737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c

Analysis

max time kernel
155s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2022 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Size

27.5MB
MD5

0fc445b628172eed2d0837e123f6bc21
SHA1

2cdeb35d3590b28ba62531ee64054fd2995d07a8
SHA256

737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c
SHA512

86c8be809d4684956ea298a61212ca16bf71e09f784ec27ad618a631155b7b2ae41be68b459a72ebdb75a24919370c72e611dce9dfd36cbc3ab9f226a8331338
SSDEEP

786432:6Ak9boAhksWVn+WRcGrzCmhfTUIIUfEmP5oU:+bon+WuGa8cwWU

Score

8^/10

bootkit discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
90	3268	rundll32.exe
107	3268	rundll32.exe
199	3268	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 25 IoCs

pid	Process
1308	QiyiService.exe
788	QiyiDACL.exe
3340	QyClient.exe
1920	QiyiService.exe
1156	QiyiService.exe
2412	QiyiService.exe
1836	QiyiDACL.exe
4800	QiyiUpdate.exe
4756	QyClient.exe
1664	QiyiService.exe
3452	QyClient.exe
4384	QyFragment.exe
4836	QyClient.exe
3672	QyKernel.exe
2916	AndroidService.exe
3500	QiyiService.exe
2236	qiyiupdate.exe
536	QiyiUpdate.exe
1040	QyClient.exe
4472	AndroidService.exe
4876	QiyiService.exe
3636	AndroidService.exe
2028	QyFragment.exe
4716	QyPlayer.exe
1624	QyFragment.exe

Modifies Windows Firewall 1 TTPs 4 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4436	netsh.exe
4612	netsh.exe
2084	netsh.exe
3524	netsh.exe

Registers COM server for autorun 1 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A921A80-9845-45C0-80FD-810079240272}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A921A80-9845-45C0-80FD-810079240272}\InprocServer32\ = "C:\\Program Files (x86)\\IQIYI Video\\PStyle\\IconExtension64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\InprocServer32\ = "C:\\PROGRA~2\\IQIYIV~1\\PStyle\\QYPLUG~1.DLL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{33A895C1-4269-466F-9B01-0C8AEFB64AC3}\InprocServer32	QiyiDACL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{33A895C1-4269-466F-9B01-0C8AEFB64AC3}\InprocServer32\ = "shdocvw.dll"	QiyiDACL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{33A895C1-4269-466F-9B01-0C8AEFB64AC3}\InprocServer32\ThreadingModel = "Apartment"	QiyiDACL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A921A80-9845-45C0-80FD-810079240272}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{085CB97F-6D0B-487D-B94C-E11A736C38CE}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{085CB97F-6D0B-487D-B94C-E11A736C38CE}\InprocServer32\ = "C:\\PROGRA~2\\IQIYIV~1\\PStyle\\QYPLUG~1.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	QyClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	QiyiUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	QyClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	qiyiupdate.exe

Loads dropped DLL 64 IoCs

pid	Process
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
216	regsvr32.exe
2300	regsvr32.exe
2756	regsvr32.exe
3340	QyClient.exe
3340	QyClient.exe
3340	QyClient.exe
3340	QyClient.exe
3340	QyClient.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
1944	regsvr32.exe
2972	regsvr32.exe
4800	QiyiUpdate.exe
4800	QiyiUpdate.exe
4800	QiyiUpdate.exe
4756	QyClient.exe
4756	QyClient.exe
4756	QyClient.exe
4756	QyClient.exe
4756	QyClient.exe
4756	QyClient.exe
4756	QyClient.exe
4756	QyClient.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4756	QyClient.exe
4756	QyClient.exe
4756	QyClient.exe
4756	QyClient.exe
4756	QyClient.exe
4756	QyClient.exe
4756	QyClient.exe
4756	QyClient.exe
4756	QyClient.exe
4756	QyClient.exe
3452	QyClient.exe
3452	QyClient.exe
3452	QyClient.exe
3452	QyClient.exe
3452	QyClient.exe
4384	QyFragment.exe
4384	QyFragment.exe
4384	QyFragment.exe
4384	QyFragment.exe
4384	QyFragment.exe
4384	QyFragment.exe
4384	QyFragment.exe
4384	QyFragment.exe
4384	QyFragment.exe
4384	QyFragment.exe
4384	QyFragment.exe
4836	QyClient.exe
4836	QyClient.exe
4836	QyClient.exe
4836	QyClient.exe
4836	QyClient.exe
4756	QyClient.exe
4756	QyClient.exe
4756	QyClient.exe
4756	QyClient.exe
4384	QyFragment.exe
2916	AndroidService.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QyClient = "\"C:\\Program Files (x86)\\IQIYI Video\\PStyle\\QyClient.exe\" autostart"	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QiyiUpdate.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	qiyiupdate.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	QyPlayer.exe
File opened for modification	\??\PhysicalDrive0	QyClient.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe
File opened for modification	\??\PhysicalDrive0	QyClient.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\IQIYI Video\PStyle\skin\homepageRes.zip	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File created	C:\Program Files (x86)\IQIYI Video\PStyle\updateUI.swf	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\Common\LocalHtmlPage\yingyin-pop-fail.html	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\appdata\webcache\1\movieLib_pstyle.css	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\local.inf	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\Common\libfontconfig-1.dll	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File created	C:\Program Files (x86)\IQIYI Video\PStyle\skia_core.dll	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\CodeImage\code.gif	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File created	C:\Program Files (x86)\IQIYI Video\PStyle\appdata\webcache\27\WebPage.html	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File created	C:\Program Files (x86)\IQIYI Video\PStyle\pingback.ini	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\QyClientbaselib.log	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\Common\HCDNClientNet.dll	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\MobileProxy.dll	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\QiyiService.config	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\Mobile\AndroidService.exe	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\Common\pthreadVC2.dll	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\strategy.ini	QyClient.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\debug.log	QyClient.exe
File created	C:\Program Files (x86)\IQIYI Video\PStyle\appdata\webcache\115\WebPage.html	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File created	C:\Program Files (x86)\IQIYI Video\PStyle\PinItem.vbs	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File created	C:\Program Files (x86)\IQIYI Video\PStyle\Mobile\AdbWinApi.dll	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\Common\fp2x.dll	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\QYPlugin64.dll	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File created	C:\Program Files (x86)\IQIYI Video\PStyle\QyClientbaselib.log	QyClient.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\log.txt	qiyiupdate.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\log_network.txt	QyPlayer.exe
File created	C:\Program Files (x86)\IQIYI Video\PStyle\skin\Logo\qsv.ico	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\Mobile\ServProvider.log	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File created	C:\Program Files (x86)\IQIYI Video\PStyle\Mobile\AndroidService.exe	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\QyPlayer.exe	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File created	C:\Program Files (x86)\IQIYI Video\PStyle\QYPlugin.dll	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\Mobile\ServProvider.log	QyFragment.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\skin\Logo\LogoNetworkVideo.ico	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\filters.xml	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File created	C:\Program Files (x86)\IQIYI Video\PStyle\ChannelWebPage.xml	QyClient.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\skin\QiyiPlayer.zip	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\appdata\webcache\22\WebPage.html	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File created	C:\Program Files (x86)\IQIYI Video\PStyle\Common\Keys\pcclient-cert.pem	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\ClientID.dll	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\Common\libexpat-1.dll	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File created	C:\Program Files (x86)\IQIYI Video\PStyle\Mobile\QServProvider.dll	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\skin\VideoLibrary.zip	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File created	C:\Program Files (x86)\IQIYI Video\PStyle\appdata\webcache\5\movieLib_pstyle.css	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File created	C:\Program Files (x86)\IQIYI Video\PStyle\CrashReport.exe	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\Common\QiyiKernel.dll	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File created	C:\Program Files (x86)\IQIYI Video\PStyle\appdata\webcache\22\WebPage.html	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\debug.log	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\mfc100u.dll	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\QiyiHomepage.dll	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\win7feature.dll	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File created	C:\Program Files (x86)\IQIYI Video\PStyle\skin\downloadRes.zip	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File created	C:\Program Files (x86)\IQIYI Video\PStyle\QiyiUpdate.exe	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File created	C:\Program Files (x86)\IQIYI Video\PStyle\appPluginBase.dll	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File created	C:\Program Files (x86)\IQIYI Video\PStyle\QyPlayerbaselib.log	QyPlayer.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\Common\popWnd.json	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File created	C:\Program Files (x86)\IQIYI Video\PStyle\NDKTest.dll	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\NDKTest.dll	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File created	C:\Program Files (x86)\IQIYI Video\PStyle\QiyiInstaller.exe	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\appdata\webcache\8\WebPage.html	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\QyClientbaselib.old.log	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File created	C:\Program Files (x86)\IQIYI Video\PStyle\Common\pthreadGC2.dll	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File opened for modification	C:\Program Files (x86)\IQIYI Video\PStyle\log.txt	QiyiUpdate.exe
File created	C:\Program Files (x86)\IQIYI Video\PStyle\appdata\webcache\27\movieLib_pstyle.css	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
File created	C:\Program Files (x86)\IQIYI Video\PStyle\Mobile\AdbWinUsbApi.dll	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	QyFragment.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	QyFragment.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LocationInformation	QyFragment.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	QyFragment.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	QyFragment.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	QyFragment.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	QyFragment.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	QyFragment.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	QyFragment.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	QyFragment.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	QyFragment.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	QyFragment.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	QyFragment.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	QyFragment.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	QyFragment.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	QyFragment.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LocationInformation	QyFragment.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	QyFragment.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	QyPlayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	QyPlayer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	QyClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	QyClient.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	QyClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	QyClient.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\AppName = "QyClient.exe"	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\PStyle\\"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\QyClient.exe = "9000"	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.iqiyi.com	QyFragment.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.iqiyi.com\ = "0"	QyFragment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\PStyle\\"	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\AppName = "QYFollowVideo.exe"	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\iqiyi.com\Total = "9"	QyFragment.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\iqiyi.com\Total = "0"	QyFragment.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\PStyle\\"	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\Policy = "3"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\AppName = "QYFollowVideo.exe"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\iqiyi.com\NumberOfSubdomains = "1"	QyFragment.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "9"	QyFragment.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\Policy = "3"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\PStyle\\"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\Policy = "3"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\QyFragment.exe = "9000"	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\iqiyi.com	QyFragment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\AppName = "QyClient.exe"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	QyFragment.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.iqiyi.com\ = "9"	QyFragment.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	QyFragment.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	QyFragment.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\PStyle\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\AppName = "QYFollowVideo.exe"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\Policy = "3"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\PStyle\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\QyPlayer.exe = "9000"	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\Policy = "3"	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\Policy = "3"	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\AppName = "QyClient.exe"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DOMStorage\iqiyi.com	QyFragment.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d969c6-f192-11d4-a65f-0040963251e5}\TypeLib\ = "{f5078f18-c551-11d3-89b9-0000f81fe221}"	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d969c2-f192-11d4-a65f-0040963251e5}\InProcServer32\ = "%ProgramFiles(x86)%\\IQIYI Video\\PStyle\\msxml4.dll"	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\4.0\HELPDIR	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6360BD3-5CD0-40D3-BD87-DAFF37889F50}\1.0\ = "QYPlugin ActiveX ¿Ø¼þÄ£¿é"	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{790F2D3B-18EE-40E2-A45E-1FAC13B6AFB8}\ = "_DQYPluginEvents"	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\ProgID\ = "QYPlugin.QYPluginCtrl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d969c0-f192-11d4-a65f-0040963251e5}\InProcServer32\ThreadingModel = "Both"	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d969c5-f192-11d4-a65f-0040963251e5}\InProcServer32\ = "%ProgramFiles(x86)%\\IQIYI Video\\PStyle\\msxml4.dll"	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d969c6-f192-11d4-a65f-0040963251e5}\TypeLib	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d969c3-f192-11d4-a65f-0040963251e5}\InProcServer32	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\InprocServer32\ThreadingModel = "Apartment"	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QISU\shell\open\command	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\Control\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Msxml2.SAXXMLReader.4.0	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Msxml2.MXXMLWriter.4.0\CLSID	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A921A80-9845-45C0-80FD-810079240272}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d969c1-f192-11d4-a65f-0040963251e5}\ProgID	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\4.0\FLAGS	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\4.0\0	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6360BD3-5CD0-40D3-BD87-DAFF37889F50}\1.0\HELPDIR\	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\Control	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.QSK\ = "QSKFile"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Msxml2.DSOControl.4.0	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7c6e29bc-8b8b-4c3d-859e-af6cd158be0f}\ProgID	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{138F4260-66CA-4F7C-812F-C6EED99B7EC7}\ProxyStubClsid32	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{33A895C1-4269-466F-9B01-0C8AEFB64AC3}\Instance\InitPropertyBag	QiyiDACL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A921A80-9845-45C0-80FD-810079240272}\InprocServer32\ = "C:\\Program Files (x86)\\IQIYI Video\\PStyle\\IconExtension64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d969ca-f192-11d4-a65f-0040963251e5}\InProcServer32	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d969d6-f192-11d4-a65f-0040963251e5}\InProcServer32	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{138F4260-66CA-4F7C-812F-C6EED99B7EC7}\ProxyStubClsid32	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QYPlugin.QYPluginCtrl.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{33A895C1-4269-466F-9B01-0C8AEFB64AC3}\Shell	QiyiDACL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d969c8-f192-11d4-a65f-0040963251e5}\Version	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QYPlugin.QYPluginCtrl.1\CLSID	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{33A895C1-4269-466F-9B01-0C8AEFB64AC3}\Instance\InitPropertyBag\Target = "C:\\Users\\Admin\\Documents\\QiyiVideoLibrary"	QiyiDACL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00b7e0ab-817a-44ad-a04b-d1148d524136}	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00b7e0ab-817a-44ad-a04b-d1148d524136}\InProcServer32	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d969ca-f192-11d4-a65f-0040963251e5}\InProcServer32\ThreadingModel = "Both"	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d969d6-f192-11d4-a65f-0040963251e5}\InProcServer32\ThreadingModel = "Both"	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\MiscStatus\1\ = "132497"	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{33A895C1-4269-466F-9B01-0C8AEFB64AC3}\InprocServer32\ThreadingModel = "Apartment"	QiyiDACL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d969c4-f192-11d4-a65f-0040963251e5}\InProcServer32	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d969c6-f192-11d4-a65f-0040963251e5}	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d969c3-f192-11d4-a65f-0040963251e5}	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Msxml2.XSLTemplate.4.0\CLSID\ = "{88d969c3-f192-11d4-a65f-0040963251e5}"	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d969ca-f192-11d4-a65f-0040963251e5}\ProgID	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{138F4260-66CA-4F7C-812F-C6EED99B7EC7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	QiyiDACL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d969c1-f192-11d4-a65f-0040963251e5}\ProgID\ = "Msxml2.FreeThreadedDOMDocument.4.0"	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Msxml2.XMLHTTP.4.0	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00b7e0ab-817a-44ad-a04b-d1148d524136}\InProcServer32\ThreadingModel = "Both"	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\TypeLib\ = "{B6360BD3-5CD0-40D3-BD87-DAFF37889F50}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d969c2-f192-11d4-a65f-0040963251e5}\ProgID\ = "Msxml2.XMLSchemaCache.4.0"	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d969c3-f192-11d4-a65f-0040963251e5}\ProgID	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{138F4260-66CA-4F7C-812F-C6EED99B7EC7}\ = "_DQYPlugin"	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{085CB97F-6D0B-487D-B94C-E11A736C38CE}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QSKFile	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d969c1-f192-11d4-a65f-0040963251e5}\Version\ = "4.0"	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d969c1-f192-11d4-a65f-0040963251e5}\TypeLib\ = "{f5078f18-c551-11d3-89b9-0000f81fe221}"	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4384	QyFragment.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4756	QyClient.exe
1040	QyClient.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
1040	QyClient.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4756	QyClient.exe
1040	QyClient.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
1040	QyClient.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
3340	QyClient.exe
4800	QiyiUpdate.exe
4756	QyClient.exe
4800	QiyiUpdate.exe
3452	QyClient.exe
4836	QyClient.exe
2236	qiyiupdate.exe
536	QiyiUpdate.exe
1040	QyClient.exe
2236	qiyiupdate.exe
1040	QyClient.exe
4716	QyPlayer.exe
4716	QyPlayer.exe
4384	QyFragment.exe
4384	QyFragment.exe
4384	QyFragment.exe
4716	QyPlayer.exe
4716	QyPlayer.exe
1040	QyClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 1308	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	82
PID 4856 wrote to memory of 1308	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	82
PID 4856 wrote to memory of 1308	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	82
PID 4856 wrote to memory of 788	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	84
PID 4856 wrote to memory of 788	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	84
PID 4856 wrote to memory of 788	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	84
PID 4856 wrote to memory of 216	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	87
PID 4856 wrote to memory of 216	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	87
PID 4856 wrote to memory of 216	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	87
PID 4856 wrote to memory of 2300	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	88
PID 4856 wrote to memory of 2300	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	88
PID 4856 wrote to memory of 2300	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	88
PID 2300 wrote to memory of 2756	2300	regsvr32.exe	91
PID 2300 wrote to memory of 2756	2300	regsvr32.exe	91
PID 4856 wrote to memory of 3340	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	93
PID 4856 wrote to memory of 3340	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	93
PID 4856 wrote to memory of 3340	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	93
PID 4856 wrote to memory of 1920	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	94
PID 4856 wrote to memory of 1920	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	94
PID 4856 wrote to memory of 1920	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	94
PID 4856 wrote to memory of 2084	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	96
PID 4856 wrote to memory of 2084	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	96
PID 4856 wrote to memory of 2084	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	96
PID 4856 wrote to memory of 3524	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	97
PID 4856 wrote to memory of 3524	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	97
PID 4856 wrote to memory of 3524	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	97
PID 3340 wrote to memory of 2412	3340	QyClient.exe	98
PID 3340 wrote to memory of 2412	3340	QyClient.exe	98
PID 3340 wrote to memory of 2412	3340	QyClient.exe	98
PID 4856 wrote to memory of 4436	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	101
PID 4856 wrote to memory of 4436	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	101
PID 4856 wrote to memory of 4436	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	101
PID 4856 wrote to memory of 4612	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	103
PID 4856 wrote to memory of 4612	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	103
PID 4856 wrote to memory of 4612	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	103
PID 4856 wrote to memory of 1944	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	105
PID 4856 wrote to memory of 1944	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	105
PID 4856 wrote to memory of 1944	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	105
PID 4856 wrote to memory of 1836	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	106
PID 4856 wrote to memory of 1836	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	106
PID 4856 wrote to memory of 1836	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	106
PID 1944 wrote to memory of 2972	1944	regsvr32.exe	107
PID 1944 wrote to memory of 2972	1944	regsvr32.exe	107
PID 3340 wrote to memory of 4800	3340	QyClient.exe	108
PID 3340 wrote to memory of 4800	3340	QyClient.exe	108
PID 3340 wrote to memory of 4800	3340	QyClient.exe	108
PID 4800 wrote to memory of 4756	4800	QiyiUpdate.exe	111
PID 4800 wrote to memory of 4756	4800	QiyiUpdate.exe	111
PID 4800 wrote to memory of 4756	4800	QiyiUpdate.exe	111
PID 4800 wrote to memory of 1664	4800	QiyiUpdate.exe	113
PID 4800 wrote to memory of 1664	4800	QiyiUpdate.exe	113
PID 4800 wrote to memory of 1664	4800	QiyiUpdate.exe	113
PID 4856 wrote to memory of 3452	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	119
PID 4856 wrote to memory of 3452	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	119
PID 4856 wrote to memory of 3452	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	119
PID 4856 wrote to memory of 4384	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	117
PID 4856 wrote to memory of 4384	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	117
PID 4856 wrote to memory of 4384	4856	737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe	117
PID 4384 wrote to memory of 4836	4384	QyFragment.exe	116
PID 4384 wrote to memory of 4836	4384	QyFragment.exe	116
PID 4384 wrote to memory of 4836	4384	QyFragment.exe	116
PID 4756 wrote to memory of 3672	4756	QyClient.exe	120
PID 4756 wrote to memory of 3672	4756	QyClient.exe	120
PID 4756 wrote to memory of 3672	4756	QyClient.exe	120

C:\Users\Admin\AppData\Local\Temp\737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe
"C:\Users\Admin\AppData\Local\Temp\737f74204761c5eef06ed8ddf513922313a984d28dcfd87656dff7c93880f07c.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Program Files (x86)\IQIYI Video\PStyle\QiyiService.exe
  "C:\Program Files (x86)\IQIYI Video\PStyle\QiyiService.exe" -u
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Program Files (x86)\IQIYI Video\PStyle\QiyiDACL.exe
  "C:\Program Files (x86)\IQIYI Video\PStyle\QiyiDACL.exe" QiyiUpdate "C:\Users\Admin\AppData\Roaming\IQIYI Video" true
  2⤵
  - Executes dropped EXE
  PID:788
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\IQIYI Video\PStyle\QYPlugin.dll"
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:216
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\IQIYI Video\PStyle\QYPlugin64.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files (x86)\IQIYI Video\PStyle\QYPlugin64.dll"
    3⤵
    - Registers COM server for autorun
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2756
- C:\Program Files (x86)\IQIYI Video\PStyle\QyClient.exe
  "C:\Program Files (x86)\IQIYI Video\PStyle\QyClient.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3340
- - C:\Program Files (x86)\IQIYI Video\PStyle\QiyiService.exe
    -c sender=client&mark=qiyi&dacl=high&cmd=startupdate&args=NOUSE%2C%2CQyClient%2C%2C
    3⤵
    - Executes dropped EXE
    PID:2412
- - C:\Program Files (x86)\IQIYI Video\PStyle\QiyiUpdate.exe
    "C:\Program Files (x86)\IQIYI Video\PStyle\QiyiUpdate.exe" NOUSE,,QyClient,,
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Program Files (x86)\IQIYI Video\PStyle\QyClient.exe
      "C:\Program Files (x86)\IQIYI Video\PStyle\QyClient.exe" update
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Drops file in Program Files directory
      Checks processor information in registry
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4756
    - - C:\Program Files (x86)\IQIYI Video\PStyle\Common\QyKernel.exe
        
        "C:\Program Files (x86)\IQIYI Video\PStyle\Common\QyKernel.exe"
        5⤵
        Executes dropped EXE
        
        PID:3672
  - - C:\Program Files (x86)\IQIYI Video\PStyle\QiyiService.exe
      "C:\Program Files (x86)\IQIYI Video\PStyle\QiyiService.exe" -i
      4⤵
      Executes dropped EXE
      PID:1664
- C:\Program Files (x86)\IQIYI Video\PStyle\QiyiService.exe
  "C:\Program Files (x86)\IQIYI Video\PStyle\QiyiService.exe" -i
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name = "QYCLIENT" dir=in program = "C:\Program Files (x86)\IQIYI Video\PStyle\QyClient.exe" action=allow description = "C:\Program Files (x86)\IQIYI Video\PStyle\QyClient.exe"
  2⤵
  - Modifies Windows Firewall
  PID:2084
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name = "QYKernel" dir=in program = "C:\Program Files (x86)\IQIYI Video\PStyle\PStyle\Common\QyKernel.exe" action=allow description = "C:\Program Files (x86)\IQIYI Video\PStyle\PStyle\Common\QyKernel.exe"
  2⤵
  - Modifies Windows Firewall
  PID:3524
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name = "QIYIPLAYER" dir=in program = "C:\Program Files (x86)\IQIYI Video\PStyle\QyPlayer.exe" action=allow description = "C:\Program Files (x86)\IQIYI Video\PStyle\QyPlayer.exe"
  2⤵
  - Modifies Windows Firewall
  PID:4436
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name = "HCDNCLIENT" dir=in program = "C:\Program Files (x86)\IQIYI Video\PStyle\PStyle\Common\HCDNClient.exe" action=allow description = "C:\Program Files (x86)\IQIYI Video\PStyle\PStyle\Common\HCDNClient.exe"
  2⤵
  - Modifies Windows Firewall
  PID:4612
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\IQIYI Video\PStyle\IconExtension64.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files (x86)\IQIYI Video\PStyle\IconExtension64.dll"
    3⤵
    - Registers COM server for autorun
    - Loads dropped DLL
    - Modifies registry class
    PID:2972
- C:\Program Files (x86)\IQIYI Video\PStyle\QiyiDACL.exe
  "C:\Program Files (x86)\IQIYI Video\PStyle\QiyiDACL.exe" videolibrary=install_setup_noicon
  2⤵
  - Executes dropped EXE
  - Registers COM server for autorun
  - Modifies registry class
  PID:1836
- C:\Program Files (x86)\IQIYI Video\PStyle\QyFragment.exe
  "C:\Program Files (x86)\IQIYI Video\PStyle\QyFragment.exe" UpdateVideoLibrary
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Checks SCSI registry key(s)
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Program Files (x86)\IQIYI Video\PStyle\Mobile\AndroidService.exe
    kill-server
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2916
- - C:\Program Files (x86)\IQIYI Video\PStyle\Mobile\AndroidService.exe
    start-server
    3⤵
    - Executes dropped EXE
    PID:4472
  - - C:\Program Files (x86)\IQIYI Video\PStyle\Mobile\AndroidService.exe
      adb fork-server server
      4⤵
      Executes dropped EXE
      PID:3636
- C:\Program Files (x86)\IQIYI Video\PStyle\QyClient.exe
  "C:\Program Files (x86)\IQIYI Video\PStyle\QyClient.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:3452
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\\masRepair.dll",RunRepair 2
  2⤵
  - Blocklisted process makes network request
  - Writes to the Master Boot Record (MBR)
  PID:3268

C:\Program Files (x86)\IQIYI Video\PStyle\QiyiService.exe
"C:\Program Files (x86)\IQIYI Video\PStyle\QiyiService.exe"
1⤵
- Executes dropped EXE
PID:1156
- C:\Program Files (x86)\IQIYI Video\PStyle\qiyiupdate.exe
  "C:\Program Files (x86)\IQIYI Video\PStyle\qiyiupdate.exe" NOUSE,,QyClient,,PipeName=QyFragment.exe::QyClient.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:2236
- - C:\Program Files (x86)\IQIYI Video\PStyle\QyClient.exe
    "C:\Program Files (x86)\IQIYI Video\PStyle\QyClient.exe" update,,PipeName=QyFragment.exe::QyClient.exe
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1040
  - - C:\Program Files (x86)\IQIYI Video\PStyle\QyFragment.exe
      C:\Program Files (x86)\IQIYI Video\PStyle\QyFragment.exe PipeName=QyClient.exe::QyFragment.exe
      4⤵
      Executes dropped EXE
      PID:2028
  - - C:\Program Files (x86)\IQIYI Video\PStyle\QyPlayer.exe
      C:\Program Files (x86)\IQIYI Video\PStyle\QyPlayer.exe PipeName=QyClient.exe::QyPlayer.exe
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      Drops file in Program Files directory
      Checks processor information in registry
      Suspicious use of SetWindowsHookEx
      PID:4716
    - - C:\Program Files (x86)\IQIYI Video\PStyle\QyFragment.exe
        
        C:\Program Files (x86)\IQIYI Video\PStyle\QyFragment.exe PipeName=QyPlayer.exe::QyFragment.exe
        5⤵
        Executes dropped EXE
        
        PID:1624
- - C:\Program Files (x86)\IQIYI Video\PStyle\QiyiService.exe
    "C:\Program Files (x86)\IQIYI Video\PStyle\QiyiService.exe" -i
    3⤵
    - Executes dropped EXE
    PID:4876

C:\Program Files (x86)\IQIYI Video\PStyle\QyClient.exe
C:\Program Files (x86)\IQIYI Video\PStyle\QyClient.exe PipeName=QyFragment.exe::QyClient.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4836
- C:\Program Files (x86)\IQIYI Video\PStyle\QiyiService.exe
  -c sender=client&mark=qiyi&dacl=high&cmd=startupdate&args=NOUSE%2C%2CQyClient%2C%2CPipeName%3DQyFragment%2Eexe%3A%3AQyClient%2Eexe
  2⤵
  - Executes dropped EXE
  PID:3500
- C:\Program Files (x86)\IQIYI Video\PStyle\QiyiUpdate.exe
  "C:\Program Files (x86)\IQIYI Video\PStyle\QiyiUpdate.exe" NOUSE,,QyClient,,PipeName=QyFragment.exe::QyClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\IQIYI Video\PStyle\GBase.dll

Filesize
1.1MB

MD5
dd1421365054ce71b7cadda309c8d3dd

SHA1
f3c29ab18c9bfc0051376624af6a6d1026b7e016

SHA256
f642dd578f4fe2e6711000d86aefeece3e2f4cdca9df95b447efd304fbc5c8d6

SHA512
4635845832b88219e926f125c66315588fd4763f9230df7b4b5688b4663456ce6c55b637acbbecc88583ec2277daaa9e07eca2135adfa79682d610598bb46e5d

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\GBase.dll

Filesize
1.1MB

MD5
dd1421365054ce71b7cadda309c8d3dd

SHA1
f3c29ab18c9bfc0051376624af6a6d1026b7e016

SHA256
f642dd578f4fe2e6711000d86aefeece3e2f4cdca9df95b447efd304fbc5c8d6

SHA512
4635845832b88219e926f125c66315588fd4763f9230df7b4b5688b4663456ce6c55b637acbbecc88583ec2277daaa9e07eca2135adfa79682d610598bb46e5d

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\GBase.dll

Filesize
1.1MB

MD5
dd1421365054ce71b7cadda309c8d3dd

SHA1
f3c29ab18c9bfc0051376624af6a6d1026b7e016

SHA256
f642dd578f4fe2e6711000d86aefeece3e2f4cdca9df95b447efd304fbc5c8d6

SHA512
4635845832b88219e926f125c66315588fd4763f9230df7b4b5688b4663456ce6c55b637acbbecc88583ec2277daaa9e07eca2135adfa79682d610598bb46e5d

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\IconExtension64.dll

Filesize
91KB

MD5
5658346cf42d76939f19136a2c2c4d24

SHA1
af955efa9209a68ec7f631991f1011e515eae6d1

SHA256
8bdb6de4a1095488eb61cf8676beb2237a0257764d4f18645a0dcc29cf039f05

SHA512
badc5f84b3aad6b429662c3d858235add37f3989a0d14f06b995cce2749c89a4b8ac55d052d268ce8c7281c19a44921c5c941d47019b8a211fb89e7e2e7a8545

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\IconExtension64.dll

Filesize
91KB

MD5
5658346cf42d76939f19136a2c2c4d24

SHA1
af955efa9209a68ec7f631991f1011e515eae6d1

SHA256
8bdb6de4a1095488eb61cf8676beb2237a0257764d4f18645a0dcc29cf039f05

SHA512
badc5f84b3aad6b429662c3d858235add37f3989a0d14f06b995cce2749c89a4b8ac55d052d268ce8c7281c19a44921c5c941d47019b8a211fb89e7e2e7a8545

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\IconExtension64.dll

Filesize
91KB

MD5
5658346cf42d76939f19136a2c2c4d24

SHA1
af955efa9209a68ec7f631991f1011e515eae6d1

SHA256
8bdb6de4a1095488eb61cf8676beb2237a0257764d4f18645a0dcc29cf039f05

SHA512
badc5f84b3aad6b429662c3d858235add37f3989a0d14f06b995cce2749c89a4b8ac55d052d268ce8c7281c19a44921c5c941d47019b8a211fb89e7e2e7a8545

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\IconExtension64.dll

Filesize
91KB

MD5
5658346cf42d76939f19136a2c2c4d24

SHA1
af955efa9209a68ec7f631991f1011e515eae6d1

SHA256
8bdb6de4a1095488eb61cf8676beb2237a0257764d4f18645a0dcc29cf039f05

SHA512
badc5f84b3aad6b429662c3d858235add37f3989a0d14f06b995cce2749c89a4b8ac55d052d268ce8c7281c19a44921c5c941d47019b8a211fb89e7e2e7a8545

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\MSVCP100.dll

Filesize
411KB

MD5
bc83108b18756547013ed443b8cdb31b

SHA1
79bcaad3714433e01c7f153b05b781f8d7cb318d

SHA256
b2ad109c15eaa92079582787b7772ba0a2f034f7d075907ff87028df0eaea671

SHA512
6e72b2d40e47567b3e506be474dafa7cacd0b53cd2c2d160c3b5384f2f461fc91bb5fdb614a351f628d4e516b3bbdabc2cc6d4cb4710970146d2938a687dd011

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\QYPlayer.ini

Filesize
923B

MD5
94bed60a0496e5dd0083c65828e2adf5

SHA1
032fc5cb8fadd22157090c600a33b63fd10f8909

SHA256
54b473467b1f7b81409225959596ddf9e3bee2b867a778018484fb495b06a790

SHA512
bf2d8a9f974927c15a81ce92d007abf18bca141cd4765b19e97a63da1ee08a6c19336c9f0085d479988983e58b70d9f5f0ee39987390096316ee2a148a5fc63b

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\QYPlugin.dll

Filesize
596KB

MD5
1091ad983d3c5110c8d2b0a3cd6c1121

SHA1
73c16a1c9e65f14a4c8694fc1de576191076cb29

SHA256
73ab572d1d4ba87f4075e462cce1b7b5c48fcbaed913f245a3312b923ae77263

SHA512
724ec275233845391b41ba69431451b96c9ae03c07d52f71de25a64f1ed1021385ddbb4bd64e5af16908421e98666ccc8216b73e3f88e9b01eebc9599b063869

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\QYPlugin.dll

Filesize
596KB

MD5
1091ad983d3c5110c8d2b0a3cd6c1121

SHA1
73c16a1c9e65f14a4c8694fc1de576191076cb29

SHA256
73ab572d1d4ba87f4075e462cce1b7b5c48fcbaed913f245a3312b923ae77263

SHA512
724ec275233845391b41ba69431451b96c9ae03c07d52f71de25a64f1ed1021385ddbb4bd64e5af16908421e98666ccc8216b73e3f88e9b01eebc9599b063869

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\QYPlugin.dll

Filesize
596KB

MD5
1091ad983d3c5110c8d2b0a3cd6c1121

SHA1
73c16a1c9e65f14a4c8694fc1de576191076cb29

SHA256
73ab572d1d4ba87f4075e462cce1b7b5c48fcbaed913f245a3312b923ae77263

SHA512
724ec275233845391b41ba69431451b96c9ae03c07d52f71de25a64f1ed1021385ddbb4bd64e5af16908421e98666ccc8216b73e3f88e9b01eebc9599b063869

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\QYPlugin64.dll

Filesize
800KB

MD5
d6b27ac6c799e689513a38d749548821

SHA1
bde4497e4d960e6b54ac84dbfca94f20cba00f64

SHA256
5a110113d927cea60358f1d3f2ee40d3247f300f2d2a38cf8fd77e691e0df96e

SHA512
a13771f675c72d0686ccd06a4b70088a4e1e1aed8de38106211897d24611bac6fb3c69f2f3a8b227e0a77b1e9334d5f2b25432ae9ce86681277fd1b8af1bda73

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\QYPlugin64.dll

Filesize
800KB

MD5
d6b27ac6c799e689513a38d749548821

SHA1
bde4497e4d960e6b54ac84dbfca94f20cba00f64

SHA256
5a110113d927cea60358f1d3f2ee40d3247f300f2d2a38cf8fd77e691e0df96e

SHA512
a13771f675c72d0686ccd06a4b70088a4e1e1aed8de38106211897d24611bac6fb3c69f2f3a8b227e0a77b1e9334d5f2b25432ae9ce86681277fd1b8af1bda73

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\QYPlugin64.dll

Filesize
800KB

MD5
d6b27ac6c799e689513a38d749548821

SHA1
bde4497e4d960e6b54ac84dbfca94f20cba00f64

SHA256
5a110113d927cea60358f1d3f2ee40d3247f300f2d2a38cf8fd77e691e0df96e

SHA512
a13771f675c72d0686ccd06a4b70088a4e1e1aed8de38106211897d24611bac6fb3c69f2f3a8b227e0a77b1e9334d5f2b25432ae9ce86681277fd1b8af1bda73

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\QYPlugin64.dll

Filesize
800KB

MD5
d6b27ac6c799e689513a38d749548821

SHA1
bde4497e4d960e6b54ac84dbfca94f20cba00f64

SHA256
5a110113d927cea60358f1d3f2ee40d3247f300f2d2a38cf8fd77e691e0df96e

SHA512
a13771f675c72d0686ccd06a4b70088a4e1e1aed8de38106211897d24611bac6fb3c69f2f3a8b227e0a77b1e9334d5f2b25432ae9ce86681277fd1b8af1bda73

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\QiyiDACL.exe

Filesize
103KB

MD5
95f4d1d372da1ac1108ae1b9cffb9ae0

SHA1
801f9037c0361709f3b8bbaa6f19d927916cf54a

SHA256
d79d3dd7940ed8b8685e5b4521601b427affe0571e7a86bfaae403d8e46d1ecf

SHA512
6c6bd9c2184dd0e7b82aa665292a34d9de1ec43a90072f1fbe71dc412a9fb62d35ba10743b3b42d3c1e8c3127e87f065033263b18cdf87efb367fb634280f96c

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\QiyiDACL.exe

Filesize
103KB

MD5
95f4d1d372da1ac1108ae1b9cffb9ae0

SHA1
801f9037c0361709f3b8bbaa6f19d927916cf54a

SHA256
d79d3dd7940ed8b8685e5b4521601b427affe0571e7a86bfaae403d8e46d1ecf

SHA512
6c6bd9c2184dd0e7b82aa665292a34d9de1ec43a90072f1fbe71dc412a9fb62d35ba10743b3b42d3c1e8c3127e87f065033263b18cdf87efb367fb634280f96c

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\QiyiDACL.exe

Filesize
103KB

MD5
95f4d1d372da1ac1108ae1b9cffb9ae0

SHA1
801f9037c0361709f3b8bbaa6f19d927916cf54a

SHA256
d79d3dd7940ed8b8685e5b4521601b427affe0571e7a86bfaae403d8e46d1ecf

SHA512
6c6bd9c2184dd0e7b82aa665292a34d9de1ec43a90072f1fbe71dc412a9fb62d35ba10743b3b42d3c1e8c3127e87f065033263b18cdf87efb367fb634280f96c

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\QiyiDownload.dll

Filesize
2.0MB

MD5
165aa25f17ddfd3205a4a9dd35622f07

SHA1
6532924ea8dca2e7a31ab6560149f4bfa144175e

SHA256
5417ffe14d09eb2794ec3cd560422f4026382ee224a75ad09e2acc5c87e3cfbc

SHA512
9177e8b3c30c1510bd63ec7944888ea3fb2b3105c7b6684f845e7cc898021961f0422a2693d525f3af396a8f121f495a1395920b080137490de2db46eaa42451

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\QiyiDownload.dll

Filesize
2.0MB

MD5
165aa25f17ddfd3205a4a9dd35622f07

SHA1
6532924ea8dca2e7a31ab6560149f4bfa144175e

SHA256
5417ffe14d09eb2794ec3cd560422f4026382ee224a75ad09e2acc5c87e3cfbc

SHA512
9177e8b3c30c1510bd63ec7944888ea3fb2b3105c7b6684f845e7cc898021961f0422a2693d525f3af396a8f121f495a1395920b080137490de2db46eaa42451

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\QiyiMainPlugin.dll

Filesize
4.0MB

MD5
0bc8604d3468885c011cc571f219eaba

SHA1
6603b83336c77e8510f8f89d49ae507297aea3d3

SHA256
2248f4f8820e151e18bbc32abb9a6635101db8b21fb955541750abbd76fbe37e

SHA512
b522fc26fe1215914c4192794c7c8af4e65036e54ab3bbf54d3559db6ca79402a87a955e04b278508939c57fc29733c2f287bc0e5882931aee7ec4ee45db06da

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\QiyiMainPlugin.dll

Filesize
4.0MB

MD5
0bc8604d3468885c011cc571f219eaba

SHA1
6603b83336c77e8510f8f89d49ae507297aea3d3

SHA256
2248f4f8820e151e18bbc32abb9a6635101db8b21fb955541750abbd76fbe37e

SHA512
b522fc26fe1215914c4192794c7c8af4e65036e54ab3bbf54d3559db6ca79402a87a955e04b278508939c57fc29733c2f287bc0e5882931aee7ec4ee45db06da

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\QiyiService.config

Filesize
144B

MD5
fa9ef5b7a1f9c0d54a0b3692ff557d29

SHA1
11eb6a33d7b003989a5d93a0860bb78b30f84abd

SHA256
86e4b14e5a8fcb9d5323461623c643cb501058dbaac04c2b3cbdfb45f4375982

SHA512
c46bf4491c526bef2cd7d06599d228c8555c35893252d9f64ca6d0a5212f678994256de7ee04cfe1921228eed7eb4ddeb1ef8bbeed7c0f6c9b9aff77ccda616c

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\QiyiService.exe

Filesize
449KB

MD5
40cc039dfd9f587d209244bd99bfd4c5

SHA1
100488f1a9f60cafb8bf281ba33c97d31de57a02

SHA256
9945c059104266e6bb7c19fc44a17cef3a97025147eb102ef9d226770f4708dd

SHA512
3cbde32680d310773c84786101bd45b99f71f75584309ced6ed43b0e1037ff55b19e4dd78a764c1736a3b4ca7f8c11c4b157af46509c715846a4142df9cb8b38

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\QiyiService.exe

Filesize
449KB

MD5
40cc039dfd9f587d209244bd99bfd4c5

SHA1
100488f1a9f60cafb8bf281ba33c97d31de57a02

SHA256
9945c059104266e6bb7c19fc44a17cef3a97025147eb102ef9d226770f4708dd

SHA512
3cbde32680d310773c84786101bd45b99f71f75584309ced6ed43b0e1037ff55b19e4dd78a764c1736a3b4ca7f8c11c4b157af46509c715846a4142df9cb8b38

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\QiyiService.exe

Filesize
449KB

MD5
40cc039dfd9f587d209244bd99bfd4c5

SHA1
100488f1a9f60cafb8bf281ba33c97d31de57a02

SHA256
9945c059104266e6bb7c19fc44a17cef3a97025147eb102ef9d226770f4708dd

SHA512
3cbde32680d310773c84786101bd45b99f71f75584309ced6ed43b0e1037ff55b19e4dd78a764c1736a3b4ca7f8c11c4b157af46509c715846a4142df9cb8b38

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\QiyiService.exe

Filesize
449KB

MD5
40cc039dfd9f587d209244bd99bfd4c5

SHA1
100488f1a9f60cafb8bf281ba33c97d31de57a02

SHA256
9945c059104266e6bb7c19fc44a17cef3a97025147eb102ef9d226770f4708dd

SHA512
3cbde32680d310773c84786101bd45b99f71f75584309ced6ed43b0e1037ff55b19e4dd78a764c1736a3b4ca7f8c11c4b157af46509c715846a4142df9cb8b38

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\QiyiService.exe

Filesize
449KB

MD5
40cc039dfd9f587d209244bd99bfd4c5

SHA1
100488f1a9f60cafb8bf281ba33c97d31de57a02

SHA256
9945c059104266e6bb7c19fc44a17cef3a97025147eb102ef9d226770f4708dd

SHA512
3cbde32680d310773c84786101bd45b99f71f75584309ced6ed43b0e1037ff55b19e4dd78a764c1736a3b4ca7f8c11c4b157af46509c715846a4142df9cb8b38

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\QiyiUpdate.exe

Filesize
564KB

MD5
8550a3891616b733cf0456a2f6071a73

SHA1
a86553988095ff173420273c27de6f5d84922cd8

SHA256
1eb39e1e1e1fae3571795b772fc22315a2c4dcb9dd445f63800f474c83cb5abf

SHA512
3838b66d7f9a2fad7cf285125099e4202b56ba68b93abdb75d00c6257c3c1cf646435a852fd5a1284b2ab82c7ac2f15800764a86ce2d1a1fa788e24483eff73c

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\QiyiUpdate.exe

Filesize
564KB

MD5
8550a3891616b733cf0456a2f6071a73

SHA1
a86553988095ff173420273c27de6f5d84922cd8

SHA256
1eb39e1e1e1fae3571795b772fc22315a2c4dcb9dd445f63800f474c83cb5abf

SHA512
3838b66d7f9a2fad7cf285125099e4202b56ba68b93abdb75d00c6257c3c1cf646435a852fd5a1284b2ab82c7ac2f15800764a86ce2d1a1fa788e24483eff73c

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\QuiLib.dll

Filesize
742KB

MD5
7708b68bfdb5f87ee2aa44b66f10f196

SHA1
a7697a7efd9821c037b14e8d72c44a677ca545e0

SHA256
84fcfc682eeeb95e892b717cb55fad87bd658f2e72cfd356771fa2301efd95f8

SHA512
72d4055067851533e84d7443ce1f76b2e3426d84d9c5eeff50eb20cf733bc6f09938b53d4cb5e8807de4101ed324166056296fba754e69bf63797ec44b0b8020

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\QuiLib.dll

Filesize
742KB

MD5
7708b68bfdb5f87ee2aa44b66f10f196

SHA1
a7697a7efd9821c037b14e8d72c44a677ca545e0

SHA256
84fcfc682eeeb95e892b717cb55fad87bd658f2e72cfd356771fa2301efd95f8

SHA512
72d4055067851533e84d7443ce1f76b2e3426d84d9c5eeff50eb20cf733bc6f09938b53d4cb5e8807de4101ed324166056296fba754e69bf63797ec44b0b8020

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\QyClient.exe

Filesize
129KB

MD5
53e247983faa81d7b6300c97068bd5cf

SHA1
d60dde17dcf935516d5c442237513ed93a89552f

SHA256
5b5b4e53cfe1b99d5cc1c2ce1b9c992978648cde8f246ae0a0e23576115e3d7f

SHA512
277cbc57b7a0c17ba3b226914f7243a6e250f5fccd3c3988d498a6e7c0715f055760dcd612b1ad69875b38c8c6479af72dd0545c0ff00a8ad87f0acfb246d607

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\QyClient.exe

Filesize
129KB

MD5
53e247983faa81d7b6300c97068bd5cf

SHA1
d60dde17dcf935516d5c442237513ed93a89552f

SHA256
5b5b4e53cfe1b99d5cc1c2ce1b9c992978648cde8f246ae0a0e23576115e3d7f

SHA512
277cbc57b7a0c17ba3b226914f7243a6e250f5fccd3c3988d498a6e7c0715f055760dcd612b1ad69875b38c8c6479af72dd0545c0ff00a8ad87f0acfb246d607

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\QyClient.exe

Filesize
129KB

MD5
53e247983faa81d7b6300c97068bd5cf

SHA1
d60dde17dcf935516d5c442237513ed93a89552f

SHA256
5b5b4e53cfe1b99d5cc1c2ce1b9c992978648cde8f246ae0a0e23576115e3d7f

SHA512
277cbc57b7a0c17ba3b226914f7243a6e250f5fccd3c3988d498a6e7c0715f055760dcd612b1ad69875b38c8c6479af72dd0545c0ff00a8ad87f0acfb246d607

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\appPluginBase.dll

Filesize
870KB

MD5
02a741234c53d16058472bd70b2999cc

SHA1
68b68f169d0175f6acffb84971e63a3b9c02a36a

SHA256
eb5e90228186901972e84d0d769d137ba3baf2516ca322eed36e1f991011db90

SHA512
fb6d5c13c6ef022c58dc6475d76b543009f884306a93e10a795993d4ec4967ad2e712fca8be4a290e39524b120f9dba962d974f0733d7d693716e105c1fdf94b

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\appPluginBase.dll

Filesize
870KB

MD5
02a741234c53d16058472bd70b2999cc

SHA1
68b68f169d0175f6acffb84971e63a3b9c02a36a

SHA256
eb5e90228186901972e84d0d769d137ba3baf2516ca322eed36e1f991011db90

SHA512
fb6d5c13c6ef022c58dc6475d76b543009f884306a93e10a795993d4ec4967ad2e712fca8be4a290e39524b120f9dba962d974f0733d7d693716e105c1fdf94b

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\appPluginBase.dll

Filesize
870KB

MD5
02a741234c53d16058472bd70b2999cc

SHA1
68b68f169d0175f6acffb84971e63a3b9c02a36a

SHA256
eb5e90228186901972e84d0d769d137ba3baf2516ca322eed36e1f991011db90

SHA512
fb6d5c13c6ef022c58dc6475d76b543009f884306a93e10a795993d4ec4967ad2e712fca8be4a290e39524b120f9dba962d974f0733d7d693716e105c1fdf94b

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\debug.log

Filesize
510KB

MD5
a7d1b2be79d995bdf07d708906030115

SHA1
551cf43e4a58343854eb234ccb9b250a132be138

SHA256
a8596a21495ac3cc9e416d6bee569ad9afda5db30b7df1cb2096cf57103cef77

SHA512
a43e7818d692bf4b296309af8e68471a7112f72e7fbe08c65172725a2c704b1fe95363a52f71e6487ae19e7fd7931f29374e44c2167f1da0cdd2d932211dcb76

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\debug.log

Filesize
511KB

MD5
05d5bf6d30198f283544f387cf55adcd

SHA1
a8b43382768c8fd96e88a67055cc779add332745

SHA256
eee43f726405028b5b481240cf7b6c76626a8b201e6e7ea9c95c8f9ed3beb397

SHA512
378d076e9561687f8fb53299165355424a99d132c4d483544aa2b3b1cf657dce7ef347a27cae782b5eb9b5fed7a151105641d6ca014e233614bb5a7353f9cd5c

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\mfc100u.dll

Filesize
4.2MB

MD5
f32077df74efd435a1dcdf415e189df1

SHA1
2771393d56ff167275bf03170377c43c28ee14e1

SHA256
24bb6838defd491df5460a88bed2d70b903a2156c49fb63e214e2c77251eca71

SHA512
fb708e0949854998fb80635138c80ac05d77dca3089d3e5974663ddf2376d6a03535dae1a068514c3b58bc06c8e4078b37cfb6bc90f080f7f31fefc972a34850

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\mfc100u.dll

Filesize
4.2MB

MD5
f32077df74efd435a1dcdf415e189df1

SHA1
2771393d56ff167275bf03170377c43c28ee14e1

SHA256
24bb6838defd491df5460a88bed2d70b903a2156c49fb63e214e2c77251eca71

SHA512
fb708e0949854998fb80635138c80ac05d77dca3089d3e5974663ddf2376d6a03535dae1a068514c3b58bc06c8e4078b37cfb6bc90f080f7f31fefc972a34850

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\mfc100u.dll

Filesize
4.2MB

MD5
f32077df74efd435a1dcdf415e189df1

SHA1
2771393d56ff167275bf03170377c43c28ee14e1

SHA256
24bb6838defd491df5460a88bed2d70b903a2156c49fb63e214e2c77251eca71

SHA512
fb708e0949854998fb80635138c80ac05d77dca3089d3e5974663ddf2376d6a03535dae1a068514c3b58bc06c8e4078b37cfb6bc90f080f7f31fefc972a34850

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\mfc100u.dll

Filesize
4.2MB

MD5
f32077df74efd435a1dcdf415e189df1

SHA1
2771393d56ff167275bf03170377c43c28ee14e1

SHA256
24bb6838defd491df5460a88bed2d70b903a2156c49fb63e214e2c77251eca71

SHA512
fb708e0949854998fb80635138c80ac05d77dca3089d3e5974663ddf2376d6a03535dae1a068514c3b58bc06c8e4078b37cfb6bc90f080f7f31fefc972a34850

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\msvcp100.dll

Filesize
411KB

MD5
bc83108b18756547013ed443b8cdb31b

SHA1
79bcaad3714433e01c7f153b05b781f8d7cb318d

SHA256
b2ad109c15eaa92079582787b7772ba0a2f034f7d075907ff87028df0eaea671

SHA512
6e72b2d40e47567b3e506be474dafa7cacd0b53cd2c2d160c3b5384f2f461fc91bb5fdb614a351f628d4e516b3bbdabc2cc6d4cb4710970146d2938a687dd011

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\msvcp100.dll

Filesize
411KB

MD5
bc83108b18756547013ed443b8cdb31b

SHA1
79bcaad3714433e01c7f153b05b781f8d7cb318d

SHA256
b2ad109c15eaa92079582787b7772ba0a2f034f7d075907ff87028df0eaea671

SHA512
6e72b2d40e47567b3e506be474dafa7cacd0b53cd2c2d160c3b5384f2f461fc91bb5fdb614a351f628d4e516b3bbdabc2cc6d4cb4710970146d2938a687dd011

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\msvcp100.dll

Filesize
411KB

MD5
bc83108b18756547013ed443b8cdb31b

SHA1
79bcaad3714433e01c7f153b05b781f8d7cb318d

SHA256
b2ad109c15eaa92079582787b7772ba0a2f034f7d075907ff87028df0eaea671

SHA512
6e72b2d40e47567b3e506be474dafa7cacd0b53cd2c2d160c3b5384f2f461fc91bb5fdb614a351f628d4e516b3bbdabc2cc6d4cb4710970146d2938a687dd011

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\msxml4.dll

Filesize
1.2MB

MD5
a6b8503687a268bfd620a12271816e36

SHA1
a77f8237f37733efa7adf3ad77c68c30acff43a0

SHA256
599c8890ff671c9b9289da816100d0ae2d8113be59bf4466cc224e52ba4c31b1

SHA512
522f6ed708cf5240e51f4b62d1fdc5e7ff6763069e271e0fdaa4c0e161ad402a57a5ec9f6d944f3d5506062455bfcfa9705890be5c0df502f97e5503d517d5bf

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\msxml4.dll

Filesize
1.2MB

MD5
a6b8503687a268bfd620a12271816e36

SHA1
a77f8237f37733efa7adf3ad77c68c30acff43a0

SHA256
599c8890ff671c9b9289da816100d0ae2d8113be59bf4466cc224e52ba4c31b1

SHA512
522f6ed708cf5240e51f4b62d1fdc5e7ff6763069e271e0fdaa4c0e161ad402a57a5ec9f6d944f3d5506062455bfcfa9705890be5c0df502f97e5503d517d5bf

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\msxml4.dll

Filesize
1.2MB

MD5
a6b8503687a268bfd620a12271816e36

SHA1
a77f8237f37733efa7adf3ad77c68c30acff43a0

SHA256
599c8890ff671c9b9289da816100d0ae2d8113be59bf4466cc224e52ba4c31b1

SHA512
522f6ed708cf5240e51f4b62d1fdc5e7ff6763069e271e0fdaa4c0e161ad402a57a5ec9f6d944f3d5506062455bfcfa9705890be5c0df502f97e5503d517d5bf

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\msxml4r.dll

Filesize
89KB

MD5
a7b6765208ec57cda8c5d3593a95812b

SHA1
495d3831927edf515efcfa3636ee7e643b80f70b

SHA256
874348d266feccb7c2b6cf9c94de1fb4f025ae1aba6e50b44831c4751df68ad8

SHA512
d9dc7095586246cf614cd6663095f181983ea45d95c5f7c00cb7177db88d5bab288a10c88cb6ed3f01057db7c9cda770345973f52833aea6cf09ff6a28939d7c

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\pluginConfig.xml

Filesize
1KB

MD5
cc20ca22b94c00ec41879f8c0c2f2e58

SHA1
6d534e62a40f659392e073e50cd2a1534cbbc5c3

SHA256
bce4798bffbd7824db9816be4118cd5a37e63112062672c046538766249bb42b

SHA512
c182b9f2b2707b6762e6ea25fc7c4be0d1ae2bb56274c6818e4bca8a3ff1aabc950f85eb403cd3856549dc3faefb96d31af105d9d56974470d1a6f4bf3332d8c

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\pluginRepository.xml

Filesize
1KB

MD5
178ecc9f812f868cd9afdfe0f5818f6f

SHA1
08e1cbc032c3b3853311db68d9b5e0c263af9708

SHA256
99f2cfe662ee732f88ddfd8d43cbc04feef6cb221362335f63ef40e985ba793f

SHA512
ca518c66d791a8253ccb932831128a3f17077a6ec6bb43161f83cc4f9a3edd36f456c5c4d867169022da9d82a0cd19b44b85d159b0804d0c01b42130e536ba60

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\server.ini

Filesize
137B

MD5
930833ff5db2e498e4ad3288dcafd2cb

SHA1
2e14bb33a64aa099b8cd1538f347142a46a36d25

SHA256
aeab9d771293a2722b5d223c29ed1d1bb5288ef6eef9c5a165928f6369b4349b

SHA512
d524589bf468219326a3447f6d8431a91b884d07e4fae9e75b13fcbabd06ae3b587894df39606a7c70a0d4cd13a58c5196c08a66654bb1a76658a70239d7cbc3

Download Submit
C:\Program Files (x86)\IQIYI Video\PStyle\skin\mainpluginRes.zip

Filesize
1.6MB

MD5
f55ed45899de5f1083596fc0cbe4b2d6

SHA1
17e77673764db8bc0649834bfb2010a4555be30d

SHA256
48632d228bf9b3457651c6e2ec01b9e744da65550705c26e1c20a65a123651d7

SHA512
a84801cd00201ad253ad2218931b2a6aadc7583f32042534b7a8c0fbb5cc11451ff368448e244d60e122e253db0f158819a1dd3b83006ae83d13003400b0f1be

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYanti\acclient.dll

Filesize
352KB

MD5
e62d6172e4115e3d9dbe3e8c5e0b4eac

SHA1
fadc48c432f2bc22046694acc2fc6a7210200b46

SHA256
89424e80bfddc815f9f3e461c9181bb4aa6c800f7e65172240b737ba20a9671a

SHA512
1570837189f41fb1421484cf795699fba05c186fade0d597e36d32812f173199ac4e98e1141a598d0e79ef29e6ac72f49a102dff5e82e424d68824df45100197

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYanti\edtool.dll

Filesize
319KB

MD5
dd9a05981d3bcd06b44d0979a6a917c7

SHA1
41379aae06dead45955a1d4e6d65561b9cad1727

SHA256
35e76b1be97318bc439dcd8a33b4b495da5ef4451fddc6b34f983d57d58f87d1

SHA512
a1583219bf0bbfdb89cbee630c8676dbbbab678bf536cf131b9970882031c91ce8f72948830ad45ade7422deff7644dc874ef07683c370547b6c05ef54b22c1d

Download Submit
C:\Users\Admin\AppData\Roaming\IQIYI Video\PStyle\NetConfig.ini

Filesize
45B

MD5
52aa79db37e8b532f4a9d0f63cfd622f

SHA1
d27230dca25c7980ab6038f0d08b5ac35371668a

SHA256
6e36db0bce33dc0c75008d56b900b7c25ea7fc93bd5f4eccd88ec1fd1c51fd7e

SHA512
6a2976f97634ea072553297bccab7c78c53e38636efde64793d08b6590dfed7fb01eabb953c5675f670b36888808d2688c45fd8771db241acd1bb2db8add3759

Download Submit
C:\Users\Admin\AppData\Roaming\IQIYI Video\PStyle\QiyiInstaller.log

Filesize
11KB

MD5
78df18e390afdca223f57ed137401a48

SHA1
3ec85857c57c9c74528a55926e45e6aeaec3cb58

SHA256
75280cff73333b01983a4731819aa262273bf8d034065ed699296650e96261ee

SHA512
66419e4079d2c092cac8b84cb935bd0d5b507f7dd056b63af3d81c0112d1c06b58bb4bc68237a3e3d13a95449192b1716f31c7255673d7bdd63a7a992e4175f9

Download Submit
memory/216-141-0x0000000000000000-mapping.dmp

Download
memory/536-250-0x0000000000000000-mapping.dmp

Download
memory/788-135-0x0000000000000000-mapping.dmp

Download
memory/1040-261-0x000000006F5E0000-0x0000000070059000-memory.dmp

Filesize
10.5MB

Download
memory/1040-280-0x00000000715E0000-0x00000000716D9000-memory.dmp

Filesize
996KB

Download
memory/1040-290-0x000000006F5E0000-0x0000000070059000-memory.dmp

Filesize
10.5MB

Download
memory/1040-284-0x00000000715E0000-0x00000000716D9000-memory.dmp

Filesize
996KB

Download
memory/1040-283-0x00000000715E0000-0x00000000716D9000-memory.dmp

Filesize
996KB

Download
memory/1040-282-0x00000000715E0000-0x00000000716D9000-memory.dmp

Filesize
996KB

Download
memory/1040-278-0x00000000715E0000-0x00000000716D9000-memory.dmp

Filesize
996KB

Download
memory/1040-276-0x00000000715E0000-0x00000000716D9000-memory.dmp

Filesize
996KB

Download
memory/1040-275-0x00000000715E0000-0x00000000716D9000-memory.dmp

Filesize
996KB

Download
memory/1040-274-0x00000000715E0000-0x00000000716D9000-memory.dmp

Filesize
996KB

Download
memory/1040-273-0x00000000715E0000-0x00000000716D9000-memory.dmp

Filesize
996KB

Download
memory/1040-272-0x00000000715E0000-0x00000000716D9000-memory.dmp

Filesize
996KB

Download
memory/1040-268-0x00000000715E0000-0x00000000716D9000-memory.dmp

Filesize
996KB

Download
memory/1040-271-0x00000000715E0000-0x00000000716D9000-memory.dmp

Filesize
996KB

Download
memory/1040-270-0x00000000715E0000-0x00000000716D9000-memory.dmp

Filesize
996KB

Download
memory/1040-269-0x000000006F5E0000-0x0000000070059000-memory.dmp

Filesize
10.5MB

Download
memory/1040-267-0x00000000715E0000-0x00000000716D9000-memory.dmp

Filesize
996KB

Download
memory/1040-266-0x00000000715E0000-0x00000000716D9000-memory.dmp

Filesize
996KB

Download
memory/1040-265-0x00000000715E0000-0x00000000716D9000-memory.dmp

Filesize
996KB

Download
memory/1040-264-0x000000006F5E0000-0x0000000070059000-memory.dmp

Filesize
10.5MB

Download
memory/1040-262-0x000000006F5E0000-0x0000000070059000-memory.dmp

Filesize
10.5MB

Download
memory/1040-260-0x000000006F5E0000-0x0000000070059000-memory.dmp

Filesize
10.5MB

Download
memory/1040-259-0x000000006F5E0000-0x0000000070059000-memory.dmp

Filesize
10.5MB

Download
memory/1040-258-0x000000006F5E0000-0x0000000070059000-memory.dmp

Filesize
10.5MB

Download
memory/1040-256-0x000000006F5E0000-0x0000000070059000-memory.dmp

Filesize
10.5MB

Download
memory/1040-255-0x000000006F5E0000-0x0000000070059000-memory.dmp

Filesize
10.5MB

Download
memory/1040-254-0x000000006F5E0000-0x0000000070059000-memory.dmp

Filesize
10.5MB

Download
memory/1040-252-0x0000000000000000-mapping.dmp

Download
memory/1308-132-0x0000000000000000-mapping.dmp

Download
memory/1624-287-0x0000000000000000-mapping.dmp

Download
memory/1664-213-0x0000000000000000-mapping.dmp

Download
memory/1836-175-0x0000000000000000-mapping.dmp

Download
memory/1920-163-0x0000000000000000-mapping.dmp

Download
memory/1944-174-0x0000000000000000-mapping.dmp

Download
memory/2028-285-0x0000000000000000-mapping.dmp

Download
memory/2084-166-0x0000000000000000-mapping.dmp

Download
memory/2236-249-0x0000000000000000-mapping.dmp

Download
memory/2300-143-0x0000000000000000-mapping.dmp

Download
memory/2412-169-0x0000000000000000-mapping.dmp

Download
memory/2756-148-0x0000000000000000-mapping.dmp

Download
memory/2916-246-0x0000000000000000-mapping.dmp

Download
memory/2972-178-0x0000000000000000-mapping.dmp

Download
memory/3268-251-0x0000000000000000-mapping.dmp

Download
memory/3340-150-0x0000000000000000-mapping.dmp

Download
memory/3452-230-0x0000000000000000-mapping.dmp

Download
memory/3500-247-0x0000000000000000-mapping.dmp

Download
memory/3524-167-0x0000000000000000-mapping.dmp

Download
memory/3636-263-0x0000000000000000-mapping.dmp

Download
memory/3672-245-0x0000000000000000-mapping.dmp

Download
memory/4384-235-0x0000000000000000-mapping.dmp

Download
memory/4436-171-0x0000000000000000-mapping.dmp

Download
memory/4472-253-0x0000000000000000-mapping.dmp

Download
memory/4612-172-0x0000000000000000-mapping.dmp

Download
memory/4716-286-0x0000000000000000-mapping.dmp

Download
memory/4716-288-0x0000000005710000-0x0000000005738000-memory.dmp

Filesize
160KB

Download
memory/4716-315-0x00000000715E0000-0x00000000716D9000-memory.dmp

Filesize
996KB

Download
memory/4716-314-0x000000006F5E0000-0x0000000070059000-memory.dmp

Filesize
10.5MB

Download
memory/4716-300-0x00000000715E0000-0x00000000716D9000-memory.dmp

Filesize
996KB

Download
memory/4716-306-0x00000000715E0000-0x00000000716D9000-memory.dmp

Filesize
996KB

Download
memory/4716-305-0x00000000715E0000-0x00000000716D9000-memory.dmp

Filesize
996KB

Download
memory/4716-304-0x00000000715E0000-0x00000000716D9000-memory.dmp

Filesize
996KB

Download
memory/4716-303-0x00000000715E0000-0x00000000716D9000-memory.dmp

Filesize
996KB

Download
memory/4716-302-0x00000000715E0000-0x00000000716D9000-memory.dmp

Filesize
996KB

Download
memory/4716-301-0x00000000715E0000-0x00000000716D9000-memory.dmp

Filesize
996KB

Download
memory/4716-299-0x000000006F5E0000-0x0000000070059000-memory.dmp

Filesize
10.5MB

Download
memory/4716-298-0x000000006F5E0000-0x0000000070059000-memory.dmp

Filesize
10.5MB

Download
memory/4716-297-0x000000006F5E0000-0x0000000070059000-memory.dmp

Filesize
10.5MB

Download
memory/4716-296-0x000000006F5E0000-0x0000000070059000-memory.dmp

Filesize
10.5MB

Download
memory/4716-295-0x000000006F5E0000-0x0000000070059000-memory.dmp

Filesize
10.5MB

Download
memory/4716-294-0x000000006F5E0000-0x0000000070059000-memory.dmp

Filesize
10.5MB

Download
memory/4716-293-0x000000006F5E0000-0x0000000070059000-memory.dmp

Filesize
10.5MB

Download
memory/4716-292-0x000000006F5E0000-0x0000000070059000-memory.dmp

Filesize
10.5MB

Download
memory/4716-291-0x000000006F5E0000-0x0000000070059000-memory.dmp

Filesize
10.5MB

Download
memory/4756-214-0x000000006F880000-0x00000000702F9000-memory.dmp

Filesize
10.5MB

Download
memory/4756-223-0x000000006F880000-0x00000000702F9000-memory.dmp

Filesize
10.5MB

Download
memory/4756-239-0x000000006F780000-0x000000006F879000-memory.dmp

Filesize
996KB

Download
memory/4756-189-0x0000000000000000-mapping.dmp

Download
memory/4756-238-0x000000006F780000-0x000000006F879000-memory.dmp

Filesize
996KB

Download
memory/4756-225-0x000000006F780000-0x000000006F879000-memory.dmp

Filesize
996KB

Download
memory/4756-236-0x000000006F780000-0x000000006F879000-memory.dmp

Filesize
996KB

Download
memory/4756-234-0x000000006F780000-0x000000006F879000-memory.dmp

Filesize
996KB

Download
memory/4756-232-0x000000006F780000-0x000000006F879000-memory.dmp

Filesize
996KB

Download
memory/4756-233-0x000000006F780000-0x000000006F879000-memory.dmp

Filesize
996KB

Download
memory/4756-242-0x000000006F780000-0x000000006F879000-memory.dmp

Filesize
996KB

Download
memory/4756-224-0x000000006F780000-0x000000006F879000-memory.dmp

Filesize
996KB

Download
memory/4756-229-0x000000006F780000-0x000000006F879000-memory.dmp

Filesize
996KB

Download
memory/4756-228-0x000000006F780000-0x000000006F879000-memory.dmp

Filesize
996KB

Download
memory/4756-243-0x000000006F780000-0x000000006F879000-memory.dmp

Filesize
996KB

Download
memory/4756-240-0x000000006F780000-0x000000006F879000-memory.dmp

Filesize
996KB

Download
memory/4756-244-0x000000006F780000-0x000000006F879000-memory.dmp

Filesize
996KB

Download
memory/4756-248-0x000000006F880000-0x00000000702F9000-memory.dmp

Filesize
10.5MB

Download
memory/4756-221-0x000000006F880000-0x00000000702F9000-memory.dmp

Filesize
10.5MB

Download
memory/4756-215-0x000000006F880000-0x00000000702F9000-memory.dmp

Filesize
10.5MB

Download
memory/4756-216-0x000000006F880000-0x00000000702F9000-memory.dmp

Filesize
10.5MB

Download
memory/4756-217-0x000000006F880000-0x00000000702F9000-memory.dmp

Filesize
10.5MB

Download
memory/4756-218-0x000000006F880000-0x00000000702F9000-memory.dmp

Filesize
10.5MB

Download
memory/4756-219-0x000000006F880000-0x00000000702F9000-memory.dmp

Filesize
10.5MB

Download
memory/4756-231-0x000000006F780000-0x000000006F879000-memory.dmp

Filesize
996KB

Download
memory/4756-226-0x000000006F880000-0x00000000702F9000-memory.dmp

Filesize
10.5MB

Download
memory/4756-220-0x000000006F880000-0x00000000702F9000-memory.dmp

Filesize
10.5MB

Download
memory/4800-182-0x0000000000000000-mapping.dmp

Download
memory/4836-237-0x0000000000000000-mapping.dmp

Download
memory/4876-257-0x0000000000000000-mapping.dmp

Download