ = "PSFactoryBuffer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer\shell\open\command C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{632C6705-17AB-4407-9281-F60D0A7726BE}\ToolboxBitmap32\ = "C:\\pipi\\JfCheck.dll, 101" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.wmv\shell C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.ram\shell\pipiopen C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp N/A
N/A N/A C:\pipi\jfCacheMgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\pipi\jfCacheMgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\pipi\jfCacheMgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target Events
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e699dbd72ba9dee2511beb9e8f41fbdc.exe N/A 1
N/A N/A C:\pipi\jfCacheMgr.exe N/A 3

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 2828 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e699dbd72ba9dee2511beb9e8f41fbdc.exe C:\Users\Admin\AppData\Local\Temp\pipi_dae_392.exe 7
PID 2724 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\pipi_dae_392.exe C:\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe 7
PID 2752 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp 7
PID 2732 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp C:\Windows\SysWOW64\regsvr32.exe 7
PID 2732 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp C:\Windows\SysWOW64\regsvr32.exe 7
PID 2732 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp C:\Windows\SysWOW64\regsvr32.exe 7
PID 2732 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp C:\Windows\SysWOW64\regsvr32.exe 7
PID 2732 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp C:\Windows\SysWOW64\regsvr32.exe 7
PID 2732 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp C:\Windows\SysWOW64\regsvr32.exe 7
PID 2732 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp C:\pipi\PIPIStartSvr.exe 1

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e699dbd72ba9dee2511beb9e8f41fbdc.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e699dbd72ba9dee2511beb9e8f41fbdc.exe"

C:\Users\Admin\AppData\Local\Temp\pipi_dae_392.exe

"C:\Users\Admin\AppData\Local\Temp\pipi_dae_392.exe"

C:\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe

C:\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe /verysilent

C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp

"C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp" /SL5="$90216,6213687,71168,C:\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe" /verysilent

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\pipi\JfCheck.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\pipi\MCCKMPlayerX.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\pipi\PIPIWebPlayer.ocx"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\pipi\codec\CoreAAC.ax"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\pipi\codec\CoreAVC.ax"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\pipi\codec\MPCVideoDec.ax"

C:\pipi\PIPIStartSvr.exe

"C:\pipi\PIPIStartSvr.exe" -i

C:\pipi\jfCacheMgr.exe

"C:\pipi\jfCacheMgr.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 recommend.pipi.cn udp
US 8.8.8.8:53 query.pipisite.com udp

Files

\Users\Admin\AppData\Local\Temp\pipi_dae_392.exe

\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe

\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp

memory/2752-28-0x0000000000400000-0x0000000000418000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-FKEO2.tmp\_isetup\_shfoldr.dll

\Users\Admin\AppData\Local\Temp\is-FKEO2.tmp\jpg2bmp.dll

memory/2732-48-0x0000000000310000-0x0000000000338000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-FKEO2.tmp\PIPIRecommend.dll

C:\pipi\jfCacheMgr.exe

\pipi\PIPIPlayer.exe

\pipi\KmFileTypeSetting.exe

\pipi\unins000.exe

C:\pipi\JfCheck.dll

C:\pipi\MCCKMPlayerX.dll

C:\pipi\MFC71.DLL

C:\pipi\MSVCR71.dll

C:\pipi\MSVCP71.dll

C:\Windows\SysWOW64\config\mcckmplayervod.ini

C:\pipi\PIPIWebPlayer.ocx

C:\pipi\jfres_plug.dll

C:\pipi\config\partner.ini

C:\pipi\config\config.ini

C:\pipi\config\enumwindow.ini

C:\pipi\codec\rm\pncrt.dll

C:\pipi\codec\CoreAAC.ax

C:\pipi\codec\CoreAVC.ax

C:\pipi\codec\MPCVideoDec.ax

\pipi\PIPIStartSvr.exe

C:\pipi\topWizardSmallImageFile.jpg

C:\pipi\setupwelcome.JPG

C:\pipi\wizard_recommand.JPG

C:\pipi\google_logo.JPG

C:\pipi\config\skin.ini

C:\pipi\baidu_logo.JPG

C:\Users\Admin\AppData\Local\Temp\is-FKEO2.tmp\topWizardSmallImageFile.bmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-20 12:04

Reported

2025-01-20 12:07

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e699dbd72ba9dee2511beb9e8f41fbdc.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e699dbd72ba9dee2511beb9e8f41fbdc.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A3440C6-F123-4CAB-84EE-C814E1AE0D8F} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A3440C6-F123-4CAB-84EE-C814E1AE0D8F}\ = "PIPI Link Helper" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\mcckmplayervod.ini C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\Windows\SysWOW64\pncrt.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\Windows\SysWOW64\pncrt.dll C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\PIPI_Update.job C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp N/A
File opened for modification C:\Windows\Tasks\PIPI_Update.job C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\pipi\jfCacheMgr.exe

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\pipi\PIPIStartSvr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e699dbd72ba9dee2511beb9e8f41fbdc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\pipi\jfCacheMgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pipi_dae_392.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\URLSearchHooks C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{1E315374-71A5-471A-B683-4C4ADB5C588B} C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A2-7548-11CF-A520-0080C77EF58A} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{D51BD5A3-7548-11CF-A520-0080C77EF58A} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mp3\shell\pipiopen\ = "Play With PIPIPlayer" C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBFC1A2A-D3A2-4610-847D-26592022F86E} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB84-524F-11CE-9F53-0020AF0BA770} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.wmv C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9783F9D-7E56-4205-9CA1-225CD9349BD7}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A1-7548-11CF-A520-0080C77EF58A}\CLSID = "{D51BD5A1-7548-11CF-A520-0080C77EF58A}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.flv\shell\pipiopen\ = "Play With PIPIPlayer" C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2745192-8F50-4ACC-AA27-2AC0B85A875F}\ = "PIPIWebPlayer Property Page" C:\pipi\jfCacheMgr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{632C6705-17AB-4407-9281-F60D0A7726BE}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JfCheck.MVSearch.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F26A6CD-967B-47FD-874A-7AED2C9D25A2}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6F26A6CD-967B-47FD-874A-7AED2C9D25A2}\CLSID = "{6F26A6CD-967B-47FD-874A-7AED2C9D25A2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4665E44B-8B9A-4515-A086-E94ECE374608}\ = "CoreAAC Audio Decoder About" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A3440C6-F123-4CAB-84EE-C814E1AE0D8F}\InprocServer32\ = "C:\\pipi\\JfCheck.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CC10D1C-1032-4570-9BAA-607466123845} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1DA08500-9EDC-11CF-BC10-00AA00AC74F6}\FilterData = 0200000000004000020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000007669647300001000800000aa00389b717aeb36e44f52ce119f530020af0ba77079eb36e44f52ce119f530020af0ba770 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.asf\shell\pipiopen\ = "Play With PIPIPlayer" C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{187463A0-5BB7-11D3-ACBE-0080C75E246E} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC01812C-C71E-40BF-BA2B-57732DF25204}\ = "MCCKMPlayerXC" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC01812C-C71E-40BF-BA2B-57732DF25204}\MiscStatus\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6F26A6CD-967B-47FD-874A-7AED2C9D25A2}\FilterData = 0200000000006000030000000000000030706933000000000000000001000000000000000000000030747933000000008800000098000000317069330000000000000000010000000000000000000000307479330000000088000000a8000000327069330800000000000000010000000000000000000000307479330000000088000000b80000007669647300001000800000aa00389b71406a9b5a221ad111bad900609744111a416a9b5a221ad111bad900609744111a00000000000000000000000000000000 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB8C-524F-11CE-9F53-0020AF0BA770} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A760-90C8-11D0-BD43-00A0C911CE86}\Instance\MJPEG Compressor C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DDB55E8E-A844-4558-8D7D-8511352BE59F}\1.0\HELPDIR\ = "C:\\pipi" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.mp3\shell C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAAEA28A-47CA-460B-B13F-D4155E4C9452}\ = "_DPIPIWebPlayerEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BEE3F8D5-2D71-4101-BF11-191A0C46633E}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A3-7548-11CF-A520-0080C77EF58A}\FriendlyName = "Multi-file Parser" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB85-524F-11CE-9F53-0020AF0BA770} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DDB55E8E-A844-4558-8D7D-8511352BE59F}\1.0\0\win32\ = "C:\\pipi\\PIPIWebPlayer.ocx" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5210f8e4-b0bb-47c3-a8d9-7b2282cc79ed}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74BF134-5213-46B5-AF36-CE1888315DC7}\ToolboxBitmap32\ = "C:\\pipi\\PIPIWE~1.OCX, 1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.asf\shell C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JfCheck.Jfchk.1\ = "Jfchk Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{714B097F-80F2-4348-8E2A-7CCA82BAFE41}\TypeLib\ = "{B52AEEE2-D8D7-4BB0-AB1E-2E1862F2033B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D51BD5A5-7548-11CF-A520-0080C77EF58A} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{A888DF60-1E90-11CF-AC98-00AA004C0FA9}\CLSID = "{A888DF60-1E90-11CF-AC98-00AA004C0FA9}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5AA0389-D274-48E1-BF50-ACB05A56DDE0}\InprocServer32\ = "C:\\pipi\\codec\\MPCVideoDec.ax" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ppfilm\shell\open\ C:\pipi\jfCacheMgr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories C:\pipi\jfCacheMgr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E436EBB5-524F-11CE-9F53-0020AF0BA770}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E651CC0-B199-11D0-8212-00C04FC32C45} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\file C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.asf\shell\pipiopen\command C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PIPIWEBPLAYER.PIPIWebPlayerCtrl.1 C:\pipi\jfCacheMgr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A3-7548-11CF-A520-0080C77EF58A} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DF8601-815A-475D-990A-8916C7F03D5B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mpeg\shell\pipiopen C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.rmvb\shell\pipiopen\ = "Play With PIPIPlayer" C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC01812C-C71E-40BF-BA2B-57732DF25204}\TypeLib\ = "{B52AEEE2-D8D7-4BB0-AB1E-2E1862F2033B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.flv\shell\pipiopen C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B52AEEE2-D8D7-4BB0-AB1E-2E1862F2033B}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{301056D0-6DFF-11D2-9EEB-006008039E37}\FilterData = 0200000000006000020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000007669647300001000800000aa00389b714d4a504700001000800000aa00389b7100000000000000000000000000000000 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D3588AB0-0781-11CE-B03A-0020AF0BA770}\FilterData = 02000000000040000200000000000000307069330d0000000000000001000000000000000000000030747933000000006000000070000000317069330d00000000000000010000000000000000000000307479330000000080000000700000007669647300001000800000aa00389b71000000000000000000000000000000006175647300001000800000aa00389b71 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mpg\shell\pipiopen C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{09571A4B-F1FE-4C60-9760-DE6D310C7C31}\FilterData = (value elided) C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{632C6705-17AB-4407-9281-F60D0A7726BE}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E436EBB7-524F-11CE-9F53-0020AF0BA770} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JfCheck.JfURLSearchHook C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{59CE6880-ACF8-11CF-B56E-0080C7C4B68A}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.wmv\shell\pipiopen\command C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp N/A
N/A N/A C:\pipi\jfCacheMgr.exe N/A
N/A N/A C:\pipi\jfCacheMgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e699dbd72ba9dee2511beb9e8f41fbdc.exe N/A
N/A N/A C:\pipi\jfCacheMgr.exe N/A
N/A N/A C:\pipi\jfCacheMgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5012 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e699dbd72ba9dee2511beb9e8f41fbdc.exe C:\Users\Admin\AppData\Local\Temp\pipi_dae_392.exe
PID 5012 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e699dbd72ba9dee2511beb9e8f41fbdc.exe C:\Users\Admin\AppData\Local\Temp\pipi_dae_392.exe
PID 5012 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e699dbd72ba9dee2511beb9e8f41fbdc.exe C:\Users\Admin\AppData\Local\Temp\pipi_dae_392.exe
PID 1132 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\pipi_dae_392.exe C:\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe
PID 1132 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\pipi_dae_392.exe C:\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe
PID 1132 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\pipi_dae_392.exe C:\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe
PID 3408 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp
PID 3408 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp
PID 3408 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp
PID 3964 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3964 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3964 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3964 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3964 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3964 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3964 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3964 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3964 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3964 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3964 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3964 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3964 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3964 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3964 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3964 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3964 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3964 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp C:\Windows\SysWOW64\regsvr32.exe
PID 3964 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp C:\pipi\PIPIStartSvr.exe
PID 3964 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp C:\pipi\PIPIStartSvr.exe
PID 3964 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp C:\pipi\PIPIStartSvr.exe
PID 3964 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp C:\pipi\jfCacheMgr.exe
PID 3964 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp C:\pipi\jfCacheMgr.exe
PID 3964 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp C:\pipi\jfCacheMgr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e699dbd72ba9dee2511beb9e8f41fbdc.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e699dbd72ba9dee2511beb9e8f41fbdc.exe"

C:\Users\Admin\AppData\Local\Temp\pipi_dae_392.exe

"C:\Users\Admin\AppData\Local\Temp\pipi_dae_392.exe"

C:\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe

C:\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe /verysilent

C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp

"C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp" /SL5="$5026E,6213687,71168,C:\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe" /verysilent

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\pipi\JfCheck.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\pipi\MCCKMPlayerX.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\pipi\PIPIWebPlayer.ocx"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\pipi\codec\CoreAAC.ax"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\pipi\codec\CoreAVC.ax"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\pipi\codec\MPCVideoDec.ax"

C:\pipi\PIPIStartSvr.exe

"C:\pipi\PIPIStartSvr.exe" -i

C:\pipi\jfCacheMgr.exe

"C:\pipi\jfCacheMgr.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3960 -ip 3960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 632

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 recommend.pipi.cn udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 217.72.21.2.in-addr.arpa udp
US 8.8.8.8:53 120.250.22.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files
