egregor | hxxps://www[.]xunlei[.]com/

Analysis

max time kernel
435s
max time network
604s
platform
windows10-1703_x64
resource
win10-20220812-ja
resource tags

arch:x64arch:x86image:win10-20220812-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
13/09/2022, 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.xunlei.com/

Score

10^/10

egregor bootkit discovery evasion persistence ransomware trojan

Malware Config

Signatures

Detected Egregor ransomware 2 IoCs

resource	yara_rule
behavioral1/files/0x000600000001ae55-1051.dat	family_egregor
behavioral1/files/0x000600000001ae55-1049.dat	family_egregor

Egregor Ransomware
Variant of the Sekhmet ransomware first seen in September 2020.
ransomware egregor
Downloads MZ/PE file

Executes dropped EXE 16 IoCs

pid	Process
2184	XunLeiWebSetup11.3.14.1952gw.exe
4972	XunLeiWebSetup11.3.14.1952gw.exe
2448	XunLeiWebSetup11.3.14.1952gw.exe
1516	XunLeiWebSetup11.3.14.1952gw.exe
4852	XunLeiWebSetup11.3.14.1952gw.exe
4316	XunLeiSetup11.3.14.1952.exe
2320	DownloadSDKServer.exe
1940	XLWFPSetup.exe
4820	XLServicePlatform.exe
4856	Win7AppId.exe
4896	Win7AppId.exe
2992	Win7AppId.exe
2172	DownloadSDKServer.exe
1432	ThunderBHOPlatform.exe
3232	xl_ext_chrome_setup.exe
4984	APlayerCodecs3Embed.exe

Modifies Windows Firewall 1 TTPs 18 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1824	netsh.exe
2076	netsh.exe
6116	netsh.exe
6040	netsh.exe
4664	netsh.exe
4336	netsh.exe
5224	netsh.exe
5376	netsh.exe
348	netsh.exe
2016	netsh.exe
3844	netsh.exe
4360	netsh.exe
5660	netsh.exe
6012	netsh.exe
496	netsh.exe
4548	netsh.exe
3176	netsh.exe
660	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Control Panel\International\Geo\Nation	XunLeiSetup11.3.14.1952.exe

Loads dropped DLL 20 IoCs

pid	Process
2184	XunLeiWebSetup11.3.14.1952gw.exe
2184	XunLeiWebSetup11.3.14.1952gw.exe
4316	XunLeiSetup11.3.14.1952.exe
4316	XunLeiSetup11.3.14.1952.exe
4316	XunLeiSetup11.3.14.1952.exe
2320	DownloadSDKServer.exe
2320	DownloadSDKServer.exe
2320	DownloadSDKServer.exe
2320	DownloadSDKServer.exe
2320	DownloadSDKServer.exe
2320	DownloadSDKServer.exe
2320	DownloadSDKServer.exe
2320	DownloadSDKServer.exe
2320	DownloadSDKServer.exe
2320	DownloadSDKServer.exe
2320	DownloadSDKServer.exe
2320	DownloadSDKServer.exe
2320	DownloadSDKServer.exe
2320	DownloadSDKServer.exe
2320	DownloadSDKServer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	XunLeiWebSetup11.3.14.1952gw.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	XunLeiWebSetup11.3.14.1952gw.exe
File opened for modification	\??\PhysicalDrive0	XunLeiSetup11.3.14.1952.exe
File opened for modification	\??\PhysicalDrive0	DownloadSDKServer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\static\icon\[email protected]	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\xluagc_stat.xml	XunLeiSetup11.3.14.1952.exe
File created	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\bin\SDK\P2PCommonObjects.dll	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\bin\TBC\locales\te.pak	XunLeiSetup11.3.14.1952.exe
File created	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\static\browser\qq.gif	XunLeiSetup11.3.14.1952.exe
File created	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\static\icon\groupaccelerate.png	XunLeiSetup11.3.14.1952.exe
File created	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\static\icon\startalltask.png	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\plugins\XLGame\1.0.25.asar	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\bin\TBC\d3dcompiler_47.dll	XunLeiSetup11.3.14.1952.exe
File created	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\bin\TBC\devtools_resources.pak	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\locales\ta.pak	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\static\icon\[email protected]	XunLeiSetup11.3.14.1952.exe
File created	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\static\icon\[email protected]	XunLeiSetup11.3.14.1952.exe
File created	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\static\deskicon\vip.ico	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\bin\ThunderHelper.node	XunLeiSetup11.3.14.1952.exe
File created	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\bin\SDK\zlib1.dll	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\bin\TBC\cef_extensions.pak	XunLeiSetup11.3.14.1952.exe
File created	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\bin\TBC\locales\fi.pak	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\BHO\xl_plugin_chrome.zip	XunLeiSetup11.3.14.1952.exe
File created	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\static\icon\[email protected]	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\static\icon\open夹@2x.png	XunLeiSetup11.3.14.1952.exe
File created	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\static\icon\[email protected]	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\bin\TBC\swiftshader\libGLESv2.dll	XunLeiSetup11.3.14.1952.exe
File created	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\static\icon\[email protected]	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\static\icon\[email protected]	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\static\icon\[email protected]	XunLeiSetup11.3.14.1952.exe
File created	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\static\icon\[email protected]	XunLeiSetup11.3.14.1952.exe
File created	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\static\icon\抱团@3x.png	XunLeiSetup11.3.14.1952.exe
File created	C:\Program Files (x86)\Thunder Network\Thunder\Program\ThunderCmd.exe	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\static\activity\img\bg-act.png	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\static\icon\[email protected]	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\static\icon\[email protected]	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\locales\hr.pak	XunLeiSetup11.3.14.1952.exe
File created	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\static\icon\[email protected]	XunLeiSetup11.3.14.1952.exe
File created	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\static\icon\[email protected]	XunLeiSetup11.3.14.1952.exe
File created	C:\Program Files (x86)\Thunder Network\Thunder\BHO\minixlgeturl.htm	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\BHO\libexpat.dll	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\locales\cs.pak	XunLeiSetup11.3.14.1952.exe
File created	C:\Program Files (x86)\Thunder Network\Thunder\Program\locales\mr.pak	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\static\icon\open夹@3.5x.png	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\BHO\UserAgent.dll	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\xluagc.dll	XunLeiSetup11.3.14.1952.exe
File created	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\bin\TBC\locales\zh-CN.pak	XunLeiSetup11.3.14.1952.exe
File created	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\static\icon\[email protected]	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\static\icon\[email protected]	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\XLTempFile.ico	XunLeiSetup11.3.14.1952.exe
File created	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\bin\SDK\XLReImport.dll	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\static\icon\[email protected]	XunLeiSetup11.3.14.1952.exe
File created	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\static\icon\抱团@1.75x.png	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\XLWFPSetup.exe	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\locales\es-419.pak	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\static\icon\[email protected]	XunLeiSetup11.3.14.1952.exe
File created	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\bin\TBC\locales\cs.pak	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\locales\sl.pak	XunLeiSetup11.3.14.1952.exe
File created	C:\Program Files (x86)\Thunder Network\Thunder\Program\locales\th.pak	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\static\icon\open夹@1.5x.png	XunLeiSetup11.3.14.1952.exe
File created	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\bin\TBC\locales\bn.pak	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\locales\sw.pak	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\static\icon\openas.png	XunLeiSetup11.3.14.1952.exe
File created	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\static\icon\[email protected]	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\bin\TBC\snapshot_blob.bin	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\ThunderCmd.exe	XunLeiSetup11.3.14.1952.exe
File created	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\bin\SDK\statXml.xml	XunLeiSetup11.3.14.1952.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\static\icon\[email protected]	XunLeiSetup11.3.14.1952.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	DownloadSDKServer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DownloadSDKServer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	DownloadSDKServer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.cda\ = "媒体文件(.cda)"	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\magnet	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.ram	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.ram\Shell	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.tp\DefaultIcon	XunLeiSetup11.3.14.1952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.wv\Shell\open\command\ = "\"C:\\Program Files (x86)\\Thunder Network\\Thunder\\Program\\XMP\\Program\\Xmp.exe\" /play \"%1\" /sopenfrom WndExplr /sstartfrom LocalFile "	XunLeiSetup11.3.14.1952.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Xunlei.ThunderSkin.6\Shell\Open\command\ = "\"C:\\Program Files (x86)\\Thunder Network\\Thunder\\Program\\Thunder.exe\" \"%1\""	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.m4p\Shell\open\command	XunLeiSetup11.3.14.1952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.midi\ = "媒体文件(.midi)"	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.mkv\Shell\open\DropTarget	XunLeiSetup11.3.14.1952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.ogg\Shell\open\command\ = "\"C:\\Program Files (x86)\\Thunder Network\\Thunder\\Program\\XMP\\Program\\Xmp.exe\" /play \"%1\" /sopenfrom WndExplr /sstartfrom LocalFile "	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.ogm\Shell\open\command	XunLeiSetup11.3.14.1952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.pva\Shell\open\command\ = "\"C:\\Program Files (x86)\\Thunder Network\\Thunder\\Program\\XMP\\Program\\Xmp.exe\" /play \"%1\" /sopenfrom WndExplr /sstartfrom LocalFile "	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.hmp4\Shell\open\DropTarget	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.hlv\Shell\open	XunLeiSetup11.3.14.1952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.wma\Shell\open\DropTarget\ = "{8F556DA3-987D-47b0-AA88-EB8D52FE1B99}"	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.ac3\Shell\open\DropTarget	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.mka\Shell\open\command	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.rm\DefaultIcon	XunLeiSetup11.3.14.1952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.sup\Shell\open\command\ = "\"C:\\Program Files (x86)\\Thunder Network\\Thunder\\Program\\XMP\\Program\\Xmp.exe\" /play \"%1\" /sopenfrom WndExplr /sstartfrom LocalFile "	XunLeiSetup11.3.14.1952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.3gp2\DefaultIcon\ = "\"C:\\Program Files (x86)\\Thunder Network\\Thunder\\Program\\Res\\video.ico\",0"	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.m2v\Shell\open	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.mid\Shell	XunLeiSetup11.3.14.1952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.ts\ = "媒体文件(.ts)"	XunLeiSetup11.3.14.1952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.wmv\Shell\open\command\ = "\"C:\\Program Files (x86)\\Thunder Network\\Thunder\\Program\\XMP\\Program\\Xmp.exe\" /play \"%1\" /sopenfrom WndExplr /sstartfrom LocalFile "	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.flv\Shell\open	XunLeiSetup11.3.14.1952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.mod\Shell\open\command\ = "\"C:\\Program Files (x86)\\Thunder Network\\Thunder\\Program\\XMP\\Program\\Xmp.exe\" /play \"%1\" /sopenfrom WndExplr /sstartfrom LocalFile "	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.pva\DefaultIcon	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.qt\Shell	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.srt	XunLeiSetup11.3.14.1952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.au\Shell\open\command\ = "\"C:\\Program Files (x86)\\Thunder Network\\Thunder\\Program\\XMP\\Program\\Xmp.exe\" /play \"%1\" /sopenfrom WndExplr /sstartfrom LocalFile "	XunLeiSetup11.3.14.1952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.flac\Shell\open\command\ = "\"C:\\Program Files (x86)\\Thunder Network\\Thunder\\Program\\XMP\\Program\\Xmp.exe\" /play \"%1\" /sopenfrom WndExplr /sstartfrom LocalFile "	XunLeiSetup11.3.14.1952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.m2ts\DefaultIcon\ = "\"C:\\Program Files (x86)\\Thunder Network\\Thunder\\Program\\Res\\video.ico\",0"	XunLeiSetup11.3.14.1952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.mp2\Shell\ = "open"	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.mpg\Shell	XunLeiSetup11.3.14.1952.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Xunlei.LSTFile.6\ = "迅雷专有下载文件"	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.ape\Shell\open\DropTarget	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.ssa\Shell\open	XunLeiSetup11.3.14.1952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.f5v\Shell\open\DropTarget\ = "{8F556DA3-987D-47b0-AA88-EB8D52FE1B99}"	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.aac\Shell\open\command	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.asf\Shell\open	XunLeiSetup11.3.14.1952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.f4v\Shell\open\ = "使用迅雷影音播放(&P)"	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.flv\Shell\open\command	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.xlmv\Shell\open\DropTarget	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.letv	XunLeiSetup11.3.14.1952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.m2p\Shell\open\ = "使用迅雷影音播放(&P)"	XunLeiSetup11.3.14.1952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.wmp\Shell\open\command\ = "\"C:\\Program Files (x86)\\Thunder Network\\Thunder\\Program\\XMP\\Program\\Xmp.exe\" /play \"%1\" /sopenfrom WndExplr /sstartfrom LocalFile "	XunLeiSetup11.3.14.1952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.pva\Shell\ = "open"	XunLeiSetup11.3.14.1952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.acc\Shell\open\ = "使用迅雷影音播放(&P)"	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.amv\Shell\open	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.m2v\Shell\open\command	XunLeiSetup11.3.14.1952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.mid\ = "媒体文件(.mid)"	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.mka\Shell\open	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.mkv\Shell\open	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.mod\Shell	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.smil\Shell\open\command	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.sub	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.wav\Shell\open	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.f5v\Shell\open\command	XunLeiSetup11.3.14.1952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.mk5	XunLeiSetup11.3.14.1952.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Xunlei.Bittorrent.6\Shell	XunLeiSetup11.3.14.1952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.flac\Shell\open\DropTarget\ = "{8F556DA3-987D-47b0-AA88-EB8D52FE1B99}"	XunLeiSetup11.3.14.1952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.m2ts\Shell\open\DropTarget\ = "{8F556DA3-987D-47b0-AA88-EB8D52FE1B99}"	XunLeiSetup11.3.14.1952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmp.mkv\Shell\ = "open"	XunLeiSetup11.3.14.1952.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3192	ping.exe
5940	ping.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	502	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	238	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
5116	chrome.exe
5116	chrome.exe
4692	chrome.exe
4692	chrome.exe
4676	chrome.exe
4676	chrome.exe
4336	chrome.exe
4336	chrome.exe
4880	chrome.exe
4880	chrome.exe
4780	chrome.exe
4780	chrome.exe
212	chrome.exe
212	chrome.exe
3964	chrome.exe
3964	chrome.exe
1576	chrome.exe
1576	chrome.exe
4860	chrome.exe
4860	chrome.exe
748	chrome.exe
748	chrome.exe
748	chrome.exe
748	chrome.exe
4316	XunLeiSetup11.3.14.1952.exe
4316	XunLeiSetup11.3.14.1952.exe
4316	XunLeiSetup11.3.14.1952.exe
4316	XunLeiSetup11.3.14.1952.exe
4316	XunLeiSetup11.3.14.1952.exe
4316	XunLeiSetup11.3.14.1952.exe
4316	XunLeiSetup11.3.14.1952.exe
4316	XunLeiSetup11.3.14.1952.exe
4316	XunLeiSetup11.3.14.1952.exe
4316	XunLeiSetup11.3.14.1952.exe
4316	XunLeiSetup11.3.14.1952.exe
4316	XunLeiSetup11.3.14.1952.exe
4316	XunLeiSetup11.3.14.1952.exe
4316	XunLeiSetup11.3.14.1952.exe
4316	XunLeiSetup11.3.14.1952.exe
4316	XunLeiSetup11.3.14.1952.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4316	XunLeiSetup11.3.14.1952.exe
Token: SeManageVolumePrivilege	2320	DownloadSDKServer.exe
Token: SeManageVolumePrivilege	2320	DownloadSDKServer.exe
Token: SeManageVolumePrivilege	2320	DownloadSDKServer.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2184	XunLeiWebSetup11.3.14.1952gw.exe
4972	XunLeiWebSetup11.3.14.1952gw.exe
2448	XunLeiWebSetup11.3.14.1952gw.exe
1516	XunLeiWebSetup11.3.14.1952gw.exe
4852	XunLeiWebSetup11.3.14.1952gw.exe
4316	XunLeiSetup11.3.14.1952.exe
2320	DownloadSDKServer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 3772	4692	chrome.exe	67
PID 4692 wrote to memory of 3772	4692	chrome.exe	67
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 2524	4692	chrome.exe	69
PID 4692 wrote to memory of 5116	4692	chrome.exe	70
PID 4692 wrote to memory of 5116	4692	chrome.exe	70
PID 4692 wrote to memory of 3916	4692	chrome.exe	71
PID 4692 wrote to memory of 3916	4692	chrome.exe	71
PID 4692 wrote to memory of 3916	4692	chrome.exe	71
PID 4692 wrote to memory of 3916	4692	chrome.exe	71
PID 4692 wrote to memory of 3916	4692	chrome.exe	71
PID 4692 wrote to memory of 3916	4692	chrome.exe	71
PID 4692 wrote to memory of 3916	4692	chrome.exe	71
PID 4692 wrote to memory of 3916	4692	chrome.exe	71
PID 4692 wrote to memory of 3916	4692	chrome.exe	71
PID 4692 wrote to memory of 3916	4692	chrome.exe	71
PID 4692 wrote to memory of 3916	4692	chrome.exe	71
PID 4692 wrote to memory of 3916	4692	chrome.exe	71
PID 4692 wrote to memory of 3916	4692	chrome.exe	71
PID 4692 wrote to memory of 3916	4692	chrome.exe	71
PID 4692 wrote to memory of 3916	4692	chrome.exe	71
PID 4692 wrote to memory of 3916	4692	chrome.exe	71
PID 4692 wrote to memory of 3916	4692	chrome.exe	71
PID 4692 wrote to memory of 3916	4692	chrome.exe	71
PID 4692 wrote to memory of 3916	4692	chrome.exe	71
PID 4692 wrote to memory of 3916	4692	chrome.exe	71

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.xunlei.com/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe22e14f50,0x7ffe22e14f60,0x7ffe22e14f70
  2⤵
  PID:3772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1640 /prefetch:2
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2020 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2420 /prefetch:8
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2932 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2920 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4284 /prefetch:8
  2⤵
  PID:3312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  PID:4228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5020 /prefetch:8
  2⤵
  PID:3156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5760 /prefetch:8
  2⤵
  PID:3712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5796 /prefetch:8
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4496 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4564 /prefetch:8
  2⤵
  PID:680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5880 /prefetch:8
  2⤵
  PID:1224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
  2⤵
  PID:1804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5824 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1576
- C:\Users\Admin\Downloads\XunLeiWebSetup11.3.14.1952gw.exe
  "C:\Users\Admin\Downloads\XunLeiWebSetup11.3.14.1952gw.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:2184
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="DownloadSDKServer" dir=in action=allow program=C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.3.14.1952\SDK\DownloadSDKServer.exe enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:4664
- - C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.3.14.1952\XunLeiSetup11.3.14.1952.exe
    "C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.3.14.1952\XunLeiSetup11.3.14.1952.exe" /Silent /InstallPath:"C:\Program Files (x86)\Thunder Network\Thunder" /ChannelId:100022 /AutoRun:0
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4316
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="DownloadSDKServer" dir=in program="C:\Users\Admin\AppData\Local\Temp\ThunderInstall\11.3.14.1952\SDK\DownloadSDKServer.exe"
      4⤵
      Modifies Windows Firewall
      PID:496
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="DownloadSDKServer" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\ThunderInstall\11.3.14.1952\SDK\DownloadSDKServer.exe"
      4⤵
      Modifies Windows Firewall
      PID:348
  - - C:\Users\Admin\AppData\Local\Temp\ThunderInstall\11.3.14.1952\SDK\DownloadSDKServer.exe
      "C:\Users\Admin\AppData\Local\Temp\ThunderInstall\11.3.14.1952\SDK\DownloadSDKServer.exe" BDAF7A63-568C-43ab-9406-D145CF03B08C:4316
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2320
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="DownloadSDKServer" dir=in program="C:\Users\Admin\AppData\Local\Temp\ThunderInstall\11.3.14.1952\SDK\DownloadSDKServer.exe"
      4⤵
      Modifies Windows Firewall
      PID:2016
  - - C:\Program Files (x86)\Thunder Network\Thunder\BHO\BHOInstall.exe
      "C:\Program Files (x86)\Thunder Network\Thunder\BHO\BHOInstall.exe" -checkandstat
      4⤵
      PID:2172
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="DownloadSDKServer" dir=in program="C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\bin\SDK\DownloadSDKServer.exe"
      4⤵
      Modifies Windows Firewall
      PID:1824
  - - C:\Program Files (x86)\Thunder Network\Thunder\BHO\xl_ext_chrome_setup.exe
      "C:\Program Files (x86)\Thunder Network\Thunder\BHO\xl_ext_chrome_setup.exe" /S
      4⤵
      Executes dropped EXE
      PID:3232
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Program Files (x86)\Thunder Network\Thunder\BHO\UserAgent.dll"
      4⤵
      PID:4832
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Program Files (x86)\Thunder Network\Thunder\BHO\ThunderMyComputerIcon64.dll"
      4⤵
      PID:500
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Thunder Network\Thunder\BHO\ThunderMyComputerIcon64.dll"
        5⤵
        
        PID:4656
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Program Files (x86)\Thunder Network\Thunder\Thunder BHO Platform\np_tdieplat.dll"
      4⤵
      PID:1588
  - - C:\Program Files (x86)\Thunder Network\Thunder\BHO\ThunderBHOPlatform.exe
      "C:\Program Files (x86)\Thunder Network\Thunder\BHO\ThunderBHOPlatform.exe" /S /installpath="C:\Program Files (x86)\Thunder Network\Thunder"
      4⤵
      Executes dropped EXE
      PID:1432
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /S "C:\Program Files (x86)\Thunder Network\Thunder\Thunder BHO Platform\np_tdieplat.dll"
        5⤵
        
        PID:4968
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Program Files (x86)\Thunder Network\Thunder\BHO\XunLeiBHO64.dll"
      4⤵
      PID:4696
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Thunder Network\Thunder\BHO\XunLeiBHO64.dll"
        5⤵
        
        PID:3928
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Program Files (x86)\Thunder Network\Thunder\BHO\ThunderAgent.dll"
      4⤵
      PID:4064
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Program Files (x86)\Thunder Network\Thunder\BHO\ThunderAgent64.dll"
      4⤵
      PID:4688
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Thunder Network\Thunder\BHO\ThunderAgent64.dll"
        5⤵
        
        PID:4948
  - - C:\Program Files (x86)\Thunder Network\Thunder\Program\Win7AppId.exe
      "C:\Program Files (x86)\Thunder Network\Thunder\Program\Win7AppId.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\迅雷软件\迅雷\迅雷.lnk" "C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe"
      4⤵
      Executes dropped EXE
      PID:2992
  - - C:\Program Files (x86)\Thunder Network\Thunder\Program\Win7AppId.exe
      "C:\Program Files (x86)\Thunder Network\Thunder\Program\Win7AppId.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\迅雷.lnk" "C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe"
      4⤵
      Executes dropped EXE
      PID:4896
  - - C:\Program Files (x86)\Thunder Network\Thunder\Program\Win7AppId.exe
      "C:\Program Files (x86)\Thunder Network\Thunder\Program\Win7AppId.exe" "C:\Users\Admin\Desktop\迅雷.lnk" "C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe"
      4⤵
      Executes dropped EXE
      PID:4856
  - - C:\Program Files (x86)\Thunder Network\Thunder\Program\XLServicePlatform.exe
      "C:\Program Files (x86)\Thunder Network\Thunder\Program\XLServicePlatform.exe" -i
      4⤵
      Executes dropped EXE
      PID:4820
  - - C:\Program Files (x86)\Thunder Network\Thunder\Program\XLWFPSetup.exe
      "C:\Program Files (x86)\Thunder Network\Thunder\Program\XLWFPSetup.exe" /S /PeerID=
      4⤵
      Executes dropped EXE
      PID:1940
    - - C:\Program Files (x86)\Thunder Network\Thunder\Program\InstallXLWFP.exe
        
        "C:\Program Files (x86)\Thunder Network\Thunder\Program\InstallXLWFP.exe" -u
        5⤵
        
        PID:4624
    - - C:\Program Files (x86)\Thunder Network\Thunder\Program\InstallXLWFP.exe
        
        "C:\Program Files (x86)\Thunder Network\Thunder\Program\InstallXLWFP.exe" -i
        5⤵
        
        PID:4552
    - - C:\Program Files (x86)\Thunder Network\Thunder\Program\InstallXLGuard.exe
        
        "C:\Program Files (x86)\Thunder Network\Thunder\Program\InstallXLGuard.exe" -u
        5⤵
        
        PID:2224
    - - C:\Program Files (x86)\Thunder Network\Thunder\Program\InstallXLGuard.exe
        
        "C:\Program Files (x86)\Thunder Network\Thunder\Program\InstallXLGuard.exe" -i
        5⤵
        
        PID:1512
  - - C:\Users\Admin\AppData\Local\Temp\Thunder\APlayerCodecs3Embed.exe
      "C:\Users\Admin\AppData\Local\Temp\Thunder\APlayerCodecs3Embed.exe" -Path="C:\Program Files (x86)\Thunder Network\Thunder\Program\"
      4⤵
      Executes dropped EXE
      PID:4984
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="DownloadSDKServer" dir=in program="C:\Users\Admin\AppData\Local\Temp\ThunderInstall\11.3.14.1952\SDK\DownloadSDKServer.exe"
      4⤵
      Modifies Windows Firewall
      PID:4548
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="Thunder" dir=in program="C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe"
      4⤵
      Modifies Windows Firewall
      PID:3844
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="DownloadSDKServer" dir=in action=allow program="C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\bin\SDK\DownloadSDKServer.exe"
      4⤵
      Modifies Windows Firewall
      PID:3176
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Thunder" dir=in action=allow program="C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe"
      4⤵
      Modifies Windows Firewall
      PID:2076
  - - C:\Users\Admin\AppData\Local\Temp\ThunderInstall\11.3.14.1952\ThunderInstallHelper.exe
      "C:\Users\Admin\AppData\Local\Temp\ThunderInstall\11.3.14.1952\ThunderInstallHelper.exe" /type=execute /agentfile="C:\Users\Admin\AppData\Local\Temp\ThunderInstall\11.3.14.1952\~ExD1D9.tmp"
      4⤵
      PID:4440
    - - C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="DownloadSDKServer" dir=in program="C:\Program Files (x86)\Thunder Network\Thunder\Program\XMP\resources\bin\SDK\DownloadSDKServer.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:660
    - - C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="APlayer" dir=in program="C:\Program Files (x86)\Thunder Network\Thunder\Program\XMP\APlayer.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:4336
    - - C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="XLLiveUD" dir=in program="C:\Users\Admin\AppData\Local\Temp\XLLiveUD\Thunder8_11.3.14.1952\XLLiveUD.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:4360
    - - C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="XLLiveUD_auto" dir=in program="C:\Users\Admin\AppData\Local\Temp\XLLiveUD\Thunder8_11.3.14.1952_auto\XLLiveUD.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:5224
    - - C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="XLLiveUD_manaul" dir=in program="C:\Users\Admin\AppData\Local\Temp\XLLiveUD\Thunder8_11.3.14.1952_manual\XLLiveUD.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:5376
    - - C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="XLLiveUD" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\XLLiveUD\Thunder8_11.3.14.1952\XLLiveUD.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:6116
    - - C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="XLLiveUD_auto" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\XLLiveUD\Thunder8_11.3.14.1952_auto\XLLiveUD.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:5660
    - - C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="APlayer" dir=in action=allow program="C:\Program Files (x86)\Thunder Network\Thunder\Program\XMP\APlayer.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:6040
    - - C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="DownloadSDKServer" dir=in action=allow program="C:\Program Files (x86)\Thunder Network\Thunder\Program\XMP\resources\bin\SDK\DownloadSDKServer.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:6012
- - C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe
    "C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe" -StartType:Install
    3⤵
    PID:2940
  - - C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe
      "C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe" --type=utility --field-trial-handle=3000,1011143369496618790,8671095127474676436,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --lang=ja --service-sandbox-type=network --no-sandbox --mojo-platform-channel-handle=3008 /prefetch:8
      4⤵
      PID:4308
  - - C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe
      "C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe" --type=renderer --no-sandbox --field-trial-handle=3000,1011143369496618790,8671095127474676436,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --disable-gpu-compositing --lang=ja --app-user-model-id="C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe" --app-path="C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app" --node-integration --webview-tag --no-sandbox --no-zygote --preload="C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\out.asar/common-preload.js" --enable-remote-module --background-color=#FFF --enable-websql --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=3176 /prefetch:1
      4⤵
      PID:4668
    - - C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\bin\SDK\DownloadSDKServer.exe
        
        "C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\bin\SDK\DownloadSDKServer.exe" BDAF7A63-568C-43ab-9406-D145CF03B08C:4668
        5⤵
        Executes dropped EXE
        
        PID:2172
    - - C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe
        
        "C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe" "C:/Program Files (x86)/Thunder Network/Thunder/Program/resources/app/out.asar/plugin-boot.js" --type=xdas-plugin-process "--xdas-plugin-config=C:/Program Files (x86)/Thunder Network/Thunder/Program/resources/app/plugins/VipPluginController/config.json" --xdas-plugin-name=VipPluginController
        5⤵
        
        PID:5000
    - - C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe
        
        "C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe" "C:/Program Files (x86)/Thunder Network/Thunder/Program/resources/app/out.asar/plugin-boot.js" --type=xdas-plugin-process "--xdas-plugin-config=C:/Program Files (x86)/Thunder Network/Thunder/Program/resources/app/plugins/ThunderPanPlugin/config.json" --xdas-plugin-name=ThunderPanPlugin
        5⤵
        
        PID:3948
    - - C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe
        
        "C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe" "C:/Program Files (x86)/Thunder Network/Thunder/Program/resources/app/out.asar/plugin-boot.js" --type=xdas-plugin-process "--xdas-plugin-config=C:/Program Files (x86)/Thunder Network/Thunder/Program/resources/app/plugins/ThunderIM/config.json" --xdas-plugin-name=ThunderIM
        5⤵
        
        PID:4532
    - - C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe
        
        "C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe" "C:/Program Files (x86)/Thunder Network/Thunder/Program/resources/app/out.asar/plugin-boot.js" --type=xdas-plugin-process "--xdas-plugin-config=C:/Program Files (x86)/Thunder Network/Thunder/Program/resources/app/plugins/XmpPlugin/config.json" --xdas-plugin-name=XmpPlugin
        5⤵
        
        PID:1572
    - - C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe
        
        "C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe" "C:/Program Files (x86)/Thunder Network/Thunder/Program/resources/app/out.asar/plugin-boot.js" --type=xdas-plugin-process "--xdas-plugin-config=C:/Program Files (x86)/Thunder Network/Thunder/Program/resources/app/plugins/VipDownload/config.json" --xdas-plugin-name=VipDownload
        5⤵
        
        PID:2600
    - - C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\bin\TBC\xlbrowsershell.exe
        
        --parent_id=4668 --user_agent=Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36 TBC/1.3.2.124 Thunder/11.3.14.1952 --data_path=C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\bin\TBC\Data --enable_sandbox=0 --product_version=11.3.14.1952 --peer_id=F2590F96060F248Q --flash_allow_list_path=C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\bin\TBC\PepperFlash\flash_allow_list.cfg --launch-start-tick=241059171
        5⤵
        
        PID:4772
      - C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\bin\TBC\xlbrowsershell.exe
        
        "C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\bin\TBC\xlbrowsershell.exe" --type=gpu-process --field-trial-handle=2536,12017159314335179397,4972886763037442882,131072 --disable-gpu-sandbox --use-gl=disabled --log-file="C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\bin\TBC\debug.log" --log-severity=disable --user-agent="Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36 TBC/1.3.2.124 Thunder/11.3.14.1952" --lang=zh-CN --launch-start-tick=241106234 --gpu-preferences=KAAAAAAAAACAAwCAAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --service-request-channel-token=2469403166362751837 --mojo-platform-channel-handle=2548 /prefetch:2
        6⤵
        
        PID:5904
    - - C:\Program Files (x86)\Thunder Network\Thunder\Program\XLLiveUD.exe
        
        "C:\Program Files (x86)\Thunder Network\Thunder\Program\XLLiveUD.exe" -UpdateMode:a -Source:thunderx
        5⤵
        
        PID:5600
      - C:\Users\Admin\AppData\Local\Temp\XLLiveUD\Thunder8_11.3.14.1952_auto\XLLiveUD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XLLiveUD\Thunder8_11.3.14.1952_auto\XLLiveUD.exe" -UpdateMode:a -Source:thunderx -RestartToInstall
        6⤵
        
        PID:5496
    - - C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\plugins\XmpPlugin\0.8.0.asar.unpacked\bin\APlayer.exe
        
        "C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\plugins\XmpPlugin\0.8.0.asar.unpacked\bin\APlayer.exe" --server-id="XmplitePlayer" --client-id="XmpPlayerAplayer" --process-id=4668
        5⤵
        
        PID:6076
    - - C:\Windows\system32\ping.exe
        
        C:\Windows/system32/ping.exe -w 5000 -n 1 hub5u.sandai.net
        5⤵
        Runs ping.exe
        
        PID:5940
    - - C:\Windows\system32\ping.exe
        
        C:\Windows/system32/ping.exe -w 5000 -n 1 hub5pn.sandai.net
        5⤵
        Runs ping.exe
        
        PID:3192
    - - C:\Program Files (x86)\Thunder Network\Thunder\Program\XMP\Program\AssociateHelper.exe
        
        "C:\Program Files (x86)\Thunder Network\Thunder\Program\XMP\Program\AssociateHelper.exe" --associate=.asf;.avi;.wm;.wmp;.wmv;.ram;.rm;.rmvb;.rp;.rpm;.rt;.smil;.scm;.dat;.m1v;.m2v;.m2p;.m2ts;.mp2v;.mpe;.mpeg;.mpeg1;.mpeg2;.mpg;.mpv2;.pss;.pva;.tp;.tpr;.ts;.m4b;.m4r;.m4p;.m4v;.mp4;.mpeg4;.3g2;.3gp;.3gp2;.3gpp;.mov;.qt;.flv;.f4v;.swf;.hlv;.ifo;.vob;.amv;.csf;.divx;.evo;.mkv;.mod;.pmp;.vp6;.bik;.mts;.xlmv;.ogm;.ogv;.ogx;.dvd;.srt;.ass;.ssa;.smi;.idx;.sub;.sup;.psb;.usf;.ssf --xmpdesc=xmp
        5⤵
        
        PID:5620
  - - C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe
      "C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe" --type=renderer --no-sandbox --field-trial-handle=3000,1011143369496618790,8671095127474676436,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --disable-gpu-compositing --lang=ja --app-user-model-id="C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe" --app-path="C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app" --node-integration --no-sandbox --no-zygote --enable-remote-module --background-color=#FFF --enable-websql --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=3524 /prefetch:1
      4⤵
      PID:4904
  - - C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe
      "C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe" --type=renderer --no-sandbox --field-trial-handle=3000,1011143369496618790,8671095127474676436,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --disable-gpu-compositing --lang=ja --app-user-model-id="C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe" --app-path="C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app" --node-integration --no-sandbox --no-zygote --preload="C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\out.asar/common-preload.js" --enable-remote-module --background-color=#0000 --enable-websql --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --mojo-platform-channel-handle=3644 /prefetch:1
      4⤵
      PID:884
  - - C:\Program Files (x86)\Thunder Network\Thunder\Program\XLLiveUD.exe
      "C:\Program Files (x86)\Thunder Network\Thunder\Program\XLLiveUD.exe" -UpdateMode:l -Source:thunderx
      4⤵
      PID:4356
    - - C:\Users\Admin\AppData\Local\Temp\XLLiveUD\Thunder8_11.3.14.1952\XLLiveUD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XLLiveUD\Thunder8_11.3.14.1952\XLLiveUD.exe" -UpdateMode:l -Source:thunderx -RestartToInstall
        5⤵
        
        PID:5444
  - - C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe
      "C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe" --type=renderer --no-sandbox --field-trial-handle=3000,1011143369496618790,8671095127474676436,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --disable-gpu-compositing --lang=ja --app-user-model-id="C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe" --app-path="C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app" --node-integration --no-sandbox --no-zygote --enable-remote-module --background-color=#fff --enable-websql --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --mojo-platform-channel-handle=4304 /prefetch:1
      4⤵
      PID:3292
  - - C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe
      "C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe" --type=renderer --no-sandbox --field-trial-handle=3000,1011143369496618790,8671095127474676436,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --disable-gpu-compositing --lang=ja --app-user-model-id="C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe" --app-path="C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app" --node-integration --no-sandbox --no-zygote --enable-remote-module --background-color=#FFF --enable-websql --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=3984 /prefetch:1
      4⤵
      PID:2816
  - - C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe
      "C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe" --type=renderer --no-sandbox --field-trial-handle=3000,1011143369496618790,8671095127474676436,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --disable-gpu-compositing --lang=ja --app-user-model-id="C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe" --app-path="C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app" --node-integration --no-sandbox --no-zygote --preload="C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\out.asar\plugin-boot.js" --enable-remote-module --background-color=#fff --guest-instance-id=6 --enable-blink-features --disable-blink-features --enable-spellcheck --enable-websql --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --mojo-platform-channel-handle=4424 /prefetch:1
      4⤵
      PID:5984
  - - C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe
      "C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe" --type=renderer --no-sandbox --field-trial-handle=3000,1011143369496618790,8671095127474676436,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --disable-gpu-compositing --lang=ja --app-user-model-id="C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe" --app-path="C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app" --node-integration --no-sandbox --no-zygote --preload="C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\out.asar\plugin-boot.js" --enable-remote-module --background-color=#fff --guest-instance-id=6 --enable-blink-features --disable-blink-features --enable-spellcheck --enable-websql --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --mojo-platform-channel-handle=4440 /prefetch:1
      4⤵
      PID:6020
  - - C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe
      "C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe" --type=renderer --no-sandbox --field-trial-handle=3000,1011143369496618790,8671095127474676436,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --disable-gpu-compositing --lang=ja --app-user-model-id="C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe" --app-path="C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app" --node-integration --no-sandbox --no-zygote --preload="C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\out.asar\plugin-boot.js" --enable-remote-module --background-color=#fff --guest-instance-id=7 --enable-blink-features --disable-blink-features --enable-spellcheck --enable-websql --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --mojo-platform-channel-handle=4396 /prefetch:1
      4⤵
      PID:6060
  - - C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe
      "C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe" --type=renderer --no-sandbox --field-trial-handle=3000,1011143369496618790,8671095127474676436,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --disable-gpu-compositing --lang=ja --app-user-model-id="C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe" --app-path="C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app" --node-integration --no-sandbox --no-zygote --preload="C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\out.asar\plugin-boot.js" --enable-remote-module --background-color=#fff --guest-instance-id=7 --enable-blink-features --disable-blink-features --enable-spellcheck --enable-websql --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --mojo-platform-channel-handle=4448 /prefetch:1
      4⤵
      PID:1892
  - - C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe
      "C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe" --type=renderer --no-sandbox --field-trial-handle=3000,1011143369496618790,8671095127474676436,131072 --enable-features=WebComponentsV0Enabled --disable-features=SpareRendererForSitePerProcess --disable-gpu-compositing --lang=ja --app-user-model-id="C:\Program Files (x86)\Thunder Network\Thunder\Program\Thunder.exe" --app-path="C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app" --node-integration --no-sandbox --no-zygote --preload="C:\Program Files (x86)\Thunder Network\Thunder\Program\resources\app\out.asar\plugin-boot.js" --enable-remote-module --background-color=#fff --enable-spellcheck --enable-websql --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4492 /prefetch:1
      4⤵
      PID:3532
- C:\Users\Admin\Downloads\XunLeiWebSetup11.3.14.1952gw.exe
  "C:\Users\Admin\Downloads\XunLeiWebSetup11.3.14.1952gw.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4412 /prefetch:8
  2⤵
  PID:2432
- C:\Users\Admin\Downloads\XunLeiWebSetup11.3.14.1952gw.exe
  "C:\Users\Admin\Downloads\XunLeiWebSetup11.3.14.1952gw.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1580 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  PID:4240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2304 /prefetch:8
  2⤵
  PID:1588
- C:\Users\Admin\Downloads\XunLeiWebSetup11.3.14.1952gw.exe
  "C:\Users\Admin\Downloads\XunLeiWebSetup11.3.14.1952gw.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5464 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:752
- C:\Users\Admin\Downloads\XunLeiWebSetup11.3.14.1952gw.exe
  "C:\Users\Admin\Downloads\XunLeiWebSetup11.3.14.1952gw.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3332 /prefetch:8
  2⤵
  PID:816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5676 /prefetch:8
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2372 /prefetch:8
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5948 /prefetch:8
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,12168564521519564683,11249370471661864609,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4732 /prefetch:8
  2⤵
  PID:4164

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -p -s XLServicePlatform
1⤵
PID:748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Thunder Network\DownloadLib\pub_store.dat

Filesize
121B

MD5
a35a07ba586097762320f06379839d10

SHA1
bc56cfae0ab9ff76f6af68483eb5a37034dbe384

SHA256
c4c9c72294aaf694c59899a78b6a69a3793442c63a8160e8c7dd334f7bb6b770

SHA512
dc69ed6a4c71f4e70bdddfeb33fdad96a4acda879ef077dfaaed072f33d23121b14ba9706a9bee79095d74036e7373014abb9bb03ae98540897ae83ba38629c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.3.14.1952\OnlineResource.7z

Filesize
854KB

MD5
15cc776a8574bc073382319e4f2b71fa

SHA1
0faabe4b9b7e6fc96671dc52c5fbda593c052110

SHA256
a6b31134999ebab410cd881e7292d0cc82b65aa13a7eeae3de9134523a5d19ff

SHA512
a69cfb0e6b150bbd4b677f330ff617583c3e2f3da4e0c9f19ecd5230175183d9b3a1ed459ca3e14e67c9832a9c05024fb52a669af83a47d81a3387b439557f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.3.14.1952\OnlineResource.7z

Filesize
854KB

MD5
15cc776a8574bc073382319e4f2b71fa

SHA1
0faabe4b9b7e6fc96671dc52c5fbda593c052110

SHA256
a6b31134999ebab410cd881e7292d0cc82b65aa13a7eeae3de9134523a5d19ff

SHA512
a69cfb0e6b150bbd4b677f330ff617583c3e2f3da4e0c9f19ecd5230175183d9b3a1ed459ca3e14e67c9832a9c05024fb52a669af83a47d81a3387b439557f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.3.14.1952\OnlineResource\resource\[email protected]

Filesize
1KB

MD5
79ddc83ea2fe545d31debb09c3e40282

SHA1
64920806383bfbf93e487e404d138caa3ee41197

SHA256
6cecadb7948a62ae1dc8e450209938b7904f6743a7dbc5c7968db60c95e14fb2

SHA512
95e42116f303044a0d694888b5454b6129a99b02410ffbb0cb2109f64c717f41cacfff34c25b52256bc9a652aec8eba43dea3a04398889ca71c04186f0a0639d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.3.14.1952\OnlineResource\resource\[email protected]

Filesize
1KB

MD5
79ddc83ea2fe545d31debb09c3e40282

SHA1
64920806383bfbf93e487e404d138caa3ee41197

SHA256
6cecadb7948a62ae1dc8e450209938b7904f6743a7dbc5c7968db60c95e14fb2

SHA512
95e42116f303044a0d694888b5454b6129a99b02410ffbb0cb2109f64c717f41cacfff34c25b52256bc9a652aec8eba43dea3a04398889ca71c04186f0a0639d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.3.14.1952\OnlineResource\resource\[email protected]

Filesize
1KB

MD5
2d035ece232bead1c94542a44e283705

SHA1
dd23bbdbcca03d4a2f579da9e3daf9d0adf7b121

SHA256
baaeedcec5cdf87cbbca096ed8c2b50f73ba62ef2472b5e2959206e6014525b6

SHA512
a849b1657ad1aed846dc2b0c970805770d2d3383d8d13594f146a5ea94e2a719257428ed3f265a2c6a02634e62a3fb5f8ab093b00cbf56bf2a9ecf9a4820c0b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.3.14.1952\OnlineResource\resource\[email protected]

Filesize
1KB

MD5
2d035ece232bead1c94542a44e283705

SHA1
dd23bbdbcca03d4a2f579da9e3daf9d0adf7b121

SHA256
baaeedcec5cdf87cbbca096ed8c2b50f73ba62ef2472b5e2959206e6014525b6

SHA512
a849b1657ad1aed846dc2b0c970805770d2d3383d8d13594f146a5ea94e2a719257428ed3f265a2c6a02634e62a3fb5f8ab093b00cbf56bf2a9ecf9a4820c0b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.3.14.1952\OnlineResource\resource\[email protected]

Filesize
1KB

MD5
2d035ece232bead1c94542a44e283705

SHA1
dd23bbdbcca03d4a2f579da9e3daf9d0adf7b121

SHA256
baaeedcec5cdf87cbbca096ed8c2b50f73ba62ef2472b5e2959206e6014525b6

SHA512
a849b1657ad1aed846dc2b0c970805770d2d3383d8d13594f146a5ea94e2a719257428ed3f265a2c6a02634e62a3fb5f8ab093b00cbf56bf2a9ecf9a4820c0b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.3.14.1952\XunLeiSetup11.3.14.1952.exe

Filesize
135.3MB

MD5
3f70ef3a330e9134fb737b48f494d236

SHA1
4123430207cf1afa1cc72a9434ec88a67fea0c2e

SHA256
179b9cc9ba0318122d493c30674ffa819c26eae55d2d9e34aa4a7d367352f238

SHA512
b2841e5bf3ebf4d62a3aa4836c1a5c6396947e991f44dbdc21b3bb2a341d0ac35b5aba4c3c7c1ff3270cdf36df4523fa06d2f72c7ef87cf9db171c64e74ed578

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.3.14.1952\XunLeiSetup11.3.14.1952.exe

Filesize
135.3MB

MD5
3f70ef3a330e9134fb737b48f494d236

SHA1
4123430207cf1afa1cc72a9434ec88a67fea0c2e

SHA256
179b9cc9ba0318122d493c30674ffa819c26eae55d2d9e34aa4a7d367352f238

SHA512
b2841e5bf3ebf4d62a3aa4836c1a5c6396947e991f44dbdc21b3bb2a341d0ac35b5aba4c3c7c1ff3270cdf36df4523fa06d2f72c7ef87cf9db171c64e74ed578

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderInstall\11.3.14.1952\SDK\DownloadSDK.dll

Filesize
2.6MB

MD5
d33a02955e13047f3b39391ace85c31c

SHA1
0be22f458a340e662ff5227831409240d1c5e51a

SHA256
11aa7b1a071ac3caccd072eb58165f7a73fc1500aa4ac645ab461e9136196c87

SHA512
9770872ae33e44d9c2d42b405f8e63b1eb5caf23acd34a5dc3ff4c07782c394e77ffd3716a5bdf4c42fc655eefe2cd65c4c7639945861a872c53074d38eb5d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderInstall\11.3.14.1952\SDK\DownloadSDKServer.exe

Filesize
157KB

MD5
5f0b998aac81419b0bf962098b5eb741

SHA1
ccc605b5ce27626508eadaff0357e5cb12c164c2

SHA256
f37c3ec776a076e030a94d73a1ecaa51ae683df9cb0a393085d67851062318f6

SHA512
1374993e38626ae8ca9320c10e9cc5be86f1e3d107ac6163af39d9b816f12bc180221fec9380cdfab49edd4e9358c796f19fd93ce700092b1c7bd6fc1b78c49b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderInstall\11.3.14.1952\SDK\DownloadSDKServer.exe

Filesize
157KB

MD5
5f0b998aac81419b0bf962098b5eb741

SHA1
ccc605b5ce27626508eadaff0357e5cb12c164c2

SHA256
f37c3ec776a076e030a94d73a1ecaa51ae683df9cb0a393085d67851062318f6

SHA512
1374993e38626ae8ca9320c10e9cc5be86f1e3d107ac6163af39d9b816f12bc180221fec9380cdfab49edd4e9358c796f19fd93ce700092b1c7bd6fc1b78c49b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderInstall\11.3.14.1952\SDK\XLBugHandler.dll

Filesize
575KB

MD5
e4f1e6ae71919ea2c042b72898e03f75

SHA1
a646d10b9e8aa802996c3db213dde856287d2769

SHA256
796393c5133327d4f171701ac9da18a73b7b03208aa957b4df6c69d96b34a287

SHA512
ac69b0711ef047e51de7d965835099306ed17381331d4a3908e40e55968a9a39c860d7218b29a821a584fde5814045adda61e071a1f93b39dbeb0f2743af05aa

Download Submit
C:\Users\Admin\Downloads\XunLeiWebSetup11.3.14.1952gw.exe

Filesize
5.2MB

MD5
9b1416d46fd7a9de1fc7ada5a73934cc

SHA1
81e71dd5ed95df6fc639c924ff16f85ff2511bd9

SHA256
9dc8e49284c2d466813af108617a3aeca57f51b6fb3efd7ec4afbb72611adfa9

SHA512
b0a9981bf276039a222c6c8f92a0da2cbaa0982aa5a44fdcf957f140567fe17ed4f7c854d2840563a2cd278107f50ae95e33906d4b84f101e6197cbf81c90354

Download Submit
C:\Users\Admin\Downloads\XunLeiWebSetup11.3.14.1952gw.exe

Filesize
5.2MB

MD5
9b1416d46fd7a9de1fc7ada5a73934cc

SHA1
81e71dd5ed95df6fc639c924ff16f85ff2511bd9

SHA256
9dc8e49284c2d466813af108617a3aeca57f51b6fb3efd7ec4afbb72611adfa9

SHA512
b0a9981bf276039a222c6c8f92a0da2cbaa0982aa5a44fdcf957f140567fe17ed4f7c854d2840563a2cd278107f50ae95e33906d4b84f101e6197cbf81c90354

Download Submit
C:\Users\Admin\Downloads\XunLeiWebSetup11.3.14.1952gw.exe

Filesize
5.2MB

MD5
9b1416d46fd7a9de1fc7ada5a73934cc

SHA1
81e71dd5ed95df6fc639c924ff16f85ff2511bd9

SHA256
9dc8e49284c2d466813af108617a3aeca57f51b6fb3efd7ec4afbb72611adfa9

SHA512
b0a9981bf276039a222c6c8f92a0da2cbaa0982aa5a44fdcf957f140567fe17ed4f7c854d2840563a2cd278107f50ae95e33906d4b84f101e6197cbf81c90354

Download Submit
C:\Users\Admin\Downloads\XunLeiWebSetup11.3.14.1952gw.exe

Filesize
5.2MB

MD5
9b1416d46fd7a9de1fc7ada5a73934cc

SHA1
81e71dd5ed95df6fc639c924ff16f85ff2511bd9

SHA256
9dc8e49284c2d466813af108617a3aeca57f51b6fb3efd7ec4afbb72611adfa9

SHA512
b0a9981bf276039a222c6c8f92a0da2cbaa0982aa5a44fdcf957f140567fe17ed4f7c854d2840563a2cd278107f50ae95e33906d4b84f101e6197cbf81c90354

Download Submit
C:\Users\Admin\Downloads\XunLeiWebSetup11.3.14.1952gw.exe

Filesize
5.2MB

MD5
9b1416d46fd7a9de1fc7ada5a73934cc

SHA1
81e71dd5ed95df6fc639c924ff16f85ff2511bd9

SHA256
9dc8e49284c2d466813af108617a3aeca57f51b6fb3efd7ec4afbb72611adfa9

SHA512
b0a9981bf276039a222c6c8f92a0da2cbaa0982aa5a44fdcf957f140567fe17ed4f7c854d2840563a2cd278107f50ae95e33906d4b84f101e6197cbf81c90354

Download Submit
C:\Users\Admin\Downloads\XunLeiWebSetup11.3.14.1952gw.exe

Filesize
5.2MB

MD5
9b1416d46fd7a9de1fc7ada5a73934cc

SHA1
81e71dd5ed95df6fc639c924ff16f85ff2511bd9

SHA256
9dc8e49284c2d466813af108617a3aeca57f51b6fb3efd7ec4afbb72611adfa9

SHA512
b0a9981bf276039a222c6c8f92a0da2cbaa0982aa5a44fdcf957f140567fe17ed4f7c854d2840563a2cd278107f50ae95e33906d4b84f101e6197cbf81c90354

Download Submit
\Users\Admin\AppData\Local\Temp\OnlineInstall\11.3.14.1952\OnlineResource\InstallEntry.dll

Filesize
1.0MB

MD5
23319954fb4751072c9135a718364b02

SHA1
3fe7847a0b9f787df0b45906624d8b1a94a98037

SHA256
0a32d51726f8b8159bffe9a755eaededf5ea913c11f232e3e2ac484a659f6d14

SHA512
65a87f60b6204b4ee2fcefe4cf3ebad0a507b418bd4c8d61947e2d2a5f9f2d4bf54428e5ad2ee9721793c06b6e82a40e3a37c795109ddb0bc4446946ba39a37c

Download Submit
\Users\Admin\AppData\Local\Temp\OnlineInstall\11.3.14.1952\sdk\DownloadSDKProxy.dll

Filesize
96KB

MD5
7cd8ddda1c88a0006ccf99ea1e288ee2

SHA1
baa01e91ab8164f1014e0fad4114c795bf0cf0ee

SHA256
089df650cd191a5516cabc75e8aa0f52be0fccbc63d088be5c19c5a617fe8f6e

SHA512
b3a35197b7e62bf14b07242b2266364a1ff4966eb43caedcb5d549736550a9681296cc687bf96d4109f4d3d571ea9de0fe7946333f02d6353b7fc15e647bd46e

Download Submit
\Users\Admin\AppData\Local\Temp\ThunderInstall\11.3.14.1952\SDK\DownloadSDK.dll

Filesize
2.6MB

MD5
d33a02955e13047f3b39391ace85c31c

SHA1
0be22f458a340e662ff5227831409240d1c5e51a

SHA256
11aa7b1a071ac3caccd072eb58165f7a73fc1500aa4ac645ab461e9136196c87

SHA512
9770872ae33e44d9c2d42b405f8e63b1eb5caf23acd34a5dc3ff4c07782c394e77ffd3716a5bdf4c42fc655eefe2cd65c4c7639945861a872c53074d38eb5d4d

Download Submit
\Users\Admin\AppData\Local\Temp\ThunderInstall\11.3.14.1952\SDK\DownloadSDKProxy.dll

Filesize
102KB

MD5
c8aa239a142fad68f0cbddb964c37b65

SHA1
7d89af167a0a0745e29c364a3b3a79ce3ec546d4

SHA256
22d9f450fe5effef479f131698d61f6ff538e4e2813e2278040438a22cd94373

SHA512
d054bc4594ad044c58a902f6eeab5850527d21692c788edddd3fcdc983b110ebedd8d3f2e48f3a435d4779fde1585259787c3ce49913cdd7c402f40a6c6cd322

Download Submit
\Users\Admin\AppData\Local\Temp\ThunderInstall\11.3.14.1952\SDK\XLBugHandler.dll

Filesize
575KB

MD5
e4f1e6ae71919ea2c042b72898e03f75

SHA1
a646d10b9e8aa802996c3db213dde856287d2769

SHA256
796393c5133327d4f171701ac9da18a73b7b03208aa957b4df6c69d96b34a287

SHA512
ac69b0711ef047e51de7d965835099306ed17381331d4a3908e40e55968a9a39c860d7218b29a821a584fde5814045adda61e071a1f93b39dbeb0f2743af05aa

Download Submit
\Users\Admin\AppData\Local\Temp\ThunderInstall\11.3.14.1952\ThunderInstallReal.dll

Filesize
679KB

MD5
a243eb08f7ba5c691300452b6ce042e8

SHA1
7c2b318973505b9709a91c14995ea461cd903ea9

SHA256
5ea5fcd45a52f4c50513afbdb1a222471e54fda43e8c00e5f04aa5f3f552d01e

SHA512
f7fe6e339e045762004865087eeb3ebee2e2356b12dced11e66c3795d04a1304f3924b0d1f8ca22aff6c41f9a035f9561886eb0e8eb0a6fe576dba6a1c21baa5

Download Submit
\Users\Admin\AppData\Local\Temp\ThunderInstall\11.3.14.1952\XLBugHandler.dll

Filesize
519KB

MD5
fd9401380122ee622a1948df2c3d7c5d

SHA1
acd7ea499c20e42d690970b6345ff868ab06a7fe

SHA256
53ba4c685cb79d020ce792384b75ef35d16b55468d31674e626d691564cf0d44

SHA512
1122ee47a5efbf349bd8b0134af8ae44950b8a41a1a307858084feabd6a42d88e8d237f5ba75c38130bb1aa85e0e09fe8ca5bc2d559775218ea23564dc290235

Download Submit
memory/2184-159-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-137-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-166-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-165-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-167-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-168-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-169-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-170-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-171-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-172-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-173-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-174-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-175-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-176-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-177-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-178-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-179-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-180-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-181-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-182-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-183-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-184-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-185-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-186-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-122-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-123-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-163-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-162-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-161-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-160-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-124-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-157-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-156-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-155-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-154-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-153-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-152-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-125-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-151-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-150-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-149-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-148-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-126-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-147-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-146-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-145-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-143-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-144-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-142-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-140-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-127-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-141-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-139-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-138-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-164-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-136-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-135-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-134-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-133-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-132-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-129-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-130-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/2184-131-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4664-188-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download