5660b555743a8b474992340e7e1e5c2baac9660da8a26c147bc2461bb1763526

Processes:

QQBrowser.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQBrowser.exe	QQBrowser.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQBrowser.exe\DisableExceptionChainValidation = "0"	QQBrowser.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2488-293-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral2/memory/2488-328-0x0000000000400000-0x000000000044D000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

QQBrowser.exeV8._85416_20150820204011.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	QQBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	V8._85416_20150820204011.exe

Loads dropped DLL 64 IoCs

Processes:

5660b555743a8b474992340e7e1e5c2baac9660da8a26c147bc2461bb1763526.exeV8._85416_20150820204011.exeregsvr32.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exe

pid	process
4496	5660b555743a8b474992340e7e1e5c2baac9660da8a26c147bc2461bb1763526.exe
4496	5660b555743a8b474992340e7e1e5c2baac9660da8a26c147bc2461bb1763526.exe
4496	5660b555743a8b474992340e7e1e5c2baac9660da8a26c147bc2461bb1763526.exe
4496	5660b555743a8b474992340e7e1e5c2baac9660da8a26c147bc2461bb1763526.exe
4496	5660b555743a8b474992340e7e1e5c2baac9660da8a26c147bc2461bb1763526.exe
4496	5660b555743a8b474992340e7e1e5c2baac9660da8a26c147bc2461bb1763526.exe
4496	5660b555743a8b474992340e7e1e5c2baac9660da8a26c147bc2461bb1763526.exe
4496	5660b555743a8b474992340e7e1e5c2baac9660da8a26c147bc2461bb1763526.exe
4496	5660b555743a8b474992340e7e1e5c2baac9660da8a26c147bc2461bb1763526.exe
4804	V8._85416_20150820204011.exe
4804	V8._85416_20150820204011.exe
4804	V8._85416_20150820204011.exe
1308	regsvr32.exe
4804	V8._85416_20150820204011.exe
4804	V8._85416_20150820204011.exe
2876	QQBrowser.exe
3516	QQBrowser.exe
4804	V8._85416_20150820204011.exe
3516	QQBrowser.exe
2876	QQBrowser.exe
900	QQBrowser.exe
900	QQBrowser.exe
3580	QQBrowser.exe
3580	QQBrowser.exe
4884	QQBrowser.exe
4884	QQBrowser.exe
900	QQBrowser.exe
3164	QQBrowser.exe
3164	QQBrowser.exe
1396	QQBrowser.exe
1396	QQBrowser.exe
3164	QQBrowser.exe
4884	QQBrowser.exe
1396	QQBrowser.exe
4884	QQBrowser.exe
4536	QQBrowser.exe
4536	QQBrowser.exe
4680	QQBrowser.exe
4680	QQBrowser.exe
4680	QQBrowser.exe
4680	QQBrowser.exe
3676	QQBrowser.exe
3676	QQBrowser.exe
4680	QQBrowser.exe
1196	QQBrowser.exe
1196	QQBrowser.exe
504	QQBrowser.exe
504	QQBrowser.exe
1196	QQBrowser.exe
504	QQBrowser.exe
1196	QQBrowser.exe
1936	QQBrowser.exe
1936	QQBrowser.exe
3504	QQBrowser.exe
3504	QQBrowser.exe
1936	QQBrowser.exe
4820	QQBrowser.exe
4820	QQBrowser.exe
3504	QQBrowser.exe
3396	QQBrowser.exe
3396	QQBrowser.exe
3396	QQBrowser.exe
3676	QQBrowser.exe
4804	V8._85416_20150820204011.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

PlayerApp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BDPlayer_AutoRun = "C:\\Program Files (x86)\\baidu\\BDPlayer\\5.1.1.9\\BDPlayerTray.exe"	PlayerApp.exe

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1063

Processes:

BFVCenter-y4bd[[AB005]].exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Launcher	BFVCenter-y4bd[[AB005]].exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80	BFVCenter-y4bd[[AB005]].exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AhnLab\V3IS80	BFVCenter-y4bd[[AB005]].exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Launcher	BFVCenter-y4bd[[AB005]].exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 15 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

QQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exekinst_1_568.exeBFVCenter-y4bd[[AB005]].exeQQBrowser.exeQQBrowser.exeQQBrowser.exeQQBrowser.exeuni1795887c.exeQQBrowser.exeQQBrowser.exeQQBrowser.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	QQBrowser.exe
File opened for modification	\??\PhysicalDrive0	QQBrowser.exe
File opened for modification	\??\PhysicalDrive0	QQBrowser.exe
File opened for modification	\??\PhysicalDrive0	QQBrowser.exe
File opened for modification	\??\PhysicalDrive0	QQBrowser.exe
File opened for modification	\??\PhysicalDrive0	kinst_1_568.exe
File opened for modification	\??\PhysicalDrive0	BFVCenter-y4bd[[AB005]].exe
File opened for modification	\??\PhysicalDrive0	QQBrowser.exe
File opened for modification	\??\PhysicalDrive0	QQBrowser.exe
File opened for modification	\??\PhysicalDrive0	QQBrowser.exe
File opened for modification	\??\PhysicalDrive0	QQBrowser.exe
File opened for modification	\??\PhysicalDrive0	uni1795887c.exe
File opened for modification	\??\PhysicalDrive0	QQBrowser.exe
File opened for modification	\??\PhysicalDrive0	QQBrowser.exe
File opened for modification	\??\PhysicalDrive0	QQBrowser.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs

Processes:

BFVCenter-y4bd[[AB005]].exe

pid	process
2884	BFVCenter-y4bd[[AB005]].exe
2884	BFVCenter-y4bd[[AB005]].exe
2884	BFVCenter-y4bd[[AB005]].exe
2884	BFVCenter-y4bd[[AB005]].exe
2884	BFVCenter-y4bd[[AB005]].exe
2884	BFVCenter-y4bd[[AB005]].exe
2884	BFVCenter-y4bd[[AB005]].exe
2884	BFVCenter-y4bd[[AB005]].exe
2884	BFVCenter-y4bd[[AB005]].exe
2884	BFVCenter-y4bd[[AB005]].exe
2884	BFVCenter-y4bd[[AB005]].exe
2884	BFVCenter-y4bd[[AB005]].exe
2884	BFVCenter-y4bd[[AB005]].exe
2884	BFVCenter-y4bd[[AB005]].exe
2884	BFVCenter-y4bd[[AB005]].exe
2884	BFVCenter-y4bd[[AB005]].exe
2884	BFVCenter-y4bd[[AB005]].exe
2884	BFVCenter-y4bd[[AB005]].exe
2884	BFVCenter-y4bd[[AB005]].exe
2884	BFVCenter-y4bd[[AB005]].exe
2884	BFVCenter-y4bd[[AB005]].exe
2884	BFVCenter-y4bd[[AB005]].exe
2884	BFVCenter-y4bd[[AB005]].exe
2884	BFVCenter-y4bd[[AB005]].exe

Drops file in Program Files directory 64 IoCs

Processes:

BaiduPlayer5SetupSilent_359.exeV8._85416_20150820204011.exeBFVCenter-y4bd[[AB005]].exe

description	ioc	process
File created	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\themes\default\images\bg.player.png	BaiduPlayer5SetupSilent_359.exe
File opened for modification	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\icon\f4v.ico	BaiduPlayer5SetupSilent_359.exe
File created	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\IntelQuickSyncDecoder.dll	BaiduPlayer5SetupSilent_359.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\QQBrowserSecurityCenter.exe	V8._85416_20150820204011.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\skin\ThirdParty.gt	V8._85416_20150820204011.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\Html\manage\app\sliderman.1.3.7.js	V8._85416_20150820204011.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\Html\quickaccess\img\grid\lock_hover.png	V8._85416_20150820204011.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\Html\quickaccess\js\api.js	V8._85416_20150820204011.exe
File created	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\themes\default\images\bg.tools.png	BaiduPlayer5SetupSilent_359.exe
File opened for modification	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\themes\default\images\btn.imageadjust.option.select.png	BaiduPlayer5SetupSilent_359.exe
File opened for modification	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\themes\default\images\btn.imageadjust.option.unselect.png	BaiduPlayer5SetupSilent_359.exe
File opened for modification	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\themes\default\menu_player.xml	BaiduPlayer5SetupSilent_359.exe
File opened for modification	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\themes\default\images\slider.playcontroller.thumb.png	BaiduPlayer5SetupSilent_359.exe
File created	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\themes\default\update\title_bk.png	BaiduPlayer5SetupSilent_359.exe
File opened for modification	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\icon\mkv.ico	BaiduPlayer5SetupSilent_359.exe
File created	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\icon\MPEG4.ico	BaiduPlayer5SetupSilent_359.exe
File created	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\icon\SSA.ico	BaiduPlayer5SetupSilent_359.exe
File opened for modification	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\xReport.exe	BaiduPlayer5SetupSilent_359.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\Resource.dll	V8._85416_20150820204011.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\Html\quickaccess\img\grid\arrowdown.png	V8._85416_20150820204011.exe
File opened for modification	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\themes\default\images\bg.thumbnail.timebk.png	BaiduPlayer5SetupSilent_359.exe
File created	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\icon\MTS.ico	BaiduPlayer5SetupSilent_359.exe
File opened for modification	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\icon\TPS.ico	BaiduPlayer5SetupSilent_359.exe
File created	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\themes\default\window_add_url.xml	BaiduPlayer5SetupSilent_359.exe
File created	C:\Program Files (x86)\Baofeng\BFVKanDianYing\ApplicationData\Profiles\Skin\winter.png	BFVCenter-y4bd[[AB005]].exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\skin\LightStripes.gt	V8._85416_20150820204011.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\Html\quickaccess\img\grid\quicklink_toast_locked.png	V8._85416_20150820204011.exe
File created	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\themes\default\images\bg.setting.2.png	BaiduPlayer5SetupSilent_359.exe
File opened for modification	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\themes\default\images\btn.playlist.delete.png	BaiduPlayer5SetupSilent_359.exe
File created	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\themes\default\images\btn.setting.ok.png	BaiduPlayer5SetupSilent_359.exe
File opened for modification	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\themes\default\tab_setting_play.xml	BaiduPlayer5SetupSilent_359.exe
File created	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\bugreport_Update.ini	BaiduPlayer5SetupSilent_359.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\service\7z.exe	V8._85416_20150820204011.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\Html\images\Private-icon.png	V8._85416_20150820204011.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\Html\quickaccess\css\style.css	V8._85416_20150820204011.exe
File created	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\themes\default\images\bg.setting.png	BaiduPlayer5SetupSilent_359.exe
File opened for modification	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\themes\default\images\btn.setting.tab.png	BaiduPlayer5SetupSilent_359.exe
File created	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\themes\default\update\close.png	BaiduPlayer5SetupSilent_359.exe
File created	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\themes\default\images\imglist.setting.checkbox.partselect.png	BaiduPlayer5SetupSilent_359.exe
File created	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\icon\bsed.ico	BaiduPlayer5SetupSilent_359.exe
File opened for modification	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\icon\SRT.ico	BaiduPlayer5SetupSilent_359.exe
File opened for modification	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\themes\default\color.xml	BaiduPlayer5SetupSilent_359.exe
File created	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\themes\default\tab_setting_basic.xml	BaiduPlayer5SetupSilent_359.exe
File created	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\BDPlayerTray.exe	BaiduPlayer5SetupSilent_359.exe
File created	C:\Program Files (x86)\Baofeng\BFVKanDianYing\ApplicationData\temp\360.jpg	BFVCenter-y4bd[[AB005]].exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\Html\images\bkg.gif	V8._85416_20150820204011.exe
File created	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\themes\default\images\bg.playlist.png	BaiduPlayer5SetupSilent_359.exe
File opened for modification	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\themes\default\images\bg.thumbnail.highlight.png	BaiduPlayer5SetupSilent_359.exe
File opened for modification	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\themes\default\images\btn.playcontroller.play.png	BaiduPlayer5SetupSilent_359.exe
File opened for modification	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\themes\default\images\btn.playcontroller.volume.open.png	BaiduPlayer5SetupSilent_359.exe
File opened for modification	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\themes\default\MediaUrlHelp\images\yes.png	BaiduPlayer5SetupSilent_359.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\WebpDecodeFilter.dll	V8._85416_20150820204011.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\Html\manage\img\history_hover.png	V8._85416_20150820204011.exe
File created	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\themes\default\images\bg.thumbnail.arrow.png	BaiduPlayer5SetupSilent_359.exe
File opened for modification	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\themes\default\images\btn.messagebox.close.png	BaiduPlayer5SetupSilent_359.exe
File opened for modification	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\themes\default\window_tools.xml	BaiduPlayer5SetupSilent_359.exe
File created	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\bugreport_BDPlayer.ini	BaiduPlayer5SetupSilent_359.exe
File created	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\msvcr120.dll	BaiduPlayer5SetupSilent_359.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\Html\images\icon_not_recommended.png	V8._85416_20150820204011.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\Html\manage\app\css\	V8._85416_20150820204011.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\Html\manage\img\history.png	V8._85416_20150820204011.exe
File created	C:\Program Files (x86)\Tencent\QQBrowser\Html\quickaccess\img\grid\lock_hover_ie.png	V8._85416_20150820204011.exe
File created	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\res\icon\WEBM.ico	BaiduPlayer5SetupSilent_359.exe
File created	C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\codecs\MpaDec.ax	BaiduPlayer5SetupSilent_359.exe

Drops file in Windows directory 2 IoCs

Processes:

QQBrowser.exe

description	ioc	process
File created	C:\Windows\Tasks\QQBrowser Udpater Task.job	QQBrowser.exe
File created	C:\Windows\Tasks\QQBrowser Udpater Task(Core).job	QQBrowser.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

QQBrowser.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	QQBrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	QQBrowser.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

Processes:

QQBrowser.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	QQBrowser.exe

Modifies registry class 64 IoCs

Processes:

PlayerApp.exeQQBrowser.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\.m4a\BDPlayer.bak = "VLC.m4a"	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.rp\shell\open	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.mpe\shell	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.mpeg\DefaultIcon	PlayerApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.mpeg\shell\open\command\ = "C:\\Program Files (x86)\\baidu\\BDPlayer\\5.1.1.9\\BDPlayer.exe --from=shell --url=\"%1\""	PlayerApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.pss\DefaultIcon\ = "C:\\Program Files (x86)\\baidu\\BDPlayer\\5.1.1.9\\res\\icon\\Player.ico"	PlayerApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.csf\OpenWithProgids\BDPlayer.exe	PlayerApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\.avi\ = "BDPlayer.avi"	PlayerApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\.m2t\OpenWithProgids\BDPlayer.exe	PlayerApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\.3gp	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.flic\shell\open\command	PlayerApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.mod\	PlayerApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\.tod\OpenWithProgids	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.mpg\shell	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.mp4\shell\open\command	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.smk\shell\open\command	PlayerApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.wav\DefaultIcon\ = "C:\\Program Files (x86)\\baidu\\BDPlayer\\5.1.1.9\\res\\icon\\Player.ico"	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ape	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.rmi	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.asf\shell	PlayerApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\.m2ts	PlayerApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.m2v\DefaultIcon\ = "C:\\Program Files (x86)\\baidu\\BDPlayer\\5.1.1.9\\res\\icon\\Player.ico"	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bik	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.scm\shell\open\command	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.ape\DefaultIcon	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.divx\shell\open	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.mod\shell\open\command	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.m2ts\shell\open\command	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.mpv2\shell	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.m4p	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.amv\shell\open	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.asm\shell	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.divx	PlayerApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.ac3\shell\open\command\ = "C:\\Program Files (x86)\\baidu\\BDPlayer\\5.1.1.9\\BDPlayer.exe --from=shell --url=\"%1\""	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.ivf\DefaultIcon	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.ra\DefaultIcon	PlayerApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.tak\	PlayerApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.rpm\DefaultIcon\ = "C:\\Program Files (x86)\\baidu\\BDPlayer\\5.1.1.9\\res\\icon\\Player.ico"	PlayerApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.rt\DefaultIcon\ = "C:\\Program Files (x86)\\baidu\\BDPlayer\\5.1.1.9\\res\\icon\\Player.ico"	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.mpv2	PlayerApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.mod\DefaultIcon\ = "C:\\Program Files (x86)\\baidu\\BDPlayer\\5.1.1.9\\res\\icon\\MOD.ico"	PlayerApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.ogm\shell\open\command\ = "C:\\Program Files (x86)\\baidu\\BDPlayer\\5.1.1.9\\BDPlayer.exe --from=shell --url=\"%1\""	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.m2a\shell	PlayerApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.xlmv\shell\open\ = "用百度影音5 打开(&P)"	PlayerApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mids\OpenWithProgids\BDPlayer.exe	PlayerApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQBrowser.Protocol\shell\ = "open"	QQBrowser.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.mpv2\shell\open	PlayerApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.m4v\shell\open\ = "用百度影音5 打开(&P)"	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.mpeg4\shell\open	PlayerApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.mts\	PlayerApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.vp7\DefaultIcon\ = "C:\\Program Files (x86)\\baidu\\BDPlayer\\5.1.1.9\\res\\icon\\Player.ico"	PlayerApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tp\OpenWithProgids\BDPlayer.exe	PlayerApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.hlv\shell\open\ = "用百度影音5 打开(&P)"	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.avsts\shell	PlayerApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\.webm\OpenWithProgids	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.mp5\shell\open\command	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.mpe	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.mp4\shell\open	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.ogv\shell	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.smil\DefaultIcon	PlayerApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.mp5\shell\open\ = "用百度影音5 打开(&P)"	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.ogg\shell	PlayerApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wmp\OpenWithProgids\BDPlayer.exe	PlayerApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDPlayer.smil	PlayerApp.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

QQBrowser.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64	QQBrowser.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2	QQBrowser.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

V8._85416_20150820204011.exeQQBrowser.exeQQBrowser.exeQQBrowser.exe

pid	process
4804	V8._85416_20150820204011.exe
4804	V8._85416_20150820204011.exe
4804	V8._85416_20150820204011.exe
4804	V8._85416_20150820204011.exe
4804	V8._85416_20150820204011.exe
4804	V8._85416_20150820204011.exe
4884	QQBrowser.exe
4884	QQBrowser.exe
4884	QQBrowser.exe
4884	QQBrowser.exe
4884	QQBrowser.exe
4884	QQBrowser.exe
4884	QQBrowser.exe
4884	QQBrowser.exe
4884	QQBrowser.exe
4884	QQBrowser.exe
4884	QQBrowser.exe
4884	QQBrowser.exe
4884	QQBrowser.exe
4884	QQBrowser.exe
4884	QQBrowser.exe
4884	QQBrowser.exe
4884	QQBrowser.exe
4884	QQBrowser.exe
1196	QQBrowser.exe
1196	QQBrowser.exe
1196	QQBrowser.exe
1196	QQBrowser.exe
1196	QQBrowser.exe
1196	QQBrowser.exe
1196	QQBrowser.exe
1196	QQBrowser.exe
1196	QQBrowser.exe
1196	QQBrowser.exe
1196	QQBrowser.exe
1196	QQBrowser.exe
1196	QQBrowser.exe
1196	QQBrowser.exe
1196	QQBrowser.exe
1196	QQBrowser.exe
1196	QQBrowser.exe
1196	QQBrowser.exe
1196	QQBrowser.exe
1196	QQBrowser.exe
1196	QQBrowser.exe
1196	QQBrowser.exe
1196	QQBrowser.exe
1196	QQBrowser.exe
4804	V8._85416_20150820204011.exe
4804	V8._85416_20150820204011.exe
3396	QQBrowser.exe
3396	QQBrowser.exe
3396	QQBrowser.exe
3396	QQBrowser.exe
3396	QQBrowser.exe
3396	QQBrowser.exe
3396	QQBrowser.exe
3396	QQBrowser.exe
3396	QQBrowser.exe
3396	QQBrowser.exe
1196	QQBrowser.exe
1196	QQBrowser.exe
1196	QQBrowser.exe
1196	QQBrowser.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

2716 msedge.exe
2716 msedge.exe

pid	process
2716	msedge.exe
2716	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

QQBrowser.exeBFVCenter-y4bd[[AB005]].exe

description	pid	process
Token: SeSecurityPrivilege	3516	QQBrowser.exe
Token: SeSecurityPrivilege	3516	QQBrowser.exe
Token: SeSecurityPrivilege	3516	QQBrowser.exe
Token: SeSecurityPrivilege	3516	QQBrowser.exe
Token: SeSecurityPrivilege	3516	QQBrowser.exe
Token: SeDebugPrivilege	2884	BFVCenter-y4bd[[AB005]].exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

QQBrowser.exeBDPlayerTray.exemsedge.exe

pid	process
4680	QQBrowser.exe
4680	QQBrowser.exe
4680	QQBrowser.exe
4680	QQBrowser.exe
4680	QQBrowser.exe
4460	BDPlayerTray.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

BDPlayerTray.exe

pid process

4460 BDPlayerTray.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

QQBrowser.exeQQBrowser.exe

pid process

3676 QQBrowser.exe
3676 QQBrowser.exe
1308 QQBrowser.exe

pid	process
4460	BDPlayerTray.exe

pid	process
3676	QQBrowser.exe
3676	QQBrowser.exe
1308	QQBrowser.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5660b555743a8b474992340e7e1e5c2baac9660da8a26c147bc2461bb1763526.exeV8._85416_20150820204011.exeQQBrowser.exeQQBrowser.exe

description	pid	process	target process
PID 4496 wrote to memory of 4804	4496	5660b555743a8b474992340e7e1e5c2baac9660da8a26c147bc2461bb1763526.exe	V8._85416_20150820204011.exe
PID 4496 wrote to memory of 4804	4496	5660b555743a8b474992340e7e1e5c2baac9660da8a26c147bc2461bb1763526.exe	V8._85416_20150820204011.exe
PID 4496 wrote to memory of 4804	4496	5660b555743a8b474992340e7e1e5c2baac9660da8a26c147bc2461bb1763526.exe	V8._85416_20150820204011.exe
PID 4804 wrote to memory of 2528	4804	V8._85416_20150820204011.exe	PerfTraceService.exe
PID 4804 wrote to memory of 2528	4804	V8._85416_20150820204011.exe	PerfTraceService.exe
PID 4804 wrote to memory of 2528	4804	V8._85416_20150820204011.exe	PerfTraceService.exe
PID 4804 wrote to memory of 1308	4804	V8._85416_20150820204011.exe	regsvr32.exe
PID 4804 wrote to memory of 1308	4804	V8._85416_20150820204011.exe	regsvr32.exe
PID 4804 wrote to memory of 1308	4804	V8._85416_20150820204011.exe	regsvr32.exe
PID 4804 wrote to memory of 2876	4804	V8._85416_20150820204011.exe	QQBrowser.exe
PID 4804 wrote to memory of 2876	4804	V8._85416_20150820204011.exe	QQBrowser.exe
PID 4804 wrote to memory of 2876	4804	V8._85416_20150820204011.exe	QQBrowser.exe
PID 4804 wrote to memory of 3516	4804	V8._85416_20150820204011.exe	QQBrowser.exe
PID 4804 wrote to memory of 3516	4804	V8._85416_20150820204011.exe	QQBrowser.exe
PID 4804 wrote to memory of 3516	4804	V8._85416_20150820204011.exe	QQBrowser.exe
PID 4804 wrote to memory of 900	4804	V8._85416_20150820204011.exe	QQBrowser.exe
PID 4804 wrote to memory of 900	4804	V8._85416_20150820204011.exe	QQBrowser.exe
PID 4804 wrote to memory of 900	4804	V8._85416_20150820204011.exe	QQBrowser.exe
PID 4804 wrote to memory of 3580	4804	V8._85416_20150820204011.exe	QQBrowser.exe
PID 4804 wrote to memory of 3580	4804	V8._85416_20150820204011.exe	QQBrowser.exe
PID 4804 wrote to memory of 3580	4804	V8._85416_20150820204011.exe	QQBrowser.exe
PID 4804 wrote to memory of 4884	4804	V8._85416_20150820204011.exe	QQBrowser.exe
PID 4804 wrote to memory of 4884	4804	V8._85416_20150820204011.exe	QQBrowser.exe
PID 4804 wrote to memory of 4884	4804	V8._85416_20150820204011.exe	QQBrowser.exe
PID 4804 wrote to memory of 3164	4804	V8._85416_20150820204011.exe	QQBrowser.exe
PID 4804 wrote to memory of 3164	4804	V8._85416_20150820204011.exe	QQBrowser.exe
PID 4804 wrote to memory of 3164	4804	V8._85416_20150820204011.exe	QQBrowser.exe
PID 4804 wrote to memory of 1396	4804	V8._85416_20150820204011.exe	QQBrowser.exe
PID 4804 wrote to memory of 1396	4804	V8._85416_20150820204011.exe	QQBrowser.exe
PID 4804 wrote to memory of 1396	4804	V8._85416_20150820204011.exe	QQBrowser.exe
PID 3516 wrote to memory of 2324	3516	QQBrowser.exe	regsvr32.exe
PID 3516 wrote to memory of 2324	3516	QQBrowser.exe	regsvr32.exe
PID 3516 wrote to memory of 2324	3516	QQBrowser.exe	regsvr32.exe
PID 3516 wrote to memory of 2552	3516	QQBrowser.exe	regsvr32.exe
PID 3516 wrote to memory of 2552	3516	QQBrowser.exe	regsvr32.exe
PID 3516 wrote to memory of 2552	3516	QQBrowser.exe	regsvr32.exe
PID 4804 wrote to memory of 4536	4804	V8._85416_20150820204011.exe	QQBrowser.exe
PID 4804 wrote to memory of 4536	4804	V8._85416_20150820204011.exe	QQBrowser.exe
PID 4804 wrote to memory of 4536	4804	V8._85416_20150820204011.exe	QQBrowser.exe
PID 4804 wrote to memory of 4680	4804	V8._85416_20150820204011.exe	QQBrowser.exe
PID 4804 wrote to memory of 4680	4804	V8._85416_20150820204011.exe	QQBrowser.exe
PID 4804 wrote to memory of 4680	4804	V8._85416_20150820204011.exe	QQBrowser.exe
PID 4680 wrote to memory of 3676	4680	QQBrowser.exe	QQBrowser.exe
PID 4680 wrote to memory of 3676	4680	QQBrowser.exe	QQBrowser.exe
PID 4680 wrote to memory of 3676	4680	QQBrowser.exe	QQBrowser.exe
PID 4680 wrote to memory of 1936	4680	QQBrowser.exe	QQBrowser.exe
PID 4680 wrote to memory of 1936	4680	QQBrowser.exe	QQBrowser.exe
PID 4680 wrote to memory of 1936	4680	QQBrowser.exe	QQBrowser.exe
PID 4680 wrote to memory of 1196	4680	QQBrowser.exe	QQBrowser.exe
PID 4680 wrote to memory of 1196	4680	QQBrowser.exe	QQBrowser.exe
PID 4680 wrote to memory of 1196	4680	QQBrowser.exe	QQBrowser.exe
PID 4680 wrote to memory of 504	4680	QQBrowser.exe	QQBrowser.exe
PID 4680 wrote to memory of 504	4680	QQBrowser.exe	QQBrowser.exe
PID 4680 wrote to memory of 504	4680	QQBrowser.exe	QQBrowser.exe
PID 4680 wrote to memory of 3504	4680	QQBrowser.exe	QQBrowser.exe
PID 4680 wrote to memory of 3504	4680	QQBrowser.exe	QQBrowser.exe
PID 4680 wrote to memory of 3504	4680	QQBrowser.exe	QQBrowser.exe
PID 4680 wrote to memory of 4820	4680	QQBrowser.exe	QQBrowser.exe
PID 4680 wrote to memory of 4820	4680	QQBrowser.exe	QQBrowser.exe
PID 4680 wrote to memory of 4820	4680	QQBrowser.exe	QQBrowser.exe
PID 4804 wrote to memory of 3396	4804	V8._85416_20150820204011.exe	QQBrowser.exe
PID 4804 wrote to memory of 3396	4804	V8._85416_20150820204011.exe	QQBrowser.exe
PID 4804 wrote to memory of 3396	4804	V8._85416_20150820204011.exe	QQBrowser.exe
PID 4804 wrote to memory of 1308	4804	V8._85416_20150820204011.exe	QQBrowser.exe

C:\Users\Admin\AppData\Local\Temp\5660b555743a8b474992340e7e1e5c2baac9660da8a26c147bc2461bb1763526.exe
"C:\Users\Admin\AppData\Local\Temp\5660b555743a8b474992340e7e1e5c2baac9660da8a26c147bc2461bb1763526.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4496

C:\Users\Admin\AppData\Local\Temp\V8._85416_20150820204011.exe
V8._85416_20150820204011.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4804

C:\Program Files (x86)\Tencent\QQBrowser\Service\PerfTraceService.exe
"C:\Program Files (x86)\Tencent\QQBrowser\Service\PerfTraceService.exe" -installAndRun "QQBrowser Performance Service"
3⤵
- Executes dropped EXE
PID:2528

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Tencent\QQBrowser\WebpDecodeFilter.dll"
3⤵
- Loads dropped DLL
PID:1308

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -host=update -source=1
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:2876

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -module=Assistant.dll -install
3⤵
- Executes dropped EXE
- Sets file execution options in registry
- Checks computer location settings
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3516

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /u MetroLauncher64.dll
4⤵
PID:2552

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /u MetroLauncher32.dll
4⤵
PID:2324

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -module=Assistant.dll -installscheduletask
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
PID:900

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -Module=QQBrowserFrame.dll -skinzipfactory
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3580

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -module=Assistant.dll -homepageimport
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:1396

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -module=Assistant.dll -resetopenpage
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:3164

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -module=Assistant.dll -installcoexistreport -installmode=1
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
PID:4884

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -module=QQBrowserFrame.dll -updatejumplist
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4536

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -sc=quicklaunchpinedshortcut -fixlaunch=0
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4680

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -host=extension -scope=4680 /prefetch:5
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:3676

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" "-host=tab" -scope=4680 -Cred=800 -group=0 -core=5 /prefetch:2
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1936

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" "-host=tab" -scope=4680 -Cred=800 -group=0 -tid=1 -core=5 /prefetch:2
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:504

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -host= -Cred=2048 -scope=4680 -sc=quicklaunchpinedshortcut /prefetch:1
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1196

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -host=net /prefetch:4
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:3504

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -host=net /prefetch:4
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4820

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -module=Assistant.dll -installtxservice
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
PID:3396

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -module=Assistant.dll -setdefaultbrowser
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:1308

C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe
"C:\Program Files (x86)\Tencent\QQBrowser\QQBrowser.exe" -module=Assistant.dll -installreport -name=QQBrowser_Setup_Hk_85416_3638.exe -parent=5660b555743a8b474992340e7e1e5c2baac9660da8a26c147bc2461bb1763526.exe -occupy= -occupyparent= -method=3 -result=0 -type=1 -changedir=0 -fstartup=1 -deskicon=1 -default=1 -directopen=3953 -userplan=1 -r1= -r2=
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:4748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\BaiduPlayer5SetupSilent_359.exe" + "C:\Windows\Fonts\mingliu.ttc" "C:\Users\Admin\AppData\Local\Temp\BaiduPlayer5SetupSilent_359.exe"
2⤵
PID:1456

C:\Users\Admin\AppData\Local\Temp\BaiduPlayer5SetupSilent_359.exe
BaiduPlayer5SetupSilent_359.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2084

C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\PlayerApp.exe
"C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\PlayerApp.exe" --action=install --desktop=1 --taskbar=1
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:1600

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="xUpdate" dir=in program="C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\xUpdate.exe" action=allow description="C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\xUpdate.exe"
4⤵
- Modifies Windows Firewall
PID:1852

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="BDPlayer" dir=in program="C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\BDPlayer.exe" action=allow description="C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\BDPlayer.exe"
4⤵
- Modifies Windows Firewall
PID:2324

C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\xReport.exe
"C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\xReport.exe" pv &r=133032015314720000&op=install&ver=5.1.1.9&ch=359&module=BaiduPlayer5SetupSilent_359
3⤵
- Executes dropped EXE
PID:4568

C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\BDPlayerTray.exe
"C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\BDPlayerTray.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4460

C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\xReport.exe
"C:\Program Files (x86)\baidu\BDPlayer\5.1.1.9\xReport.exe" pv &r=133032015415970000&op=lauch&ext=toolbar&ver=5.1.1.9&ch=359&module=BDPlayerTray
4⤵
- Executes dropped EXE
PID:4640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C copy /b "C:\Users\Admin\AppData\Local\Temp\BFVCenter-y4bd[[AB005]].exe" + "C:\Windows\Fonts\mingliu.ttc" "C:\Users\Admin\AppData\Local\Temp\BFVCenter-y4bd[[AB005]].exe"
2⤵
PID:3228

C:\Users\Admin\AppData\Local\Temp\BFVCenter-y4bd[[AB005]].exe
BFVCenter-y4bd[[AB005]].exe
2⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Program Files (x86)\Baofeng\BFVKanDianYing\BFVKanDianYing.exe
"C:\Program Files (x86)\Baofeng\BFVKanDianYing\BFVKanDianYing.exe" /taskbar
3⤵
PID:1684

C:\Program Files (x86)\Baofeng\BFVKanDianYing\BFVServer.exe
"C:\Program Files (x86)\Baofeng\BFVKanDianYing\BFVServer.exe" /Module="AllTask"
4⤵
PID:456

C:\Program Files (x86)\Baofeng\BFVKanDianYing\BFVServer.exe
"C:\Program Files (x86)\Baofeng\BFVKanDianYing\BFVServer.exe" /Module="YiLanStartup"
4⤵
PID:2032

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\Baofeng\BFVKanDianYing\BFVShellIcon64.dll"
3⤵
PID:988

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Baofeng\BFVKanDianYing\BFVShellIcon64.dll"
4⤵
PID:4584

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\Baofeng\BFVKanDianYing\UGCFlash.dll"
3⤵
PID:4280

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\Baofeng\BFVKanDianYing\npBFVWebPlugin64.dll"
3⤵
PID:1156

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\Baofeng\BFVKanDianYing\npBFVWebPlugin.dll"
3⤵
PID:524

C:\Users\Admin\AppData\Local\Temp\uni1795887c.exe
uni1795887c.exe
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2488

C:\Users\Admin\AppData\Local\Temp\kinst_1_568.exe
kinst_1_568.exe
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:5108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://120.55.106.224/NTY2MGI1NTU3NDNhOGI0NzQ5OTIzNDBlN2UxZTVjMmJhYWM5NjYwZGE4YTI2YzE0N2JjMjQ2MWJiMTc2MzUyNi5leGU=/40.html
2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:2716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff227046f8,0x7fff22704708,0x7fff22704718
3⤵
PID:5020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,8247486948618414912,17039949380023935961,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
3⤵
PID:1752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,8247486948618414912,17039949380023935961,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
3⤵
PID:2828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,8247486948618414912,17039949380023935961,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
3⤵
PID:4040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8247486948618414912,17039949380023935961,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1
3⤵
PID:868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8247486948618414912,17039949380023935961,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
3⤵
PID:4784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,8247486948618414912,17039949380023935961,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3056 /prefetch:8
3⤵
PID:1540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,8247486948618414912,17039949380023935961,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5420 /prefetch:8
3⤵
PID:4436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8247486948618414912,17039949380023935961,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
3⤵
PID:3584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8247486948618414912,17039949380023935961,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
3⤵
PID:3588

C:\Users\Admin\AppData\Local\Temp\XMPSetupLite-SIjhaqws56.exe
XMPSetupLite-SIjhaqws56.exe
2⤵
- Executes dropped EXE
PID:4920

C:\Users\Admin\AppData\Local\Temp\XMPSetupLite-SIjhaqws56\5.2.18.5894\XmpSetupAgent.exe
"C:\Users\Admin\AppData\Local\Temp\XMPSetupLite-SIjhaqws56\5.2.18.5894\XmpSetupAgent.exe" /installdir "C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894" /userdata "C:\Users\Public\Thunder Network\XMP5\V5.2.18.5894" /version "5.2.18.5894" /cmdfile "C:\Users\Admin\AppData\Local\Temp\XMPFB77.tmp"
3⤵
PID:4808

C:\Users\Admin\AppData\Local\Temp\XMPSetupLite-SIjhaqws56\5.2.18.5894\XmpSetupAgent.exe
"C:\Users\Admin\AppData\Local\Temp\XMPSetupLite-SIjhaqws56\5.2.18.5894\XmpSetupAgent.exe" /installdir "C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894" /userdata "C:\Users\Public\Thunder Network\XMP5\V5.2.18.5894" /version "5.2.18.5894" /cmdfile "C:\Users\Admin\AppData\Local\Temp\XMPCBE.tmp"
3⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\XMPSetupLite-SIjhaqws56\5.2.18.5894\XmpSetupAgent.exe
"C:\Users\Admin\AppData\Local\Temp\XMPSetupLite-SIjhaqws56\5.2.18.5894\XmpSetupAgent.exe" /installdir "C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894" /userdata "C:\Users\Public\Thunder Network\XMP5\V5.2.18.5894" /version "5.2.18.5894" /cmdfile "C:\Users\Admin\AppData\Local\Temp\XMPCCE.tmp"
3⤵
PID:4284

C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\ThunderFW.exe
"C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\ThunderFW.exe" "迅雷影音" "C:\Program Files (x86)\Thunder Network\XMP\V5.2.18.5894\Bin\XMP.exe"
3⤵
PID:4688

C:\Program Files (x86)\Tencent\QQBrowser\Service\PerfTraceService.exe
"C:\Program Files (x86)\Tencent\QQBrowser\Service\PerfTraceService.exe"
1⤵
- Executes dropped EXE
PID:2968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4944

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Baofeng\BFVKanDianYing\npBFVWebPlugin64.dll"
1⤵
PID:2440

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

System Information Discovery