Analysis Overview
SHA256
78007a8d9ab75cb5ff4039a9627925a0eb5a32f137148a2c3dd4e1a8dc7f2be9
Threat Level: Shows suspicious behavior
The file JaffaCakes118_e699dbd72ba9dee2511beb9e8f41fbdc was found to show suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Installs/modifies Browser Helper Object
Checks installed software on the system
Drops file in System32 directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of SendNotifyMessage
Modifies registry class
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-20 12:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-20 12:04
Reported
2025-01-20 12:06
Platform
win7-20240903-en
Max time kernel
122s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pipi_dae_392.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| N/A | N/A | C:\pipi\PIPIStartSvr.exe | N/A |
| N/A | N/A | C:\pipi\jfCacheMgr.exe | N/A |
Loads dropped DLL
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A3440C6-F123-4CAB-84EE-C814E1AE0D8F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1A3440C6-F123-4CAB-84EE-C814E1AE0D8F}\ = "PIPI Link Helper" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\mcckmplayervod.ini | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Windows\SysWOW64\pncrt.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pncrt.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\PIPI_Update.job | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| File opened for modification | C:\Windows\Tasks\PIPI_Update.job | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e699dbd72ba9dee2511beb9e8f41fbdc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\pipi_dae_392.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\pipi\PIPIStartSvr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\pipi\jfCacheMgr.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\URLSearchHooks | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{1E315374-71A5-471A-B683-4C4ADB5C588B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A74BF134-5213-46B5-AF36-CE1888315DC7}\TypeLib\ = "{DDB55E8E-A844-4558-8D7D-8511352BE59F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A74BF134-5213-46B5-AF36-CE1888315DC7}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.flv\shell\pipiopen\command\ = "\"C:\\pipi\\PIPIPlayer.exe\" \"%L\"" | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09571A4B-F1FE-4C60-9760-DE6D310C7C31}\ = "CoreAVC Video Decoder" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{51C2E23D-3022-4A1F-AD4F-AFFE2812F8FC}\TypeLib\ = "{F6887547-369E-42FB-9921-85DBD895FF76}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAAEA28A-47CA-460B-B13F-D4155E4C9452}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E315374-71A5-471A-B683-4C4ADB5C588B}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.wav\shell\pipiopen | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.mp3\shell\pipiopen | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.3gp\shell\pipiopen\command\ = "\"C:\\pipi\\PIPIPlayer.exe\" \"%L\"" | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6AC7C19E-8CA0-4E3D-9A9F-2881DE29E0AC}\FriendlyName = "CoreAAC Audio Decoder" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEE3F8D5-2D71-4101-BF11-191A0C46633E}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.ram\shell\pipiopen | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{51C2E23D-3022-4A1F-AD4F-AFFE2812F8FC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAAEA28A-47CA-460B-B13F-D4155E4C9452} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A74BF134-5213-46B5-AF36-CE1888315DC7}\MiscStatus\1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.mpeg\shell\pipiopen\ = "Play With PIPIPlayer" | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ppfilm | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A74BF134-5213-46B5-AF36-CE1888315DC7}\MiscStatus\1 | C:\pipi\jfCacheMgr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E315374-71A5-471A-B683-4C4ADB5C588B}\ProgID\ = "JfCheck.JfURLSearchHook.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{51C2E23D-3022-4A1F-AD4F-AFFE2812F8FC}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C395D46-8B0F-440D-B962-2F4A97355453}\InprocServer32\ = "C:\\pipi\\codec\\MPCVideoDec.ax" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2FA20E2A-496E-4CAC-8D07-B5C227EBD3FA}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.wmv\shell\pipiopen\command\ = "\"C:\\pipi\\PIPIPlayer.exe\" \"%L\"" | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.wma\shell\pipiopen\command | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.mpeg\shell\pipiopen\command\ = "\"C:\\pipi\\PIPIPlayer.exe\" \"%L\"" | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JfCheck.JfURLSearchHook.1\ = "PIPI Link Helper" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mpeg\shell\pipiopen\ = "Play With PIPIPlayer" | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.swf\shell\pipiopen | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.3gp\shell | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ppfilm\shell\open\command | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A74BF134-5213-46B5-AF36-CE1888315DC7}\ProgID | C:\pipi\jfCacheMgr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CC10D1C-1032-4570-9BAA-607466123845}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.asf\shell\pipiopen | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A74BF134-5213-46B5-AF36-CE1888315DC7}\MiscStatus\1\ = "721297" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PIPIWEBPLAYER.PIPIWebPlayerCtrl.1\Insertable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.ram\shell\pipiopen\ = "Play With PIPIPlayer" | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ppfilm\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JfCheck.JfURLSearchHook\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BEE3F8D5-2D71-4101-BF11-191A0C46633E}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{51C2E23D-3022-4A1F-AD4F-AFFE2812F8FC}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DC01812C-C71E-40BF-BA2B-57732DF25204}\TypeLib\ = "{B52AEEE2-D8D7-4BB0-AB1E-2E1862F2033B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.ram\shell | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C395D46-8B0F-440D-B962-2F4A97355453}\InprocServer32\ThreadingModel = "Both" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JfCheck.Jfchk.1\ = "Jfchk Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JfCheck.JfURLSearchHook.1\CLSID\ = "{1E315374-71A5-471A-B683-4C4ADB5C588B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.amr\shell\pipiopen\command\ = "\"C:\\pipi\\PIPIPlayer.exe\" \"%L\"" | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.asx\shell\pipiopen\command | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.mp3\shell\pipiopen\ = "Play With PIPIPlayer" | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.mkv\shell | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10DF8601-815A-475D-990A-8916C7F03D5B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.amr\shell\pipiopen\ = "Play With PIPIPlayer" | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{714B097F-80F2-4348-8E2A-7CCA82BAFE41}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.3gp\shell\pipiopen | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer\shell\open | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2CC10D1C-1032-4570-9BAA-607466123845}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2FA20E2A-496E-4CAC-8D07-B5C227EBD3FA} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BEE3F8D5-2D71-4101-BF11-191A0C46633E}\ = "_IMCCKMPlayerXCEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{714B097F-80F2-4348-8E2A-7CCA82BAFE41}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{714B097F-80F2-4348-8E2A-7CCA82BAFE41}\ = "PSFactoryBuffer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer\shell\open\command | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{632C6705-17AB-4407-9281-F60D0A7726BE}\ToolboxBitmap32\ = "C:\\pipi\\JfCheck.dll, 101" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.wmv\shell | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.ram\shell\pipiopen | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| N/A | N/A | C:\pipi\jfCacheMgr.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\pipi\jfCacheMgr.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\pipi\jfCacheMgr.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e699dbd72ba9dee2511beb9e8f41fbdc.exe | N/A |
| N/A | N/A | C:\pipi\jfCacheMgr.exe | N/A |
| N/A | N/A | C:\pipi\jfCacheMgr.exe | N/A |
| N/A | N/A | C:\pipi\jfCacheMgr.exe | N/A |
Suspicious use of WriteProcessMemory
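The signature tables above list the registry and file artifacts an incident responder would sweep other hosts for: the Browser Helper Object CLSID, the Internet Explorer URLSearchHook CLSID, the PIPI_Update.job task file, the pncrt.dll dropped into SysWOW64, COM servers registered out of C:\pipi, and "pipiopen" shell verbs added under other products' ProgIDs (VLC.*, KmMediaPlayer.*). The script below is an added example, not part of the report or of the PIPI software. It parses rows in the report's own `| Description | Indicator | Process | Target |` layout (the sample rows are copied from the tables above) and pulls those indicators out. The list of "trusted" directories is an assumption for this example. Note that the report writes registry paths in kernel form: `\REGISTRY\MACHINE` is HKLM and `\REGISTRY\USER\<SID>` is HKU\<SID>.

```python
r"""Pull host persistence indicators out of sandbox signature rows.

Added example, not part of the report or of the PIPI software. Parses the
'| Description | Indicator | Process | Target |' rows shown above and extracts
the registry/file artifacts worth sweeping for. TRUSTED_DIRS is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample: rows copied from the behavioral1 signature tables above,
# plus one NLS\Language row to show that noise rows are ignored.
ROWS = r"""
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A3440C6-F123-4CAB-84EE-C814E1AE0D8F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1A3440C6-F123-4CAB-84EE-C814E1AE0D8F}\ = "PIPI Link Helper" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Windows\SysWOW64\pncrt.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Windows\Tasks\PIPI_Update.job | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{1E315374-71A5-471A-B683-4C4ADB5C588B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C395D46-8B0F-440D-B962-2F4A97355453}\InprocServer32\ = "C:\\pipi\\codec\\MPCVideoDec.ax" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C395D46-8B0F-440D-B962-2F4A97355453}\InprocServer32\ThreadingModel = "Both" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.flv\shell\pipiopen\command\ = "\"C:\\pipi\\PIPIPlayer.exe\" \"%L\"" | C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
"""

GUID = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
# Assumption: code under these trees is expected; anything else deserves a look.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_rows(text):
    """Turn the report's pipe-separated rows into dicts; skip headers and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) == 4 and cells[0] != "Description":
            rows.append(dict(zip(("desc", "indicator", "process", "target"), cells)))
    return rows


def split_setvalue(indicator):
    r"""'<key>\<name> = "<data>"' -> (key, name, data). The report escapes \\ and \" in data."""
    lhs, sep, rhs = indicator.partition(' = "')
    if not sep or not rhs.endswith('"'):
        return None
    key, _, name = lhs.rpartition("\\")           # name is '' for the (Default) value
    data = rhs[:-1].replace('\\"', '"').replace("\\\\", "\\")
    return key, name, data


def untrusted(path):
    return not path.lower().startswith(TRUSTED_DIRS)


def first_exe(command):
    r"""Image path from a shell command ('"C:\x.exe" "%L"' -> C:\x.exe)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]


def extract_indicators(rows):
    found = defaultdict(set)
    for r in rows:
        ind, desc, up = r["indicator"], r["desc"], r["indicator"].upper()
        if "\\BROWSER HELPER OBJECTS\\{" in up:          # IE BHO persistence
            found["bho_clsid"].add(GUID.search(ind).group(0))
        elif "\\URLSEARCHHOOKS\\{" in up:                 # IE URL search hook
            found["urlsearchhook_clsid"].add(GUID.search(ind).group(0))
        elif desc == "File created" and up.startswith("C:\\WINDOWS\\TASKS\\"):
            found["scheduled_task"].add(ind)              # legacy .job scheduled task
        elif desc == "File created" and ind.lower().startswith(SYSTEM_DIRS):
            found["system32_drop"].add(ind)               # third-party DLL in a system directory
        elif desc.startswith("Set value"):
            parsed = split_setvalue(ind)
            if not parsed:
                continue
            key, name, data = parsed
            lkey = key.lower()
            if lkey.endswith("\\inprocserver32") and name == "" and untrusted(data):
                found["com_server"].add((GUID.search(key).group(0), data))   # COM server outside trusted dirs
            elif "\\classes\\" in lkey and lkey.endswith("\\command") and name == "":
                parts = key.split("\\")
                lparts = [p.lower() for p in parts]
                if "shell" in lparts:
                    i = lparts.index("shell")
                    exe = first_exe(data)
                    if untrusted(exe):                    # shell verb added under another ProgID
                        found["shell_verb"].add((parts[i - 1], parts[i + 1], exe))
    return {k: sorted(v) for k, v in found.items()}


if __name__ == "__main__":
    for kind, items in extract_indicators(parse_rows(ROWS)).items():
        print(kind)
        for item in items:
            print("   ", item)
```

The output groups indicators by the mechanism they use, so each can be turned into the matching host query: a registry sweep for the two CLSIDs and the InprocServer32 path, a file sweep for the .job and the DLL in SysWOW64, and a check of the `shell\pipiopen\command` verbs under ProgIDs the installer did not own.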
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e699dbd72ba9dee2511beb9e8f41fbdc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e699dbd72ba9dee2511beb9e8f41fbdc.exe"
C:\Users\Admin\AppData\Local\Temp\pipi_dae_392.exe
"C:\Users\Admin\AppData\Local\Temp\pipi_dae_392.exe"
C:\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe
C:\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe /verysilent
C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp" /SL5="$90216,6213687,71168,C:\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe" /verysilent
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\pipi\JfCheck.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\pipi\MCCKMPlayerX.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\pipi\PIPIWebPlayer.ocx"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\pipi\codec\CoreAAC.ax"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\pipi\codec\CoreAVC.ax"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\pipi\codec\MPCVideoDec.ax"
C:\pipi\PIPIStartSvr.exe
"C:\pipi\PIPIStartSvr.exe" -i
C:\pipi\jfCacheMgr.exe
"C:\pipi\jfCacheMgr.exe"
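The process list above shows the full chain: the sample runs from the user's Temp directory, drops and launches an installer, which hands off to a second-stage setup.tmp, which in turn calls regsvr32.exe /s six times to register DLL, OCX and .ax modules out of C:\pipi, before two binaries from C:\pipi start on their own. Two details worth reading correctly: the `is-XXXXX.tmp` directory, the `/SL5="$handle,offset,size,parent"` switch and the `/verysilent` flag are Inno Setup conventions (unins000.exe and `_isetup\_shfoldr.dll` under Files are the same installer's artifacts), and every regsvr32 command line names C:\Windows\system32 while the process image is C:\Windows\SysWOW64\regsvr32.exe, which is WoW64 file-system redirection for a 32-bit installer on a 64-bit host; that is also why the registry keys land under Wow6432Node. The script below is an added example, not code from the report or from the PIPI software: it runs detection rules over (image, command line) pairs built from the Processes section and flags regsvr32 proxy execution of modules outside the OS and Program Files trees (MITRE T1218.010), executables launched from Temp, silent Inno Setup runs, and the redirection note. The trusted-directory list is an assumption.

```python
r"""Triage sandbox process entries for proxy-execution and staging patterns.

Added example, not from the report or the PIPI software. Rules: regsvr32 /s
registering a module outside TRUSTED_DIRS (T1218.010), executables run from
%TEMP% or from outside the program directories, Inno Setup /verysilent and
/SL5= second-stage markers, and WoW64 redirection (system32 named on the
command line, SysWOW64 image). TRUSTED_DIRS is an assumption.
"""
import re

# Constructed sample: the (image, command line) pairs from the Processes section above.
PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e699dbd72ba9dee2511beb9e8f41fbdc.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e699dbd72ba9dee2511beb9e8f41fbdc.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\pipi_dae_392.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\pipi_dae_392.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe",
     r"C:\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe /verysilent"),
    (r"C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp",
     r'"C:\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp" /SL5="$90216,6213687,71168,C:\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe" /verysilent'),
] + [
    (r"C:\Windows\SysWOW64\regsvr32.exe", r'"C:\Windows\system32\regsvr32.exe" /s "%s"' % module)
    for module in (r"C:\pipi\JfCheck.dll", r"C:\pipi\MCCKMPlayerX.dll", r"C:\pipi\PIPIWebPlayer.ocx",
                   r"C:\pipi\codec\CoreAAC.ax", r"C:\pipi\codec\CoreAVC.ax", r"C:\pipi\codec\MPCVideoDec.ax")
] + [
    (r"C:\pipi\PIPIStartSvr.exe", r'"C:\pipi\PIPIStartSvr.exe" -i'),
    (r"C:\pipi\jfCacheMgr.exe", r'"C:\pipi\jfCacheMgr.exe"'),
]

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")  # assumption
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
TOKEN = re.compile(r'"[^"]*"|\S+')


def split_cmdline(cmdline):
    """Windows-style split: quoted runs stay together and lose their quotes."""
    return [t[1:-1] if t.startswith('"') and t.endswith('"') else t for t in TOKEN.findall(cmdline)]


def triage(image, cmdline):
    """Return (rule, detail) findings for one process; an empty list means nothing notable."""
    findings = []
    argv = split_cmdline(cmdline)
    low_image, low_cmd = image.lower(), cmdline.lower()
    name = low_image.rsplit("\\", 1)[-1]

    if any(marker in low_image for marker in TEMP_MARKERS):
        findings.append(("exec_from_temp", image))
    elif not low_image.startswith(TRUSTED_DIRS):
        findings.append(("exec_outside_program_dirs", image))

    if name == "regsvr32.exe":
        for module in (a for a in argv[1:] if not a.startswith("/")):
            if not module.lower().startswith(TRUSTED_DIRS):
                findings.append(("regsvr32_untrusted_module", module))   # T1218.010

    if low_image.startswith("c:\\windows\\syswow64\\") and "\\system32\\" in low_cmd:
        findings.append(("wow64_redirect",
                         "system32 on the command line but a SysWOW64 image; expect Wow6432Node keys"))

    if any(a.lower() in ("/verysilent", "/silent") for a in argv[1:]):
        findings.append(("silent_installer", image))
    for a in argv[1:]:
        if a.upper().startswith("/SL5="):
            # Inno Setup's setup.exe launches the extracted setup.tmp with /SL5="$handle,offset,size,parent"
            findings.append(("inno_setup_stage2", a.split(",", 3)[-1].strip('"')))
    return findings


def triage_all(processes):
    return [(image, rule, detail) for image, cmd in processes for rule, detail in triage(image, cmd)]


if __name__ == "__main__":
    for image, rule, detail in triage_all(PROCESSES):
        short = image.rsplit("\\", 1)[-1]
        print(f"{rule:28} {short:40} {detail}")
```

The `wow64_redirect` entry is informational rather than an alert: it reminds the analyst that a host query for this behaviour must look at the SysWOW64 image and the Wow6432Node registry view, not at the 64-bit ones the command line appears to name.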
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | recommend.pipi.cn | udp |
| US | 8.8.8.8:53 | query.pipisite.com | udp |
Files
\Users\Admin\AppData\Local\Temp\pipi_dae_392.exe
| MD5 | e209b3e6154589c34b7ebdad8d73980b |
| SHA1 | b0be9c6dc0d8627b754a3c2ff1044b191e3a9052 |
| SHA256 | 883184254d9e4abde6311df166143a5ff1c6845cdc86fc3dc6dcf3859f343d38 |
| SHA512 | 01be02ab5de0df44abf60434e9cf72ffc199fb9ea8e7df4e83b86581558cc8e0776262a164f172bc020add351261822dce57755287f92fb6f1fde1f0936e25cc |
\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe
| MD5 | cc3bba23d59e99c1bbd3727d77392518 |
| SHA1 | cd779107009e75ae256dcd93d472cb715dfa472e |
| SHA256 | 3303531c4370dab0b019c82f3ddb1294ac053bb9ce2b91cacc6370bbb3d20bf0 |
| SHA512 | 661fa143987313bcf0bd29409358b80f1261af3589382c6e639cefa3a54ac14bc0d45f3555a031456dd57fe41736171b0b147ab23dda495110452f4dd70f26da |
\Users\Admin\AppData\Local\Temp\is-IVMGS.tmp\pipi_setup_392.tmp
| MD5 | fb111f1c53146bc0e04b2103f7a4d4a3 |
| SHA1 | f3abb93fd2f3520929744075336acf0c33e4d544 |
| SHA256 | 03cfea10a4f72c59389fdc2f9cb465a3bf2baeddb074aa2cde711e622e4a5d78 |
| SHA512 | 03c4dc797737f7fdf66d5998c8c36a3c1b154398f0664f65a0c9b9485bd635698e6333d7bf756f9251f9512554c33817ce15942b38a55fe6bcd6e6bfdbb80855 |
memory/2752-28-0x0000000000400000-0x0000000000418000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-FKEO2.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\Temp\is-FKEO2.tmp\jpg2bmp.dll
| MD5 | df1fd0bed631d245485deeb4cfdc29f1 |
| SHA1 | 739579e6460091e567d53a2d0179bc3a2abeb038 |
| SHA256 | 2607f1f086472678f15e9fa6e0f21e91e816d8c4015d2ff3359e69263311d240 |
| SHA512 | 9c2e73ecefc9b5b1f1691bdcc9fb457fb387f83f8a8e466eba4a985392a9fdb9fd2d8799e65f65e4f54de6e8c7199196be82c8525633bbff9ec3f10fad05bd8c |
memory/2732-48-0x0000000000310000-0x0000000000338000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-FKEO2.tmp\PIPIRecommend.dll
| MD5 | 1ce3ea602274c3cc2e6037933e2b8bb2 |
| SHA1 | 9a6137688fec60e6247085beba8a5aa064069bc0 |
| SHA256 | c56af8733c25963a17abb24e7340e2cb98abdd37232741391b6771bcf2a3821b |
| SHA512 | d98070fec53eaa0ad39c72b38e493f828971864db2844e2c225b1ba1e803e9960f2d2b23610b569fe31875a05049d336e6932c6b5184dc5c8f78b01f36ad3b55 |
C:\pipi\jfCacheMgr.exe
| MD5 | 46f26ea44b601aceffb91595b949ff63 |
| SHA1 | 0a5e49443eb64e7e3395d578d852a2d61a8a2923 |
| SHA256 | c481592291afeea322c440d0b03323f2920cfb619e326e93f36dc28b52e2312e |
| SHA512 | b1edd7f979937669ae5e811b75d2114866307f03f258880f8d2c43aab76e1bea87c668cce2be6de7e019564c3354fdede508798a13cf41e8b5d5fa3507888610 |
memory/2752-217-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2732-218-0x0000000000400000-0x00000000004E1000-memory.dmp
\pipi\PIPIPlayer.exe
| MD5 | 19abe9404a640fb9d492e7432c123804 |
| SHA1 | fb06a19b30378cb9fb4dd72b62d1f3557658102e |
| SHA256 | 77eec39e9633cc07fb6fbdee6748c6c6be3003152a3cbdb07c3ae313ab65bd53 |
| SHA512 | 139b392e30c3b503d2fed0e6058b869fd653ae76530be050d8314daf12b0aa4e9a148b998ba6275d858c22da40fc9a96785787207236c839dad7fb6b5785f7bb |
\pipi\KmFileTypeSetting.exe
| MD5 | 773504a6e1b891dbda9e7cd906393df8 |
| SHA1 | 3dcda41aa9b14b9572870f3a961e8572c3dea4f2 |
| SHA256 | 5ed50ab0bfd7f3a0e7f7b7cb1b3a2a366c05e9630f8bf1b0435513f24fe1bdf2 |
| SHA512 | 36a5bc03a4fe7e219b18f6a1d90ff9611d304952ffe855f8a4b28f1459a5c7c8b306d4ecde3f49e79cdfbbf1007c026a2d8ed709eaf6f34de507c5f4caacce63 |
\pipi\unins000.exe
| MD5 | 2c6d392a649e15f0218a8c888ed85b8b |
| SHA1 | d823c2dd56b4d7b761a136b261d315e958d20b3e |
| SHA256 | 58cd2fddcac89292d5332b401cf61cab57cce5220352e9344b668874d00fc337 |
| SHA512 | 382417dd1f9a8f70b93644157a56ae473e74c371f95d269c5e99963c5096bec90d70f6efc24ec1fc598cf50fcbfc909f94a340d3cb05215810f04f063d6c3f87 |
C:\pipi\JfCheck.dll
| MD5 | 1657afe7575729742c65193390623784 |
| SHA1 | 27c648287b0400c2344fbc335bc78010b751efe3 |
| SHA256 | 7f3baae263dd7f486f83270b6ab241d5fa79610fa171eedbb320bdc6a74aa623 |
| SHA512 | b3aa8a4e4eac6b3bf9193c43a446c50a187c07f3d9c823ea83da131254928f8ef1a6a7c30ee1b667efb9a2521477bea5eb26cb5f282ce3c5672a33d3b7d3ce59 |
C:\pipi\MCCKMPlayerX.dll
| MD5 | 51ac0e8d96e644a5ac1c670b37269a9f |
| SHA1 | ef761c6b88b2ed9174184b364d9ef472bfb85ecb |
| SHA256 | 1f50f6ee5b6f2e0fbaed1fdd47c20bff5f7099d6b07a5cde23ba8e24120324f9 |
| SHA512 | ab9d57b2e5b18af3760f3b811ae2286101ac9ea948fa042073acdd543dca3b1bf8b8c758e2e4ab5696eaf0181d5e6824d2e6a0f78153bdc2b7f6eba0e78718ca |
C:\pipi\MFC71.DLL
| MD5 | f35a584e947a5b401feb0fe01db4a0d7 |
| SHA1 | 664dc99e78261a43d876311931694b6ef87cc8b9 |
| SHA256 | 4da5efdc46d126b45daeee8bc69c0ba2aa243589046b7dfd12a7e21b9bee6a32 |
| SHA512 | b1ced222c3b7e63e22d093c8aa3467f5ea20312fe76a112baed7c63d238bbe8dee94dfe8f42474f7b1de7aa7acb8ba8e2b36fdd0a3cda83ee85ac9a34f859fa4 |
C:\pipi\MSVCR71.dll
| MD5 | 86f1895ae8c5e8b17d99ece768a70732 |
| SHA1 | d5502a1d00787d68f548ddeebbde1eca5e2b38ca |
| SHA256 | 8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe |
| SHA512 | 3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da |
C:\pipi\MSVCP71.dll
| MD5 | 561fa2abb31dfa8fab762145f81667c2 |
| SHA1 | c8ccb04eedac821a13fae314a2435192860c72b8 |
| SHA256 | df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b |
| SHA512 | 7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43 |
C:\Windows\SysWOW64\config\mcckmplayervod.ini
| MD5 | 5378f5b11a7f76e5363bd9246670d2f4 |
| SHA1 | 58377e3e0763caca75e84dcf6595ed620e72430f |
| SHA256 | 352c88b52b5e831263ed4486ef774c38c5c36fc07375204f4d539a4ce8d756d1 |
| SHA512 | 38175ef3a721595f8204f1be010fbe48e033ba7746d05c6a6b4585c5a20dfbfe4d60d7dd6d3fd4166bc4fcfb7f83ba12e952cb13c31d499bbeb1f62a15e44480 |
memory/2092-338-0x0000000000120000-0x000000000012A000-memory.dmp
memory/2092-329-0x0000000000120000-0x000000000012A000-memory.dmp
C:\Windows\SysWOW64\config\mcckmplayervod.ini
| MD5 | c9fd3c9037f9a4484d0635868ea571e4 |
| SHA1 | 02ac3179b0ac4b6ea91fa861ebcae2bc8072bdb3 |
| SHA256 | e54b124bceed3b3495bb1298cb03276b7505d850f6e3386afaa4668adc41ae4c |
| SHA512 | 776bf5a8f2a6550ad837df16192a64b81decf071633ae130d77e51c509c75f7de9b62975e096366fa4b4361a582224c4ca32f7d75219a6f8614450ac784c266b |
C:\pipi\PIPIWebPlayer.ocx
| MD5 | cb2d2dc09a6e895817462579fbd04f72 |
| SHA1 | dae1d1db8d377e16e14de46b6aba7a343f9ce9c6 |
| SHA256 | 908868ced5007895a97a2bfe28137cfe21dbce7a0a406d4d6d73c733f6d01581 |
| SHA512 | e35c21871ea6b167b0bf01f94e45b352d033a9311052daf09184590e9af6e2ac45f13034d91306276f6c831e5c01cf39da972d670b61403cb6ff4f365ed3e45a |
C:\pipi\jfres_plug.dll
| MD5 | d429f2117ba8d39c28f85a8d7d50a7c6 |
| SHA1 | 042be6a8f49bbdc61b467bb018743ffccaca7262 |
| SHA256 | 896fd2153552f48b47ea98a171720020a09ce0cff5517a9e728a576a942b1c13 |
| SHA512 | 57de255f2d11bba70591f4b64e3f13d4ffac20892afe662adfa61de07ec656bf4c49303d04afbd31195a2447142c4303bde4f6c4b92c1147754fb09719ba165c |
C:\pipi\config\partner.ini
| MD5 | 23a7ec3ae915bf850ac0ca9fa4627efd |
| SHA1 | cf9b332f74bd6583e05ea448e7ca61e0840f46b0 |
| SHA256 | 4380b09b0804ff4910cd84b2231d5a671a7a40e7cb67c3276f9007fb1ef28294 |
| SHA512 | 2ca515e1bc2e64844db065d42b1f6f1b900b669ece1b403c4923ea2747103853b960f86eb6b2a8299afe265fd0827231d27519d69d72bbcf46abfd019d89885d |
C:\pipi\config\config.ini
| MD5 | e4a3f8797262dfaf39aea78e9f5dfc86 |
| SHA1 | f191ba6ed659c02fe025da21d7eeb7341a9c3ce2 |
| SHA256 | 0572dfd01784d4603573f60c8287ec9ec7751b8fe1e1abd96bed391029950c89 |
| SHA512 | dfb6429be8e555d1f0c0422909b929737e5b046e006f1f311e55ade3199a81c8c894b338fda4aeaca5b8d4000e451f8fbb2034c35b461f955c9d55fe1bff73e0 |
C:\pipi\config\enumwindow.ini
| MD5 | 97129f3dad72c31fc0c0522b13d8a8e9 |
| SHA1 | 5746b079d104ebc4ead8e3a1840a72caf9aeedac |
| SHA256 | 39b8d619b336a8edabe2b10ab945e0dbed4dc51dfe6453bdb884f48469e539ab |
| SHA512 | 984b150090134d35bf6172a7c06d98758d9898b8657cb891febf1b69e7e8fdbb27dd05a8e3d3cc148b1b4c7722bd8188941b4b32afae16e428595c9957d4a770 |
C:\pipi\codec\rm\pncrt.dll
| MD5 | 13001eb0a58b4de96126b16ab15fd8cc |
| SHA1 | 4dfe6d2d02e9fa194f4af3d054b458b5a4bafbe6 |
| SHA256 | e983aa97fe1ce6af92f06433a71e03f54d3fc78392e26691cace927094bab8d7 |
| SHA512 | 1a7c052bc1e7c824a3aff5e27c5cbd0720893e341dfb93062021b82c3a6d940c4ea23cbcdfaaeb174d90f51c36f0d8c62f693766f42172f894b6b689d26f49b2 |
C:\pipi\config\config.ini
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\pipi\codec\CoreAAC.ax
| MD5 | b0ffac757be8d6cc41e1131eb2b0d959 |
| SHA1 | 0e41733a050bc2ed53fda6337d6501b9942317c2 |
| SHA256 | 04bf38bbd9cb8287582f9a2fb8b06e0ab30f06f676a93f4a56656b576f10e597 |
| SHA512 | 356ecf4902f767f74670e5fcd57f26fb8a43710d0a2b3a995877e6f265119b2f091c6e5e3457dfa1767c6e4043afc470cc7090f43dd997b27c0e94c7e102bee3 |
C:\pipi\codec\CoreAVC.ax
| MD5 | 40850535fa9d08698e69d2985f1dc20b |
| SHA1 | 670ac35368499b3abe9339b7a9467e31b33b3cad |
| SHA256 | 67b3280ec7a04f686a94f87d7e19220f62b8e28647660fabd08ff57902ec2e9d |
| SHA512 | 52d909dc11f06883ae7c6ab5ef97c989a12838ad8b95681771583546669c3c19fd4a9077ce3c383330a1e9af4155324533ed62b36d70c66224f53a8160106906 |
memory/2960-584-0x0000000010000000-0x0000000010103000-memory.dmp
memory/2960-585-0x0000000010000000-0x0000000010103000-memory.dmp
C:\pipi\codec\MPCVideoDec.ax
| MD5 | b49bb7b63fd5dab01d7be40144da3625 |
| SHA1 | 3c077fba0dd9b382711f8889060d3948c7e6ae95 |
| SHA256 | 919aa595ec2b18b811e3562ba9667c539015d401d3ef53f2c0f8e4b0ea51bebe |
| SHA512 | 461a5766dab7a20d905229116a000d8a0e73ec0a693f46fa7846322770df45fdf7a70aee4dfc77fd3d2dc7e2dd94615efb159497500694ff747c83dd7df78b76 |
\pipi\PIPIStartSvr.exe
| MD5 | ce035202671f9c9dd1d0cd26d4a06adc |
| SHA1 | 34d42b94be4367371a74f5c0db3b760c16a80557 |
| SHA256 | 6bbbc4d67cce170dc3b234c85a136d96e2f4a83cf2001cbb2bc1837bce218b02 |
| SHA512 | 00415034debed0c8a65ab8c96b89828729eb9d2446ae882f363004290aba049369717ac28cd54f0a35a75b3b5183382d01e41c39c13a36297f9d27d7ddb3a7cd |
C:\pipi\topWizardSmallImageFile.jpg
| MD5 | 5ed5fd48c11acc65c88b0954a7224fe1 |
| SHA1 | 5bfe240886fdae4f231671bf46c67d4c1cfe2f27 |
| SHA256 | 51c476f505836fa5a4e5a0331fca86d03ef729aaacd4ba08a4351cd3a933136e |
| SHA512 | dc5ee19db8136c13718a40dbbb65e8bd10932ad8c28e94239d466c1382e0c68ca46ef513b215762e81f2dbfadd9dc67dafe465317963040da36901858d3975da |
C:\pipi\setupwelcome.JPG
| MD5 | 5f2e955342701741fa97750aa5d99487 |
| SHA1 | eb81e74ef78dd94e4da1d041d04afc5bad2b4d47 |
| SHA256 | 8ac83f47e5353f052b1f7c729f4e1b1ae41377010421b71ea034d20850b4efed |
| SHA512 | 6b708d617905902fbad5fa83f16c699240c046d4ed11fdfb963ecc41795a6f2bd014a0ec4450893c62954a62dbfeacdf1132a320b442d993bfd2b27eed986efa |
C:\pipi\wizard_recommand.JPG
| MD5 | 1f03b9d855e4f6044db8d3d9834a5e46 |
| SHA1 | 0b52092d8edc49e57ff48d8e81ddb8f2e8db6fb7 |
| SHA256 | eaf146a8b301d03c0ee4a21d05ede09b7cb6bfd4eca5882014c69701bb6257f5 |
| SHA512 | 050dbf6fa7d6629881be01e81fea412104144da96071497e22019347f28dd49321468bca030f62898247c025e7d108be420d2ca18d46d9b45e7bd18148493d89 |
C:\pipi\google_logo.JPG
| MD5 | 4beef83fec516b37b5219e8433c07498 |
| SHA1 | 8fab8c53263ecbe34109a2e91ef4a739a8735646 |
| SHA256 | f4cf7983c35b8842b356371c557885faf26261ef523d0f9e0d3921e20f165e8c |
| SHA512 | 577009e03ee341b7ad4b0979b6e47df79f64cf9139c4eb4e26696c3b21b74960f61362253363bba8e49537ad039626b9dfad182b6b68b73ddce7bb9ac86b694f |
C:\pipi\config\skin.ini
| MD5 | f33179b59f10498a6ae36f981fb485b8 |
| SHA1 | ca724a40aa3c6d62461ead3a6815eececdc71195 |
| SHA256 | 3407e2ddd689f40f3e8e3c2c8dd87b52a182143acf1ffedcc7608e72fecff9d7 |
| SHA512 | 4db4cb0471e9fc2bcdffc5ad87375c239ea3ec103cdca57b5376ac530cd2284a2e60730b22017346a53b0adeb768330a3569f1a25ba9e51fb8ff9f0f0b440730 |
C:\pipi\baidu_logo.JPG
| MD5 | 674b355f4facfe3c02d9a4b2230b59dd |
| SHA1 | e4543a4d01d28ffb184c25d283b0fdff83f6353d |
| SHA256 | 2a8053f50ee7658429a06c42282afeea4433307486e00f09d1c4b111fca74c3a |
| SHA512 | c4f77ee544aeb0c4e77f673ec4bb23076dcc2de1595296eb1cb6da40e9651676ea72b4c6f503d663091126fb0fa1cf065b74a6acef48752baa391ace54d53f81 |
C:\Users\Admin\AppData\Local\Temp\is-FKEO2.tmp\topWizardSmallImageFile.bmp
| MD5 | 2bf58dfc87fed4cd136b38eda09b03b5 |
| SHA1 | 0466c573f89c2311bec15e1892af8bb1981f8e46 |
| SHA256 | 59bc1f995b1c0989689039de7bdd50201ba75f700e1aba7ac548751629f77ed3 |
| SHA512 | f7f82b12cec7b036aae733da6c0639dc193ba979d5662b0c5595ed6e1a8120f314a6f9f4fc74c0f8d44f79884dc66d25129755160ee7dc688e7c9c0e5bc7dfe0 |
memory/2752-702-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2732-701-0x0000000000400000-0x00000000004E1000-memory.dmp
C:\pipi\config\config.ini
| MD5 | 37e880e056079ca389ea1355298070f9 |
| SHA1 | c2670cfd86411ce33baf3329b14494569cdfffc8 |
| SHA256 | 6af40df9a276648b83b43d1b218e93419b9697ae98ed9b318228d890f98d8f99 |
| SHA512 | 29a6b50c7b46951d7f1eb69e5aa5332b510009709716702dfe097ea6c7f177d28dcc19ef65d6fa0145295fade682116c9328bff6dcb66e603a7e8d434618d2ae |
C:\pipi\config\config.ini
| MD5 | 54e880bd430eff4ae4e9c24b8262b94a |
| SHA1 | 76fe6fbb36277f1730e485013a8260385d422ae8 |
| SHA256 | 37467129443334ef0a740c3081ea83d9eb6d4dcc779583b1f886ab76b646f1d4 |
| SHA512 | 3f46cb49bd4f5044318806bf96eec059d14a65cc3756846fe1b5d4f4c5dab497dcb2cbc015473403b3ccef65cddecb56d245cf80572d9faca698960405c765d1 |
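The Files section above carries four digests per entry, but not every digest is a usable indicator. C:\pipi\config\config.ini appears four times with four different hash sets, one of them the digest of the empty file, so it was rewritten during installation and any one of its hashes would miss on the next host; mcckmplayervod.ini appears twice for the same reason. JPG and BMP artwork and the MFC71/MSVCR71/MSVCP71 runtime DLLs are shipped by many unrelated products, so pushing their hashes to a blocklist invites false positives, while the memory/... entries carry no digests at all. The script below is an added example, not part of the report: it parses entries in the report's own Files layout (the sample is a subset copied from above) and separates the hashes that make strong blocklist indicators from the ones that do not, saying why. The shared-runtime and non-executable lists are assumptions for this example.

```python
r"""Rank dropped-file hashes from a sandbox report as blocklist indicators.

Added example, not part of the report. Weak indicators are: malformed digests,
the empty file, paths that appear with several different digests (rewritten
during install), redistributable runtimes, and non-executable data files.
SHARED_RUNTIME and NON_EXECUTABLE are assumptions.
"""
from collections import defaultdict

EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
SHARED_RUNTIME = {"msvcr71.dll", "msvcp71.dll", "mfc71.dll", "pncrt.dll"}   # assumption
NON_EXECUTABLE = {".ini", ".jpg", ".bmp", ".job", ".txt"}                   # assumption

# Constructed sample: a subset of the Files section above, in the report's own layout.
FILES = r"""
\Users\Admin\AppData\Local\Temp\pipi_dae_392.exe
| MD5 | e209b3e6154589c34b7ebdad8d73980b |
| SHA1 | b0be9c6dc0d8627b754a3c2ff1044b191e3a9052 |
| SHA256 | 883184254d9e4abde6311df166143a5ff1c6845cdc86fc3dc6dcf3859f343d38 |
| SHA512 | 01be02ab5de0df44abf60434e9cf72ffc199fb9ea8e7df4e83b86581558cc8e0776262a164f172bc020add351261822dce57755287f92fb6f1fde1f0936e25cc |
memory/2752-28-0x0000000000400000-0x0000000000418000-memory.dmp
C:\pipi\jfCacheMgr.exe
| MD5 | 46f26ea44b601aceffb91595b949ff63 |
| SHA1 | 0a5e49443eb64e7e3395d578d852a2d61a8a2923 |
| SHA256 | c481592291afeea322c440d0b03323f2920cfb619e326e93f36dc28b52e2312e |
| SHA512 | b1edd7f979937669ae5e811b75d2114866307f03f258880f8d2c43aab76e1bea87c668cce2be6de7e019564c3354fdede508798a13cf41e8b5d5fa3507888610 |
C:\pipi\MSVCR71.dll
| MD5 | 86f1895ae8c5e8b17d99ece768a70732 |
| SHA1 | d5502a1d00787d68f548ddeebbde1eca5e2b38ca |
| SHA256 | 8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe |
| SHA512 | 3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da |
C:\pipi\config\config.ini
| MD5 | e4a3f8797262dfaf39aea78e9f5dfc86 |
| SHA1 | f191ba6ed659c02fe025da21d7eeb7341a9c3ce2 |
| SHA256 | 0572dfd01784d4603573f60c8287ec9ec7751b8fe1e1abd96bed391029950c89 |
| SHA512 | dfb6429be8e555d1f0c0422909b929737e5b046e006f1f311e55ade3199a81c8c894b338fda4aeaca5b8d4000e451f8fbb2034c35b461f955c9d55fe1bff73e0 |
C:\pipi\config\config.ini
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\pipi\google_logo.JPG
| MD5 | 4beef83fec516b37b5219e8433c07498 |
| SHA1 | 8fab8c53263ecbe34109a2e91ef4a739a8735646 |
| SHA256 | f4cf7983c35b8842b356371c557885faf26261ef523d0f9e0d3921e20f165e8c |
| SHA512 | 577009e03ee341b7ad4b0979b6e47df79f64cf9139c4eb4e26696c3b21b74960f61362253363bba8e49537ad039626b9dfad182b6b68b73ddce7bb9ac86b694f |
"""


def parse_files(text):
    """Group each path line with the '| ALG | hex |' rows that follow it."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("|"):
            alg, value = [c.strip() for c in line.strip("|").split("|")]
            current["hashes"][alg.upper()] = value.lower()
        else:
            current = {"path": line, "hashes": {}}
            entries.append(current)
    return entries


def norm_path(path):
    """Case-fold and drop the drive letter so C:\\pipi\\x and \\pipi\\x group together."""
    p = path.lower().replace("/", "\\")
    return p[2:] if len(p) > 1 and p[1] == ":" else p


def well_formed(hashes):
    for alg, n in HASH_LEN.items():
        v = hashes.get(alg, "")
        if len(v) != n or any(c not in "0123456789abcdef" for c in v):
            return False
    return True


def classify(entries):
    seen = defaultdict(set)                       # normalized path -> distinct SHA256 values
    for e in entries:
        if e["hashes"]:
            seen[norm_path(e["path"])].add(e["hashes"].get("SHA256"))
    result = {"strong": [], "weak": [], "skipped": 0}
    for e in entries:
        path, h = e["path"], e["hashes"]
        if not h:                                  # memory dumps carry no digests
            result["skipped"] += 1
            continue
        name = norm_path(path).rsplit("\\", 1)[-1]
        ext = name[name.rfind("."):] if "." in name else ""
        if not well_formed(h):
            reason = "malformed_hash"
        elif h["SHA256"] == EMPTY_SHA256:
            reason = "empty"
        elif len(seen[norm_path(path)]) > 1:
            reason = "volatile"
        elif name in SHARED_RUNTIME:
            reason = "shared_runtime"
        elif ext in NON_EXECUTABLE:
            reason = "non_executable"
        else:
            result["strong"].append((path, h["SHA256"]))
            continue
        result["weak"].append((path, reason))
    return result


if __name__ == "__main__":
    out = classify(parse_files(FILES))
    for path, sha256 in out["strong"]:
        print("strong", sha256, path)
    for path, reason in out["weak"]:
        print("weak  ", reason.ljust(15), path)
```

Only the hashes reported as strong belong on a blocklist; the weak ones are still useful as context (for example, the volatile config.ini and its empty version show the installer writes its configuration in stages) but should be hunted by path, not by digest.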
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-20 12:04
Reported
2025-01-20 12:07
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
146s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e699dbd72ba9dee2511beb9e8f41fbdc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pipi_dae_392.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp | N/A |
| N/A | N/A | C:\pipi\PIPIStartSvr.exe | N/A |
| N/A | N/A | C:\pipi\jfCacheMgr.exe | N/A |
Loads dropped DLL
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A3440C6-F123-4CAB-84EE-C814E1AE0D8F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A3440C6-F123-4CAB-84EE-C814E1AE0D8F}\ = "PIPI Link Helper" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\mcckmplayervod.ini | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\Windows\SysWOW64\pncrt.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pncrt.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\PIPI_Update.job | C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp | N/A |
| File opened for modification | C:\Windows\Tasks\PIPI_Update.job | C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\pipi\jfCacheMgr.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\pipi\PIPIStartSvr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e699dbd72ba9dee2511beb9e8f41fbdc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\pipi\jfCacheMgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\pipi_dae_392.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\URLSearchHooks | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{1E315374-71A5-471A-B683-4C4ADB5C588B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A2-7548-11CF-A520-0080C77EF58A} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{D51BD5A3-7548-11CF-A520-0080C77EF58A} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mp3\shell\pipiopen\ = "Play With PIPIPlayer" | C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBFC1A2A-D3A2-4610-847D-26592022F86E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB84-524F-11CE-9F53-0020AF0BA770} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.wmv | C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9783F9D-7E56-4205-9CA1-225CD9349BD7}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A1-7548-11CF-A520-0080C77EF58A}\CLSID = "{D51BD5A1-7548-11CF-A520-0080C77EF58A}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.flv\shell\pipiopen\ = "Play With PIPIPlayer" | C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2745192-8F50-4ACC-AA27-2AC0B85A875F}\ = "PIPIWebPlayer Property Page" | C:\pipi\jfCacheMgr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{632C6705-17AB-4407-9281-F60D0A7726BE}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JfCheck.MVSearch.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F26A6CD-967B-47FD-874A-7AED2C9D25A2}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6F26A6CD-967B-47FD-874A-7AED2C9D25A2}\CLSID = "{6F26A6CD-967B-47FD-874A-7AED2C9D25A2}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4665E44B-8B9A-4515-A086-E94ECE374608}\ = "CoreAAC Audio Decoder About" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A3440C6-F123-4CAB-84EE-C814E1AE0D8F}\InprocServer32\ = "C:\\pipi\\JfCheck.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CC10D1C-1032-4570-9BAA-607466123845} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1DA08500-9EDC-11CF-BC10-00AA00AC74F6}\FilterData = 0200000000004000020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000007669647300001000800000aa00389b717aeb36e44f52ce119f530020af0ba77079eb36e44f52ce119f530020af0ba770 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.asf\shell\pipiopen\ = "Play With PIPIPlayer" | C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{187463A0-5BB7-11D3-ACBE-0080C75E246E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC01812C-C71E-40BF-BA2B-57732DF25204}\ = "MCCKMPlayerXC" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC01812C-C71E-40BF-BA2B-57732DF25204}\MiscStatus\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6F26A6CD-967B-47FD-874A-7AED2C9D25A2}\FilterData = 0200000000006000030000000000000030706933000000000000000001000000000000000000000030747933000000008800000098000000317069330000000000000000010000000000000000000000307479330000000088000000a8000000327069330800000000000000010000000000000000000000307479330000000088000000b80000007669647300001000800000aa00389b71406a9b5a221ad111bad900609744111a416a9b5a221ad111bad900609744111a00000000000000000000000000000000 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB8C-524F-11CE-9F53-0020AF0BA770} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33D9A760-90C8-11D0-BD43-00A0C911CE86}\Instance\MJPEG Compressor | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DDB55E8E-A844-4558-8D7D-8511352BE59F}\1.0\HELPDIR\ = "C:\\pipi" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.mp3\shell | C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAAEA28A-47CA-460B-B13F-D4155E4C9452}\ = "_DPIPIWebPlayerEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BEE3F8D5-2D71-4101-BF11-191A0C46633E}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A3-7548-11CF-A520-0080C77EF58A}\FriendlyName = "Multi-file Parser" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB85-524F-11CE-9F53-0020AF0BA770} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DDB55E8E-A844-4558-8D7D-8511352BE59F}\1.0\0\win32\ = "C:\\pipi\\PIPIWebPlayer.ocx" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5210f8e4-b0bb-47c3-a8d9-7b2282cc79ed}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A74BF134-5213-46B5-AF36-CE1888315DC7}\ToolboxBitmap32\ = "C:\\pipi\\PIPIWE~1.OCX, 1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.asf\shell | C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JfCheck.Jfchk.1\ = "Jfchk Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{714B097F-80F2-4348-8E2A-7CCA82BAFE41}\TypeLib\ = "{B52AEEE2-D8D7-4BB0-AB1E-2E1862F2033B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D51BD5A5-7548-11CF-A520-0080C77EF58A} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{A888DF60-1E90-11CF-AC98-00AA004C0FA9}\CLSID = "{A888DF60-1E90-11CF-AC98-00AA004C0FA9}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5AA0389-D274-48E1-BF50-ACB05A56DDE0}\InprocServer32\ = "C:\\pipi\\codec\\MPCVideoDec.ax" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ppfilm\shell\open\ | C:\pipi\jfCacheMgr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories | C:\pipi\jfCacheMgr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E436EBB5-524F-11CE-9F53-0020AF0BA770}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E651CC0-B199-11D0-8212-00C04FC32C45} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\file | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.asf\shell\pipiopen\command | C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PIPIWEBPLAYER.PIPIWebPlayerCtrl.1 | C:\pipi\jfCacheMgr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A3-7548-11CF-A520-0080C77EF58A} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DF8601-815A-475D-990A-8916C7F03D5B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mpeg\shell\pipiopen | C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.rmvb\shell\pipiopen\ = "Play With PIPIPlayer" | C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer | C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC01812C-C71E-40BF-BA2B-57732DF25204}\TypeLib\ = "{B52AEEE2-D8D7-4BB0-AB1E-2E1862F2033B}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.flv\shell\pipiopen | C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B52AEEE2-D8D7-4BB0-AB1E-2E1862F2033B}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{301056D0-6DFF-11D2-9EEB-006008039E37}\FilterData = 0200000000006000020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000007669647300001000800000aa00389b714d4a504700001000800000aa00389b7100000000000000000000000000000000 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D3588AB0-0781-11CE-B03A-0020AF0BA770}\FilterData = 02000000000040000200000000000000307069330d0000000000000001000000000000000000000030747933000000006000000070000000317069330d00000000000000010000000000000000000000307479330000000080000000700000007669647300001000800000aa00389b71000000000000000000000000000000006175647300001000800000aa00389b71 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mpg\shell\pipiopen | C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{09571A4B-F1FE-4C60-9760-DE6D310C7C31}\FilterData = 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 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{632C6705-17AB-4407-9281-F60D0A7726BE}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E436EBB7-524F-11CE-9F53-0020AF0BA770} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JfCheck.JfURLSearchHook | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{59CE6880-ACF8-11CF-B56E-0080C7C4B68A}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\KmMediaPlayer.wmv\shell\pipiopen\command | C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp | N/A |
| N/A | N/A | C:\pipi\jfCacheMgr.exe | N/A |
| N/A | N/A | C:\pipi\jfCacheMgr.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e699dbd72ba9dee2511beb9e8f41fbdc.exe | N/A |
| N/A | N/A | C:\pipi\jfCacheMgr.exe | N/A |
| N/A | N/A | C:\pipi\jfCacheMgr.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e699dbd72ba9dee2511beb9e8f41fbdc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e699dbd72ba9dee2511beb9e8f41fbdc.exe"
C:\Users\Admin\AppData\Local\Temp\pipi_dae_392.exe
"C:\Users\Admin\AppData\Local\Temp\pipi_dae_392.exe"
C:\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe
C:\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe /verysilent
C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp
"C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp" /SL5="$5026E,6213687,71168,C:\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe" /verysilent
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\pipi\JfCheck.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\pipi\MCCKMPlayerX.dll"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\pipi\PIPIWebPlayer.ocx"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\pipi\codec\CoreAAC.ax"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\pipi\codec\CoreAVC.ax"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\pipi\codec\MPCVideoDec.ax"
C:\pipi\PIPIStartSvr.exe
"C:\pipi\PIPIStartSvr.exe" -i
C:\pipi\jfCacheMgr.exe
"C:\pipi\jfCacheMgr.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3960 -ip 3960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 632
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | recommend.pipi.cn | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.72.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 120.250.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\pipi_dae_392.exe
| MD5 | e209b3e6154589c34b7ebdad8d73980b |
| SHA1 | b0be9c6dc0d8627b754a3c2ff1044b191e3a9052 |
| SHA256 | 883184254d9e4abde6311df166143a5ff1c6845cdc86fc3dc6dcf3859f343d38 |
| SHA512 | 01be02ab5de0df44abf60434e9cf72ffc199fb9ea8e7df4e83b86581558cc8e0776262a164f172bc020add351261822dce57755287f92fb6f1fde1f0936e25cc |
C:\Users\Admin\AppData\Local\Temp\pipi_setup_392.exe
| MD5 | cc3bba23d59e99c1bbd3727d77392518 |
| SHA1 | cd779107009e75ae256dcd93d472cb715dfa472e |
| SHA256 | 3303531c4370dab0b019c82f3ddb1294ac053bb9ce2b91cacc6370bbb3d20bf0 |
| SHA512 | 661fa143987313bcf0bd29409358b80f1261af3589382c6e639cefa3a54ac14bc0d45f3555a031456dd57fe41736171b0b147ab23dda495110452f4dd70f26da |
memory/3408-17-0x0000000000400000-0x0000000000418000-memory.dmp
memory/3408-20-0x0000000000401000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-63BLS.tmp\pipi_setup_392.tmp
| MD5 | fb111f1c53146bc0e04b2103f7a4d4a3 |
| SHA1 | f3abb93fd2f3520929744075336acf0c33e4d544 |
| SHA256 | 03cfea10a4f72c59389fdc2f9cb465a3bf2baeddb074aa2cde711e622e4a5d78 |
| SHA512 | 03c4dc797737f7fdf66d5998c8c36a3c1b154398f0664f65a0c9b9485bd635698e6333d7bf756f9251f9512554c33817ce15942b38a55fe6bcd6e6bfdbb80855 |
memory/3964-29-0x0000000000400000-0x00000000004E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-IQ813.tmp\jpg2bmp.dll
| MD5 | df1fd0bed631d245485deeb4cfdc29f1 |
| SHA1 | 739579e6460091e567d53a2d0179bc3a2abeb038 |
| SHA256 | 2607f1f086472678f15e9fa6e0f21e91e816d8c4015d2ff3359e69263311d240 |
| SHA512 | 9c2e73ecefc9b5b1f1691bdcc9fb457fb387f83f8a8e466eba4a985392a9fdb9fd2d8799e65f65e4f54de6e8c7199196be82c8525633bbff9ec3f10fad05bd8c |
C:\Users\Admin\AppData\Local\Temp\is-IQ813.tmp\PIPIRecommend.dll
| MD5 | 1ce3ea602274c3cc2e6037933e2b8bb2 |
| SHA1 | 9a6137688fec60e6247085beba8a5aa064069bc0 |
| SHA256 | c56af8733c25963a17abb24e7340e2cb98abdd37232741391b6771bcf2a3821b |
| SHA512 | d98070fec53eaa0ad39c72b38e493f828971864db2844e2c225b1ba1e803e9960f2d2b23610b569fe31875a05049d336e6932c6b5184dc5c8f78b01f36ad3b55 |
memory/3964-38-0x0000000003990000-0x00000000039B8000-memory.dmp
memory/3408-60-0x0000000000400000-0x0000000000418000-memory.dmp
memory/3964-61-0x0000000000400000-0x00000000004E1000-memory.dmp
C:\pipi\jfCacheMgr.exe
| MD5 | 46f26ea44b601aceffb91595b949ff63 |
| SHA1 | 0a5e49443eb64e7e3395d578d852a2d61a8a2923 |
| SHA256 | c481592291afeea322c440d0b03323f2920cfb619e326e93f36dc28b52e2312e |
| SHA512 | b1edd7f979937669ae5e811b75d2114866307f03f258880f8d2c43aab76e1bea87c668cce2be6de7e019564c3354fdede508798a13cf41e8b5d5fa3507888610 |
C:\pipi\PIPIPlayer.exe
| MD5 | 19abe9404a640fb9d492e7432c123804 |
| SHA1 | fb06a19b30378cb9fb4dd72b62d1f3557658102e |
| SHA256 | 77eec39e9633cc07fb6fbdee6748c6c6be3003152a3cbdb07c3ae313ab65bd53 |
| SHA512 | 139b392e30c3b503d2fed0e6058b869fd653ae76530be050d8314daf12b0aa4e9a148b998ba6275d858c22da40fc9a96785787207236c839dad7fb6b5785f7bb |
C:\pipi\JfCheck.dll
| MD5 | 1657afe7575729742c65193390623784 |
| SHA1 | 27c648287b0400c2344fbc335bc78010b751efe3 |
| SHA256 | 7f3baae263dd7f486f83270b6ab241d5fa79610fa171eedbb320bdc6a74aa623 |
| SHA512 | b3aa8a4e4eac6b3bf9193c43a446c50a187c07f3d9c823ea83da131254928f8ef1a6a7c30ee1b667efb9a2521477bea5eb26cb5f282ce3c5672a33d3b7d3ce59 |
C:\pipi\MCCKMPlayerX.dll
| MD5 | 51ac0e8d96e644a5ac1c670b37269a9f |
| SHA1 | ef761c6b88b2ed9174184b364d9ef472bfb85ecb |
| SHA256 | 1f50f6ee5b6f2e0fbaed1fdd47c20bff5f7099d6b07a5cde23ba8e24120324f9 |
| SHA512 | ab9d57b2e5b18af3760f3b811ae2286101ac9ea948fa042073acdd543dca3b1bf8b8c758e2e4ab5696eaf0181d5e6824d2e6a0f78153bdc2b7f6eba0e78718ca |
C:\pipi\MSVCP71.dll
| MD5 | 561fa2abb31dfa8fab762145f81667c2 |
| SHA1 | c8ccb04eedac821a13fae314a2435192860c72b8 |
| SHA256 | df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b |
| SHA512 | 7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43 |
C:\pipi\MFC71.dll
| MD5 | f35a584e947a5b401feb0fe01db4a0d7 |
| SHA1 | 664dc99e78261a43d876311931694b6ef87cc8b9 |
| SHA256 | 4da5efdc46d126b45daeee8bc69c0ba2aa243589046b7dfd12a7e21b9bee6a32 |
| SHA512 | b1ced222c3b7e63e22d093c8aa3467f5ea20312fe76a112baed7c63d238bbe8dee94dfe8f42474f7b1de7aa7acb8ba8e2b36fdd0a3cda83ee85ac9a34f859fa4 |
C:\pipi\msvcr71.dll
| MD5 | 86f1895ae8c5e8b17d99ece768a70732 |
| SHA1 | d5502a1d00787d68f548ddeebbde1eca5e2b38ca |
| SHA256 | 8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe |
| SHA512 | 3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da |
C:\Windows\SysWOW64\config\mcckmplayervod.ini
| MD5 | 5378f5b11a7f76e5363bd9246670d2f4 |
| SHA1 | 58377e3e0763caca75e84dcf6595ed620e72430f |
| SHA256 | 352c88b52b5e831263ed4486ef774c38c5c36fc07375204f4d539a4ce8d756d1 |
| SHA512 | 38175ef3a721595f8204f1be010fbe48e033ba7746d05c6a6b4585c5a20dfbfe4d60d7dd6d3fd4166bc4fcfb7f83ba12e952cb13c31d499bbeb1f62a15e44480 |
C:\Windows\SysWOW64\config\mcckmplayervod.ini
| MD5 | bce0add342645081e876fc1b5c493857 |
| SHA1 | 70b95fa92734665acd4f5920443b1a2fcb5c3127 |
| SHA256 | 4e1ae73cb97aac9553eb06b33352ff32f3ff799512d60fb9632eaa76de209492 |
| SHA512 | 8cbbd8142e32a02843156512535ca793083b05fa4b9c3ae48c4ecc5da3e9a9f2b5dc73772239bbaeae5043afbd1b4a2524d8ae60eefec18d3bb715bd714bc0e8 |
C:\Windows\SysWOW64\config\mcckmplayervod.ini
| MD5 | c9fd3c9037f9a4484d0635868ea571e4 |
| SHA1 | 02ac3179b0ac4b6ea91fa861ebcae2bc8072bdb3 |
| SHA256 | e54b124bceed3b3495bb1298cb03276b7505d850f6e3386afaa4668adc41ae4c |
| SHA512 | 776bf5a8f2a6550ad837df16192a64b81decf071633ae130d77e51c509c75f7de9b62975e096366fa4b4361a582224c4ca32f7d75219a6f8614450ac784c266b |
C:\pipi\config\partner.ini
| MD5 | 23a7ec3ae915bf850ac0ca9fa4627efd |
| SHA1 | cf9b332f74bd6583e05ea448e7ca61e0840f46b0 |
| SHA256 | 4380b09b0804ff4910cd84b2231d5a671a7a40e7cb67c3276f9007fb1ef28294 |
| SHA512 | 2ca515e1bc2e64844db065d42b1f6f1b900b669ece1b403c4923ea2747103853b960f86eb6b2a8299afe265fd0827231d27519d69d72bbcf46abfd019d89885d |
C:\pipi\config\config.ini
| MD5 | e4a3f8797262dfaf39aea78e9f5dfc86 |
| SHA1 | f191ba6ed659c02fe025da21d7eeb7341a9c3ce2 |
| SHA256 | 0572dfd01784d4603573f60c8287ec9ec7751b8fe1e1abd96bed391029950c89 |
| SHA512 | dfb6429be8e555d1f0c0422909b929737e5b046e006f1f311e55ade3199a81c8c894b338fda4aeaca5b8d4000e451f8fbb2034c35b461f955c9d55fe1bff73e0 |
C:\pipi\config\enumwindow.ini
| MD5 | 97129f3dad72c31fc0c0522b13d8a8e9 |
| SHA1 | 5746b079d104ebc4ead8e3a1840a72caf9aeedac |
| SHA256 | 39b8d619b336a8edabe2b10ab945e0dbed4dc51dfe6453bdb884f48469e539ab |
| SHA512 | 984b150090134d35bf6172a7c06d98758d9898b8657cb891febf1b69e7e8fdbb27dd05a8e3d3cc148b1b4c7722bd8188941b4b32afae16e428595c9957d4a770 |
C:\pipi\jfres_plug.dll
| MD5 | d429f2117ba8d39c28f85a8d7d50a7c6 |
| SHA1 | 042be6a8f49bbdc61b467bb018743ffccaca7262 |
| SHA256 | 896fd2153552f48b47ea98a171720020a09ce0cff5517a9e728a576a942b1c13 |
| SHA512 | 57de255f2d11bba70591f4b64e3f13d4ffac20892afe662adfa61de07ec656bf4c49303d04afbd31195a2447142c4303bde4f6c4b92c1147754fb09719ba165c |
C:\pipi\PIPIWebPlayer.ocx
| MD5 | cb2d2dc09a6e895817462579fbd04f72 |
| SHA1 | dae1d1db8d377e16e14de46b6aba7a343f9ce9c6 |
| SHA256 | 908868ced5007895a97a2bfe28137cfe21dbce7a0a406d4d6d73c733f6d01581 |
| SHA512 | e35c21871ea6b167b0bf01f94e45b352d033a9311052daf09184590e9af6e2ac45f13034d91306276f6c831e5c01cf39da972d670b61403cb6ff4f365ed3e45a |
C:\pipi\codec\rm\pncrt.dll
| MD5 | 13001eb0a58b4de96126b16ab15fd8cc |
| SHA1 | 4dfe6d2d02e9fa194f4af3d054b458b5a4bafbe6 |
| SHA256 | e983aa97fe1ce6af92f06433a71e03f54d3fc78392e26691cace927094bab8d7 |
| SHA512 | 1a7c052bc1e7c824a3aff5e27c5cbd0720893e341dfb93062021b82c3a6d940c4ea23cbcdfaaeb174d90f51c36f0d8c62f693766f42172f894b6b689d26f49b2 |
C:\pipi\config\config.ini
| MD5 | 6dea98687b555d25b9400b6608a7c3c1 |
| SHA1 | 840775ca8fcc8b3d32289107cad7379f38057144 |
| SHA256 | b3163e59f46029b0be23f91e48fd7ae6f89a59e116033c0fe4afd6ebc6c06b8f |
| SHA512 | 164633e7777326a4bbb32462bbf59b488b7d22d0d040fa9fb5d6c8e6b82de585b9508ae2a3f5ffb6349799b77bd2dde8a7ee93bd07f99b0fb4b1c9af0950ed82 |
C:\pipi\codec\CoreAAC.ax
| MD5 | b0ffac757be8d6cc41e1131eb2b0d959 |
| SHA1 | 0e41733a050bc2ed53fda6337d6501b9942317c2 |
| SHA256 | 04bf38bbd9cb8287582f9a2fb8b06e0ab30f06f676a93f4a56656b576f10e597 |
| SHA512 | 356ecf4902f767f74670e5fcd57f26fb8a43710d0a2b3a995877e6f265119b2f091c6e5e3457dfa1767c6e4043afc470cc7090f43dd997b27c0e94c7e102bee3 |
C:\pipi\codec\CoreAVC.ax
| MD5 | 40850535fa9d08698e69d2985f1dc20b |
| SHA1 | 670ac35368499b3abe9339b7a9467e31b33b3cad |
| SHA256 | 67b3280ec7a04f686a94f87d7e19220f62b8e28647660fabd08ff57902ec2e9d |
| SHA512 | 52d909dc11f06883ae7c6ab5ef97c989a12838ad8b95681771583546669c3c19fd4a9077ce3c383330a1e9af4155324533ed62b36d70c66224f53a8160106906 |
memory/4808-563-0x0000000010000000-0x0000000010103000-memory.dmp
memory/4808-562-0x0000000010000000-0x0000000010103000-memory.dmp
C:\pipi\codec\MPCVideoDec.ax
| MD5 | b49bb7b63fd5dab01d7be40144da3625 |
| SHA1 | 3c077fba0dd9b382711f8889060d3948c7e6ae95 |
| SHA256 | 919aa595ec2b18b811e3562ba9667c539015d401d3ef53f2c0f8e4b0ea51bebe |
| SHA512 | 461a5766dab7a20d905229116a000d8a0e73ec0a693f46fa7846322770df45fdf7a70aee4dfc77fd3d2dc7e2dd94615efb159497500694ff747c83dd7df78b76 |
C:\pipi\PIPIStartSvr.exe
| MD5 | ce035202671f9c9dd1d0cd26d4a06adc |
| SHA1 | 34d42b94be4367371a74f5c0db3b760c16a80557 |
| SHA256 | 6bbbc4d67cce170dc3b234c85a136d96e2f4a83cf2001cbb2bc1837bce218b02 |
| SHA512 | 00415034debed0c8a65ab8c96b89828729eb9d2446ae882f363004290aba049369717ac28cd54f0a35a75b3b5183382d01e41c39c13a36297f9d27d7ddb3a7cd |
C:\pipi\wizard_recommand.JPG
| MD5 | 1f03b9d855e4f6044db8d3d9834a5e46 |
| SHA1 | 0b52092d8edc49e57ff48d8e81ddb8f2e8db6fb7 |
| SHA256 | eaf146a8b301d03c0ee4a21d05ede09b7cb6bfd4eca5882014c69701bb6257f5 |
| SHA512 | 050dbf6fa7d6629881be01e81fea412104144da96071497e22019347f28dd49321468bca030f62898247c025e7d108be420d2ca18d46d9b45e7bd18148493d89 |
C:\pipi\unins000.exe
| MD5 | 2c6d392a649e15f0218a8c888ed85b8b |
| SHA1 | d823c2dd56b4d7b761a136b261d315e958d20b3e |
| SHA256 | 58cd2fddcac89292d5332b401cf61cab57cce5220352e9344b668874d00fc337 |
| SHA512 | 382417dd1f9a8f70b93644157a56ae473e74c371f95d269c5e99963c5096bec90d70f6efc24ec1fc598cf50fcbfc909f94a340d3cb05215810f04f063d6c3f87 |
C:\pipi\topWizardSmallImageFile.jpg
| MD5 | 5ed5fd48c11acc65c88b0954a7224fe1 |
| SHA1 | 5bfe240886fdae4f231671bf46c67d4c1cfe2f27 |
| SHA256 | 51c476f505836fa5a4e5a0331fca86d03ef729aaacd4ba08a4351cd3a933136e |
| SHA512 | dc5ee19db8136c13718a40dbbb65e8bd10932ad8c28e94239d466c1382e0c68ca46ef513b215762e81f2dbfadd9dc67dafe465317963040da36901858d3975da |
C:\pipi\setupwelcome.JPG
| MD5 | 5f2e955342701741fa97750aa5d99487 |
| SHA1 | eb81e74ef78dd94e4da1d041d04afc5bad2b4d47 |
| SHA256 | 8ac83f47e5353f052b1f7c729f4e1b1ae41377010421b71ea034d20850b4efed |
| SHA512 | 6b708d617905902fbad5fa83f16c699240c046d4ed11fdfb963ecc41795a6f2bd014a0ec4450893c62954a62dbfeacdf1132a320b442d993bfd2b27eed986efa |
C:\pipi\KmFileTypeSetting.exe
| MD5 | 773504a6e1b891dbda9e7cd906393df8 |
| SHA1 | 3dcda41aa9b14b9572870f3a961e8572c3dea4f2 |
| SHA256 | 5ed50ab0bfd7f3a0e7f7b7cb1b3a2a366c05e9630f8bf1b0435513f24fe1bdf2 |
| SHA512 | 36a5bc03a4fe7e219b18f6a1d90ff9611d304952ffe855f8a4b28f1459a5c7c8b306d4ecde3f49e79cdfbbf1007c026a2d8ed709eaf6f34de507c5f4caacce63 |
C:\pipi\google_logo.JPG
| MD5 | 4beef83fec516b37b5219e8433c07498 |
| SHA1 | 8fab8c53263ecbe34109a2e91ef4a739a8735646 |
| SHA256 | f4cf7983c35b8842b356371c557885faf26261ef523d0f9e0d3921e20f165e8c |
| SHA512 | 577009e03ee341b7ad4b0979b6e47df79f64cf9139c4eb4e26696c3b21b74960f61362253363bba8e49537ad039626b9dfad182b6b68b73ddce7bb9ac86b694f |
C:\pipi\KmBugslayerUtil.dll
| MD5 | b81c426c5cf1e529cbe740237a87f33f |
| SHA1 | eeae32c6916e18a15f33df4820684818c74ffa55 |
| SHA256 | e2c8764c4b352f4d33674b0e86208833bb8e8b86bc2980d844472d8420105922 |
| SHA512 | 05f75ec8ec8d20a6588c85036e475b4cdf7ba94b0ec9456a2e20d5f833c9cbdd77f668f5b2bc88abcdc4deae6c2b45bccb6573fb0e11ab87050b7b56cb41f2a6 |
C:\pipi\libdb43.dll
C:\pipi\dbghelp.dll
memory/3964-678-0x0000000000400000-0x00000000004E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-IQ813.tmp\topWizardSmallImageFile.bmp
C:\pipi\config\skin.ini
C:\pipi\baidu_logo.JPG
C:\pipi\config\config.ini
C:\pipi\config\clienttype.ini
memory/3408-681-0x0000000000400000-0x0000000000418000-memory.dmp
C:\pipi\codec\rm\14_43260.dll
C:\pipi\codec\rm\hxltcolor.dll
C:\pipi\codec\rm\drvc.dll
C:\pipi\codec\rm\drv1.dll
C:\pipi\codec\rm\dnet3260.dll
C:\pipi\codec\rm\ddnt3260.dll
C:\pipi\codec\rm\atrc.dll
C:\pipi\codec\rm\28_83260.dll
C:\pipi\codec\rm\drv2.dll
C:\pipi\codec\rm\cook.dll