0cf0eb64c6fac3c08a47aa75a0263f46a226e81f02db8aa14298280ceb73f568

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
29-05-2022 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cf0eb64c6fac3c08a47aa75a0263f46a226e81f02db8aa14298280ceb73f568.exe
Size

1.3MB
MD5

7f94158af84fc598cc1bbf121dc7da8a
SHA1

1438707bdb4e4945d25fcc6728bf8899dd94a0ca
SHA256

0cf0eb64c6fac3c08a47aa75a0263f46a226e81f02db8aa14298280ceb73f568
SHA512

4c0a154aebb43bb2d6bc2d8a9f231289c0cdcd5ec305739b40cfb8a06229baac43c4418b2afc35542f4e714c5c0c19e318cc77b80acbdb2ca020740c3ab06c37

Score

10^/10

adware bootkit discovery evasion persistence stealer suricata upx

Malware Config

Signatures

suricata: ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
suricata: ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
suricata
Downloads MZ/PE file

Executes dropped EXE 46 IoCs

Processes:

V8._85296_20150814221218.exePerfTraceService.exePerfTraceService.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeSoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exeuni1795887c.exekinst_1_523.exeFileAssociationsTool.exeSHPlayer.exeSohuVA.exeSHlive.exeFileAssociationsTool.exeConhost.exeXMPSetupLite-SIjhaqws57.exeFileAssociationsTool.exeFileAssociationsTool.exeFileAssociationsTool.exeSHRes.exeFileAssociationsTool.exeFileAssociationsTool.exeXmpSetupAgent.exenetsh.exeThunderFW.exeSHUpdate.exeSHRes.exeSHPlayer.exeSHPlayer.exeSohuVA.exeRising.dat

pid	process
1536	V8._85296_20150814221218.exe
1372	PerfTraceService.exe
176	PerfTraceService.exe
2208	QQBrowser.exe
3532	QQBrowser.exe
4876	QQBrowser.exe
4896	QQBrowser.exe
4536	QQBrowser.exe
4020	QQBrowser.exe
3060	QQBrowser.exe
1920	QQBrowser.exe
3160	QQBrowser.exe
1908	QQBrowser.exe
4548	QQBrowser.exe
2800	QQBrowser.exe
3196	QQBrowser.exe
2424	QQBrowser.exe
3820	QQBrowser.exe
2148	QQBrowser.exe
4856	QQBrowser.exe
1284	QQBrowser.exe
1640	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
2004	uni1795887c.exe
5112	kinst_1_523.exe
2064	FileAssociationsTool.exe
2644	SHPlayer.exe
436	SohuVA.exe
2748	SHlive.exe
4272	FileAssociationsTool.exe
3584	Conhost.exe
4408	XMPSetupLite-SIjhaqws57.exe
5016	FileAssociationsTool.exe
5168	FileAssociationsTool.exe
5272	FileAssociationsTool.exe
1032	SHRes.exe
5348	FileAssociationsTool.exe
5372	FileAssociationsTool.exe
5392	XmpSetupAgent.exe
5424	netsh.exe
5448	ThunderFW.exe
5144	SHUpdate.exe
5516	SHRes.exe
5764	SHPlayer.exe
5944	SHPlayer.exe
6020	SohuVA.exe
6104	Rising.dat

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2004-293-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral2/memory/2004-328-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral2/memory/5112-393-0x0000000010000000-0x000000001019D000-memory.dmp	upx

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SHPlayer.exeSHUpdate.exeQQBrowser.exeV8._85296_20150814221218.exeSoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	SHPlayer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	SHUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	QQBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	V8._85296_20150814221218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe

Loads dropped DLL 64 IoCs

Processes:

0cf0eb64c6fac3c08a47aa75a0263f46a226e81f02db8aa14298280ceb73f568.exeV8._85296_20150814221218.exeregsvr32.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exe

pid	process
4144	0cf0eb64c6fac3c08a47aa75a0263f46a226e81f02db8aa14298280ceb73f568.exe
4144	0cf0eb64c6fac3c08a47aa75a0263f46a226e81f02db8aa14298280ceb73f568.exe
4144	0cf0eb64c6fac3c08a47aa75a0263f46a226e81f02db8aa14298280ceb73f568.exe
4144	0cf0eb64c6fac3c08a47aa75a0263f46a226e81f02db8aa14298280ceb73f568.exe
4144	0cf0eb64c6fac3c08a47aa75a0263f46a226e81f02db8aa14298280ceb73f568.exe
4144	0cf0eb64c6fac3c08a47aa75a0263f46a226e81f02db8aa14298280ceb73f568.exe
4144	0cf0eb64c6fac3c08a47aa75a0263f46a226e81f02db8aa14298280ceb73f568.exe
4144	0cf0eb64c6fac3c08a47aa75a0263f46a226e81f02db8aa14298280ceb73f568.exe
4144	0cf0eb64c6fac3c08a47aa75a0263f46a226e81f02db8aa14298280ceb73f568.exe
4144	0cf0eb64c6fac3c08a47aa75a0263f46a226e81f02db8aa14298280ceb73f568.exe
4144	0cf0eb64c6fac3c08a47aa75a0263f46a226e81f02db8aa14298280ceb73f568.exe
4144	0cf0eb64c6fac3c08a47aa75a0263f46a226e81f02db8aa14298280ceb73f568.exe
4144	0cf0eb64c6fac3c08a47aa75a0263f46a226e81f02db8aa14298280ceb73f568.exe
4144	0cf0eb64c6fac3c08a47aa75a0263f46a226e81f02db8aa14298280ceb73f568.exe
4144	0cf0eb64c6fac3c08a47aa75a0263f46a226e81f02db8aa14298280ceb73f568.exe
1536	V8._85296_20150814221218.exe
1536	V8._85296_20150814221218.exe
1536	V8._85296_20150814221218.exe
1500	regsvr32.exe
1536	V8._85296_20150814221218.exe
2208	QQBrowser.exe
2208	QQBrowser.exe
1536	V8._85296_20150814221218.exe
1536	V8._85296_20150814221218.exe
3532	QQBrowser.exe
3532	QQBrowser.exe
4876	QQBrowser.exe
4876	QQBrowser.exe
4876	QQBrowser.exe
4896	QQBrowser.exe
4896	QQBrowser.exe
4536	QQBrowser.exe
4536	QQBrowser.exe
4536	QQBrowser.exe
4020	QQBrowser.exe
4020	QQBrowser.exe
4020	QQBrowser.exe
4536	QQBrowser.exe
3060	QQBrowser.exe
3060	QQBrowser.exe
3060	QQBrowser.exe
1920	QQBrowser.exe
1920	QQBrowser.exe
3160	QQBrowser.exe
3160	QQBrowser.exe
3160	QQBrowser.exe
3160	QQBrowser.exe
1908	QQBrowser.exe
1908	QQBrowser.exe
3160	QQBrowser.exe
2800	QQBrowser.exe
3196	QQBrowser.exe
3196	QQBrowser.exe
2800	QQBrowser.exe
3196	QQBrowser.exe
2800	QQBrowser.exe
4548	QQBrowser.exe
4548	QQBrowser.exe
2800	QQBrowser.exe
4548	QQBrowser.exe
2424	QQBrowser.exe
3820	QQBrowser.exe
3820	QQBrowser.exe
2424	QQBrowser.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

uni1795887c.exeConhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RavDown = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\nspD518.tmp\\uni1795887c.exe\" /session 282D310FF2B34498B4B8921B9BA16221 /subkey RAV"	uni1795887c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SohuVA = "\"C:\\Program Files (x86)\\????\\SHPlayer.exe\" /auto"	Conhost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Writes to the Master Boot Record (MBR) 1 TTPs 15 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

QQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exekinst_1_523.exeXMPSetupLite-SIjhaqws57.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeuni1795887c.exeQQBrowser.exeQQBrowser.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	QQBrowser.exe
File opened for modification	\??\PhysicalDrive0	QQBrowser.exe
File opened for modification	\??\PhysicalDrive0	QQBrowser.exe
File opened for modification	\??\PhysicalDrive0	QQBrowser.exe
File opened for modification	\??\PhysicalDrive0	QQBrowser.exe
File opened for modification	\??\PhysicalDrive0	QQBrowser.exe
File opened for modification	\??\PhysicalDrive0	kinst_1_523.exe
File opened for modification	\??\PhysicalDrive0	XMPSetupLite-SIjhaqws57.exe
File opened for modification	\??\PhysicalDrive0	QQBrowser.exe
File opened for modification	\??\PhysicalDrive0	QQBrowser.exe
File opened for modification	\??\PhysicalDrive0	QQBrowser.exe
File opened for modification	\??\PhysicalDrive0	QQBrowser.exe
File opened for modification	\??\PhysicalDrive0	uni1795887c.exe
File opened for modification	\??\PhysicalDrive0	QQBrowser.exe
File opened for modification	\??\PhysicalDrive0	QQBrowser.exe

Drops file in Program Files directory 64 IoCs

Processes:

SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exeV8._85296_20150814221218.exe

description	ioc	process
File created	C:\Program Files (x86)\搜狐影音\Skin\Default\player\Frames\btn_set_disable.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\搜狐影音\Skin\Default\player\Frames\btn_share_pressed.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\搜狐影音\codecs\coreaac.ax	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\搜狐影音\codecs\Real\drvc.dll	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\Html\manage\app\images\qblogo.png	V8._85296_20150814221218.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\Html\quickaccess\img\dock_video_hover.png	V8._85296_20150814221218.exe
File opened for modification	C:\Program Files (x86)\搜狐影音\Skin\Default\player\CommonCtl\btn_close_normal.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\搜狐影音\Skin\Default\player\Frames\btn_home_pre_down.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File opened for modification	C:\Program Files (x86)\搜狐影音\Skin\Default\player\CommonCtl\btn_gk_pressed.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\搜狐影音\Skin\Default\player\upload\btn_upload_nor.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\搜狐影音\Skin\Default\player\CommonCtl\i_no_link.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\搜狐影音\Skin\Default\player\CommonCtl\scroll_arrowup_pressed.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\Html\manage\img\account\down.png	V8._85296_20150814221218.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\Html\quickaccess\img\grid\lock_hover.png	V8._85296_20150814221218.exe
File created	C:\Program Files (x86)\搜狐影音\Skin\Default\player\upload\btn_afv_normal.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File opened for modification	C:\Program Files (x86)\搜狐影音\Skin\Default\player\CenterConsole\btn_exnode_disable.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\搜狐影音\Skin\Default\player\CommonCtl\tips_btnclose_press.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\搜狐影音\codecs\ogm.dll	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\搜狐影音\Skin\Default\player\Frames\dlna_btn_open_normal.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\搜狐影音\Skin\Default\player\Frames\dlna_connected.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\Html\quickaccess\img\grid\delete_hover.png	V8._85296_20150814221218.exe
File created	C:\Program Files (x86)\搜狐影音\Skin\Default\player\CenterConsole\btn_font_smart_disable.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File opened for modification	C:\Program Files (x86)\搜狐影音\Skin\Default\player\Frames\btn_resotre_pressed_top.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\搜狐影音\Skin\Default\player\Frames\btn_tool_cutprint_pressed.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\搜狐影音\Skin\Default\player\upload\us_network_err.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\Html\manage\img\skin\	V8._85296_20150814221218.exe
File opened for modification	C:\Program Files (x86)\搜狐影音\Skin\Default\player\Frames\btn_episode_disable.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File opened for modification	C:\Program Files (x86)\搜狐影音\Skin\Default\player\CommonCtl\cs_yuan.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\搜狐影音\Skin\Default\player\menu\top_left.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\搜狐影音\SHUploader.dll	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\Html\quickaccess\js\global.js	V8._85296_20150814221218.exe
File created	C:\Program Files (x86)\搜狐影音\Skin\Default\player\CommonCtl\btn_frametap_pressed.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\搜狐影音\Skin\Default\player\CommonCtl\tips_bgVipSuccess.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File opened for modification	C:\Program Files (x86)\搜狐影音\精选台.ico	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File opened for modification	C:\Program Files (x86)\搜狐影音\Skin\Default\player\upload\btn_play_hover.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File opened for modification	C:\Program Files (x86)\搜狐影音\Skin\Default\player\CenterConsole\btn_treecycle_hover.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\搜狐影音\Skin\Default\player\Frames\btn_TVSeries_normal.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\搜狐影音\Skin\Default\loading\skin\images\ico-1.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\Html\manage\img\skin\skin_selected_blank_ie.png	V8._85296_20150814221218.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\Html\manage\img\skin\tab_bg_blank.png	V8._85296_20150814221218.exe
File created	C:\Program Files (x86)\搜狐影音\Skin\Default\player\Frames\btn_home_next_down.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\搜狐影音\Skin\Default\player\Frames\btn_pause_pressed.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\搜狐影音\Skin\Default\player\CommonCtl\tab_line_normal.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\搜狐影音\Skin\Default\player\window\win_normal_rt.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\搜狐影音\TaskBarBt\搜狐影音.lnk	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\搜狐影音\FileAssociationsTool.exe	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File opened for modification	C:\Program Files (x86)\搜狐影音\SoHuAutoDetector.dll	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File opened for modification	C:\Program Files (x86)\搜狐影音\Skin\Default\player\Frames\btn_minishow_hover.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\搜狐影音\Skin\Default\player\upload\btn_upload_hover.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File opened for modification	C:\Program Files (x86)\搜狐影音\Skin\Default\loading\skin\images\videoloading.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\搜狐影音\Skin\Default\player\window\warning_black.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\搜狐影音\Skin\Default\player\CommonCtl\btn_soundadd_normal.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\搜狐影音\Skin\Default\player\window\r_min-pressed.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File opened for modification	C:\Program Files (x86)\搜狐影音\Skin\Default\player\window\warning_black.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File opened for modification	C:\Program Files (x86)\搜狐影音\Skin\Default\player\window\win_normal_lb.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File opened for modification	C:\Program Files (x86)\搜狐影音\Skin\Default\player\Frames\btn_detail_hover.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File opened for modification	C:\Program Files (x86)\搜狐影音\Skin\Default\player\Frames\btn_previous_pressed.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File opened for modification	C:\Program Files (x86)\搜狐影音\Skin\Default\player\Frames\btn_showconsole_normal.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\搜狐影音\Skin\Default\player\Frames\btn_showtree_hover.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File opened for modification	C:\Program Files (x86)\搜狐影音\SohuTool.dll	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File opened for modification	C:\Program Files (x86)\搜狐影音\Skin\Default\player\CenterConsole\btn_treedelete_pressed.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File opened for modification	C:\Program Files (x86)\搜狐影音\Skin\Default\player\CommonCtl\scroll_sliderbg_normal.png	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File created	C:\Program Files (x86)\搜狐影音\Skin\Default\logo\logo.ico	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
File opened for modification	C:\Program Files (x86)\搜狐影音\Skin\Default\player\icon\wmv.ico	SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe

Drops file in Windows directory 2 IoCs

Processes:

QQBrowser.exe

description	ioc	process
File created	C:\Windows\Tasks\QQBrowser Udpater Task.job	QQBrowser.exe
File created	C:\Windows\Tasks\QQBrowser Udpater Task(Core).job	QQBrowser.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

QQBrowser.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	QQBrowser.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	QQBrowser.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

QQBrowser.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	QQBrowser.exe

Modifies registry class 64 IoCs

Processes:

FileAssociationsTool.exeregsvr32.exeConhost.exeFileAssociationsTool.exenetsh.exeSHRes.exeregsvr32.exeQQBrowser.exeregsvr32.exeThunderFW.exeFileAssociationsTool.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SHPlayer.m2v\DefaultIcon	FileAssociationsTool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SHPlayer.vob\shell\ = "open"	FileAssociationsTool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SHPlayer.ts\DefaultIcon\ = "C:\\Program Files (x86)\\搜狐影音\\Skin\\Default\\player\\icon\\logo.ico"	FileAssociationsTool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SHPlayer.amr\shell\open\command\ = "\"C:\\Program Files (x86)\\搜狐影音\\SHPlayer.exe\" \"%1\""	FileAssociationsTool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A981255C-6123-4487-B21A-9CF468EB3FC7}\InprocServer32\ = "C:\\Program Files (x86)\\Tencent\\QQBrowser\\WebpDecodeFilter.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\SHPlayer.exe\shell\open\command\ = "\"C:\\Program Files (x86)\\搜狐影音\\SHPlayer.exe\" \"%1\""	Conhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\.3gpp\	FileAssociationsTool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SHPlayer.rm\shell\open\ = "使用搜狐影音播放"	FileAssociationsTool.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8776860F-30C7-41B9-BDF4-360A6B55E51F}\Programmable	netsh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SHPlayer.m2t\shell\open\command\ = "\"C:\\Program Files (x86)\\搜狐影音\\SHPlayer.exe\" \"%1\""	FileAssociationsTool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\SHRes.EXE\AppID = "{BAA32EF9-F2A7-4790-9CD1-5C52B0CBB18A}"	SHRes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F64C4F5C-1147-42BC-B120-3FA8DA5D898F}\TypeLib\ = "{}"	SHRes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SohuBHO.SohuDetector.1\CLSID\ = "{452ADB5B-00BE-469D-A65F-3046146B2ED5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SHPlayer.m2ts\DefaultIcon\ = "C:\\Program Files (x86)\\搜狐影音\\Skin\\Default\\player\\icon\\logo.ico"	FileAssociationsTool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SohuBHO.SohuDetector	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SHPlayer.rmvb\shell\open\command	FileAssociationsTool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SHPlayer.rmvb\DefaultIcon	FileAssociationsTool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EC39817-8A2F-4960-98CB-DB601C17D941}\TypeLib	SHRes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.File\DefaultIcon\ = "C:\\Program Files (x86)\\Tencent\\QQBrowser\\QQBrowser.exe,0"	QQBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SHPlayer.wmv\ = "媒体文件(.wmv)"	FileAssociationsTool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{93A75914-F6D0-45CA-90D9-5259203F89B3}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SHPlayer.mp3\shell\open	FileAssociationsTool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SHPlayer.ogg\shell\open	FileAssociationsTool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SHRes.SHFlashWnd.1\CLSID\ = "{F64C4F5C-1147-42BC-B120-3FA8DA5D898F}"	netsh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SHPlayer.3gp\DefaultIcon\ = "C:\\Program Files (x86)\\搜狐影音\\Skin\\Default\\player\\icon\\3gp.ico"	FileAssociationsTool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SHPlayer.mpg	FileAssociationsTool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SHPlayer.f4v\shell\open\command	FileAssociationsTool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SoHuVA.SoHuDector.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{93A75914-F6D0-45CA-90D9-5259203F89B3}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{93A75914-F6D0-45CA-90D9-5259203F89B3}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A981255C-6123-4487-B21A-9CF468EB3FC7}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SHPlayer.m2v\shell	FileAssociationsTool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SHPlayer.vob\shell	FileAssociationsTool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{3BE2B2ED-C7C2-49F5-BB14-13CD5C55F07F}	ThunderFW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SHPlayer.amr\shell\ = "open"	FileAssociationsTool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{452ADB5B-00BE-469D-A65F-3046146B2ED5}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WebpDecodeFilter.WebpImageDecodeFilter\CurVer\ = "WebpDecodeFilter.WebpImageDecodeFilt.1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A981255C-6123-4487-B21A-9CF468EB3FC7}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SHPlayer.qt\DefaultIcon	FileAssociationsTool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SHPlayer.wav\shell	FileAssociationsTool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SHPlayer.wmv\shell\open	FileAssociationsTool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SHPlayer.vob	FileAssociationsTool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8381A5DF-B3FB-4AB6-A62F-1FE9D78A31E5}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\SHPlayer.exe\shell\open\command	FileAssociationsTool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SHPlayer.rmvb\shell\open	FileAssociationsTool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\SHPlayer.exe\shell\open\command\ = "\"C:\\Program Files (x86)\\搜狐影音\\SHPlayer.exe\" \"%1\""	FileAssociationsTool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SHPlayer.3gpp\shell\ = "open"	FileAssociationsTool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SHPlayer.amr\shell\open	FileAssociationsTool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E3A15D5A-2F39-4E1D-B4C4-DE8E2875128A}\ProgID	netsh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.Protocol\shell\open\command\ = "\"C:\\Program Files (x86)\\Tencent\\QQBrowser\\QQBrowser.exe\" -- \"%1\""	QQBrowser.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SHPlayer.3gpp\shell\open\command\ = "\"C:\\Program Files (x86)\\搜狐影音\\SHPlayer.exe\" \"%1\""	FileAssociationsTool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SHPlayer.mp3\shell	FileAssociationsTool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2223FA33-C710-4F45-929B-2F3721D75188}\1.0\ = "SHGameRes 1.0 Type Library"	ThunderFW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8381A5DF-B3FB-4AB6-A62F-1FE9D78A31E5}\TypeLib\ = "{EB10A985-FAED-4612-85D1-DAD997C2FBED}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SHPlayer.ram\ = "媒体文件(.ram)"	FileAssociationsTool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8776860F-30C7-41B9-BDF4-360A6B55E51F}\LocalServer32\ = "\"C:\\Program Files (x86)\\搜狐影音\\SHRes.exe\""	SHRes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9BF34E9D-3A08-4F88-A0F6-1E114F204BF2}\TypeLib\ = "{2223FA33-C710-4F45-929B-2F3721D75188}"	ThunderFW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WEBPFilter.CoWEBPFilter	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9D56DC9-AFC4-4A04-8084-6463B047CD26}\TypeLib\Version = "1.0"	SHRes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8776860F-30C7-41B9-BDF4-360A6B55E51F}\LocalServer32	netsh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SHPlayer.m2t	FileAssociationsTool.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SHPlayer.wma	FileAssociationsTool.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F64C4F5C-1147-42BC-B120-3FA8DA5D898F}\VersionIndependentProgID\ = "SHRes.SHFlashWnd"	netsh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F64C4F5C-1147-42BC-B120-3FA8DA5D898F}\Programmable	netsh.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

V8._85296_20150814221218.exeQQBrowser.exeQQBrowser.exeQQBrowser.exe

pid	process
1536	V8._85296_20150814221218.exe
1536	V8._85296_20150814221218.exe
1536	V8._85296_20150814221218.exe
1536	V8._85296_20150814221218.exe
1536	V8._85296_20150814221218.exe
1536	V8._85296_20150814221218.exe
4536	QQBrowser.exe
4536	QQBrowser.exe
4536	QQBrowser.exe
4536	QQBrowser.exe
4536	QQBrowser.exe
4536	QQBrowser.exe
4536	QQBrowser.exe
4536	QQBrowser.exe
4536	QQBrowser.exe
4536	QQBrowser.exe
4536	QQBrowser.exe
4536	QQBrowser.exe
4536	QQBrowser.exe
4536	QQBrowser.exe
4536	QQBrowser.exe
4536	QQBrowser.exe
4536	QQBrowser.exe
4536	QQBrowser.exe
2800	QQBrowser.exe
2800	QQBrowser.exe
2800	QQBrowser.exe
2800	QQBrowser.exe
2800	QQBrowser.exe
2800	QQBrowser.exe
2800	QQBrowser.exe
2800	QQBrowser.exe
2800	QQBrowser.exe
2800	QQBrowser.exe
2800	QQBrowser.exe
2800	QQBrowser.exe
2800	QQBrowser.exe
2800	QQBrowser.exe
2800	QQBrowser.exe
2800	QQBrowser.exe
2800	QQBrowser.exe
2800	QQBrowser.exe
2800	QQBrowser.exe
2800	QQBrowser.exe
2800	QQBrowser.exe
2800	QQBrowser.exe
2800	QQBrowser.exe
2800	QQBrowser.exe
1536	V8._85296_20150814221218.exe
1536	V8._85296_20150814221218.exe
2148	QQBrowser.exe
2148	QQBrowser.exe
2148	QQBrowser.exe
2148	QQBrowser.exe
2148	QQBrowser.exe
2148	QQBrowser.exe
2148	QQBrowser.exe
2148	QQBrowser.exe
2148	QQBrowser.exe
2148	QQBrowser.exe
2800	QQBrowser.exe
2800	QQBrowser.exe
2800	QQBrowser.exe
2800	QQBrowser.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

4196 msedge.exe
4196 msedge.exe
4196 msedge.exe
4196 msedge.exe
4196 msedge.exe

pid	process
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

QQBrowser.exeSHPlayer.exe

description	pid	process
Token: SeSecurityPrivilege	3532	QQBrowser.exe
Token: SeSecurityPrivilege	3532	QQBrowser.exe
Token: SeSecurityPrivilege	3532	QQBrowser.exe
Token: SeSecurityPrivilege	3532	QQBrowser.exe
Token: SeSecurityPrivilege	3532	QQBrowser.exe
Token: SeDebugPrivilege	2644	SHPlayer.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

QQBrowser.exemsedge.exe

pid process

3160 QQBrowser.exe
3160 QQBrowser.exe
3160 QQBrowser.exe
3160 QQBrowser.exe
3160 QQBrowser.exe
4196 msedge.exe
4196 msedge.exe
4196 msedge.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

QQBrowser.exeQQBrowser.exeSHRes.exeSHUpdate.exe

pid process

1908 QQBrowser.exe
1908 QQBrowser.exe
4856 QQBrowser.exe
5516 SHRes.exe
5144 SHUpdate.exe

pid	process
3160	QQBrowser.exe
3160	QQBrowser.exe
3160	QQBrowser.exe
3160	QQBrowser.exe
3160	QQBrowser.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe

pid	process
1908	QQBrowser.exe
1908	QQBrowser.exe
4856	QQBrowser.exe
5516	SHRes.exe
5144	SHUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0cf0eb64c6fac3c08a47aa75a0263f46a226e81f02db8aa14298280ceb73f568.exeV8._85296_20150814221218.exeQQBrowser.exeQQBrowser.exe

description	pid	process	target process
PID 4144 wrote to memory of 1536	4144	0cf0eb64c6fac3c08a47aa75a0263f46a226e81f02db8aa14298280ceb73f568.exe	V8._85296_20150814221218.exe
PID 4144 wrote to memory of 1536	4144	0cf0eb64c6fac3c08a47aa75a0263f46a226e81f02db8aa14298280ceb73f568.exe	V8._85296_20150814221218.exe
PID 4144 wrote to memory of 1536	4144	0cf0eb64c6fac3c08a47aa75a0263f46a226e81f02db8aa14298280ceb73f568.exe	V8._85296_20150814221218.exe
PID 1536 wrote to memory of 1372	1536	V8._85296_20150814221218.exe	PerfTraceService.exe
PID 1536 wrote to memory of 1372	1536	V8._85296_20150814221218.exe	PerfTraceService.exe
PID 1536 wrote to memory of 1372	1536	V8._85296_20150814221218.exe	PerfTraceService.exe
PID 1536 wrote to memory of 1500	1536	V8._85296_20150814221218.exe	regsvr32.exe
PID 1536 wrote to memory of 1500	1536	V8._85296_20150814221218.exe	regsvr32.exe
PID 1536 wrote to memory of 1500	1536	V8._85296_20150814221218.exe	regsvr32.exe
PID 1536 wrote to memory of 2208	1536	V8._85296_20150814221218.exe	QQBrowser.exe
PID 1536 wrote to memory of 2208	1536	V8._85296_20150814221218.exe	QQBrowser.exe
PID 1536 wrote to memory of 2208	1536	V8._85296_20150814221218.exe	QQBrowser.exe
PID 1536 wrote to memory of 3532	1536	V8._85296_20150814221218.exe	QQBrowser.exe
PID 1536 wrote to memory of 3532	1536	V8._85296_20150814221218.exe	QQBrowser.exe
PID 1536 wrote to memory of 3532	1536	V8._85296_20150814221218.exe	QQBrowser.exe
PID 1536 wrote to memory of 4876	1536	V8._85296_20150814221218.exe	QQBrowser.exe
PID 1536 wrote to memory of 4876	1536	V8._85296_20150814221218.exe	QQBrowser.exe
PID 1536 wrote to memory of 4876	1536	V8._85296_20150814221218.exe	QQBrowser.exe
PID 1536 wrote to memory of 4896	1536	V8._85296_20150814221218.exe	QQBrowser.exe
PID 1536 wrote to memory of 4896	1536	V8._85296_20150814221218.exe	QQBrowser.exe
PID 1536 wrote to memory of 4896	1536	V8._85296_20150814221218.exe	QQBrowser.exe
PID 1536 wrote to memory of 4536	1536	V8._85296_20150814221218.exe	QQBrowser.exe
PID 1536 wrote to memory of 4536	1536	V8._85296_20150814221218.exe	QQBrowser.exe
PID 1536 wrote to memory of 4536	1536	V8._85296_20150814221218.exe	QQBrowser.exe
PID 1536 wrote to memory of 4020	1536	V8._85296_20150814221218.exe	QQBrowser.exe
PID 1536 wrote to memory of 4020	1536	V8._85296_20150814221218.exe	QQBrowser.exe
PID 1536 wrote to memory of 4020	1536	V8._85296_20150814221218.exe	QQBrowser.exe
PID 1536 wrote to memory of 3060	1536	V8._85296_20150814221218.exe	QQBrowser.exe
PID 1536 wrote to memory of 3060	1536	V8._85296_20150814221218.exe	QQBrowser.exe
PID 1536 wrote to memory of 3060	1536	V8._85296_20150814221218.exe	QQBrowser.exe
PID 3532 wrote to memory of 888	3532	QQBrowser.exe	regsvr32.exe
PID 3532 wrote to memory of 888	3532	QQBrowser.exe	regsvr32.exe
PID 3532 wrote to memory of 888	3532	QQBrowser.exe	regsvr32.exe
PID 3532 wrote to memory of 700	3532	QQBrowser.exe	regsvr32.exe
PID 3532 wrote to memory of 700	3532	QQBrowser.exe	regsvr32.exe
PID 3532 wrote to memory of 700	3532	QQBrowser.exe	regsvr32.exe
PID 1536 wrote to memory of 1920	1536	V8._85296_20150814221218.exe	QQBrowser.exe
PID 1536 wrote to memory of 1920	1536	V8._85296_20150814221218.exe	QQBrowser.exe
PID 1536 wrote to memory of 1920	1536	V8._85296_20150814221218.exe	QQBrowser.exe
PID 1536 wrote to memory of 3160	1536	V8._85296_20150814221218.exe	QQBrowser.exe
PID 1536 wrote to memory of 3160	1536	V8._85296_20150814221218.exe	QQBrowser.exe
PID 1536 wrote to memory of 3160	1536	V8._85296_20150814221218.exe	QQBrowser.exe
PID 3160 wrote to memory of 1908	3160	QQBrowser.exe	QQBrowser.exe
PID 3160 wrote to memory of 1908	3160	QQBrowser.exe	QQBrowser.exe
PID 3160 wrote to memory of 1908	3160	QQBrowser.exe	QQBrowser.exe
PID 3160 wrote to memory of 4548	3160	QQBrowser.exe	QQBrowser.exe
PID 3160 wrote to memory of 4548	3160	QQBrowser.exe	QQBrowser.exe
PID 3160 wrote to memory of 4548	3160	QQBrowser.exe	QQBrowser.exe
PID 3160 wrote to memory of 3196	3160	QQBrowser.exe	QQBrowser.exe
PID 3160 wrote to memory of 3196	3160	QQBrowser.exe	QQBrowser.exe
PID 3160 wrote to memory of 3196	3160	QQBrowser.exe	QQBrowser.exe
PID 3160 wrote to memory of 2800	3160	QQBrowser.exe	QQBrowser.exe
PID 3160 wrote to memory of 2800	3160	QQBrowser.exe	QQBrowser.exe
PID 3160 wrote to memory of 2800	3160	QQBrowser.exe	QQBrowser.exe
PID 3160 wrote to memory of 2424	3160	QQBrowser.exe	QQBrowser.exe
PID 3160 wrote to memory of 2424	3160	QQBrowser.exe	QQBrowser.exe
PID 3160 wrote to memory of 2424	3160	QQBrowser.exe	QQBrowser.exe
PID 3160 wrote to memory of 3820	3160	QQBrowser.exe	QQBrowser.exe
PID 3160 wrote to memory of 3820	3160	QQBrowser.exe	QQBrowser.exe
PID 3160 wrote to memory of 3820	3160	QQBrowser.exe	QQBrowser.exe
PID 1536 wrote to memory of 2148	1536	V8._85296_20150814221218.exe	QQBrowser.exe
PID 1536 wrote to memory of 2148	1536	V8._85296_20150814221218.exe	QQBrowser.exe
PID 1536 wrote to memory of 2148	1536	V8._85296_20150814221218.exe	QQBrowser.exe
PID 1536 wrote to memory of 4856	1536	V8._85296_20150814221218.exe	QQBrowser.exe

C:\Users\Admin\AppData\Local\Temp\0cf0eb64c6fac3c08a47aa75a0263f46a226e81f02db8aa14298280ceb73f568.exe
"C:\Users\Admin\AppData\Local\Temp\0cf0eb64c6fac3c08a47aa75a0263f46a226e81f02db8aa14298280ceb73f568.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4144

C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\V8._85296_20150814221218.exe
V8._85296_20150814221218.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1536

C:\Program Files (x86)\Tencent\QQBrowser\Service\PerfTraceService.exe
"C:\Program Files (x86)\Tencent\QQBrowser\Service\PerfTraceService.exe" -installAndRun "QQBrowser Performance Service"
3⤵
- Executes dropped EXE
PID:1372

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Tencent\QQBrowser\WebpDecodeFilter.dll"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:1500

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -host=update -source=1
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:2208

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -module=Assistant.dll -install
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3532

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /u MetroLauncher32.dll
4⤵
PID:888

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /u MetroLauncher64.dll
4⤵
PID:700

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -module=Assistant.dll -installscheduletask
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
PID:4876

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -Module=QQBrowserFrame.dll -skinzipfactory
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4896

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -module=Assistant.dll -installcoexistreport -installmode=1
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
PID:4536

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -module=Assistant.dll -resetopenpage
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:4020

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -module=Assistant.dll -homepageimport
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:3060

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -module=QQBrowserFrame.dll -updatejumplist
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1920

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -sc=quicklaunchpinedshortcut -fixlaunch=0
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3160

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -host=extension -scope=3160 /prefetch:5
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:1908

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" "-host=tab" -scope=3160 -Cred=932 -group=0 -core=5 /prefetch:2
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4548

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -host= -Cred=2048 -scope=3160 -sc=quicklaunchpinedshortcut /prefetch:1
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2800

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" "-host=tab" -scope=3160 -Cred=932 -group=0 -tid=1 -core=5 /prefetch:2
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3196

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -host=net /prefetch:4
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2424

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -host=net /prefetch:4
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:3820

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -module=Assistant.dll -installtxservice
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
PID:2148

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -module=Assistant.dll -setdefaultbrowser
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:4856

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -module=Assistant.dll -installreport -name=QQBrowser_Setup_Hk_85296_3638.exe -parent=0cf0eb64c6fac3c08a47aa75a0263f46a226e81f02db8aa14298280ceb73f568.exe -occupy= -occupyparent= -method=3 -result=0 -type=1 -changedir=0 -fstartup=1 -deskicon=1 -default=1 -directopen=5062 -userplan=1 -r1= -r2=
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe" + "C:\Windows\Fonts\arial.ttf" "C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe"
2⤵
PID:3268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe" + "C:\Windows\Fonts\arial.ttf" "C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe"
2⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe" + "C:\Windows\Fonts\arial.ttf" "C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe"
2⤵
PID:1032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe" + "C:\Windows\Fonts\arial.ttf" "C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe"
2⤵
PID:2064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe" + "C:\Windows\Fonts\arial.ttf" "C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe"
2⤵
PID:4468

C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
SoHuVA_4.5.77.0-c204900003-nti-ng-tp-s.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
PID:1640

C:\Program Files (x86)\搜狐影音\FileAssociationsTool.exe
"C:\Program Files (x86)\搜狐影音\FileAssociationsTool.exe" /PreventPinning "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\搜狐影音\卸载搜狐影音.lnk"
3⤵
- Executes dropped EXE
PID:2064

C:\Program Files (x86)\搜狐影音\SHPlayer.exe
"C:\Program Files (x86)\搜狐影音\SHPlayer.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Program Files (x86)\搜狐影音\SohuVA.exe
"C:\Program Files (x86)\搜狐影音\SohuVA.exe"
4⤵
- Executes dropped EXE
PID:436

C:\Program Files (x86)\搜狐影音\SHlive.exe
"C:\Program Files (x86)\搜狐影音\SHlive.exe"
4⤵
- Executes dropped EXE
PID:2748

C:\Program Files (x86)\搜狐影音\SHUpdate.exe
"C:\Program Files (x86)\搜狐影音\SHUpdate.exe" /RegBHO
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:5144

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C:\Program Files (x86)\搜狐影音\SohuDetector.dll /s
5⤵
PID:6064

C:\Program Files (x86)\搜狐影音\SHRes.exe
"C:\Program Files (x86)\搜狐影音\SHRes.exe" /regserver
4⤵
- Executes dropped EXE
- Modifies registry class
PID:1032

C:\Program Files (x86)\搜狐影音\FileAssociationsTool.exe
"C:\Program Files (x86)\搜狐影音\FileAssociationsTool.exe" /ModifyTaskbar "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\搜狐影音.lnk"
3⤵
- Executes dropped EXE
PID:4272

C:\Program Files (x86)\搜狐影音\FileAssociationsTool.exe
"C:\Program Files (x86)\搜狐影音\FileAssociationsTool.exe" /EnableAutoRun
3⤵
PID:3584

C:\Program Files (x86)\搜狐影音\FileAssociationsTool.exe
"C:\Program Files (x86)\搜狐影音\FileAssociationsTool.exe" /ModifyMainShortcut
3⤵
- Executes dropped EXE
PID:5016

C:\Program Files (x86)\搜狐影音\FileAssociationsTool.exe
"C:\Program Files (x86)\搜狐影音\FileAssociationsTool.exe" /F
3⤵
- Executes dropped EXE
- Modifies registry class
PID:5168

C:\Program Files (x86)\搜狐影音\FileAssociationsTool.exe
"C:\Program Files (x86)\搜狐影音\FileAssociationsTool.exe" /TIFOX
3⤵
- Executes dropped EXE
- Modifies registry class
PID:5272

C:\Program Files (x86)\搜狐影音\FileAssociationsTool.exe
"C:\Program Files (x86)\搜狐影音\FileAssociationsTool.exe" /ChangeSohuVARunToSHplayerRun
3⤵
- Executes dropped EXE
PID:5348

C:\Program Files (x86)\搜狐影音\FileAssociationsTool.exe
"C:\Program Files (x86)\搜狐影音\FileAssociationsTool.exe" /ReleaseSWF
3⤵
- Executes dropped EXE
- Modifies registry class
PID:5372

C:\Program Files (x86)\搜狐影音\FileAssociationsTool.exe
"C:\Program Files (x86)\搜狐影音\FileAssociationsTool.exe" /InstallSuccess 0
3⤵
PID:5392

C:\Program Files (x86)\搜狐影音\SHRes.exe
"C:\Program Files (x86)\搜狐影音\SHRes.exe" /RegServer
3⤵
PID:5424

C:\Program Files (x86)\搜狐影音\SHGameRes.exe
"C:\Program Files (x86)\搜狐影音\SHGameRes.exe" /RegServer
3⤵
PID:5448

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\搜狐影音\SoHuAutoDetector.dll"
3⤵
- Modifies registry class
PID:5468

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\搜狐影音\SHUploadFile.dll"
3⤵
PID:5508

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\搜狐影音\SohuDetector.dll"
3⤵
- Modifies registry class
PID:5648

C:\Program Files (x86)\搜狐影音\SHPlayer.exe
"C:\Program Files (x86)\搜狐影音\SHPlayer.exe" /InstallStart
3⤵
- Executes dropped EXE
PID:5764

C:\Program Files (x86)\搜狐影音\SHPlayer.exe
"C:\Program Files (x86)\搜狐影音\SHPlayer.exe" /auto
3⤵
- Executes dropped EXE
PID:5944

C:\Program Files (x86)\搜狐影音\SohuVA.exe
"C:\Program Files (x86)\搜狐影音\SohuVA.exe"
3⤵
- Executes dropped EXE
PID:6020

C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\uni1795887c.exe
uni1795887c.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
PID:2004

C:\Users\Admin\AppData\Local\Temp\RavDown\Rising.dat
"C:\Users\Admin\AppData\Local\Temp\RavDown\Rising.dat" -eo="C:\Users\Admin\AppData\Local\Temp\RAVTmp" /silence
3⤵
- Executes dropped EXE
PID:6104

C:\Users\Admin\AppData\Local\Temp\RAVTmp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\RAVTmp\setup.exe" /S/RSDOWN
3⤵
PID:7048

C:\Users\Admin\AppData\Local\Temp\RAVTmp\rslang\langsel.exe
"C:\Users\Admin\AppData\Local\Temp\RAVTmp\rslang\langsel.exe" /install /936 /950 /1252 /SILENCE
4⤵
PID:4652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://120.55.104.68/MGNmMGViNjRjNmZhYzNjMDhhNDdhYTc1YTAyNjNmNDZhMjI2ZTgxZjAyZGI4YWExNDI5ODI4MGNlYjczZjU2OC5leGU=/40.html
2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:4196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffabcc946f8,0x7ffabcc94708,0x7ffabcc94718
3⤵
PID:2172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,10568257271154955910,13639290296909592894,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
3⤵
PID:1092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,10568257271154955910,13639290296909592894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
3⤵
PID:3708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,10568257271154955910,13639290296909592894,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
3⤵
PID:3404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10568257271154955910,13639290296909592894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
3⤵
PID:1944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10568257271154955910,13639290296909592894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
3⤵
PID:2448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,10568257271154955910,13639290296909592894,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5344 /prefetch:8
3⤵
PID:3512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,10568257271154955910,13639290296909592894,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5488 /prefetch:8
3⤵
PID:5048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10568257271154955910,13639290296909592894,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
3⤵
PID:756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10568257271154955910,13639290296909592894,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
3⤵
PID:3252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10568257271154955910,13639290296909592894,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
3⤵
PID:3676

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,10568257271154955910,13639290296909592894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6244 /prefetch:8
3⤵
PID:6132

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
PID:6688

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff62e4b5460,0x7ff62e4b5470,0x7ff62e4b5480
4⤵
PID:6324

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,10568257271154955910,13639290296909592894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6244 /prefetch:8
3⤵
PID:4400

C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\kinst_1_523.exe
kinst_1_523.exe /S
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:5112

C:\Users\Admin\AppData\Local\Temp\KDbCIHelper.exe
"C:\Users\Admin\AppData\Local\Temp\KDbCIHelper.exe" -release
3⤵
PID:6880

C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\XMPSetupLite-SIjhaqws57.exe
XMPSetupLite-SIjhaqws57.exe
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:4408

C:\Users\Admin\AppData\Local\Temp\XMPSetupLite-SIjhaqws57\5.2.18.5894\XmpSetupAgent.exe
"C:\Users\Admin\AppData\Local\Temp\XMPSetupLite-SIjhaqws57\5.2.18.5894\XmpSetupAgent.exe" /installdir "C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894" /userdata "C:\Users\Public\Thunder Network\XMP5\V5.2.18.5894" /version "5.2.18.5894" /cmdfile "C:\Users\Admin\AppData\Local\Temp\XMP33EC.tmp"
3⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\XMPSetupLite-SIjhaqws57\5.2.18.5894\XmpSetupAgent.exe
"C:\Users\Admin\AppData\Local\Temp\XMPSetupLite-SIjhaqws57\5.2.18.5894\XmpSetupAgent.exe" /installdir "C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894" /userdata "C:\Users\Public\Thunder Network\XMP5\V5.2.18.5894" /version "5.2.18.5894" /cmdfile "C:\Users\Admin\AppData\Local\Temp\XMP412C.tmp"
3⤵
PID:3548

C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\ThunderFW.exe
"C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\ThunderFW.exe" "迅雷影音" "C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\XMP.exe"
3⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\XMPSetupLite-SIjhaqws57\5.2.18.5894\XmpSetupAgent.exe
"C:\Users\Admin\AppData\Local\Temp\XMPSetupLite-SIjhaqws57\5.2.18.5894\XmpSetupAgent.exe" /installdir "C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894" /userdata "C:\Users\Public\Thunder Network\XMP5\V5.2.18.5894" /version "5.2.18.5894" /cmdfile "C:\Users\Admin\AppData\Local\Temp\XMP41AB.tmp"
3⤵
- Executes dropped EXE
PID:5392

C:\Users\Admin\AppData\Local\Temp\XMPSetupLite-SIjhaqws57\5.2.18.5894\XmpPusherSetup.exe
"C:\Users\Admin\AppData\Local\Temp\XMPSetupLite-SIjhaqws57\5.2.18.5894\XmpPusherSetup.exe" /S /write /xmpsupport "XmpSetupLite"
4⤵
PID:2948

C:\PROGRA~2\THUNDE~1\XMP\V5218~1.589\Bin\ThunderFW.exe
"C:\PROGRA~2\THUNDE~1\XMP\V5218~1.589\Bin\ThunderFW.exe" "XmpTipWnd" "C:\Users\Public\Thunder Network\Pusher\Pusher\XmpTipWnd.1.0.0.99.exe"
5⤵
PID:6840

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Public\Thunder Network\Pusher\Pusher\xappex.1.1.1.99.dll"
5⤵
PID:3640

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Public\Thunder Network\Pusher\Pusher\xappex.1.1.1.99.dll"
6⤵
PID:5760

C:\PROGRA~2\THUNDE~1\XMP\V5218~1.589\Bin\ThunderFW.exe
"C:\PROGRA~2\THUNDE~1\XMP\V5218~1.589\Bin\ThunderFW.exe" "DownloadSDKServer" "C:\Users\Public\Thunder Network\Pusher\Pusher\TP\DownloadSDKServer.exe"
5⤵
PID:5268

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="DownloadSDKServer" dir=in action=allow program="C:\Users\Public\Thunder Network\Pusher\Pusher\TP\DownloadSDKServer.exe" enable=yes
5⤵
PID:632

C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\ThunderFW.exe
"C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\ThunderFW.exe" "XLLiveUD" "C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\XLLiveUD.exe"
3⤵
PID:5928

C:\Users\Admin\AppData\Local\Temp\XMPSetupLite-SIjhaqws57\5.2.18.5894\XmpSetupAgent.exe
"C:\Users\Admin\AppData\Local\Temp\XMPSetupLite-SIjhaqws57\5.2.18.5894\XmpSetupAgent.exe" /installdir "C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894" /userdata "C:\Users\Public\Thunder Network\XMP5\V5.2.18.5894" /version "5.2.18.5894" /cmdfile "C:\Users\Admin\AppData\Local\Temp\XMP41AA.tmp"
3⤵
PID:5596

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" "C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\ShlExt_x64.dll" /s
4⤵
PID:5160

C:\Windows\system32\regsvr32.exe
"C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\ShlExt_x64.dll" /s
5⤵
PID:2988

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" "C:\Users\Public\Thunder Network\XMP5\V5.2.18.5894\Program\VideoUrlSniffer.dll" /s
4⤵
PID:6632

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" "C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\UserAgent.dll" /s
4⤵
PID:4912

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" "C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\xlnpDapCtrl.dll" /s
4⤵
PID:3536

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" "C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\DapCtrl.dll" /s
4⤵
PID:6704

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" "C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\DapCtrl64.dll" /s
4⤵
PID:6516

C:\Windows\system32\regsvr32.exe
"C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\DapCtrl64.dll" /s
5⤵
PID:5772

C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\ThunderFW.exe
"C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\ThunderFW.exe" "XLBugReport" "C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\XLBugReport.exe"
3⤵
PID:464

C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\ThunderFW.exe
"C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\ThunderFW.exe" "迅雷下载服务" "C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\TP\DownloadSDKServer.exe"
3⤵
PID:5376

C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\ThunderFW.exe
"C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\ThunderFW.exe" "APlayer" "C:\Users\Public\Thunder Network\XMP5\V5.2.18.5894\Program\APlayer.exe"
3⤵
PID:5360

C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\ThunderFW.exe
"C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\ThunderFW.exe" "XLLiveUD" "C:\Users\Public\Thunder Network\XMP5\V5.2.18.5894\Program\XLLiveUD.exe"
3⤵
PID:5428

C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\ThunderFW.exe
"C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\ThunderFW.exe" "aapt" "C:\Users\Public\Thunder Network\XMP5\V5.2.18.5894\Program\aapt.exe"
3⤵
PID:1768

C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\ThunderFW.exe
"C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\ThunderFW.exe" "adb" "C:\Users\Public\Thunder Network\XMP5\V5.2.18.5894\Program\adb.exe"
3⤵
PID:5132

C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\ThunderFW.exe
"C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\ThunderFW.exe" "DPInstX64" "C:\Users\Public\Thunder Network\XMP5\V5.2.18.5894\Program\DPInstX64.exe"
3⤵
- Executes dropped EXE
- Modifies registry class
PID:5448

C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\ThunderFW.exe
"C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\ThunderFW.exe" "InstallDriver" "C:\Users\Public\Thunder Network\XMP5\V5.2.18.5894\Program\InstallDriver.exe"
3⤵
PID:4540

C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\ThunderFW.exe
"C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\ThunderFW.exe" "PreInstall" "C:\Users\Public\Thunder Network\XMP5\V5.2.18.5894\Program\PreInstall.exe"
3⤵
PID:5760

C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\ThunderFW.exe
"C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\ThunderFW.exe" "DPInst" "C:\Users\Public\Thunder Network\XMP5\V5.2.18.5894\Program\DPInst.exe"
3⤵
PID:1604

C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\ThunderFW.exe
"C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\ThunderFW.exe" "XLLiveUD" "C:\Users\Admin\AppData\Local\Temp\xlliveud\xmp_5.2.18.5894\XLLiveUD.exe"
3⤵
PID:5920

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="迅雷影音" dir=in action=allow program="C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\XMP.exe" enable=yes
3⤵
PID:8

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="XLLiveUD" dir=in action=allow program="C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\XLLiveUD.exe" enable=yes
3⤵
PID:3592

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="XLBugReport" dir=in action=allow program="C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\XLBugReport.exe" enable=yes
3⤵
PID:4896

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="迅雷下载服务" dir=in action=allow program="C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\TP\DownloadSDKServer.exe" enable=yes
3⤵
PID:3556

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="XLLiveUD" dir=in action=allow program="C:\Users\Public\Thunder Network\XMP5\V5.2.18.5894\Program\XLLiveUD.exe" enable=yes
3⤵
PID:3128

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="APlayer" dir=in action=allow program="C:\Users\Public\Thunder Network\XMP5\V5.2.18.5894\Program\APlayer.exe" enable=yes
3⤵
PID:5336

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="aapt" dir=in action=allow program="C:\Users\Public\Thunder Network\XMP5\V5.2.18.5894\Program\aapt.exe" enable=yes
3⤵
PID:5052

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="adb" dir=in action=allow program="C:\Users\Public\Thunder Network\XMP5\V5.2.18.5894\Program\adb.exe" enable=yes
3⤵
PID:3340

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="DPInstX64" dir=in action=allow program="C:\Users\Public\Thunder Network\XMP5\V5.2.18.5894\Program\DPInstX64.exe" enable=yes
3⤵
- Executes dropped EXE
- Modifies registry class
PID:5424

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="InstallDriver" dir=in action=allow program="C:\Users\Public\Thunder Network\XMP5\V5.2.18.5894\Program\InstallDriver.exe" enable=yes
3⤵
PID:2604

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="PreInstall" dir=in action=allow program="C:\Users\Public\Thunder Network\XMP5\V5.2.18.5894\Program\PreInstall.exe" enable=yes
3⤵
PID:6112

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="XLLiveUD" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\xlliveud\xmp_5.2.18.5894\XLLiveUD.exe" enable=yes
3⤵
PID:6172

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="DPInst" dir=in action=allow program="C:\Users\Public\Thunder Network\XMP5\V5.2.18.5894\Program\DPInst.exe" enable=yes
3⤵
PID:6160

C:\Users\Admin\AppData\Local\Temp\XMPSetupLite-SIjhaqws57\5.2.18.5894\XmpSetupAgent.exe
"C:\Users\Admin\AppData\Local\Temp\XMPSetupLite-SIjhaqws57\5.2.18.5894\XmpSetupAgent.exe" /installdir "C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894" /userdata "C:\Users\Public\Thunder Network\XMP5\V5.2.18.5894" /version "5.2.18.5894" /cmdfile "C:\Users\Admin\AppData\Local\Temp\XMP6B7B.tmp"
3⤵
PID:6224

C:\Users\Admin\AppData\Local\Temp\XMPSvc\XMPServiceHelper.exe
"C:\Users\Admin\AppData\Local\Temp\XMPSvc\XMPServiceHelper.exe" /install
3⤵
PID:6304

C:\Users\Admin\AppData\Local\Temp\XMPSetupLite-SIjhaqws57\5.2.18.5894\XmpSetupAgent.exe
"C:\Users\Admin\AppData\Local\Temp\XMPSetupLite-SIjhaqws57\5.2.18.5894\XmpSetupAgent.exe" /installdir "C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894" /userdata "C:\Users\Public\Thunder Network\XMP5\V5.2.18.5894" /version "5.2.18.5894" /cmdfile "C:\Users\Admin\AppData\Local\Temp\XMP755F.tmp"
3⤵
PID:6652

C:\Users\Admin\AppData\Local\Temp\XMPSetupLite-SIjhaqws57\5.2.18.5894\XmpSetupAgent.exe
"C:\Users\Admin\AppData\Local\Temp\XMPSetupLite-SIjhaqws57\5.2.18.5894\XmpSetupAgent.exe" /installdir "C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894" /userdata "C:\Users\Public\Thunder Network\XMP5\V5.2.18.5894" /version "5.2.18.5894" /cmdfile "C:\Users\Admin\AppData\Local\Temp\XMP7800.tmp"
3⤵
PID:6772

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" "C:\Users\Public\Thunder Network\XMP5\V5.2.18.5894\Program\XMediaLibrary64.dll" /s
4⤵
PID:6180

C:\Windows\system32\regsvr32.exe
"C:\Users\Public\Thunder Network\XMP5\V5.2.18.5894\Program\XMediaLibrary64.dll" /s
5⤵
PID:6204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\[email protected]" + "C:\Windows\Fonts\arial.ttf" "C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\[email protected]"
2⤵
PID:1768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\[email protected]" + "C:\Windows\Fonts\arial.ttf" "C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\[email protected]"
2⤵
PID:5424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\[email protected]" + "C:\Windows\Fonts\arial.ttf" "C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\[email protected]"
2⤵
PID:8

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\[email protected]" + "C:\Windows\Fonts\arial.ttf" "C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\[email protected]"
2⤵
PID:5600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\[email protected]" + "C:\Windows\Fonts\arial.ttf" "C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\[email protected]"
2⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\[email protected]
[email protected]
2⤵
PID:6788

C:\Windows\SysWOW64\sc.exe
sc stop QiyiService
3⤵
PID:6664

C:\Windows\SysWOW64\sc.exe
sc delete QiyiService
3⤵
PID:5572

C:\Program Files (x86)\IQIYI Video\LStyle\8.5.136.3066\QyFragment.exe
"C:\Program Files (x86)\IQIYI Video\LStyle\8.5.136.3066\QyFragment.exe" --runmode=installfileassoc
3⤵
PID:5428

C:\Program Files (x86)\IQIYI Video\LStyle\8.5.136.3066\QiyiDACL.exe
"C:\Program Files (x86)\IQIYI Video\LStyle\8.5.136.3066\QiyiDACL.exe" QiyiUpdate "C:\Program Files (x86)\Common Files\IQIYI Video" true
3⤵
PID:6000

C:\Program Files (x86)\IQIYI Video\LStyle\8.5.136.3066\QiyiDACL.exe
"C:\Program Files (x86)\IQIYI Video\LStyle\8.5.136.3066\QiyiDACL.exe" QiyiUpdate "C:\Program Files (x86)\IQIYI Video\LStyle" true
3⤵
PID:6304

C:\Program Files (x86)\IQIYI Video\LStyle\8.5.136.3066\rndhelper.exe
"C:\Program Files (x86)\IQIYI Video\LStyle\8.5.136.3066\rndhelper.exe" GenSnapshot "C:\Program Files (x86)\IQIYI Video\LStyle\8.5.136.3066\JsEngine.dll" "C:\Program Files (x86)\IQIYI Video\LStyle\8.5.136.3066\rnd.js" "C:\Program Files (x86)\IQIYI Video\LStyle\8.5.136.3066\rnd.spst"
3⤵
PID:4904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\ht_Y_ssxaz10_06255.exe" + "C:\Windows\Fonts\arial.ttf" "C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\ht_Y_ssxaz10_06255.exe"
2⤵
PID:4344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\ht_Y_ssxaz10_06255.exe" + "C:\Windows\Fonts\arial.ttf" "C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\ht_Y_ssxaz10_06255.exe"
2⤵
PID:6676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\ht_Y_ssxaz10_06255.exe" + "C:\Windows\Fonts\arial.ttf" "C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\ht_Y_ssxaz10_06255.exe"
2⤵
PID:5476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\ht_Y_ssxaz10_06255.exe" + "C:\Windows\Fonts\arial.ttf" "C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\ht_Y_ssxaz10_06255.exe"
2⤵
PID:6416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\ht_Y_ssxaz10_06255.exe" + "C:\Windows\Fonts\arial.ttf" "C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\ht_Y_ssxaz10_06255.exe"
2⤵
PID:3060

C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\ht_Y_ssxaz10_06255.exe
ht_Y_ssxaz10_06255.exe
2⤵
PID:6028

C:\Program Files (x86)\ht\ZWLogger.exe
"C:\Program Files (x86)\ht\ZWLogger.exe" "C:\Program Files (x86)\ht\ZhanWu.dll" 2
3⤵
PID:1424

C:\Program Files (x86)\Tencent\QQBrowser\Service\PerfTraceService.exe
"C:\Program Files (x86)\Tencent\QQBrowser\Service\PerfTraceService.exe"
1⤵
- Executes dropped EXE
PID:176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3328

C:\Program Files (x86)\搜狐影音\SHRes.exe
"C:\Program Files (x86)\搜狐影音\SHRes.exe" -Embedding
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:3584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
PID:6168

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k XMPService -s XMPService
1⤵
PID:5312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Browser Extensions

T1176

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Tencent\QQBrowser\Assistant.dll
Filesize
417KB

MD5
e93b5a4fd5050116a84cf52011c516c1

SHA1
38bd7e853618d6fc8438f60715571289c01b0974

SHA256
e5ee45270cd623c9353c05349e7d0049a3f6caaad0a48c64af04d3523e07bc97

SHA512
3520ab6e36a9e44164261d1a6b6c53880b03bb102e6eafec7167f39020ae33462e8f515184704cfcd3df752ee94711b8e185ac15c18056677075c29eadd1c0d7

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\Assistant.dll
Filesize
417KB

MD5
e93b5a4fd5050116a84cf52011c516c1

SHA1
38bd7e853618d6fc8438f60715571289c01b0974

SHA256
e5ee45270cd623c9353c05349e7d0049a3f6caaad0a48c64af04d3523e07bc97

SHA512
3520ab6e36a9e44164261d1a6b6c53880b03bb102e6eafec7167f39020ae33462e8f515184704cfcd3df752ee94711b8e185ac15c18056677075c29eadd1c0d7

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\Assistant.dll
Filesize
417KB

MD5
e93b5a4fd5050116a84cf52011c516c1

SHA1
38bd7e853618d6fc8438f60715571289c01b0974

SHA256
e5ee45270cd623c9353c05349e7d0049a3f6caaad0a48c64af04d3523e07bc97

SHA512
3520ab6e36a9e44164261d1a6b6c53880b03bb102e6eafec7167f39020ae33462e8f515184704cfcd3df752ee94711b8e185ac15c18056677075c29eadd1c0d7

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\Assistant.dll
Filesize
417KB

MD5
e93b5a4fd5050116a84cf52011c516c1

SHA1
38bd7e853618d6fc8438f60715571289c01b0974

SHA256
e5ee45270cd623c9353c05349e7d0049a3f6caaad0a48c64af04d3523e07bc97

SHA512
3520ab6e36a9e44164261d1a6b6c53880b03bb102e6eafec7167f39020ae33462e8f515184704cfcd3df752ee94711b8e185ac15c18056677075c29eadd1c0d7

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\Assistant.dll
Filesize
417KB

MD5
e93b5a4fd5050116a84cf52011c516c1

SHA1
38bd7e853618d6fc8438f60715571289c01b0974

SHA256
e5ee45270cd623c9353c05349e7d0049a3f6caaad0a48c64af04d3523e07bc97

SHA512
3520ab6e36a9e44164261d1a6b6c53880b03bb102e6eafec7167f39020ae33462e8f515184704cfcd3df752ee94711b8e185ac15c18056677075c29eadd1c0d7

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\Assistant.dll
Filesize
417KB

MD5
e93b5a4fd5050116a84cf52011c516c1

SHA1
38bd7e853618d6fc8438f60715571289c01b0974

SHA256
e5ee45270cd623c9353c05349e7d0049a3f6caaad0a48c64af04d3523e07bc97

SHA512
3520ab6e36a9e44164261d1a6b6c53880b03bb102e6eafec7167f39020ae33462e8f515184704cfcd3df752ee94711b8e185ac15c18056677075c29eadd1c0d7

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\QBExtensionFramework.dll
Filesize
540KB

MD5
88f2d2382cce7ec315ca6860ff0c4075

SHA1
07eea3f61e2fa2d47682217b505d163f7f36fc9d

SHA256
b2c6d93708c33068fe61c0b3733ec697b179d18fba79dfcbc6eacb716fc81d45

SHA512
43bc572f67181ae5fbf26828cfdb82bd1867a69a2f74fb03346bb69cfda8d8fb2b834521bf86918c663df223bd721d1cc3837ebc8e3c164fde3f5dca92d71779

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\QBSafe.dll
Filesize
443KB

MD5
16ae0a59da95783599969cb2a8cd7b0d

SHA1
993030a80ecf26ebbb723053072a4084ea89d8b1

SHA256
d63ed7d6a3f5b7d5e5e641bccd8e8644493f7bd91b98656ab58d1b893958a2d9

SHA512
4a772c6300ee294aa0b7b86e8de8c88805f9509dcc9467dbe427fb918d1a4d98b597591f4fca2ef24f55bc6e0cdb11ccb8d21449424e622663d935b8005dd1d9

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\QBSafe.dll
Filesize
443KB

MD5
16ae0a59da95783599969cb2a8cd7b0d

SHA1
993030a80ecf26ebbb723053072a4084ea89d8b1

SHA256
d63ed7d6a3f5b7d5e5e641bccd8e8644493f7bd91b98656ab58d1b893958a2d9

SHA512
4a772c6300ee294aa0b7b86e8de8c88805f9509dcc9467dbe427fb918d1a4d98b597591f4fca2ef24f55bc6e0cdb11ccb8d21449424e622663d935b8005dd1d9

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\QBSafe.dll
Filesize
443KB

MD5
16ae0a59da95783599969cb2a8cd7b0d

SHA1
993030a80ecf26ebbb723053072a4084ea89d8b1

SHA256
d63ed7d6a3f5b7d5e5e641bccd8e8644493f7bd91b98656ab58d1b893958a2d9

SHA512
4a772c6300ee294aa0b7b86e8de8c88805f9509dcc9467dbe427fb918d1a4d98b597591f4fca2ef24f55bc6e0cdb11ccb8d21449424e622663d935b8005dd1d9

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\QBSafe.dll
Filesize
443KB

MD5
16ae0a59da95783599969cb2a8cd7b0d

SHA1
993030a80ecf26ebbb723053072a4084ea89d8b1

SHA256
d63ed7d6a3f5b7d5e5e641bccd8e8644493f7bd91b98656ab58d1b893958a2d9

SHA512
4a772c6300ee294aa0b7b86e8de8c88805f9509dcc9467dbe427fb918d1a4d98b597591f4fca2ef24f55bc6e0cdb11ccb8d21449424e622663d935b8005dd1d9

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\QBSafe.dll
Filesize
443KB

MD5
16ae0a59da95783599969cb2a8cd7b0d

SHA1
993030a80ecf26ebbb723053072a4084ea89d8b1

SHA256
d63ed7d6a3f5b7d5e5e641bccd8e8644493f7bd91b98656ab58d1b893958a2d9

SHA512
4a772c6300ee294aa0b7b86e8de8c88805f9509dcc9467dbe427fb918d1a4d98b597591f4fca2ef24f55bc6e0cdb11ccb8d21449424e622663d935b8005dd1d9

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\QBUtils.dll
Filesize
1.7MB

MD5
268905b968aace3dbaf5dd97391071e9

SHA1
3ea52528166806275bf9c6a7aa8d4f359a140889

SHA256
caa9c84d342c14543ddaf861efcc7b8e997f2d8bd270d408ba9764e29fcc88fd

SHA512
1f0483c53bb3901721f90071889036777ae84ea257b8afa98c04b8142bae321732d012484482ea556f6cca65ec1255459a08e4156cc3cd52fbc44541b2fb568b

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\QBUtils.dll
Filesize
1.7MB

MD5
268905b968aace3dbaf5dd97391071e9

SHA1
3ea52528166806275bf9c6a7aa8d4f359a140889

SHA256
caa9c84d342c14543ddaf861efcc7b8e997f2d8bd270d408ba9764e29fcc88fd

SHA512
1f0483c53bb3901721f90071889036777ae84ea257b8afa98c04b8142bae321732d012484482ea556f6cca65ec1255459a08e4156cc3cd52fbc44541b2fb568b

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\QBUtils.dll
Filesize
1.7MB

MD5
268905b968aace3dbaf5dd97391071e9

SHA1
3ea52528166806275bf9c6a7aa8d4f359a140889

SHA256
caa9c84d342c14543ddaf861efcc7b8e997f2d8bd270d408ba9764e29fcc88fd

SHA512
1f0483c53bb3901721f90071889036777ae84ea257b8afa98c04b8142bae321732d012484482ea556f6cca65ec1255459a08e4156cc3cd52fbc44541b2fb568b

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\QBUtils.dll
Filesize
1.7MB

MD5
268905b968aace3dbaf5dd97391071e9

SHA1
3ea52528166806275bf9c6a7aa8d4f359a140889

SHA256
caa9c84d342c14543ddaf861efcc7b8e997f2d8bd270d408ba9764e29fcc88fd

SHA512
1f0483c53bb3901721f90071889036777ae84ea257b8afa98c04b8142bae321732d012484482ea556f6cca65ec1255459a08e4156cc3cd52fbc44541b2fb568b

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\QBUtils.dll
Filesize
1.7MB

MD5
268905b968aace3dbaf5dd97391071e9

SHA1
3ea52528166806275bf9c6a7aa8d4f359a140889

SHA256
caa9c84d342c14543ddaf861efcc7b8e997f2d8bd270d408ba9764e29fcc88fd

SHA512
1f0483c53bb3901721f90071889036777ae84ea257b8afa98c04b8142bae321732d012484482ea556f6cca65ec1255459a08e4156cc3cd52fbc44541b2fb568b

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\QBUtils.dll
Filesize
1.7MB

MD5
268905b968aace3dbaf5dd97391071e9

SHA1
3ea52528166806275bf9c6a7aa8d4f359a140889

SHA256
caa9c84d342c14543ddaf861efcc7b8e997f2d8bd270d408ba9764e29fcc88fd

SHA512
1f0483c53bb3901721f90071889036777ae84ea257b8afa98c04b8142bae321732d012484482ea556f6cca65ec1255459a08e4156cc3cd52fbc44541b2fb568b

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\QBUtils.dll
Filesize
1.7MB

MD5
268905b968aace3dbaf5dd97391071e9

SHA1
3ea52528166806275bf9c6a7aa8d4f359a140889

SHA256
caa9c84d342c14543ddaf861efcc7b8e997f2d8bd270d408ba9764e29fcc88fd

SHA512
1f0483c53bb3901721f90071889036777ae84ea257b8afa98c04b8142bae321732d012484482ea556f6cca65ec1255459a08e4156cc3cd52fbc44541b2fb568b

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\QBUtils.dll
Filesize
1.7MB

MD5
268905b968aace3dbaf5dd97391071e9

SHA1
3ea52528166806275bf9c6a7aa8d4f359a140889

SHA256
caa9c84d342c14543ddaf861efcc7b8e997f2d8bd270d408ba9764e29fcc88fd

SHA512
1f0483c53bb3901721f90071889036777ae84ea257b8afa98c04b8142bae321732d012484482ea556f6cca65ec1255459a08e4156cc3cd52fbc44541b2fb568b

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\QBUtils.dll
Filesize
1.7MB

MD5
268905b968aace3dbaf5dd97391071e9

SHA1
3ea52528166806275bf9c6a7aa8d4f359a140889

SHA256
caa9c84d342c14543ddaf861efcc7b8e997f2d8bd270d408ba9764e29fcc88fd

SHA512
1f0483c53bb3901721f90071889036777ae84ea257b8afa98c04b8142bae321732d012484482ea556f6cca65ec1255459a08e4156cc3cd52fbc44541b2fb568b

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\QBUtils.dll
Filesize
1.7MB

MD5
268905b968aace3dbaf5dd97391071e9

SHA1
3ea52528166806275bf9c6a7aa8d4f359a140889

SHA256
caa9c84d342c14543ddaf861efcc7b8e997f2d8bd270d408ba9764e29fcc88fd

SHA512
1f0483c53bb3901721f90071889036777ae84ea257b8afa98c04b8142bae321732d012484482ea556f6cca65ec1255459a08e4156cc3cd52fbc44541b2fb568b

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
Filesize
119KB

MD5
c3e4c6aaedb957ba059b51c1d2403c93

SHA1
949e35c49a4500f872ef84ea01560af4b2868790

SHA256
1415ff8057acbd5cbd24c6bd835df4c600e485009dbb052c635309a88ee69a34

SHA512
46382dc454e0e78624cbd8f0634e6641b208195d03897fcc24bf1115ca9db9628dedc855312cd42c5174d461b8e44a0871f39f99473b2bf8bc0788f65a116755

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
Filesize
119KB

MD5
c3e4c6aaedb957ba059b51c1d2403c93

SHA1
949e35c49a4500f872ef84ea01560af4b2868790

SHA256
1415ff8057acbd5cbd24c6bd835df4c600e485009dbb052c635309a88ee69a34

SHA512
46382dc454e0e78624cbd8f0634e6641b208195d03897fcc24bf1115ca9db9628dedc855312cd42c5174d461b8e44a0871f39f99473b2bf8bc0788f65a116755

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
Filesize
119KB

MD5
c3e4c6aaedb957ba059b51c1d2403c93

SHA1
949e35c49a4500f872ef84ea01560af4b2868790

SHA256
1415ff8057acbd5cbd24c6bd835df4c600e485009dbb052c635309a88ee69a34

SHA512
46382dc454e0e78624cbd8f0634e6641b208195d03897fcc24bf1115ca9db9628dedc855312cd42c5174d461b8e44a0871f39f99473b2bf8bc0788f65a116755

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
Filesize
119KB

MD5
c3e4c6aaedb957ba059b51c1d2403c93

SHA1
949e35c49a4500f872ef84ea01560af4b2868790

SHA256
1415ff8057acbd5cbd24c6bd835df4c600e485009dbb052c635309a88ee69a34

SHA512
46382dc454e0e78624cbd8f0634e6641b208195d03897fcc24bf1115ca9db9628dedc855312cd42c5174d461b8e44a0871f39f99473b2bf8bc0788f65a116755

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
Filesize
119KB

MD5
c3e4c6aaedb957ba059b51c1d2403c93

SHA1
949e35c49a4500f872ef84ea01560af4b2868790

SHA256
1415ff8057acbd5cbd24c6bd835df4c600e485009dbb052c635309a88ee69a34

SHA512
46382dc454e0e78624cbd8f0634e6641b208195d03897fcc24bf1115ca9db9628dedc855312cd42c5174d461b8e44a0871f39f99473b2bf8bc0788f65a116755

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
Filesize
119KB

MD5
c3e4c6aaedb957ba059b51c1d2403c93

SHA1
949e35c49a4500f872ef84ea01560af4b2868790

SHA256
1415ff8057acbd5cbd24c6bd835df4c600e485009dbb052c635309a88ee69a34

SHA512
46382dc454e0e78624cbd8f0634e6641b208195d03897fcc24bf1115ca9db9628dedc855312cd42c5174d461b8e44a0871f39f99473b2bf8bc0788f65a116755

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
Filesize
119KB

MD5
c3e4c6aaedb957ba059b51c1d2403c93

SHA1
949e35c49a4500f872ef84ea01560af4b2868790

SHA256
1415ff8057acbd5cbd24c6bd835df4c600e485009dbb052c635309a88ee69a34

SHA512
46382dc454e0e78624cbd8f0634e6641b208195d03897fcc24bf1115ca9db9628dedc855312cd42c5174d461b8e44a0871f39f99473b2bf8bc0788f65a116755

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
Filesize
119KB

MD5
c3e4c6aaedb957ba059b51c1d2403c93

SHA1
949e35c49a4500f872ef84ea01560af4b2868790

SHA256
1415ff8057acbd5cbd24c6bd835df4c600e485009dbb052c635309a88ee69a34

SHA512
46382dc454e0e78624cbd8f0634e6641b208195d03897fcc24bf1115ca9db9628dedc855312cd42c5174d461b8e44a0871f39f99473b2bf8bc0788f65a116755

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\QQBrowserFrame.dll
Filesize
1.6MB

MD5
68eb386277ed0c2e4a13b6c5731f236e

SHA1
c831285069732bc3578a508052ce5e8723aac582

SHA256
84ef4e2ec7265038cb82c4a4ee149e394c1a66b7f84853130fba167965d09f2a

SHA512
6f9f76da55a863f6c817322b66c658492fc7d01a60673c7d622dc14baf2c6524f4fba4911c8b1419203f8ffc72c757c272001bf0fe67515411eaf2e9df035381

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\QQBrowserFrame.dll
Filesize
1.6MB

MD5
68eb386277ed0c2e4a13b6c5731f236e

SHA1
c831285069732bc3578a508052ce5e8723aac582

SHA256
84ef4e2ec7265038cb82c4a4ee149e394c1a66b7f84853130fba167965d09f2a

SHA512
6f9f76da55a863f6c817322b66c658492fc7d01a60673c7d622dc14baf2c6524f4fba4911c8b1419203f8ffc72c757c272001bf0fe67515411eaf2e9df035381

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\QQBrowserFrame.dll
Filesize
1.6MB

MD5
68eb386277ed0c2e4a13b6c5731f236e

SHA1
c831285069732bc3578a508052ce5e8723aac582

SHA256
84ef4e2ec7265038cb82c4a4ee149e394c1a66b7f84853130fba167965d09f2a

SHA512
6f9f76da55a863f6c817322b66c658492fc7d01a60673c7d622dc14baf2c6524f4fba4911c8b1419203f8ffc72c757c272001bf0fe67515411eaf2e9df035381

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\QQBrowserFrame.dll
Filesize
1.6MB

MD5
68eb386277ed0c2e4a13b6c5731f236e

SHA1
c831285069732bc3578a508052ce5e8723aac582

SHA256
84ef4e2ec7265038cb82c4a4ee149e394c1a66b7f84853130fba167965d09f2a

SHA512
6f9f76da55a863f6c817322b66c658492fc7d01a60673c7d622dc14baf2c6524f4fba4911c8b1419203f8ffc72c757c272001bf0fe67515411eaf2e9df035381

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\Service\PerfTraceService.exe
Filesize
272KB

MD5
1b47580cce6db40a3f389ebd6250795f

SHA1
951ced03a17e826df41cd2314bb5079ba7fc74e3

SHA256
f2adc20c2fa2e5fa02fda7469b6ac15a623f3cd098343198f54156f219716a7c

SHA512
c864cbce5bbd7cccb8bec1e724fd884b053ff0ba3080d14a0afacc5cd55b9866f37cddc1a1d62cfb6fdca9a068663e2fff5c5ad32c3d55da49cca633606646e5

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\Skin\LightStripes.gt
Filesize
92KB

MD5
3392ddb4180f8142e92da3d58fea803f

SHA1
84735708fa47056106c149407ea12abe27f6a138

SHA256
fe7583042a86428eacb57cc27ad6134610308166995811e0d44de06b7d216b72

SHA512
7212ad691a1b390d81539a28ad87ea3363e0b73b28a74412eab37392a3e0b487d103f557b4768caecc98a35a3281843f92a523b77b92acd01b3ffd6406ad6f3a

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\WebpDecodeFilter.dll
Filesize
135KB

MD5
12650137ef731c4f2967bd670287e357

SHA1
2386ffa665080bea8c36075992a9e236c0e54105

SHA256
7e9320481129c168c87200c1bcbc2d793046bd40d42cd198e3b610a0f08c48f1

SHA512
968b9430b29c6520633cdf91ec3a7773d4da637d53c565db213c0a0f76b4316948457d4567cdecee8b4e96c2e106e167fc9a3c94ceb0a14da2dd442734e89c03

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\WebpDecodeFilter.dll
Filesize
135KB

MD5
12650137ef731c4f2967bd670287e357

SHA1
2386ffa665080bea8c36075992a9e236c0e54105

SHA256
7e9320481129c168c87200c1bcbc2d793046bd40d42cd198e3b610a0f08c48f1

SHA512
968b9430b29c6520633cdf91ec3a7773d4da637d53c565db213c0a0f76b4316948457d4567cdecee8b4e96c2e106e167fc9a3c94ceb0a14da2dd442734e89c03

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\dr.dll
Filesize
81KB

MD5
699f0052d0c959f1a5b7c3926cce11fa

SHA1
1f5084eacdd96553831899771fc433270c852196

SHA256
3e1f7276df5e11b20250186682464782a40f902bcc44b44e0956348921d027c8

SHA512
54d1adf7b8bf0325b10e50d34787cdf3d2cd219c2a19e8ab74f4283a55dd8ebb6910c71141449107494e2ded4452ebf6c973e3ec022b67a2da175691a1d0cc5c

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\dr.dll
Filesize
81KB

MD5
699f0052d0c959f1a5b7c3926cce11fa

SHA1
1f5084eacdd96553831899771fc433270c852196

SHA256
3e1f7276df5e11b20250186682464782a40f902bcc44b44e0956348921d027c8

SHA512
54d1adf7b8bf0325b10e50d34787cdf3d2cd219c2a19e8ab74f4283a55dd8ebb6910c71141449107494e2ded4452ebf6c973e3ec022b67a2da175691a1d0cc5c

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\service\PerfTraceService.exe
Filesize
272KB

MD5
1b47580cce6db40a3f389ebd6250795f

SHA1
951ced03a17e826df41cd2314bb5079ba7fc74e3

SHA256
f2adc20c2fa2e5fa02fda7469b6ac15a623f3cd098343198f54156f219716a7c

SHA512
c864cbce5bbd7cccb8bec1e724fd884b053ff0ba3080d14a0afacc5cd55b9866f37cddc1a1d62cfb6fdca9a068663e2fff5c5ad32c3d55da49cca633606646e5

Download Submit
C:\Program Files (x86)\Tencent\QQBrowser\service\PerfTraceService.exe
Filesize
272KB

MD5
1b47580cce6db40a3f389ebd6250795f

SHA1
951ced03a17e826df41cd2314bb5079ba7fc74e3

SHA256
f2adc20c2fa2e5fa02fda7469b6ac15a623f3cd098343198f54156f219716a7c

SHA512
c864cbce5bbd7cccb8bec1e724fd884b053ff0ba3080d14a0afacc5cd55b9866f37cddc1a1d62cfb6fdca9a068663e2fff5c5ad32c3d55da49cca633606646e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\12aue573827\QBInstaller.dll
Filesize
622KB

MD5
8f2820fc6e2f28c3346cd01e6c8bdb06

SHA1
a52c9e52df1b82da55a98256d4e74ae54c37bb9b

SHA256
9dace09cbd9ed026b75582e3f44af05b1223655aad3fcbbfaeb9f757d62fdeff

SHA512
1aed9a97f49c49847a0f24098dad577c86aeecccd0aa9673566450a07a35a5df9e6b6b1d070bb0b2b230e8078c5d898c8d7e8a597a4212edc9ddd4e1e7d93999

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\Base64.dll
Filesize
4KB

MD5
f0e3845fefd227d7f1101850410ec849

SHA1
3067203fafd4237be0c186ddab7029dfcbdfb53e

SHA256
7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554

SHA512
584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\Base64.dll
Filesize
4KB

MD5
f0e3845fefd227d7f1101850410ec849

SHA1
3067203fafd4237be0c186ddab7029dfcbdfb53e

SHA256
7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554

SHA512
584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\Inetc.dll
Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\Inetc.dll
Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\Inetc.dll
Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\Inetc.dll
Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\NSISdl.dll
Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\NSISdl.dll
Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\NsRandom.dll
Filesize
39KB

MD5
9b54944ce476591d65288b0701a52c46

SHA1
df1754c7714cbc7a40a281318b726629c348ee23

SHA256
d6ce372acacf988f845b1bd35a876a1c1da19316efca4c6990e0f9ac6f0853e4

SHA512
2f0089aab852dd2a6a2c0602aa80d5dc7b146fa6e662426aadf867da80380611cf1bbd8c14f383e3b127716163e89c030edb28c352578f0a21f4116de0f0828c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\NsRandom.dll
Filesize
39KB

MD5
9b54944ce476591d65288b0701a52c46

SHA1
df1754c7714cbc7a40a281318b726629c348ee23

SHA256
d6ce372acacf988f845b1bd35a876a1c1da19316efca4c6990e0f9ac6f0853e4

SHA512
2f0089aab852dd2a6a2c0602aa80d5dc7b146fa6e662426aadf867da80380611cf1bbd8c14f383e3b127716163e89c030edb28c352578f0a21f4116de0f0828c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\V8._85296_20150814221218.exe
Filesize
4.9MB

MD5
15907c8e335563c313de6d7c86df99e5

SHA1
434b7e23a6b56a954f4a9481892f9dc63b83e47f

SHA256
56d7cf2a8bdc1de0b236c61a52201f473247867f9df5aa417d3178ea1ab57d0a

SHA512
fc4e2a50e659385deb8e19af5abf754e360e72ff542be5f466e28369e828bc45079e2f3e755c2e8647c9d145315cbf8491c4156e4ba7f03c6a45ea48b1cf4059

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\V8._85296_20150814221218.exe
Filesize
4.9MB

MD5
15907c8e335563c313de6d7c86df99e5

SHA1
434b7e23a6b56a954f4a9481892f9dc63b83e47f

SHA256
56d7cf2a8bdc1de0b236c61a52201f473247867f9df5aa417d3178ea1ab57d0a

SHA512
fc4e2a50e659385deb8e19af5abf754e360e72ff542be5f466e28369e828bc45079e2f3e755c2e8647c9d145315cbf8491c4156e4ba7f03c6a45ea48b1cf4059

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\ZipDLL.dll
Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\ZipDLL.dll
Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\ZipDLL.dll
Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspD518.tmp\ZipDLL.dll
Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\QQBrowser\DB\homepage.db
Filesize
3KB

MD5
d0e7295144a4af0f9ffb401ac44a740e

SHA1
a4d164ace9e1269aa81f17340347050635e04a43

SHA256
e31a32bffc11cbdb3579a1eb3f6794bbd39c5fabd15b0151a5fd4c68d878c328

SHA512
065c79a0de85cc1406879113b9e9a14e31680e1c69a27ae2e8c2719a2fff58c8bf5fb62ae54229ddac417b3abf90fd1c471cbb84330a00506e840bbbf7850358

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\QQBrowser\InstModules\QBUtils.dll
Filesize
1.7MB

MD5
268905b968aace3dbaf5dd97391071e9

SHA1
3ea52528166806275bf9c6a7aa8d4f359a140889

SHA256
caa9c84d342c14543ddaf861efcc7b8e997f2d8bd270d408ba9764e29fcc88fd

SHA512
1f0483c53bb3901721f90071889036777ae84ea257b8afa98c04b8142bae321732d012484482ea556f6cca65ec1255459a08e4156cc3cd52fbc44541b2fb568b

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\QQBrowser\InstModules\QBUtils.dll
Filesize
1.7MB

MD5
268905b968aace3dbaf5dd97391071e9

SHA1
3ea52528166806275bf9c6a7aa8d4f359a140889

SHA256
caa9c84d342c14543ddaf861efcc7b8e997f2d8bd270d408ba9764e29fcc88fd

SHA512
1f0483c53bb3901721f90071889036777ae84ea257b8afa98c04b8142bae321732d012484482ea556f6cca65ec1255459a08e4156cc3cd52fbc44541b2fb568b

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\QQBrowser\InstModules\QBUtils.dll
Filesize
1.7MB

MD5
268905b968aace3dbaf5dd97391071e9

SHA1
3ea52528166806275bf9c6a7aa8d4f359a140889

SHA256
caa9c84d342c14543ddaf861efcc7b8e997f2d8bd270d408ba9764e29fcc88fd

SHA512
1f0483c53bb3901721f90071889036777ae84ea257b8afa98c04b8142bae321732d012484482ea556f6cca65ec1255459a08e4156cc3cd52fbc44541b2fb568b

Download Submit
memory/436-313-0x0000000000000000-mapping.dmp

Download
memory/700-223-0x0000000000000000-mapping.dmp

Download
memory/756-319-0x0000000000000000-mapping.dmp

Download
memory/888-222-0x0000000000000000-mapping.dmp

Download
memory/1032-331-0x0000000000000000-mapping.dmp

Download
memory/1032-283-0x0000000000000000-mapping.dmp

Download
memory/1092-296-0x0000000000000000-mapping.dmp

Download
memory/1284-272-0x0000000000000000-mapping.dmp

Download
memory/1372-159-0x0000000000000000-mapping.dmp

Download
memory/1500-162-0x0000000000000000-mapping.dmp

Download
memory/1536-153-0x0000000000000000-mapping.dmp

Download
memory/1640-286-0x0000000000000000-mapping.dmp

Download
memory/1908-239-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1908-240-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1908-235-0x0000000000000000-mapping.dmp

Download
memory/1908-238-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1920-224-0x0000000000000000-mapping.dmp

Download
memory/1944-301-0x0000000000000000-mapping.dmp

Download
memory/2004-293-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2004-290-0x0000000000000000-mapping.dmp

Download
memory/2004-328-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2064-310-0x0000000000000000-mapping.dmp

Download
memory/2064-284-0x0000000000000000-mapping.dmp

Download
memory/2148-265-0x0000000000000000-mapping.dmp

Download
memory/2152-282-0x0000000000000000-mapping.dmp

Download
memory/2172-294-0x0000000000000000-mapping.dmp

Download
memory/2208-166-0x0000000000000000-mapping.dmp

Download
memory/2208-177-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2208-173-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2424-257-0x0000000000000000-mapping.dmp

Download
memory/2448-303-0x0000000000000000-mapping.dmp

Download
memory/2644-387-0x000000006C6C0000-0x000000006D27E000-memory.dmp

Filesize
11.7MB

Download
memory/2644-510-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-459-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-457-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-455-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-453-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-451-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-449-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-447-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-444-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-441-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-435-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-431-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-429-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-419-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-552-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-549-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-546-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-415-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-417-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-413-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-411-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-536-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-409-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-543-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-407-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-540-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-400-0x000000006C6C0000-0x000000006D27E000-memory.dmp

Filesize
11.7MB

Download
memory/2644-472-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-475-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-385-0x000000006C6C0000-0x000000006D27E000-memory.dmp

Filesize
11.7MB

Download
memory/2644-379-0x000000006C6C0000-0x000000006D27E000-memory.dmp

Filesize
11.7MB

Download
memory/2644-533-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-529-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-374-0x000000006C6C0000-0x000000006D27E000-memory.dmp

Filesize
11.7MB

Download
memory/2644-527-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-525-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-311-0x0000000000000000-mapping.dmp

Download
memory/2644-478-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-438-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-523-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-521-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-500-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-433-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-421-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-513-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-469-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-508-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-480-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-506-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-503-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-498-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-494-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-496-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-492-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-490-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-488-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-486-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2644-483-0x000000006C530000-0x000000006C685000-memory.dmp

Filesize
1.3MB

Download
memory/2748-314-0x0000000000000000-mapping.dmp

Download
memory/2800-243-0x0000000000000000-mapping.dmp

Download
memory/3060-210-0x0000000000000000-mapping.dmp

Download
memory/3160-236-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3160-234-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3160-233-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3160-232-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3160-231-0x000000006FFE0000-0x000000006FFF0000-memory.dmp

Filesize
64KB

Download
memory/3160-229-0x0000000000000000-mapping.dmp

Download
memory/3196-247-0x000000006FFE0000-0x000000006FFF0000-memory.dmp

Filesize
64KB

Download
memory/3196-252-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3196-249-0x000000006FFE0000-0x000000006FFF0000-memory.dmp

Filesize
64KB

Download
memory/3196-250-0x000000006FFE0000-0x000000006FFF0000-memory.dmp

Filesize
64KB

Download
memory/3196-251-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3196-253-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3196-242-0x0000000000000000-mapping.dmp

Download
memory/3196-259-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3196-256-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3196-254-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3196-264-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3196-261-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3252-321-0x0000000000000000-mapping.dmp

Download
memory/3268-281-0x0000000000000000-mapping.dmp

Download
memory/3404-299-0x0000000000000000-mapping.dmp

Download
memory/3512-305-0x0000000000000000-mapping.dmp

Download
memory/3532-176-0x0000000000000000-mapping.dmp

Download
memory/3584-324-0x0000000000000000-mapping.dmp

Download
memory/3676-323-0x0000000000000000-mapping.dmp

Download
memory/3708-297-0x0000000000000000-mapping.dmp

Download
memory/3820-263-0x0000000000000000-mapping.dmp

Download
memory/4020-198-0x0000000000000000-mapping.dmp

Download
memory/4144-138-0x00000000022C0000-0x00000000022CD000-memory.dmp

Filesize
52KB

Download
memory/4144-148-0x00000000022C1000-0x00000000022C4000-memory.dmp

Filesize
12KB

Download
memory/4144-144-0x00000000035C0000-0x00000000035ED000-memory.dmp

Filesize
180KB

Download
memory/4144-278-0x0000000000450000-0x000000000047D000-memory.dmp

Filesize
180KB

Download
memory/4144-133-0x00000000022C1000-0x00000000022C4000-memory.dmp

Filesize
12KB

Download
memory/4144-287-0x0000000000451000-0x0000000000454000-memory.dmp

Filesize
12KB

Download
memory/4196-291-0x0000000000000000-mapping.dmp

Download
memory/4272-315-0x0000000000000000-mapping.dmp

Download
memory/4408-325-0x0000000000000000-mapping.dmp

Download
memory/4408-334-0x0000000019170000-0x000000001925F000-memory.dmp

Filesize
956KB

Download
memory/4408-360-0x0000000019170000-0x000000001925F000-memory.dmp

Filesize
956KB

Download
memory/4468-285-0x0000000000000000-mapping.dmp

Download
memory/4536-190-0x0000000000000000-mapping.dmp

Download
memory/4548-241-0x0000000000000000-mapping.dmp

Download
memory/4856-271-0x0000000000000000-mapping.dmp

Download
memory/4876-184-0x0000000000000000-mapping.dmp

Download
memory/4896-185-0x0000000000000000-mapping.dmp

Download
memory/4912-539-0x0000000019170000-0x000000001925F000-memory.dmp

Filesize
956KB

Download
memory/5016-327-0x0000000000000000-mapping.dmp

Download
memory/5048-317-0x0000000000000000-mapping.dmp

Download
memory/5112-308-0x0000000000000000-mapping.dmp

Download
memory/5112-393-0x0000000010000000-0x000000001019D000-memory.dmp

Filesize
1.6MB

Download
memory/5144-342-0x0000000000000000-mapping.dmp

Download
memory/5168-329-0x0000000000000000-mapping.dmp

Download
memory/5272-330-0x0000000000000000-mapping.dmp

Download
memory/5348-333-0x0000000000000000-mapping.dmp

Download
memory/5372-335-0x0000000000000000-mapping.dmp

Download
memory/5392-336-0x0000000000000000-mapping.dmp

Download
memory/5424-337-0x0000000000000000-mapping.dmp

Download
memory/5448-338-0x0000000000000000-mapping.dmp

Download
memory/5468-340-0x0000000000000000-mapping.dmp

Download
memory/5508-344-0x0000000000000000-mapping.dmp

Download
memory/5648-346-0x0000000000000000-mapping.dmp

Download
memory/5764-347-0x0000000000000000-mapping.dmp

Download