Malware Analysis Report

2025-01-18 22:27

Sample ID: 240504-vhtdcabg9w
Target: 13a825164b8138ac4c8cfce592798000_JaffaCakes118
SHA256: c6d05fabc939e857c521fd7aedba9d93405b85389b6c4063eac7c90e42d5e4b0
Tags: adware discovery evasion persistence stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: c6d05fabc939e857c521fd7aedba9d93405b85389b6c4063eac7c90e42d5e4b0

Threat Level: Known bad

The file 13a825164b8138ac4c8cfce592798000_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

adware discovery evasion persistence stealer

Modifies firewall policy service

Adds Run key to start application

Installs/modifies Browser Helper Object

Modifies Windows Firewall

Enumerates connected drives

Downloads MZ/PE file

Checks computer location settings

Registers COM server for autorun

Loads dropped DLL

Executes dropped EXE

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Drops file in Program Files directory

Checks installed software on the system

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-04 16:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-04 16:59
Reported: 2024-05-04 17:02
Platform: win7-20240221-en
Max time kernel: 150s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules C:\Program Files (x86)\IQIYI Video\LStyle\mDNSResponder.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HCDNClient = "\"C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QyKernel.exe\" -shell_start" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A

Downloads MZ/PE file

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FB4F6285-4C32-49F2-950F-A5998F9CEC6C} C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\FRAME_LINE.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\vip\loading_41.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\downloadRes\listUI_filter.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\PersonalCenter\register\taos2.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BtnMinNormal.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\LStyle\skin\gameexitguide\loading.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\tramsparent.xml C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\common\Common_Menu.xml C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\UserCheckBoxUNCheck.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\ForceUpdateMsgBox.xml C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\IQIYI Video\LStyle\skin\custom_dlg\custom_dlg_without_title.xml C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\PersonalCenter\set\dlg_bk.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinDefault\skinplan\SearchRes\searchBoxBk.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinVIP\skinplan\LoginRes\arrow_down.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\IQIYI Video\LStyle\vmPage\skin\xml\t8.xml C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\LStyle\PSkin\AdvertiseWnd\AdvertiseWnd_PromptCloseNormal.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\titleRes\title_playlist_normal.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\PersonalCenter\common\close_big2.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\IQIYI Video\LStyle\vmPage\skin\BtnLook.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\IQIYI Video\LStyle\ClientID.dll C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Ctrl\Comment\comment_normal.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Ctrl\volume_bg.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\IQIYI Video\LStyle\skin\PLRes\btn_search_left.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\downloadRes\downLoad\radiopicture.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\PersonalCenter\common\Close2.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\IQIYI Video\LStyle\HCDNProxy.dll C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\fullScreen_handico.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\MultiAccountsBtn_mov.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Ctrl\tip_triangle.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\downloadRes\RouterUI\DownloadLocation.xml C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\InsetControls\ic_varietymixture_commonctrl.xml C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\IQIYI Video\LStyle\appdata\ C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\LStyle\skin\ConfigRes\CheckVersionUpdate.xml C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\IQIYI Video\LStyle\skin\ConfigRes\player.xml C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\LStyle\skin\Guide\SwitchModeGuide.xml C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Middle\ADRes\AdInnerPrompt\AdInnerPrompt (16).png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\IQIYI Video\LStyle\QuiLib.dll C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\control\mainframe.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinVIP\skinplan\list_top_line.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinVIP\skinplan\PlayerRes\pstyle\minimode_1.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\IQIYI Video\LStyle\skin\uploadRes\upload_advanced_option.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDownload.dll C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\Fragment\MobileAssistant\GuideLayout.xml C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinVIP\skinplan\list\small_point.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinVIP\skinplan\PlayerRes\pstyle\navigaterefresh.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CheckBoxCheck.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\LStyle\skin\PLRes\trangle.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinVIP\skinplan\PlayerRes\Ctrl\album_state_116_65.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinVIP\skinplan\PlayerRes\pstyle\browsermode.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\IQIYI Video\LStyle\vmPage\skin\btn_next2.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\IQIYI Video\LStyle\PSkin\EmbeddedCheckChannelWnd.xml C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\LStyle\skin\icon_upload_status.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Middle\logo\logo_refresh_normal.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\Menubar\rcommand_icon.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\MobileAssistant\Fragment\MobileAssistant\FeedBack.xml C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinDefault\skinplan\list\littlepoint.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\IQIYI Video\LStyle\skin\feature\content\f_3.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Ctrl\checkboxpicture.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\listUI\favor3_2.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\QYProduct\QYProductDailyPosterCtrl.xml C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\set_hover.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\IQIYI Video\LStyle\skin\soft_write.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File created C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Ctrl\GoodsCorner\goods_corner_bk (33).png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\homepageRes\cjjy.png C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\iqiyi_logo.ttf C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
File opened for modification C:\Windows\psnetwork.ini C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
N/A N/A C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
N/A N/A C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
N/A N/A C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
N/A N/A C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\IQIYI Video\LStyle\QiyiService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\mkshortcut.exe N/A
N/A N/A C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe N/A
N/A N/A C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe N/A
N/A N/A C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe N/A
N/A N/A C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe N/A
N/A N/A C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe N/A
N/A N/A C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe N/A
N/A N/A C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe N/A
N/A N/A C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe N/A
N/A N/A C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe N/A
N/A N/A C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe N/A
N/A N/A C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe N/A
N/A N/A C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe N/A
N/A N/A C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe N/A
N/A N/A C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe N/A
N/A N/A C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe N/A
N/A N/A C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe N/A
N/A N/A C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe N/A
N/A N/A C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe N/A
N/A N/A C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{085CB97F-6D0B-487D-B94C-E11A736C38CE}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{085CB97F-6D0B-487D-B94C-E11A736C38CE}\InprocServer32\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QYPlugin64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\InprocServer32\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QYPlugin64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32 C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\LocalLow\\Unity\\WebPlayer\\loader\\UnityWebPluginAX.ocx" C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_AUTOCONFIG_BRANDING\iexplore.exe = "1" C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\Policy = "3" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\QyPlayer.exe = "9000" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\QyClient.exe = "9000" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_GPU_RENDERING\QyBrowser.exe = "1" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\ppsrun C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\Policy = "3" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6BE0FB-8B18-4dfc-959F-233651CC4D7F}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\LStyle" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ProtocolExecute C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\AppName = "QyClient.exe" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAC94FEE-45B4-4FD4-9EEA-D8978EC96C6E} C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6BE0FB-8B18-4dfc-959F-233651CC4D7F}\AppName = "QyKernel.exe" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\pps\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_AUTOCONFIG_BRANDING C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\AppName = "QYFollowVideo.exe" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\New Windows\Allow C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAC94FEE-45B4-4FD4-9EEA-D8978EC96C6E}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\LStyle" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\pps C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\qygameclient C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\ppstream C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\qisu C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_GPU_RENDERING\QyClient.exe = "1" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_GPU_RENDERING\QyPlayer.exe = "1" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\magnet2 C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\AppName = "QYFollowVideo.exe" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\AppName = "QyClient.exe" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\QyFragment.exe = "9000" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6BE0FB-8B18-4dfc-959F-233651CC4D7F} C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAC94FEE-45B4-4FD4-9EEA-D8978EC96C6E}\AppName = "QyClient.exe" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\ppsrun\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\qips\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\QyBrowser.exe = "9000" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\New Windows\Allow\*.pps.tv C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\ppstream\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6BE0FB-8B18-4dfc-959F-233651CC4D7F}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\magnet2\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\Policy = "3" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\New Windows\Allow\*.ppstream.com C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\qips C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\qisu\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC} C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\Policy = "3" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAC94FEE-45B4-4FD4-9EEA-D8978EC96C6E}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\qygameclient\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_GPU_RENDERING\QyFragment.exe = "1" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pfv\OpenWithProgIds C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\qisu\DefaultIcon C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{138F4260-66CA-4F7C-812F-C6EED99B7EC7}\ = "_DQYPlugin" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\ = "UnityWebPlayer Control" C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB3A16EC-96E2-421B-8462-C6F992596E65}\TypeLib C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\ProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{307B3CDB-9EE3-4137-9D18-F9AD6537ECEB}\TypeLib\ = "{E1D75F62-CBBD-45C7-9D1D-6B5ECEC2E006}" C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FB4F6285-4C32-49F2-950F-A5998F9CEC6C}\InprocServer32\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\Accelerator\\IEHelper.dll" C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3636FE13-B7E3-4CDC-B7E3-A8014BD2CC02} C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\HCDNProxy\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\HCDNProxy.dll" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pps\DefaultIcon C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ppsrun\shell C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\TypeLib\ = "{75A564FE-95D1-41a9-B1D9-10D1E3CB502B}" C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3636FE13-B7E3-4CDC-B7E3-A8014BD2CC02}\ = "IFlashHelper" C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{085CB97F-6D0B-487D-B94C-E11A736C38CE}\InprocServer32\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QYPlugin64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\ = "爱奇艺浏览器插件" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\ProgID\ = "QYPlugin.QYPluginCtrl.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pfv C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\UnityWebPlayer.UnityWebPlayer.1 C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\MiscStatus\1\ = "131473" C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FB4F6285-4C32-49F2-950F-A5998F9CEC6C}\ProgID\ = "IEHelper.FlashHelper.1" C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ppsrun\DefaultIcon C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\Control C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\qips\shell\open\command\ = "\"C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QyClient.exe\" -ppstream \"%1\"" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{307B3CDB-9EE3-4137-9D18-F9AD6537ECEB}\InprocServer32\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\Accelerator\\IEHelper.dll" C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\UnityWebPlayer.UnityWebPlayer\ = "UnityWebPlayer Control" C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\TypeLib\{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}\1.0\FLAGS\ = "0" C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675}\TypeLib\ = "{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}" C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.FlashHelper\CurVer\ = "IEHelper.FlashHelper.1" C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ppstream C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.pfv C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pps_qsv\shell\open\command\ = "\"C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QyClient.exe\" -runfrom openfile \"%1\"" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{307B3CDB-9EE3-4137-9D18-F9AD6537ECEB}\Programmable C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF3CDEFB-31BE-43AE-B064-B9C62C883259}\DefaultIcon\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QyClient.exe,0" C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\MiscStatus C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pmv\ = "爱奇艺PPS下载文件" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ppsrun\ = "PPS运行协议" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\qygameclient\URL Protocol C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ppstream\shell\open\command\ = "\"C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QyClient.exe\" -ppstream \"%1\"" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\AppID\UnityWebPluginAX.ocx C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{790F2D3B-18EE-40E2-A45E-1FAC13B6AFB8}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}\TypeLib\ = "{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}" C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{307B3CDB-9EE3-4137-9D18-F9AD6537ECEB}\ProgID\ = "IEHelper.FlvFilter.1" C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1D75F62-CBBD-45C7-9D1D-6B5ECEC2E006}\1.0\0\win32\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\Accelerator\\IEHelper.dll" C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF3CDEFB-31BE-43AE-B064-B9C62C883259}\{305ca226-d286-468e-b848-2b2e8e697b76} 2 = "0" C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\qisu C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\AppID\UnityWebPluginAX.ocx\AppID = "{F008CD3D-7044-4CD4-BE14-BF3FCCF144F9}" C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1D75F62-CBBD-45C7-9D1D-6B5ECEC2E006}\1.0\0 C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\Control\ C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pps\shell\open\command\ = "\"C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QyClient.exe\" -ppstream \"%1\"" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675}\TypeLib C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QYPlugin.QYPluginCtrl.1\CLSID\ = "{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pfv\OpenWithList C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.qsv\ = "pps_qsv" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF3CDEFB-31BE-43AE-B064-B9C62C883259}\Shell\Open C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pps_pfv\shell\open\ = "使用 爱奇艺万能播放器 播放" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3636FE13-B7E3-4CDC-B7E3-A8014BD2CC02}\TypeLib C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}\TypeLib C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3636FE13-B7E3-4CDC-B7E3-A8014BD2CC02}\TypeLib C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pps_qsv\shell\open\command C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pmv\DefaultIcon\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QyClient.exe,-148" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = [binary certificate blob not reproduced in this copy of the report] C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = [binary certificate blob not reproduced in this copy of the report] C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = [binary certificate blob not reproduced in this copy of the report] C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1800 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe
PID 1800 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe
PID 1800 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe
PID 1800 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe
PID 1800 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe
PID 1800 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe
PID 1800 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe
PID 1800 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe
PID 1800 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe
PID 1800 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe
PID 1800 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe
PID 1800 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe
PID 1800 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe
PID 1800 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe
PID 1800 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe
PID 1800 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1800 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1800 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1800 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1800 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1800 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1800 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1800 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1800 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1800 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1800 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1800 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1800 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1800 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2292 wrote to memory of 500 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2292 wrote to memory of 500 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2292 wrote to memory of 500 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2292 wrote to memory of 500 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2292 wrote to memory of 500 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2292 wrote to memory of 500 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2292 wrote to memory of 500 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1800 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsy3045.tmp\vmpagedown.exe
PID 1800 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsy3045.tmp\vmpagedown.exe (3 identical entries)
PID 1800 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\QyMaster.exe (4 identical entries)
PID 1800 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe (4 identical entries)
PID 1800 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\LStyle\QiyiService.exe (4 identical entries)
PID 1800 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\LStyle\mDNSResponder.exe (4 identical entries)
PID 1800 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe (4 identical entries)
PID 1800 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Windows\SysWOW64\netsh.exe (4 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe"

C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe

"C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe" /S

C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe

"C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe" QiyiUpdate "C:\Program Files (x86)\IQIYI Video" true

C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe

"C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe" -install

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\IQIYI Video\LStyle\QYPlugin.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\IQIYI Video\LStyle\QYPlugin64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\IQIYI Video\LStyle\QYPlugin64.dll"

C:\Users\Admin\AppData\Local\Temp\nsy3045.tmp\vmpagedown.exe

"C:\Users\Admin\AppData\Local\Temp\nsy3045.tmp\vmpagedown.exe" "http://vodguide.ppstream.iqiyi.com/search.php?ver=1.0.6.55" "C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\vmPage\search_top.zip"

C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\QyMaster.exe

"C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\QyMaster.exe" "C:\Users\Public\QiYi\QiyiHCDN\Config"

C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe

"C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe" QiyiUpdate "C:\Users\Admin\AppData\Roaming\IQIYI Video" true

C:\Program Files (x86)\IQIYI Video\LStyle\QiyiService.exe

"C:\Program Files (x86)\IQIYI Video\LStyle\QiyiService.exe" -i

C:\Program Files (x86)\IQIYI Video\LStyle\QiyiService.exe

"C:\Program Files (x86)\IQIYI Video\LStyle\QiyiService.exe"

C:\Program Files (x86)\IQIYI Video\LStyle\mDNSResponder.exe

"C:\Program Files (x86)\IQIYI Video\LStyle\mDNSResponder.exe" -finstall

C:\Program Files (x86)\IQIYI Video\LStyle\mDNSResponder.exe

"C:\Program Files (x86)\IQIYI Video\LStyle\mDNSResponder.exe"

C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe

"C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe" videolibrary=uninstall_setup

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺视频客户端" dir=in program="C:\Program Files (x86)\IQIYI Video\LStyle\QyClient.exe" action=allow description="C:\Program Files (x86)\IQIYI Video\LStyle\QyClient.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺HCDN网络数据传输组件" dir=in program="C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe" action=allow description="C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺视频播放器" dir=in program="C:\Program Files (x86)\IQIYI Video\LStyle\QyMiniPlayer.exe" action=allow description="C:\Program Files (x86)\IQIYI Video\LStyle\QyMiniPlayer.exe"

C:\Windows\TEMP\assistant.exe

"C:\Windows\TEMP\assistant.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺PPS影音 播放器组件" dir=in program="C:\Program Files (x86)\IQIYI Video\LStyle\QyPlayer.exe" action=allow description="C:\Program Files (x86)\IQIYI Video\LStyle\QyPlayer.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺升级模块" dir=in program="C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\QyUpdate.exe" action=allow description="C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\QyUpdate.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺视频辅助程序" dir=in program="C:\Program Files (x86)\IQIYI Video\LStyle\QyFragment.exe" action=allow description="C:\Program Files (x86)\IQIYI Video\LStyle\QyFragment.exe"

C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\mkshortcut.exe

"C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\mkshortcut.exe" -output "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\爱奇艺PPS.lnk" -target "C:\Program Files (x86)\IQIYI Video\LStyle\QyClient.exe" -parameters "quicklaunchrun" -workingdir "C:\Program Files (x86)\IQIYI Video\LStyle" -appid "IQIYI, Inc.PCClient" -icon "C:\Program Files (x86)\IQIYI Video\LStyle\skin\Logo\LogoBevel.ico" -description "使用爱奇艺PPS收看影视节目,清晰流畅更新快"

C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe

"C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe"

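The process list above is where the report's persistence and firewall findings come from: six netsh advfirewall inbound allow rules (their names are Chinese product labels, for example 爱奇艺视频客户端 "iQIYI video client", 爱奇艺HCDN网络数据传输组件 "iQIYI HCDN network data transfer component", 爱奇艺升级模块 "iQIYI upgrade module"), three silent regsvr32 /s registrations of QYPlugin.dll and QYPlugin64.dll (the COM server / Browser Helper Object signatures), a downloader run from the NSIS temp directory nsy3045.tmp, service and plugin install switches (-i, -finstall, -install), a taskbar shortcut drop via mkshortcut.exe, and assistant.exe launched from C:\Windows\TEMP. The Python below is an added example, not part of the sandbox report and not code from the analysed software: it turns such (image path, command line) pairs into structured findings. The PROCESSES list is a constructed subset copied from the process list above; the classification rules and the finding names are the example's own assumptions about what a detection engineer would flag.

```python
# Added example (not part of the sandbox report): classify Windows process
# command lines from a detonation into findings: firewall allow rules, silent
# COM registration, downloads from an NSIS temp dir, install switches,
# shortcut drops and executables started from temp paths.
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: (image path, command line) pairs copied from the
# process list above. A representative subset, not the whole tree.
PROCESSES = [
    (r"C:\Windows\SysWOW64\regsvr32.exe",
     r'"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\IQIYI Video\LStyle\QYPlugin.dll"'),
    (r"C:\Windows\SysWOW64\regsvr32.exe",
     r'"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\IQIYI Video\LStyle\QYPlugin64.dll"'),
    # the 64-bit relaunch was recorded with arguments only (no argv[0])
    (r"C:\Windows\system32\regsvr32.exe",
     r'/s "C:\Program Files (x86)\IQIYI Video\LStyle\QYPlugin64.dll"'),
    (r"C:\Users\Admin\AppData\Local\Temp\nsy3045.tmp\vmpagedown.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\nsy3045.tmp\vmpagedown.exe" "http://vodguide.ppstream.iqiyi.com/search.php?ver=1.0.6.55" "C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\vmPage\search_top.zip"'),
    (r"C:\Program Files (x86)\IQIYI Video\LStyle\QiyiService.exe",
     r'"C:\Program Files (x86)\IQIYI Video\LStyle\QiyiService.exe" -i'),
    (r"C:\Program Files (x86)\IQIYI Video\LStyle\mDNSResponder.exe",
     r'"C:\Program Files (x86)\IQIYI Video\LStyle\mDNSResponder.exe" -finstall'),
    (r"C:\Windows\TEMP\assistant.exe", r'"C:\Windows\TEMP\assistant.exe"'),
    (r"C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\mkshortcut.exe",
     r'"C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\mkshortcut.exe" -output "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\爱奇艺PPS.lnk" -target "C:\Program Files (x86)\IQIYI Video\LStyle\QyClient.exe" -parameters "quicklaunchrun" -workingdir "C:\Program Files (x86)\IQIYI Video\LStyle" -appid "IQIYI, Inc.PCClient" -icon "C:\Program Files (x86)\IQIYI Video\LStyle\skin\Logo\LogoBevel.ico" -description "使用爱奇艺PPS收看影视节目,清晰流畅更新快"'),
]
NETSH = r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="{name}" dir=in program="{prog}" action=allow description="{prog}"'
for name, prog in [
    ("爱奇艺视频客户端", r"C:\Program Files (x86)\IQIYI Video\LStyle\QyClient.exe"),
    ("爱奇艺HCDN网络数据传输组件", r"C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe"),
    ("爱奇艺视频播放器", r"C:\Program Files (x86)\IQIYI Video\LStyle\QyMiniPlayer.exe"),
    ("爱奇艺PPS影音 播放器组件", r"C:\Program Files (x86)\IQIYI Video\LStyle\QyPlayer.exe"),
    ("爱奇艺升级模块", r"C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\QyUpdate.exe"),
    ("爱奇艺视频辅助程序", r"C:\Program Files (x86)\IQIYI Video\LStyle\QyFragment.exe"),
]:
    PROCESSES.append((r"C:\Windows\SysWOW64\netsh.exe", NETSH.format(name=name, prog=prog)))

TOKEN = re.compile(r'(?:"[^"]*"|[^\s"])+')   # quoted spans (with spaces) stay one token
KEYVAL = re.compile(r"[A-Za-z]+=.*")           # netsh-style key=value arguments


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [t.replace('"', "") for t in TOKEN.findall(cmdline)]


def classify(image, cmdline):
    """Return one finding dict for an (image path, command line) pair."""
    exe = image.rsplit("\\", 1)[-1].lower()
    toks = tokenize(cmdline)
    # drop argv[0] only when it was recorded; some entries carry arguments only
    args = toks[1:] if toks and toks[0].lower().endswith(".exe") else toks
    low = [a.lower() for a in args]
    kv = dict(a.split("=", 1) for a in args if KEYVAL.fullmatch(a))
    flags = {low[i]: args[i + 1] for i in range(len(args) - 1)
             if low[i].startswith("-") and not low[i + 1].startswith("-")}
    urls = [a for a in args if a.lower().startswith(("http://", "https://"))]

    if exe == "netsh.exe" and low[:4] == ["advfirewall", "firewall", "add", "rule"]:
        return {"kind": "firewall_rule", "name": kv.get("name"), "dir": kv.get("dir"),
                "action": kv.get("action"), "program": kv.get("program")}
    if exe == "regsvr32.exe":
        dlls = [a for a in args if a.lower().endswith(".dll")]
        return {"kind": "com_register", "dll": dlls[0] if dlls else None,
                "silent": "/s" in low}
    if urls:   # a URL argument means a download, whatever the binary is called
        return {"kind": "download", "url": urls[0], "host": urlsplit(urls[0]).hostname,
                "dest": next((a for a in args if a.lower().endswith(".zip")), None)}
    if "-output" in flags and "-target" in flags:
        return {"kind": "shortcut", "lnk": flags["-output"], "target": flags["-target"]}
    if low and re.fullmatch(r"-(i|f?install)", low[0]):
        return {"kind": "install_switch", "image": image, "switch": low[0]}
    if "\\temp\\" in image.lower():
        return {"kind": "exec_from_temp", "image": image}
    return {"kind": "other", "image": image}


def summarize(processes):
    """Aggregate findings: counts per kind, inbound allow-listed programs, registered DLLs."""
    findings = [classify(img, cmd) for img, cmd in processes]
    return {
        "findings": findings,
        "counts": Counter(f["kind"] for f in findings),
        "inbound_allowed": sorted({f["program"] for f in findings
                                   if f["kind"] == "firewall_rule"
                                   and f["dir"] == "in" and f["action"] == "allow"}),
        "registered_dlls": sorted({f["dll"] for f in findings if f["kind"] == "com_register"}),
    }


if __name__ == "__main__":
    report = summarize(PROCESSES)
    for kind, n in sorted(report["counts"].items()):
        print(f"{kind:16} {n}")
    print("inbound allow rules for:", *report["inbound_allowed"], sep="\n  ")
    print("COM servers registered:", *report["registered_dlls"], sep="\n  ")
```

Run as a script it prints the per-kind counts, the six programs granted inbound access and the two DLLs handed to regsvr32. The tokenizer is the part worth keeping: every path in this report contains spaces, so splitting on whitespace alone would cut the netsh program= values and the .lnk path in half, and the third regsvr32 entry shows why argv[0] must be treated as optional.
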
Network

Country Destination Domain Proto
US 8.8.8.8:53 dl.static.iqiyi.com udp
SG 118.26.120.1:80 dl.static.iqiyi.com tcp
US 8.8.8.8:53 vodguide.ppstream.iqiyi.com udp
SG 118.26.120.1:80 vodguide.ppstream.iqiyi.com tcp
US 8.8.8.8:53 static.qiyi.com udp
HK 118.26.34.91:80 static.qiyi.com tcp
US 8.8.8.8:53 msg.iqiyi.com udp
CN 111.48.118.157:80 msg.iqiyi.com tcp
N/A 10.127.255.255:5353 - udp
N/A 224.0.0.251:5353 - udp
HK 118.26.34.91:80 static.qiyi.com tcp
US 8.8.8.8:53 static.iqiyi.com udp
BE 104.68.86.49:80 static.iqiyi.com tcp
US 8.8.8.8:53 policy.video.iqiyi.com udp
US 8.8.8.8:53 list3.ppstream.com.iqiyi.com udp
SG 161.117.186.135:80 policy.video.iqiyi.com tcp
US 8.8.8.8:53 gameguide.youxi.pps.tv udp
SG 161.117.186.135:80 policy.video.iqiyi.com tcp
US 8.8.8.8:53 pdata.video.iqiyi.com udp
CN 58.215.125.56:17788 - udp
CN 183.61.167.82:17788 - udp
CN 58.56.65.60:17788 - udp
CN 119.188.133.192:17788 - udp
CN 1.28.145.91:17788 - udp
CN 223.99.251.67:17788 - udp
CN 163.177.41.153:17788 - udp
US 8.8.8.8:53 msg.71.am udp
HK 118.26.34.91:80 list3.ppstream.com.iqiyi.com tcp
SG 114.119.175.88:80 pdata.video.iqiyi.com tcp
US 8.8.8.8:53 flux.hcdn.qiyi.com udp
HK 118.26.34.91:80 list3.ppstream.com.iqiyi.com tcp
SG 118.26.120.1:80 gameguide.youxi.pps.tv tcp
US 8.8.8.8:53 uaa.iqiyi.com udp
CN 111.48.118.157:80 msg.iqiyi.com tcp
CN 123.125.84.228:80 uaa.iqiyi.com tcp
US 8.8.8.8:53 list.youxi.pps.tv udp
N/A 127.0.0.1:80 - tcp
US 8.8.8.8:53 aia1.wosign.com udp
CN 180.163.251.149:80 aia1.wosign.com tcp
SG 118.26.120.1:80 list.youxi.pps.tv tcp
US 8.8.8.8:53 list.youxi.ppstream.com udp
SG 118.26.120.3:80 list.youxi.ppstream.com tcp
US 8.8.8.8:53 cache.hall.game.pps.tv udp
N/A 10.127.255.255:60000 - udp
N/A 10.127.255.255:60001 - udp
N/A 10.127.255.255:60002 - udp
N/A 10.127.255.255:60003 - udp
N/A 10.127.255.255:60004 - udp
N/A 10.127.255.255:60005 - udp
N/A 10.127.255.255:60006 - udp
N/A 10.127.255.255:60007 - udp
N/A 10.127.255.255:60008 - udp
N/A 10.127.255.255:60009 - udp
CN 111.48.118.157:80 msg.iqiyi.com tcp
US 8.8.8.8:53 count.game.pps.tv udp
SG 114.119.175.88:80 pdata.video.iqiyi.com tcp
US 8.8.8.8:53 msg.iqiyi.com udp
US 8.8.8.8:53 cdata.video.qiyi.com udp
CN 111.48.118.157:80 msg.iqiyi.com tcp
US 8.8.8.8:53 ppcc.inter.qiyi.com udp
CN 124.237.225.21:80 msg.iqiyi.com tcp
SG 47.241.163.52:8088 ppcc.inter.qiyi.com tcp
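
The Network table mixes three things a triager wants separated: the DNS lookups to 8.8.8.8:53, the TCP and UDP connections that followed them, and local noise (10.127.255.255 broadcast, 224.0.0.251:5353 mDNS multicast from the mDNSResponder.exe the installer registered, 127.0.0.1:80). It also contains seven public UDP peers on port 17788 and a TCP connection to port 8088, which is not web traffic and is consistent with the HCDN data-transfer component the firewall rule for QyKernel.exe refers to. The Python below is an added example, not part of the sandbox report: it parses rows in the table's own format and reports names that were resolved but never contacted, local endpoints, and public endpoints on ports other than 80/443. SAMPLE is a constructed excerpt of the table above (an empty Domain cell may be written as "-" or omitted; the parser accepts both); the port whitelist and the definition of "local" are the example's assumptions.

```python
# Added example (not part of the sandbox report): turn a detonation's
# Network table into a triage summary of DNS queries, resolved-only names,
# local (broadcast/multicast/loopback/private) endpoints and public
# endpoints on non-web ports.
import ipaddress
import re
from collections import Counter

# country, ip:port, optional domain, proto; the header line does not match
ROW = re.compile(r"(\S+)\s+(\S+):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)")

# Constructed excerpt of the table above, header included; not the full capture.
SAMPLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 dl.static.iqiyi.com udp
SG 118.26.120.1:80 dl.static.iqiyi.com tcp
US 8.8.8.8:53 vodguide.ppstream.iqiyi.com udp
SG 118.26.120.1:80 vodguide.ppstream.iqiyi.com tcp
US 8.8.8.8:53 msg.iqiyi.com udp
CN 111.48.118.157:80 msg.iqiyi.com tcp
N/A 10.127.255.255:5353 - udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 pdata.video.iqiyi.com udp
CN 58.215.125.56:17788 udp
CN 183.61.167.82:17788 udp
US 8.8.8.8:53 flux.hcdn.qiyi.com udp
N/A 127.0.0.1:80 - tcp
N/A 10.127.255.255:60000 udp
N/A 10.127.255.255:60001 udp
CN 111.48.118.157:80 msg.iqiyi.com tcp
US 8.8.8.8:53 ppcc.inter.qiyi.com udp
SG 47.241.163.52:8088 ppcc.inter.qiyi.com tcp
"""

WEB_PORTS = {80, 443}   # assumption: anything else on a public host is worth a look


def parse_rows(text):
    """Parse table rows into dicts; skips the header and any malformed line."""
    rows = []
    for line in text.splitlines():
        m = ROW.fullmatch(line.strip())
        if not m:
            continue
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": None if domain in (None, "-") else domain,
                     "proto": proto})
    return rows


def is_local(ip):
    """Private, loopback, multicast and link-local addresses are LAN noise, not C2."""
    a = ipaddress.ip_address(ip)
    return a.is_private or a.is_loopback or a.is_multicast or a.is_link_local


def analyze(text):
    rows = parse_rows(text)
    dns = [r for r in rows if r["proto"] == "udp" and r["port"] == 53]
    conns = [r for r in rows if not (r["proto"] == "udp" and r["port"] == 53)]
    queried = {r["domain"] for r in dns if r["domain"]}
    contacted = {r["domain"] for r in conns if r["domain"]}
    endpoints = {(r["ip"], r["port"], r["proto"]) for r in conns}
    local = {e for e in endpoints if is_local(e[0])}
    public = endpoints - local
    return {
        "dns_queries": queried,
        "resolved_only": queried - contacted,   # looked up, never connected to
        "local_endpoints": local,
        "public_endpoints": public,
        "unusual_ports": {e for e in public if e[1] not in WEB_PORTS},
        "by_port": Counter(e[1] for e in public),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE)
    for key in ("dns_queries", "resolved_only", "unusual_ports", "local_endpoints"):
        print(f"{key}:")
        for item in sorted(result[key], key=str):
            print("  ", item)
```

Resolved-but-never-contacted names (pdata.video.iqiyi.com and flux.hcdn.qiyi.com in the excerpt) usually mean the connection went over a port the sandbox did not label with the domain, or that the client only needed the answer; either way they belong on the IOC list alongside the contacted hosts. The unusual_ports set is the short list to pivot on when deciding whether 17788/udp is peer-to-peer content delivery or something else.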

Files

\Users\Admin\AppData\Local\Temp\nsy3045.tmp\StdUtils.dll

MD5 572b16bf94a6492976f777b7d0373971
SHA1 3ae46f117f0d3ea32b28de9a73fca0d912260203
SHA256 fb87ec46457a836060bd3ee33bb37ec4d222d4974816654b32ba9d40efd90c75
SHA512 872347db453458f3bfe6d6bb9dbb66305abcf5773acaaea4d06e8800b3329f536d70e6c96e6dd59a20e963bfce496a0fe014302d2469353bfbcba0fbd2ba6fd6

\Users\Admin\AppData\Local\Temp\nsy3045.tmp\nsProcess.dll

MD5 dacc5f5531887a11804bda084e12cee1
SHA1 85e9f509668d9d78120435e5df593d988b16029a
SHA256 18584f582d454c15de69b515dcd8952a446bf18514de532c309b351b30d77066
SHA512 f16dcc34d444490621df50ea70772a692592bb35f078f7e7a7360976da873e8e917663344864b56f5989a65ecdaa70d8eb0df4f8a2495f50aa5d25f6f248ae4a

\Users\Admin\AppData\Local\Temp\nsy3045.tmp\NSISdl.dll

MD5 8ff1b274c581f2e928a418f3b90620eb
SHA1 ad7ad3acd29b882204e74fe36369a6b89a8beed4
SHA256 df10d5b4ca10ea6ddce96d6ddecfc175f1dff4292a8c5c1f8e0adfb6e1e824c3
SHA512 a932f9b77fb801e624069661f9c0a7fab4a1e540d763d51bca91e2570767029261946c4ef522e1e9fecc189cd8090e99ba9b454439a3e3fec2ca318dcb428691

\Users\Admin\AppData\Local\Temp\nsy3045.tmp\DialogEx.dll

MD5 e0f33283138ef1c169f71cb1708985a3
SHA1 f10f88a272fc7c14f3a37d0f650aa7480bc1efd0
SHA256 a9b34148448d893558dbb91b51bbbdddd535e2c8387a13e930a4b5096b0af03c
SHA512 8094b5096cb0c4ee6572217beab6419b8d9ecdb2b902c9c596ef3cc513e4916b05c2bb54fd6084f274b6919d4871ae31cce4eddadd272cb7516c30dfc7c7db0a

memory/1800-28-0x00000000031A0000-0x00000000031A9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsy3045.tmp\nsis7z.dll

MD5 cb22c301a35e0d8551578940c018868d
SHA1 1aa3a19c0c5e8cd02feedca50fb1845a99964ee6
SHA256 d77183207b8a3b6bf4d7267aee06c7d0f76a6b42e0c007e596931ec59dfa597d
SHA512 f1997bc05c360c1adad90317e7aeb97af9982b2e40e4aadd88522d640fda44648c733e19c572b01647cfb6b2093f2387b41db37f52cd87b8d02c479be0395f5c

C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\Signin.png

MD5 053bf204ab9961e6843a052348ca8d5a
SHA1 cfd71af85b0cae52a4c54429e925add459287de6
SHA256 1b02340f651f6af1019402f595737b2e71f1e341892e419ae64617aa571db6af
SHA512 3476e12f9ba18a7663b6519ecec7fba8379a974d5962b37fa0d0ae024f9cb554d9ec44a13c2fc739e472b851531259aa3460f89c7683fde9e8de0b5e8a1051b8

C:\Program Files (x86)\IQIYI Video\LStyle\appdata\webcache\2\movieLib_pstyle.css

MD5 04934b72e752e77dd0bf67c9d06a2272
SHA1 9e5d3a5a81089989981cd9a44784e42ac40c638d
SHA256 a18e3ac76891027def955b9f310ac15a51c8b514e7b63aa27cbb96f8d38cf926
SHA512 7df18a0a080715a781df5baa0a7fccef6eaa4818bed11d985c42ee81acb9ce2665a5aacf30b7517d4d30c1aac6557f6d6a8b6623c15a7ce8f10c5d7691ee380f

C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\made\loading_17.png

MD5 0893bfeefb776d58da6ef7bd6b8d64c8
SHA1 c9905b5a2edb4f4caf87c76425e7db4e63b699d6
SHA256 e0787ff81f12df511d1b97382c78d58bf28269fac897eae4e0faddffe7be6aeb
SHA512 fe8735b4b0042d1124ccf1dc55edd298fdfadb101bdab735b0bff89068909e61d81cef5b4ba967bc11a683b064cfe7638ea91cc4026a9073e197fc489ec78435

C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\normal\loading_17.png

MD5 28853faad82cbc1110fddc0c3a54d85d
SHA1 d11e7cb83ceba8bd8223b59150bbd747222715f4
SHA256 59fe4bb150bb9bbb28bedff5d2aaa87307041420100c2be31c9084f9a92fc342
SHA512 4cd0a50c61f650df55ede29da8e72f5b909cbd6bae3d375176b0952ca8d46ce0ef06e104ab540e500f23e9ae9af9e2fcfb3b6c52ab7ed8cd6e7a11696150eb1e

C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\only\config.ini

MD5 534a43f71c3ae9f4860a02b65d1de41d
SHA1 c6929fb5bba5aa8b56a3c891e9fdc1f571ab42c7
SHA256 b7b478999cc6ff9694335c0877d9a0182415a0478eb04d660849c8c98556672f
SHA512 5a048eb691bf368d955c010d30dd122dd27980de7da38a7e0ee1e13b9d98b71e3a5edc5cc1af908d73014bd6a4a2f25aaec5750156598c871d516d6dbcd838c8

C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\only\loading_16.png

MD5 11007ca324dd134924fa2bca5244eb73
SHA1 56fa6e06d7db2e9693d7eb26eb13d52ab9ce8fc3
SHA256 05395237709655d0cb9de583e7c2a3192df91388333d70923798eaf61b1562bb
SHA512 bfa1d34ac7312cc273fbb59748a6e6f0cea6c6db7a498c04dfc8ebc2491806cd9d55fe766f727e3c0a130699a7f20d1a8d2e01ea005ad15cf706b0916a115e63

C:\Program Files (x86)\IQIYI Video\LStyle\skin\PLRes\btnPopUpClose.png

MD5 7844d223803d5f35c4eb453908d3d3d2
SHA1 f6946969ca172c5735f19cc5215ee170bd963bb6
SHA256 38e371539a017a690e546a161ce82dbb757ccfd46e7bfa46c79f8377a9d6a223
SHA512 4db164312a9813a0288abef93a4ae7d12945a3f290010603e9343b4bafea8883a1bc626ebea2e548eb6fb915ab47786b2a0adf02b1b720f4968f8b15005fd49f

C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\downloadRes\downLoad\config_dlg_close.png

MD5 754a7d6d7740eead34bb5a9f6940f009
SHA1 18acc6593a114f5616a539101f31504cb511459e
SHA256 154ca004725f7936e20efa1780f3cdef20869de4ac00d1b0079c86e31b0e59f3
SHA512 785ac79cec2f7f3fd813761a53b506ac5b2fede0ba67ea8a5bf495da5dc028c69e88217d1c45ad4e4ad4c34b3d3a1d6df88363c4e8fc1c095af3078357e2abda

C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\AL_Close1.png

MD5 1867ed15b4256e9edc952c334a543201
SHA1 386b14cf44c620a55f64c6069409eb0eb5c5e3a3
SHA256 87b01d7e066af46794e584904a4bedb27707da1eb32080b60a286f01b9c27820
SHA512 027e984adcc90553c9c699c6f1a797eea5e7b02f8cb4a807aa62263780485de235c6294b608b8a34c67e9b5024d98768cab6265cc7776884b9ab4e6585e0c0a3

C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\AL_Close2.png

MD5 33cced8d3d97f78972a5418ec7e96f29
SHA1 09bb1332bbb1f06eda3bb09f37b3699257162369
SHA256 42803e7485f1507abcfca5f455e76956a0dd92ddf2b9d6341a4f2375a941746f
SHA512 04683521c7dc5e7f4ff701da3fe4291eccbe6b96ba5631676844fe4616a0fcb5e7434a47f245f9b800a47922b25c3d5a2d1063eee61b82db656866c194aca1ce

C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\common\common_scroll.png

MD5 93343a6c34066ba4b50a6d455210f538
SHA1 10bdaace70cee2656f3c6eedd2c5aa5182dd6de1
SHA256 d2d9f913aa2646725e0af0d332a10a78b1d7269bf0d774aeb3e6dfc4be40558e
SHA512 06066d93e57cf309c064779a415a34290d52d9312da45acad20b0655f098568cb438d694f46aafe5d0edeb5178a50c6a729e174c683666d97112a1e09741b1aa

C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\listUI\filmlib2_normal.png

MD5 7602910002b9307718bb5a4c221d6be5
SHA1 61004f0ad2d3f55c7549b3c8eecf2108d0efb655
SHA256 9298a0cc560f702a118dec0bf34bf2d609d5a56d1c49e9658b0eeac0bba59a38
SHA512 eac38bff7fbf476bcd003253b737723c46c31cdcc205bde5f6c4bad9f5da75d7f08f061976c1bb724888f2a4ec38a9c0667e56c3a993a4a69cf236c43adcd259

C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\PersonalCenter\set\cancel.png

MD5 d1a6675f77f74cc5847b0a59c49c3f6b
SHA1 f96c4084818cc5836e4086b665e97c3bd7d99f47
SHA256 29207dd0cbb59bd1e6fe489ab6ada4cb04c74083099127b194402f1f3ea4bf8d
SHA512 3f4a2f4fc645fbbcfb5fda5fd37fe8dffb96329c4e66841ca5bdb8c8ae4836e4eaede44a6e4e5ca17cf6bf02524d304bf83922092fc9b88fa72e94a322617388

C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\PersonalCenter\set\ok.png

MD5 4d34af20771db466a6439fa56ff5f687
SHA1 5223e4281ff91d0bdedc9af14c4825e56cad01e4
SHA256 b4513c801e7893e2364967da122e5340a69a0c8f28d0318234ee0ca41ac12f60
SHA512 bb770d0649982b3f4d35a5b6628cd0a4168f31ea89e56eaf92f74412cc2ddcf8773dd60f25ff5c0d04d77960570d652f8b7cf7cdd2cbaf07151024c8355871b3

C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\QYProduct\blackback.png

MD5 60ce4c0275c77aa5572892c81728620d
SHA1 82fc18f800c867547140a7764f38a65eec9a4b96
SHA256 8ea1ba9ad6052fe784d79b9bd3ff879152c1d58738cc1faab0a1304b68ce69db
SHA512 ee1d28e4c4b939a721f42f67505de0fe2084f36244b53838a4704a19f32246919a88ab7936b6cfa07e54f4b5c1a11d36305376a3ef42bb73bfa5fd679f83af91

C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\MobileAssistant\Fragment\MobileAssistant\scrollbar.png

MD5 8f6b9b86898ce75b5c94034ab1f14381
SHA1 4005fdcd5071fe373db13e301301ed0e2dc74876
SHA256 874664eaa38618437f551ed0492a89b718e44f2a6f64e2b5590b708c6ddb3b97
SHA512 f42d284538b5ca4f8382321dd96dc104b8d7f49a1339dc1e7fdcac4fb22099078d29ccf29a7b9d23c94260295f39126197d082b4983acf7be9a1569ad4e237e3

C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\PersonalCenter\common\close_big1.png

MD5 5fa2adb150f63cba9e5443befe17eaf4
SHA1 b5c2a1cee13211626c061c422961a1d0aa742703
SHA256 02b0a8d8524e604ed201f912fba8ee58c5573f8310145d3e64a3c279726dac40
SHA512 9cbde58a143beabec9cd89ab66bf0f29db6903ece436fdb0c14dfd66803ccc4f951b316216c073be9e8032d20f8e0f93a4c393672884063e3cf8f29f7b404607

C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\PersonalCenter\common\close_big2.png

MD5 51fd1384bab6df779007cee07422e4ac
SHA1 16e89c96196d21f3a85ed6a0f5d97d096c2fbc15
SHA256 9c0ec21d601c6e193caa0a04db9c80318d15e1fec713d3e82e53f709a5620fd9
SHA512 279c7e23a32b639d13d836b1c9744bbbeec4167a95bd3302bae6ff2738877fb2e99e8a2c95934b38c74d74dda4783ab14f81ac96c551084e9cdbe4f9ee24519c

C:\Program Files (x86)\IQIYI Video\LStyle\skin\soft_txt_icon_2.png

MD5 1402aa18efd86eec43a345d936f8ab4d
SHA1 c51a44b65489e041620c8ce9ebb5d04c517d27e5
SHA256 2276b09083e0da61a550d97c12cd814622c853358f26dcaffd423285ed29640f
SHA512 7b4913b6a30410d87a3c1c87d4b6d15510c47f17b38c3c2db11da2fb344b88e5c3d86dba86781eff180eb803222af6a58b6a0a12905139b085d988061c5bfd12

C:\Program Files (x86)\IQIYI Video\LStyle\skin\spaceship.png

MD5 575984f7a1cfe13a9ed1d3800bd7d14a
SHA1 df04fdf4070d29d76aaff8f5b2f68bff6ee0cdc3
SHA256 925b723d434d5528c4dd712102279974e76842b71544fa8153d6108d11ccd7de
SHA512 1d2eca187cfead14798cdc18b4ffed909b483869281bd05fc4b7412fb76a7ee6987efbffa17db218be32d4c2e1ee6e1cb383a4a96983f226baae1f42a330725b

\Program Files (x86)\IQIYI Video\LStyle\QyClient.exe

MD5 3544d9748462cd7593833d993c29a37c
SHA1 1877aca3b883eaddc14bb00fb2055240f474647e
SHA256 16957ec4af0aa862c4d7da1ddc270560837485b602246a475f3d7124e942db96
SHA512 805b0ee15917ef2c31f1d087ebbcf23cf40cadeb0cf25512bffe29678c4e4a91cbd1888871d047efb4a173fcb1b1be75e5a9b59707f6b9b0b25cb9fe25523775

C:\Program Files (x86)\IQIYI Video\LStyle\skin\logo.ttf

MD5 e1097f713080d07e0c717e0737ef167e
SHA1 f31f1c4570925450c1fd1ac847cf54461b6274d4
SHA256 f2aa97fb51572edf0694ae328bbdcb01a172189aa53549b7ea8caebc66325249
SHA512 786dda62d0423a9733af16035390e99bd47c5cd8c49f2802eb443896230b2dba70eefbb95de3175b2143dbca1f9ab8ccb8cd8e7cd8b8821f0a93d1a5c69923ad

\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe

MD5 95bff19e30f8b194eebc8c81b671d6d7
SHA1 be2883ccd72263e162350cdfb7bf9d4bc5090f17
SHA256 4fa1020f67d7beee37c67bb6bd86ed8925e348adbf5748f9555dc96797c651d3
SHA512 762bf013e4d46ca61dceabde986753cf501442e1c72dcf394b628e2f6273ff05f686908bf9ec3be17d28b34602ea0bc18795e296da43dda7de47e81962a559db

C:\Program Files (x86)\IQIYI Video\LStyle\GdiPlus.dll

MD5 385e243fc4314f79c1e3042070586d03
SHA1 bff588a2ac255b4cd1e3a9528529aa0e26f4657b
SHA256 18055410347fe57288aa11917e77f9b5833f59e669e8c65fc589d314eb6b695c
SHA512 5854cd81f2f9d5d01a7c0e3ab1b6801490f455191089a21dbc199cf924f59aadbff85d9b963700961c326a4def2a13ff9ba6d3933ead17262b7b66d0279f2c55

\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe

MD5 b6e9d6c600b793177c69ffc751c7a8f2
SHA1 2d83d7e4a84a5378333250a470ad6577ea858780
SHA256 19aa1945952438cc82e633ff6c90c4f21835fb79d49de8649dd1e18ae4c9a80b
SHA512 069ed99225d5d69817e16f8dfc2c95fe7c667e9e7f7b03897b58ffabe14ced8b4498b5ed117155ef79761f5189f88b54729864623cff1c80d9536f7c08ef4a0b

\Users\Admin\AppData\Local\Temp\nst6441.tmp\UserInfo.dll

MD5 13a689123cebd31c1d1862e05981beca
SHA1 0430094a1a0f639ba9bf5831c24f1f4330762a6d
SHA256 386933bdaf4774e88670e21abbebdeddf64b1e87b1681f85ac5b3ec1cac8dcdf
SHA512 0663148e80f4703000bbfc8ede2bcc7cad19877585a5cc46aa13a7003377d7315d33f01c1d311d38bcf5e3782e4b361510214f09a9f6537b856c5ad9bc41fdae

\Users\Admin\AppData\Local\Temp\nst6441.tmp\UtilsPlugin.dll

MD5 877ba4f17e960ddcf0c2fa2df62b6710
SHA1 c452ce34ed1b5043bb26ec938d170fffb14b53c9
SHA256 7481df00348a7279b044cf12f7188b2c15e6a1862e5ed2ea8e7e2b0dc6c027ae
SHA512 0ae63c05641c234d53573e69eb143582916c4c976fc11d78efe0310b8fc04b0491838abd94b8c7b9ee5f77ddf41bfdeef61227c87a6da427c68b9feae6ada612

C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\AoreAudioVolume.dll

MD5 a53ff1a83e51f4915a6a61ee92f408d3
SHA1 15f9bbc83652f057f933ad2dfa02c9713884d328
SHA256 c81aedcb12656accfdbda1d1572311c9a0f9954c0036c0074235f42b6c0567de
SHA512 be5d2b9c05d28c49ad3b8be847f322bbf23b06e9966418f57698e463c9bd112e9ad27081029fee422212013924beedf010074bcce5683308039ccbeee072f436

C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\error_togame.html

MD5 5926b1d339e58bf3ebc876939ea4c2c5
SHA1 64394e162c82bc19812c62881ca1545288e56516
SHA256 5bbaa9feff7fbe44b794df4b493c587303588d74d138cdb50504ed5b6e3c8669
SHA512 a8f7374e80214bc9ba4e493e8706e59f55f07ccc31601ed550f0d1787e1c5dc6695f4fbf75e7e2b66c031fb44e391af6d65ea619c3286aedf3d12c819b3751c8

C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\ComBtnHov.png

MD5 6cb194b84853c3d231eead716d49370c
SHA1 f95a681a3dc9318580bb62ef8ce4a678d78f1ec5
SHA256 ee34c098163504705e055812f003d823efe727600ea4b56db73553e2ff9d0219
SHA512 5ba1f927981c8679b49c5fd079ea2bcc662c8e9282ae736783c7d46ddcf7c486ad48856cea0831a223ac8b9600eea541a35fd3b4afd4fa2f132dc554503ba4ec

C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\DelBtnNor.png

MD5 5ff65cbf00ca0eb38b04df50917ac76e
SHA1 d5c498ddc143f575bc00955bdb38640901b85a85
SHA256 bd20a3bb861109627eef3acfc4cddd6120b6e96d7de94415ed375b43930c78ca
SHA512 01bdfba569dd465a84878cee5f31ba9694953c9804338654a135d8e081639a88dd419cb7b1f3edf843fa98bcfe0be8550f0e0709f3b51f5a051914fe2cbdfb9e

C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\DelBtnHov.png

MD5 159f343e6d3f9ba1d99da3d187398909
SHA1 5855b18908526953cb8b8a9d281ee144107dfe76
SHA256 1446a20293259c127b7631cb9934265c89810039e8c076cd98f946d55e00da1d
SHA512 70d6c98f6e57036a2e894c102888ea86575ad3e00e30ff386a1d97c6d4f407d29945f3f11c0e633e4f81179fe6f868755c0e82a0b9f1dbcc46e9410e6207ccc9

C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\defaultgameicon.png

MD5 116824ac4fabdc85d00e1d6e60fa6fff
SHA1 5bc1c4a8c152de3c1ea834a44e247ecb1e1ae865
SHA256 ae9291b1744a13ff45be576d455f268b93068651944e5fc5998b8c85eb1ef462
SHA512 a2397a5730dd9fcf8da86e58e247dac4b3806b5cae62b706cff2f8a87a0e7000c875b745413d6ec05c930fc4d5d89bc9b14389c6100bb437443970c889207a61

C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CutLine_mov.png

MD5 7069d28083d1361384f04c0d0f68904e
SHA1 eb42e13f8ddd37a0a6493d1a8b4fa629c04ee229
SHA256 328ee1b1c993d27c97aeb037e0e755e05a106aa4ee9e3203f350c9a09c4fa8d6
SHA512 316e4539fb1cbb0204bbdf4beeeba9c3f268a006f280c74ae3d2d77caf1d34c571073c0dde726cacd94aa2237d5e03c345d38fe0feb6eeff01803cc634358403

C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CreateShortLink_Nomal.png

MD5 673f47624b85a4403fdc740fe2721397
SHA1 ab0843b01f6a80a70c2cbaabe67f273094f80b33
SHA256 38bb2806bdc0022541bde8ebdfcc7c4b4724489e870cfa7ec5bc16919057f629
SHA512 eb43372ada55842ec5a7ca52be3a4cc0eebd1bf83323b06f3587632f9ac76ba57cc943cac46c3529bdc269105aef965a2662924815b253044f5b34a77b0d73ca

C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CreateShortLinkTips.png

MD5 cb1e1030a8813d00749d308b0da73b9f
SHA1 d97c9823d234fd8650dfcf540796d26f97442776
SHA256 2d0fc3650a7f32216d8545dfd541bf4a1ab9f386521ae8f035ef8f6c069089fd
SHA512 24141197dabf6dd18adedf1920b52dbac7a72eefcf71cf66d02048e08d480c489e3ee72be174c593bd7a4e2882ef62bb0e941e5dc3c98d6abec15db88cbc5051

C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CreateShortLinkClose_Hover.png

MD5 2855abc8bc2f15113af379b3ced104a2
SHA1 0aebf0295a17c7fd6c722ce10a65c9fc4fd09f03
SHA256 671af83a229fe930a720e5805e079ce2c01334125136011d8adc0ee6c3dd50ab
SHA512 5b5063eacf5fdd0ee1e939090334d5f918c4fe3484a6a0a3ee4c87e8808153002ea8316733a5a8e84c5e019a2c6f4a64b8390ca339cfad7c2135fcdb9024b3c6

C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CommonBtn_normal.png

MD5 e189e1d1d43cba9e78c008fa248e02fe
SHA1 b374269f970d337375552f2b771126f11da42f15
SHA256 911eb65979874e946ac0b2da2440084f98c3088758e2f1bd9144d495061d6aaa
SHA512 fd1b83cd8130000670756169910920145c9a1cc1ca35b4efca61311248db07488d32430d5d3d1c45b231b3d5803e011470326f4e3ec694ff5663a16b66e1df67

C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CommonBtn_Hover.png

MD5 15ae314b60106f6eda43676eb1d3de6b
SHA1 2897302883ec07add176c4e03f8dc9a4ae6afdde
SHA256 8927bf74e9d960dad95ba796e6f2bc731c5b4e1192cbd7b120cbd2f1898ec3c1
SHA512 479afa994781f6a495d7439ae3d0afc131ad5ad7bb5ff1471f1ffebf61633a74624e41b06b481f17c8a9f723635de871273147659ddf070664c385215bc23a80

C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\ComBtn.png

MD5 0a2318d4078889584caa4523315bdd70
SHA1 281adb6f789746a5c2e446eea019c1e1047ab8d1
SHA256 5956629dc86c8486d28137f91fcc493183a53a103c1ba5f4a4019f67a132e9ef
SHA512 5c05917259aefc4b675913cb896af105b1e7bf7cf07ac400083303e2952e307fb72eef4786e27381a7eee5d2b17dd4d55a9ed1dac7acded6890db927f4657b5b

C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CollectingToDesktop_MOV.png

MD5 e4c70faae3c4fce495e12d24c2854c8b
SHA1 9faf01736350722f60820485bc6fa1eb364e2c5d
SHA256 03f78a2bb0eb5d120d85e7c08a16410921824154186b04ef1027905b07d137a5
SHA512 54567bbe7b75acc0e09a4fde69ff50d295609fdab69478d8c995213d4491f09aeaeaa134b2a63a76d3c5f92a8a3b61c1e56b8593dddf17a12ca28b6c8af4e4c9

C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CollectingToDesktop_HOV.png

MD5 8f88aba447c6b48423a6ab9502060195
SHA1 2d434c1dc6f8523b49dc669abd8f69f50656ffbb
SHA256 78a209e1df0745cffb42aeeba157769ccf016dd3e356719415c11374f0e592df
SHA512 927b79089112c18870b43568c6efa1f8959beb39aaba9356429d7209438f8ad330488f3c49d8b4bd9aff29808b751ee52c82f7322dc72eb8a2d1ac563ba79fbf

C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\ClearIECache_mov.png

MD5 683aebc33c1a57d4e7193ac11edb718d
SHA1 f880556c87ea97d913003b5d61bfcc46309203fc
SHA256 2a1b1688b001bf57d60a0c47b6b82910c443015711820f6a95a073e540621a40
SHA512 6aa2665a83c7b683658601815d6b0957ee3376645158339657bda2ff765b7db91fb8abc49ef0e50c5a9474965ccc9e34ba8df82e28d8cfa2b05cd49225a3a454

C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\ClearIECache_hov.png

MD5 5e9c33c45c3997c6bd2a227496d8bbf5
SHA1 61438ac8294a4723abf785604b05f3cfb3f190a5
SHA256 59a3e8272352042ab795032d5dd448b2f9bb3c9bb0e4a119792ef31094e69005
SHA512 de8df25f3294dfa0a01433df94672272c119ab58c58e7af5bab3cb155dca248113d31e5145b1039dcf24bd27725aa385c860e286ffb7c6a85b4b8f25373451e4

C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CheckBoxUncheckHover.png

MD5 0e40da2e0b0d35ca116a6ef8cc09ab27
SHA1 c43ff70922be4bfcf7823551be6b2167c341f979
SHA256 b443f84b1dae129f7f7d86f46a1b6afac0569f5537ef79919396a18f15a6c709
SHA512 82042d24bb547bf1aba3b317e611516162a955714df3c44807c65ac5ef449b0e5e0eee8e673de24be9eb89c9cf45068afff74fb710e2eb89e9d4106ffdd645a7

C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CheckBoxUncheck.png

MD5 0992ec4811eb429baf46221fb1bfe4fa
SHA1 c4d95902c17a2c339cfadd366a1735a08dcef39c
SHA256 179ad885c9bd5e378b834f0c192f36d24366dac0af3df1c3a7896150e94a56a0
SHA512 91fedac3aad148511f028fbf25f544590abd7daac05fdcf9f62063911a1b5e39003e9a97d54425d2facfb4446311dc42499e625766b912656dd1fbebf8fc56b1

C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\CheckBoxCheck.png

MD5 d9cdf06422119816ca6f9c4c72cd09f6
SHA1 64e3bd1921689df2f3ee450c8387f9325d1254e0
SHA256 23f27fa2319a141f10a8be0cce63f11fce499f5943306d9d555c177c74d346cb
SHA512 2763f47b77742585d3562d61afe00033ef7ebb9f3fb1b7cd8b163d62ed5770680b00ac27bf200a47734cf715adaab862b9710268db9b6fc67f3c6625612cd88b

C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BtnSearch_Normal.png

MD5 e720f8d7d9b1eebf115a3ac3b2e8fa0e
SHA1 39e7f401d756d0f67413f9ff9ac925780b6e5434
SHA256 395035ebf113e3f7d46d5fff75fad4154a674747d86049eb88d0962865cc8328
SHA512 436d15bbdfd0cb4a1bbea0db7be5249ebb5e59268c6768a58424c66d155f4485057de177d9b36959c022b6a3c305af072414a75e829d44eee5cc0a8b6b9f4dcf

C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BtnSearch_MOV.png

MD5 0373829c3ff82ae9637c770174be1f01
SHA1 b608bca312673a83e435c475c3b6e56cf0ed0f61
SHA256 c5db13edaa19ab6024f12952264a3ec005c4ff87f677e33d0444a9485c113179
SHA512 ed0aa92263b53f6b65820303a08d31c7d54c422425aeae90ea52e08c54e10392acf33fdbb12e9ceea954df9a3cab1b13d4cc39c5a46198c364c6de3017d9dc87

C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\BtnSearch_Hover.png


MD5 7ce6f870a814cc914ddc015625f09b56
SHA1 a22877c1c76ff797b13a99ddea8920ba31e37292
SHA256 101e790789b35eae7b1129e6a5ac8ad61a8391fd963a1527f9da81bd130611b3
SHA512 ca7661795e92b6cc282a23b63a0ba11e7bbb413a46c9ada5ed232b479c6850302d4189d09e60c46a7831d43cb7d73c485530b3b24709db9254910cc242dabf0b

C:\Users\Admin\AppData\Local\Temp\nst6441.tmp\UAC.dll

MD5 113c5f02686d865bc9e8332350274fd1
SHA1 4fa4414666f8091e327adb4d81a98a0d6e2e254a
SHA256 0d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d
SHA512 e190d1ee50c0b2446b14f0d9994a0ce58f5dbd2aa5d579f11b3a342da1d4abf0f833a0415d3817636b237930f314be54e4c85b4db4a9b4a3e532980ea9c91284

C:\Program Files (x86)\IQIYI Video\LStyle\vmPage\skin\play_bk_image.png

MD5 824d4207a6af2072b3d1390af96b85e0
SHA1 8de3a6f4bab1745db047f15a654e4053cf142f1f
SHA256 f2fa4092a964361551c7067040766ce7f57a27dc01dc5d79dea657efe3be34c2
SHA512 ab67b39f6a1161bb58e5b30c32f53643ca1f580121db3f3d6cb1684a70b39e08d772b4d0e4bca34aba8e2d04edfce2c36e0d96cf6983229f6c0f42100693a8bf

C:\Program Files (x86)\IQIYI Video\LStyle\vmPage\skin\prev_style.png

MD5 530e8a98324584ede0d1fdccca5bbfc4
SHA1 47465f71c4618fbae629e9acc9652bcf18a73dd4
SHA256 fd6a59be2092bc6a95df4fcc2bafe3950b16aa7a7d51cb3e2ce8e17857bf8c6c
SHA512 192cbf6a2e22c9e73725ff011ecb31e70b800bc4b59591ab4522565121322926792355201b08b04273279ded019c822b22929006e77e231c6bb05d49386afc6e

C:\Program Files (x86)\IQIYI Video\LStyle\vmPage\skin\radioIcon.png

MD5 4a0afbb4b008da94070fb4293564b261
SHA1 102578b628f2d67e8a5d24375da3217cac9bb9db
SHA256 49dfc9f3fbdb3d18cc5db8799fa5826864b27b97482f19f7114d5e2c5bf557c0
SHA512 11430c1fabe10f8ed5042890c8f70621f62b2a6d1fad64e8b288a52c86cc99072cdf4d8374d2ec3dc215c3f3510f809000ceae557a77caaa383e1a464138915b

C:\Program Files (x86)\IQIYI Video\LStyle\vmPage\skin\radioIcon_1.png

MD5 20effd71be955c5e857722c4edd2e85f
SHA1 7fbbe184f4dcf2de306384a1df56fc098b40c2e7
SHA256 f459810a485f9d1f3b01192d1541f3c652bfd5f618dd45393d3cfefbbef2b509
SHA512 d841d36cfc3771a875de62b83345d10734b68457b3f20cd4053bfa6236022da22d929d6c1b4132e3248099f6e49dd3a0a4d8861815b5f9f15210fe6849292a5f

C:\Program Files (x86)\IQIYI Video\LStyle\vmPage\skin\RangeImage.png

MD5 86b9d1484d97b7653895934b1d2a2f86
SHA1 96b9ac62a27071adde9e68a8fc38c7420a427796
SHA256 5669b6983bc769e8ebe808dd89903e54962a749df424189cdbf0675fda71ef7f
SHA512 af08d124ef897fddfe2d41fabb55e551da623971e2055e72a99b5eff87d4da1b9f9fc960c93798d0fa71453ce363b739a20ec20feb8a45ff69e4f81685cd4fc0

C:\Program Files (x86)\IQIYI Video\LStyle\vmPage\skin\rank_bk.png

MD5 4f87cbfa1eaf0a1f54d25d22eac11961
SHA1 27a4db5f20d81681fc7f3490655be1076f4a9230
SHA256 ce3e8ececb55de71194c0a8b29b404345f3a1e25c80c986f498962736a0b6281
SHA512 db918ab4bbd76d0a8a79659fba7b983fccf3215c662a6973e084f5ceb0b37473aeaa7393daa65d27cdad4c0e7afe9e3bb186e386bb891ab0c630eebe6f8423b9

C:\Program Files (x86)\IQIYI Video\LStyle\vmPage\skin\RadioItemSelected.png

MD5 f91ad431bf932884bc5c9cce13811096
SHA1 17faaef0f82156ffe670c86eb6e17616eb6288e4
SHA256 f32d584a92c9b5054b4fe236f646398c59fd68ffbf6954e738db49835e947c11
SHA512 e7c23fd04964a92bf686088ee08cb1551fc98c2a11c0cd04bfa277f16688879c3f3b541dc5ef6704c8c0a1115b38ee0d1f432381fb859df257464db2a1152bf6

C:\Program Files (x86)\IQIYI Video\LStyle\vmPage\skin\rank_bk2.png

MD5 b7f204c51cdc5fd5d95ed92a0bf48e0d
SHA1 7319bb7e3ebb914e955d77dfd3c5494507628f2f
SHA256 a90ea800caa69be1233579b54c4af46e485817e4eef915369dba974d4a24faaf
SHA512 380cb0cd7e22a237ef4107b205665024904baa98a383a8e7fa140b026282b652d5a15a04e98d46f45d6f8caa661acd05d6b82c634806b34908afc8f90db3989c

C:\Program Files (x86)\IQIYI Video\LStyle\vmPage\skin\scrollbarbk.png

MD5 826355e43d563d8cb3eb89cf35dbb466
SHA1 320524d6850344f9a16a8b1370ed673c7ef27e2e
SHA256 fc9ec2a4913ef2002760fe218bb023c83402dd91a0fa5ad1eed6c481894e67d6
SHA512 f48437f054438fa4ab80ba499b66f4d32692830267885e680e17fc63d5f3772fbfdbdcc8ad66a4ea9e74f4aceaca8e8e34b63cde714f4a435909b99175055597

C:\Program Files (x86)\IQIYI Video\LStyle\vmPage\skin\scrollbarrail.png

MD5 4be9e432491d973ab1aeead7b757b141
SHA1 260b087cd145da9700a13d35de72ad5f56d2e897
SHA256 1a8a80d151de65ba705a0a89e68889cd706033c2553472391a748419adc1b38e
SHA512 591ae2674738a927a05affe62852dbc9324da9bc68c8e5b4e38024107367f6e89c333e0a4a46dbfca9724f1e102c71f41351b6961cc4ccfd77705a8c21908227

C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\vmPage\1.0.6.55\skin\scrollbar_down.png

MD5 16c601baf1650ddd8e69216981b88427
SHA1 874bd7ede11b80c165864dcffced0f59a44e98a7
SHA256 f3961bad422b85e15a8532c2b8124690e8e4318754ec10822ed0b78598ce71cf
SHA512 654fa413cea3f8d1d58a01e9defbe6d13e1bd8c451a371696edec68c26582ef7dd15339d39b9a912c9ebea2c4c5c14ac9aa015e4a6fabf46c9cc63c17b18f4f4

C:\Users\Admin\AppData\Local\Temp\nsy3045.tmp\vmpagedown.exe

MD5 f5c82723518ac5c1e33cb7b8520094d5
SHA1 210cb26ffc62e7b9e6bd0398b28ecbe9e1b0e2c4
SHA256 e9abaff20fecb812d4df90395990054fb26d17640ad7a31cabd582cabe22948a
SHA512 85ccf75499dced8f1cb0e451b2135cf705da33ae23e290b4594dad1ed901cb7e3b4777b28dc52a7a9d5c40d4d10e9d90e3be3de8c686e276dd6837f15a498524

C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\LogoLIB.ico

MD5 094fad0a9eb6e39e00f6452da2e0a596
SHA1 053e9e4ae140cc3fec5a500c6941e0181e6ad143
SHA256 8429febe04859faa258bb06bfba94eb969ff7e80da207bac6417a22cc83548de
SHA512 b5d41ab5c040b0a001aaf399e9e7fd9646eb5d79268fa5f5258fb22a178b311f46e46c48c75495a003ea15949327700b7011602d726d92cf7e348f83e3ec5867

C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\QyMaster.exe

MD5 9e8e028857769d11281f83f1438d8a35
SHA1 a6a23b4e3fc495ba235a5b35c35c8fe05ef2f55d
SHA256 169e700568cb68e2511589aca9be8ad26bcd1ae52d0d109120576934c8af94c0
SHA512 42c9874e7b8eaa50888f4f533bd93c11c8277c8435583f06c764a5858f47c34ff5d8fc982540b5c06cb2ee03fb406931eb4db8170c18d0c1bb3f5bdd52d8b9e4

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\爱奇艺PPS.lnk

MD5 d70f02442487bc7aabb88806744cef14
SHA1 97a1ffa1448f3d3f35e067ff658f96fef6916c35
SHA256 016f19a90943ee596a44377fe621bc511b9a3e2b38be73469bd3a08bc08d25ca
SHA512 b7a77f3d03dd845994f924f08d9651e50af7cc6f145641ec8a54072e491824aad31cdab68c2271e103c21abb02c77b9675917709cf4887d16d72eaf7d4c9ce14

C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\PSNetwork.ini

MD5 3221fa8864ba8b73d2b5fbd437a289a0
SHA1 0b210cd735603be096e676cc0dc9d4c5c1de63f7
SHA256 8ffc6af8e58191176ef82385aa12d25c0379d3b9ccc3a3ce1d041f3c52d61914
SHA512 220a1f69d939f7a67c94a70e88acab7be105a7ed4fece40890c0b8650b4f356d3d7cdd348e380673a4cac25cc16e8c1324aa9fb64efb3b7337401876ad13ef4f

C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\PPStream.ini

MD5 3cf9321530be7e4afe11659e766f7358
SHA1 d6ddd1ff48c105ed39c4dac47c0d3cc8973c235f
SHA256 218ad5a76e9fbc8fa28b8164c782e96790a2d0d1c604d76d8faa639d3fa27516
SHA512 e02d1d97aba47ffd6681da7827c6f3641ac3a31f23829a894eda186f63e3af9b84de66a20fb55eed8e7aa25ff4c9ae8e29d31dfbfef5fcc4e2dabf64bcbfd0a1

memory/1800-6152-0x00000000051A0000-0x00000000051A2000-memory.dmp

C:\Users\Public\QiYi\QiyiHCDN\Config\PSNetwork.ini

MD5 c5103a6fde0664c344e9fda517e94831
SHA1 657dbc5daa17b49c7d3d45226ece5d8f50119eb4
SHA256 053d22d861fe19b97d83871149cbcb5ab5997261bd9f32c93a902d24b1fcedd5
SHA512 f328fd2c3cb94dac5e49e4139e0243f6eb7192d5231460712b3d0b478dc7bf6701f96f83603c8da6a94d833ddf74d1a2f18cdb849302738f0f9e3877551e699c

C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\browseradapter.ini

MD5 2ead05e1cee75f9ebdd5f9ac04cba9e9
SHA1 5c37cff83b68982eac4e8b6ad8a4a00143890a04
SHA256 0f318d57f8a2101da3b9c6b6c92e072afdf30150d4e628db68d4502a50b5bbfc
SHA512 ef73d57044c0b860839ad2226a4b61da16191e94a11584cb015c85f9ba6bf7202bad73baf2302426b1a1e3981b292b3eb4774643c31af2d7a12312025270e203

C:\Users\Public\QiYi\QiyiHCDN\Config\PSNetwork.ini

MD5 631b073eeb45f5be9d7cf10c5a807fb3
SHA1 7a42119d6d6184bcc42d920b6092789193be762b
SHA256 02361128391c4837b2c56d9a862f9ff415ba3df3111c9062792de71686c75e37
SHA512 5c1cf26ba4f030f9cf6705b021b9095f62da3eb197ab0e58120f496c8c6186cf504fc4c1fe000f2bac4c452dbd953e6f4a936c749e5a4612f4ef3572873e05dc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar8937.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\browseradapter.ini

MD5 34764672f4e39d82ba5a428c52220530
SHA1 1afa8fae65db6663f3560ed5907c95bdf0725723
SHA256 9d4f31189ac600d688add6b0c5fcfeb06fb7c0c7ed0ca0898e31075e3ac7de3d
SHA512 66bd88a757b552c1311e6c31941657b94a03c14c2e32cb5f726836b3afc6b4b217736d8320752c56de6e1f081140aff01cad99523d79a6de7a6953424fc33f3c

C:\Users\Admin\AppData\Local\Temp\nsy3045.tmp\config.ini

MD5 89647dee1e147207f3446ea739c8ab0a
SHA1 2939c1be244aa0fc4101832ee410418c337a4a40
SHA256 09622256300931a8465cb377e4f958239022f4245606e956728a9940321c17c3
SHA512 5c18225bd6c7ba97909a1f2473bbc6fbbde49ba91b5aac01cd4846a39eca886e7f27b1ad54bb143a1831b23b66887b5a4de50f63ba5a70dc44f00db18027d257

C:\Users\Admin\AppData\Local\Temp\nsy3045.tmp\nsExec.dll

MD5 2d1656be5aab3f3e6873cb5d0c046717
SHA1 32facbec7603c0d3a2198c390399711f68a96de7
SHA256 63133db6770f8ae0a5b38ddeafafbdc61cd6bc2ab0b6f3c307c0904f29d8a218
SHA512 d55426322c315a211c4de778eabd676fe2353ebff15f8725eb4e5dce03bb6b92f8a180e5093c2bdb324329bff72b4b1ed37d9d8155ce4c98926e0cbaa1c62ea1

C:\Users\Admin\AppData\Local\Temp\nsy3045.tmp\registry.dll

MD5 f81598566d3bebe154d86906e7419653
SHA1 fb2a980abe37a0b724edf932884931f946332b68
SHA256 b13d15f8d3e5498d3014dd0c5acc2b42df4aa08f96e0b3e59dc7c9e8c1e7f4c7
SHA512 95f6d51d11df472808b9e6a765be6f13231901d698b62f0782e2c17a5ddeee43a8484894f11568ae474ffc7a3b27d8cd01785caf8d87eecdc4a3f64a3ece9255

C:\Users\Public\QiYi\QiyiHCDN\Config\PSNetwork.ini

MD5 30170b9444a33478846e19b934206850
SHA1 e331f155bd09735ecc4dcf23c8554de2fbfc6b4c
SHA256 24e77d13b8f1741647bffdbc1c282b556fb7a965ea5c6f81c853c8c60c221d4c
SHA512 9dca76ae7a32c11f87debebd64ccae5b24ee8b0d0f2cd215f30bf30a9ea4f910db539f8599f9bce909f1b966ee7cd74402cd6cb07274be302e79b937cf37556d

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-04 16:59

Reported

2024-05-04 17:02

Platform

win10v2004-20240419-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe"

Signatures

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | C:\Program Files (x86)\IQIYI Video\LStyle\mDNSResponder.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HCDNClient = "\"C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QyKernel.exe\" -shell_start" | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A

Downloads MZ/PE file

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\F: | C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FB4F6285-4C32-49F2-950F-A5998F9CEC6C} | C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\Guide\Guide.xml | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\vip\loading_15.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\downloadRes\upload_item_dot_line.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\vmPage\skin\head2.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\IQIYI Video\LStyle\vmPage\skin\headcircle.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\videosquare\videosquare_itemex_floder_shadow2.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\SkinTabItem\ShadowRight_Normal.png.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\UserCheckBoxCheck.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\ConfigRes\list_header_normal.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\lefttop7.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\vip\loading_12.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\listUI\favor_1.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\PersonalCenter\image\recommendation.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\IQIYI Video\LStyle\pthreadVC2.dll | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\web\loading.gif | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\Menubar\more_option.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\PersonalCenter\register\renrens2.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\IQIYI Video\LStyle\LSTYLEAPPDATA\mkshortcut.exe | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\FreeAll_hov.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Ctrl\dot_loading.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\common\common_firstPage_pic_wall_bk.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\PersonalCenter\common\Close1.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\ConfigRes\aboutdlg.xml | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\MobileDown\AppDown2D.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Middle\logo\logo_refresh_hover.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\normal\loading_7.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\PLRes\Series_item.xml | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinDefault\skinplan\PlayerRes\Ctrl\volume_button.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinDefault\skinplan\PlayerRes\Top\untopmost.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\SkinTabItem\ShadowRight_Hover.png.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\ConfigRes\ppsbooster_mini_bg.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\downloadRes\download_delete_type_selected.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\Fragment\MobileAssistant\redpoint.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\IQIYI Video\LStyle\QuiLib.dll | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\vip\loading_19.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\vmPage\skin\leftright2.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\DownloadIcon_Num.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\LocalListRes\del_file_down.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\listUI\undownload_2.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\userinfo\w\soft_user_bg.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\VipTip.xml | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\IQIYI Video\LStyle\vmPage\skin\dotline_col.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Ctrl\GoodsCorner\goods_corner_bk (26).png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\normal\loading_13.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\downloadRes\common\FilterWndBk1.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinDefault\skinplan\SearchRes\hotWords_8.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinVIP\skinplan\PlayerRes\Top\maximize.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\mfc100u.dll | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Ctrl\GoodsCorner\goods_corner_bk (3).png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Middle\ADRes\AdWnd_PromptCloseNormal.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\MobileAssistant\Fragment\MobileAssistant\scrollbar.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinDefault\skinplan\list\random.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Ctrl\GoodsCorner\goods_corner_bk (10).png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Middle\restart_tip_bk.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\made\loading_2.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\listUI\filmlib-selected.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\radiopicture.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\skinVIP\skinplan\userinfo\b\game.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\IQIYI Video\LStyle\mfc100u.dll | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\downloadRes\common\new.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\homepageRes\hp_focus_ctrl_bk.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\common\close_cover.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\PersonalCenter\set\checkbox_selected.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File created | C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\MobileAssistant\Fragment\fragment_mobile_popbk.png | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Fonts\iqiyi_logo.ttf | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\psnetwork.ini | C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe | N/A
File created | C:\Windows\Fonts\iqiyi_logo.ttf | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
N/A | N/A | C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe | N/A
N/A | N/A | C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe | N/A
N/A | N/A | C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe | N/A
N/A | N/A | C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe | N/A
N/A | N/A | C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe | N/A
N/A | N/A | C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe | N/A
N/A | N/A | C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
N/A | N/A | C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe | N/A
N/A | N/A | C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe | N/A
N/A | N/A | C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe | N/A
N/A | N/A | C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe | N/A
N/A | N/A | C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe | N/A
N/A | N/A | C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe | N/A
N/A | N/A | C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe | N/A
N/A | N/A | C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe | N/A
N/A | N/A | C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe | N/A
N/A | N/A | C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe | N/A
N/A | N/A | C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe | N/A
N/A | N/A | C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe | N/A
N/A | N/A | C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe | N/A
N/A | N/A | C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe | N/A
N/A | N/A | C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
N/A | N/A | C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe | N/A
N/A | N/A | C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe | N/A

Registers COM server for autorun

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{085CB97F-6D0B-487D-B94C-E11A736C38CE}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{085CB97F-6D0B-487D-B94C-E11A736C38CE}\InprocServer32\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QYPlugin64.dll" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\InprocServer32\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QYPlugin64.dll" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32 | C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\LocalLow\\Unity\\WebPlayer\\loader\\UnityWebPluginAX.ocx" | C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\QyClient.exe = "9000" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAC94FEE-45B4-4FD4-9EEA-D8978EC96C6E}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\qips\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\AppName = "QyClient.exe" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\New Windows\Allow C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\qisu C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\qisu\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\ppsrun C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.ppstream.com C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6BE0FB-8B18-4dfc-959F-233651CC4D7F}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\QyBrowser.exe = "9000" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\ppsrun\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6BE0FB-8B18-4dfc-959F-233651CC4D7F} C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\ppstream C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_AUTOCONFIG_BRANDING C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAC94FEE-45B4-4FD4-9EEA-D8978EC96C6E}\AppName = "QyClient.exe" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\Policy = "3" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\magnet2\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\Policy = "3" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\pps\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\qygameclient C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\qygameclient\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.pps.tv C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\Policy = "3" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\QyFragment.exe = "1" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\QyClient.exe = "1" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAC94FEE-45B4-4FD4-9EEA-D8978EC96C6E} C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\magnet2 C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\AppName = "QyClient.exe" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\QyPlayer.exe = "9000" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\AppName = "QYFollowVideo.exe" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\QyFragment.exe = "9000" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}\Policy = "3" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\QyBrowser.exe = "1" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6BE0FB-8B18-4dfc-959F-233651CC4D7F}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\LStyle" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\QyPlayer.exe = "1" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAC94FEE-45B4-4FD4-9EEA-D8978EC96C6E}\AppPath = "C:\\Program Files (x86)\\IQIYI Video\\LStyle" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\pps C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\ppstream\WarnOnOpen = "0" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\qips C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AUTOCONFIG_BRANDING\iexplore.exe = "1" C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}\AppName = "QYFollowVideo.exe" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6BE0FB-8B18-4dfc-959F-233651CC4D7F}\AppName = "QyKernel.exe" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\UnityWebPlayer.UnityWebPlayer.1\CLSID C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\MiscStatus\1 C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\Implemented Categories C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\TypeLib\{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}\1.0\FLAGS C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\WOW6432Node\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.pfv\OpenWithList C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\.qsv\ = "pps_qsv" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\AppID\UnityWebPluginAX.ocx C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6360BD3-5CD0-40D3-BD87-DAFF37889F50}\1.0\HELPDIR\ C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QYPlugin.QYPluginCtrl.1\ = "爱奇艺浏览器插件" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\qips\shell\open C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pps_qsv\shell\open\command\ = "\"C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QyClient.exe\" -runfrom openfile \"%1\"" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\WOW6432Node\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675} C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{307B3CDB-9EE3-4137-9D18-F9AD6537ECEB}\VersionIndependentProgID\ = "IEHelper.FlvFilter" C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\ProgID\ = "UnityWebPlayer.UnityWebPlayer.1" C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\ProgID\ = "QYPlugin.QYPluginCtrl.1" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF3CDEFB-31BE-43AE-B064-B9C62C883259}\InProcServer32\ = "shdocvw.dll" C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF3CDEFB-31BE-43AE-B064-B9C62C883259}\Shell\Open\Command C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\AppID\UnityWebPluginAX.ocx\AppID = "{F008CD3D-7044-4CD4-BE14-BF3FCCF144F9}" C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{307B3CDB-9EE3-4137-9D18-F9AD6537ECEB}\TypeLib\ = "{E1D75F62-CBBD-45C7-9D1D-6B5ECEC2E006}" C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\WOW6432Node\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675}\ = "_DUnityWebPlayerAX" C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394} C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\Programmable C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\TypeLib\{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}\1.0 C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.FlashHelper.1\CLSID\ = "{FB4F6285-4C32-49F2-950F-A5998F9CEC6C}" C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pps_pfv\ = "媒体文件(.pfv)" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB3A16EC-96E2-421B-8462-C6F992596E65}\TypeLib\Version = "1.0" C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\Version\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\qygameclient\DefaultIcon\ = "C:\\Program Files (x86)\\IQIYI Video\\Common\\QyGameClient\\QyGameClient.exe,-0" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\MiscStatus\ = "0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pps_pfv\DefaultIcon\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\QyClient.exe,-107" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.FlvFilter.1 C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3636FE13-B7E3-4CDC-B7E3-A8014BD2CC02}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QYPlugin.QYPluginCtrl.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\Version\ = "1.0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\qisu\shell\open\command C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675}\ProxyStubClsid32 C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.FlashHelper.1 C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB4F6285-4C32-49F2-950F-A5998F9CEC6C} C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3636FE13-B7E3-4CDC-B7E3-A8014BD2CC02}\TypeLib C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\qygameclient\URL Protocol C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\AppID = "{F008CD3D-7044-4CD4-BE14-BF3FCCF144F9}" C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E1D75F62-CBBD-45C7-9D1D-6B5ECEC2E006}\1.0\0\win32\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\Accelerator\\IEHelper.dll" C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3636FE13-B7E3-4CDC-B7E3-A8014BD2CC02}\ = "IFlashHelper" C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB3A16EC-96E2-421B-8462-C6F992596E65}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pps_qsv\DefaultIcon\ = "C:\\Program Files (x86)\\IQIYI Video\\LStyle\\skin\\Logo\\qsv.ico" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\magnet2\shell C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\qygameclient\shell\open\command C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{138F4260-66CA-4F7C-812F-C6EED99B7EC7}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{138F4260-66CA-4F7C-812F-C6EED99B7EC7}\ = "_DQYPlugin" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QYPlugin.QYPluginCtrl.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QYPlugin.QYPluginCtrl.1 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ppstream\shell C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ppsrun\shell\open\command C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\magnet2\ = "magnet2播放协议" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB4F6285-4C32-49F2-950F-A5998F9CEC6C}\TypeLib\ = "{E1D75F62-CBBD-45C7-9D1D-6B5ECEC2E006}" C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\qips C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\TypeLib\{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\LocalLow\\Unity\\WebPlayer\\loader\\UnityWebPluginAX.ocx" C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pps_qsv\shell\open\ = "使用 爱奇艺万能播放器 播放" C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{138F4260-66CA-4F7C-812F-C6EED99B7EC7}\TypeLib\ = "{B6360BD3-5CD0-40D3-BD87-DAFF37889F50}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\UnityWebPlayer.UnityWebPlayer.1\CLSID\ = "{444785F1-DE89-4295-863A-D46C3A781394}" C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB\Blob = [binary certificate blob not included in the report] C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB\Blob = [binary certificate blob not included in the report] C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB\Blob = [binary certificate blob not included in the report] C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB\Blob = [binary certificate blob not included in the report] C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = [binary certificate blob not included in the report] C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = [binary certificate blob not included in the report] C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A (this identical row appears 60 times in the report)
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 224 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe 3
PID 224 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe 3
PID 224 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe 3
PID 224 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe 3
PID 224 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe 3
PID 1784 wrote to memory of 3304 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\vmpagedown.exe 2
PID 224 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\vmpagedown.exe 3
PID 224 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\QyMaster.exe 3
PID 224 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe 3
PID 224 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\LStyle\QiyiService.exe 3
PID 224 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\LStyle\mDNSResponder.exe 3
PID 224 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe 3
PID 224 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Windows\SysWOW64\netsh.exe 3
PID 224 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Windows\SysWOW64\netsh.exe 3
PID 1688 wrote to memory of 3948 N/A C:\Program Files (x86)\IQIYI Video\LStyle\QiyiService.exe C:\Windows\TEMP\assistant.exe 3
PID 224 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Windows\SysWOW64\netsh.exe 3
PID 224 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Windows\SysWOW64\netsh.exe 3
PID 224 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Windows\SysWOW64\netsh.exe 3
PID 224 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Windows\SysWOW64\netsh.exe 3
PID 224 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\mkshortcut.exe 3
(Events: number of identical rows the sandbox logged for that writer/target pair; original rows were listed one per call, in this order)
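Two things in this table are easy to misread. First, every writer/target pair appears two or three times, which is consistent with the writes CreateProcess itself performs into a freshly created child (the process parameters block), so on its own the table documents process creation by PID 224, the installer, rather than code injection; a genuine injection produces rows of exactly the same shape, and has to be told apart by the target image and by what was written (the memory region dump for PID 224 listed under Files is the place to look). Second, PID 776 appears first as QiyiDACL.exe and later as netsh.exe: Windows recycled the PID between two launches, so rows sharing a PID are not necessarily the same process. The script below is an added example, not part of this report or of the sandbox's tooling. It parses rows in the report's own layout (the embedded sample is a constructed subset copied from the table above), collapses repeats with a count, rebuilds the writer/target tree, surfaces PID reuse, and lists writes into signed Windows utilities such as regsvr32.exe and netsh.exe; the LOLBINS set is an illustrative assumption of the example, not an exhaustive list.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: rows copied from the "Suspicious use of WriteProcessMemory"
# table above, in the sandbox's own one-row-per-call layout.
SAMPLE = r"""
PID 224 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe
PID 224 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe
PID 224 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe
PID 224 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 224 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 224 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1784 wrote to memory of 3304 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\vmpagedown.exe
PID 1784 wrote to memory of 3304 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\vmpagedown.exe
PID 224 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe
PID 224 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe
PID 224 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe
PID 1688 wrote to memory of 3948 N/A C:\Program Files (x86)\IQIYI Video\LStyle\QiyiService.exe C:\Windows\TEMP\assistant.exe
PID 1688 wrote to memory of 3948 N/A C:\Program Files (x86)\IQIYI Video\LStyle\QiyiService.exe C:\Windows\TEMP\assistant.exe
PID 1688 wrote to memory of 3948 N/A C:\Program Files (x86)\IQIYI Video\LStyle\QiyiService.exe C:\Windows\TEMP\assistant.exe
PID 224 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Windows\SysWOW64\netsh.exe
PID 224 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Windows\SysWOW64\netsh.exe
PID 224 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe C:\Windows\SysWOW64\netsh.exe
"""

# "PID <src> wrote to memory of <dst> N/A <writer image> <target image>"; both images
# end in .exe, which is what lets the two space-containing paths be split apart.
ROW_RE = re.compile(
    r"^PID (?P<src_pid>\d+) wrote to memory of (?P<dst_pid>\d+) N/A "
    r"(?P<src_img>[A-Za-z]:\\.+?\.exe) (?P<dst_img>[A-Za-z]:\\.+?\.exe)$"
)

# Signed Windows utilities that the sample drives for side effects. Illustrative
# subset chosen for this example, not an exhaustive LOLBin list.
LOLBINS = {"regsvr32.exe", "netsh.exe", "rundll32.exe", "mshta.exe", "schtasks.exe", "sc.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(text):
    """One dict per row; lines that are not in the expected layout are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["src_pid"], ev["dst_pid"] = int(ev["src_pid"]), int(ev["dst_pid"])
            events.append(ev)
    return events


def collapse(events):
    """Identical rows -> ((src_pid, dst_pid, src_img, dst_img), count), first-seen order."""
    counts, order = Counter(), []
    for ev in events:
        key = (ev["src_pid"], ev["dst_pid"], ev["src_img"], ev["dst_img"])
        if key not in counts:
            order.append(key)
        counts[key] += 1
    return [(key, counts[key]) for key in order]


def process_tree(events):
    """Writer PID -> distinct (target PID, target image) pairs it wrote into."""
    tree = defaultdict(list)
    for ev in events:
        child = (ev["dst_pid"], ev["dst_img"])
        if child not in tree[ev["src_pid"]]:
            tree[ev["src_pid"]].append(child)
    return dict(tree)


def pid_reuse(events):
    """Target PIDs seen with more than one image: the OS recycled the PID, so rows
    that share a PID are not necessarily the same process."""
    images = defaultdict(set)
    for ev in events:
        images[ev["dst_pid"]].add(ev["dst_img"])
    return {pid: sorted(imgs) for pid, imgs in images.items() if len(imgs) > 1}


def lolbin_targets(events):
    """Distinct (target PID, image name) pairs whose target is a LOLBin."""
    found = []
    for ev in events:
        name = basename(ev["dst_img"]).lower()
        if name in LOLBINS and (ev["dst_pid"], name) not in found:
            found.append((ev["dst_pid"], name))
    return found


if __name__ == "__main__":
    evs = parse_rows(SAMPLE)
    print(f"{len(evs)} rows -> {len(collapse(evs))} distinct writer/target pairs")
    for (src, dst, _, dst_img), n in collapse(evs):
        print(f"  {src} -> {dst} {basename(dst_img)} x{n}")
    print("PID reuse:", pid_reuse(evs))
    print("LOLBin targets:", lolbin_targets(evs))
```

Run against the full table instead of the sample, the interesting output is the tree rooted at PID 224 (the installer) with the two secondary writers, 1784 (regsvr32.exe launching vmpagedown.exe) and 1688 (QiyiService.exe launching assistant.exe from C:\Windows\TEMP), which is where to focus if the question is whether anything beyond the installer itself started processes.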

Processes

C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\13a825164b8138ac4c8cfce592798000_JaffaCakes118.exe"

C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe

"C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\UnityWebPlayer.exe" /S

C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe

"C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe" QiyiUpdate "C:\Program Files (x86)\IQIYI Video" true

C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe

"C:\Program Files (x86)\IQIYI Video\LStyle\Qy_plugin.exe" -install

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\IQIYI Video\LStyle\QYPlugin.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\IQIYI Video\LStyle\QYPlugin64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\IQIYI Video\LStyle\QYPlugin64.dll"

C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\vmpagedown.exe

"C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\vmpagedown.exe" "http://vodguide.ppstream.iqiyi.com/search.php?ver=1.0.6.55" "C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\vmPage\search_top.zip"

C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\QyMaster.exe

"C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\QyMaster.exe" "C:\Users\Public\QiYi\QiyiHCDN\Config"

C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe

"C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe" QiyiUpdate "C:\Users\Admin\AppData\Roaming\IQIYI Video" true

C:\Program Files (x86)\IQIYI Video\LStyle\QiyiService.exe

"C:\Program Files (x86)\IQIYI Video\LStyle\QiyiService.exe" -i

C:\Program Files (x86)\IQIYI Video\LStyle\QiyiService.exe

"C:\Program Files (x86)\IQIYI Video\LStyle\QiyiService.exe"

C:\Program Files (x86)\IQIYI Video\LStyle\mDNSResponder.exe

"C:\Program Files (x86)\IQIYI Video\LStyle\mDNSResponder.exe" -finstall

C:\Program Files (x86)\IQIYI Video\LStyle\mDNSResponder.exe

"C:\Program Files (x86)\IQIYI Video\LStyle\mDNSResponder.exe"

C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe

"C:\Program Files (x86)\IQIYI Video\LStyle\QiyiDACL.exe" videolibrary=uninstall_setup

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺视频客户端" dir=in program="C:\Program Files (x86)\IQIYI Video\LStyle\QyClient.exe" action=allow description="C:\Program Files (x86)\IQIYI Video\LStyle\QyClient.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺HCDN网络数据传输组件" dir=in program="C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe" action=allow description="C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe"

C:\Windows\TEMP\assistant.exe

"C:\Windows\TEMP\assistant.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺视频播放器" dir=in program="C:\Program Files (x86)\IQIYI Video\LStyle\QyMiniPlayer.exe" action=allow description="C:\Program Files (x86)\IQIYI Video\LStyle\QyMiniPlayer.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺PPS影音 播放器组件" dir=in program="C:\Program Files (x86)\IQIYI Video\LStyle\QyPlayer.exe" action=allow description="C:\Program Files (x86)\IQIYI Video\LStyle\QyPlayer.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺升级模块" dir=in program="C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\QyUpdate.exe" action=allow description="C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\QyUpdate.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺视频辅助程序" dir=in program="C:\Program Files (x86)\IQIYI Video\LStyle\QyFragment.exe" action=allow description="C:\Program Files (x86)\IQIYI Video\LStyle\QyFragment.exe"

C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\mkshortcut.exe

"C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\mkshortcut.exe" -output "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\爱奇艺PPS.lnk" -target "C:\Program Files (x86)\IQIYI Video\LStyle\QyClient.exe" -parameters "quicklaunchrun" -workingdir "C:\Program Files (x86)\IQIYI Video\LStyle" -appid "IQIYI, Inc.PCClient" -icon "C:\Program Files (x86)\IQIYI Video\LStyle\skin\Logo\LogoBevel.ico" -description "使用爱奇艺PPS收看影视节目,清晰流畅更新快"

C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe

"C:\Program Files (x86)\IQIYI Video\LStyle\QyKernel.exe"
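Reading the process list: the installer runs from an NSIS-style staging directory (nst441E.tmp, with the NSIS plugin DLLs StdUtils.dll, nsProcess.dll, NSISdl.dll, nsis7z.dll and DialogEx.dll listed under Files) and drives two signed Windows utilities for its side effects. The regsvr32 command lines name C:\Windows\System32\regsvr32.exe but the process column shows C:\Windows\SysWOW64\regsvr32.exe: a 32-bit caller under WOW64 file-system redirection. The entry whose command line starts with /s and names QYPlugin64.dll is the native 64-bit regsvr32, which is consistent with the 32-bit one re-launching its 64-bit counterpart when handed a 64-bit DLL. The netsh rule names are Chinese product strings: 爱奇艺视频客户端 (iQIYI video client), 爱奇艺HCDN网络数据传输组件 (iQIYI HCDN network data transfer component), 爱奇艺视频播放器 (iQIYI video player), 爱奇艺PPS影音 播放器组件 (iQIYI PPS media player component), 爱奇艺升级模块 (iQIYI update module), 爱奇艺视频辅助程序 (iQIYI video helper program); the mkshortcut description reads "Use iQIYI PPS to watch film and TV programmes; clear, smooth, fast updates". The script below is an added example, not part of this report or of the sandbox's tooling: it parses (process image, command line) pairs in the report's layout (the embedded list is a constructed subset copied from above), extracts the COM registrations and the firewall rules, and flags inbound allow rules bound to a program in a user-writable location (here QyUpdate.exe under the user's AppData\Roaming), since whatever later replaces that file inherits the exception. The USER_WRITABLE markers are an assumption of the example.

```python
import re

# Whitespace-separated tokens, with quoted spans kept together (key="a b" is one token).
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')

# Constructed sample: (process image, command line) pairs copied from the Processes list above.
PROCESSES = [
    (r"C:\Windows\SysWOW64\regsvr32.exe",
     r'"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\IQIYI Video\LStyle\QYPlugin.dll"'),
    (r"C:\Windows\system32\regsvr32.exe",
     r'/s "C:\Program Files (x86)\IQIYI Video\LStyle\QYPlugin64.dll"'),
    (r"C:\Windows\SysWOW64\netsh.exe",
     r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺视频客户端" dir=in program="C:\Program Files (x86)\IQIYI Video\LStyle\QyClient.exe" action=allow description="C:\Program Files (x86)\IQIYI Video\LStyle\QyClient.exe"'),
    (r"C:\Windows\SysWOW64\netsh.exe",
     r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="爱奇艺升级模块" dir=in program="C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\QyUpdate.exe" action=allow description="C:\Users\Admin\AppData\Roaming\IQIYI Video\LStyle\QyUpdate.exe"'),
    (r"C:\Program Files (x86)\IQIYI Video\LStyle\QiyiService.exe",
     r'"C:\Program Files (x86)\IQIYI Video\LStyle\QiyiService.exe" -i'),
]

# Path fragments treated as user-writable for this example (assumption; extend as needed).
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\")


def tokenize(cmdline):
    """Split a Windows command line, stripping the quotes around each token."""
    return [t.replace('"', "") for t in TOKEN_RE.findall(cmdline)]


def parse_process(image, cmdline):
    toks = tokenize(cmdline)
    if toks and toks[0].lower().endswith(".exe"):
        toks = toks[1:]  # drop argv[0]; the report omits it for the 64-bit regsvr32 entry
    base = image.rsplit("\\", 1)[-1].lower()
    if base == "regsvr32.exe":
        return {
            "type": "com_registration",
            "dll": next((t for t in toks if not t.startswith("/")), None),
            "silent": any(t.lower() == "/s" for t in toks),
            # The process image, not the command line, tells you the bitness: a 32-bit
            # caller asking for System32\regsvr32.exe is redirected to SysWOW64 by WOW64.
            "bitness": 32 if "\\syswow64\\" in image.lower() else 64,
        }
    if base == "netsh.exe" and [t.lower() for t in toks[:4]] == ["advfirewall", "firewall", "add", "rule"]:
        kv = dict(t.split("=", 1) for t in toks[4:] if "=" in t)
        return {"type": "firewall_rule", **kv}
    return {"type": "other", "image": image, "args": toks}


def risky_firewall_rules(records):
    """Inbound allow rules bound to a program under a user-writable path."""
    out = []
    for r in records:
        if r["type"] != "firewall_rule" or r.get("dir") != "in" or r.get("action") != "allow":
            continue
        prog = r.get("program", "")
        if any(marker in prog.lower() for marker in USER_WRITABLE):
            out.append((r.get("name"), prog))
    return out


def summarize(processes):
    recs = [parse_process(img, cl) for img, cl in processes]
    return {
        "com_registrations": [(r["bitness"], r["dll"]) for r in recs if r["type"] == "com_registration"],
        "firewall_rules": [(r.get("name"), r.get("program")) for r in recs if r["type"] == "firewall_rule"],
        "risky_firewall_rules": risky_firewall_rules(recs),
    }


if __name__ == "__main__":
    for key, items in summarize(PROCESSES).items():
        print(key)
        for item in items:
            print("   ", item)
```

The COM registrations are the artefacts behind the "Registers COM server for autorun" and "Installs/modifies Browser Helper Object" signatures in the overview; the DLL paths this prints are what to check (and unregister) on a host where the installer ran.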

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 dl.static.iqiyi.com udp
SG 118.26.120.1:80 dl.static.iqiyi.com tcp
US 8.8.8.8:53 1.120.26.118.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 vodguide.ppstream.iqiyi.com udp
HK 118.26.34.91:80 vodguide.ppstream.iqiyi.com tcp
US 8.8.8.8:53 static.qiyi.com udp
US 8.8.8.8:53 91.34.26.118.in-addr.arpa udp
SG 118.26.120.1:80 static.qiyi.com tcp
US 8.8.8.8:53 msg.iqiyi.com udp
CN 111.48.118.157:80 msg.iqiyi.com tcp
SG 118.26.120.1:80 static.qiyi.com tcp
N/A 10.127.255.255:5353 udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 static.iqiyi.com udp
BE 104.68.86.49:80 static.iqiyi.com tcp
US 8.8.8.8:53 49.86.68.104.in-addr.arpa udp
US 8.8.8.8:53 policy.video.iqiyi.com udp
US 8.8.8.8:53 list3.ppstream.com.iqiyi.com udp
US 8.8.8.8:53 gameguide.youxi.pps.tv udp
US 8.8.8.8:53 pdata.video.iqiyi.com udp
US 8.8.8.8:53 msg.71.am udp
SG 161.117.186.135:80 policy.video.iqiyi.com tcp
SG 161.117.186.135:80 policy.video.iqiyi.com tcp
HK 118.26.34.91:80 list3.ppstream.com.iqiyi.com tcp
CN 101.227.22.17:17788 udp
CN 183.61.167.98:17788 udp
CN 183.61.95.14:17788 udp
CN 119.188.40.98:17788 udp
CN 218.61.39.90:17788 udp
CN 119.188.133.210:17788 udp
CN 223.99.251.83:17788 udp
SG 114.119.175.88:80 pdata.video.iqiyi.com tcp
US 8.8.8.8:53 flux.hcdn.qiyi.com udp
HK 118.26.34.91:80 list3.ppstream.com.iqiyi.com tcp
CN 111.48.118.157:80 msg.iqiyi.com tcp
SG 118.26.120.1:80 gameguide.youxi.pps.tv tcp
US 8.8.8.8:53 uaa.iqiyi.com udp
N/A 127.0.0.1:80 tcp
US 8.8.8.8:53 aia1.wosign.com udp
US 8.8.8.8:53 17.22.227.101.in-addr.arpa udp
US 8.8.8.8:53 14.95.61.183.in-addr.arpa udp
US 8.8.8.8:53 98.167.61.183.in-addr.arpa udp
US 8.8.8.8:53 90.39.61.218.in-addr.arpa udp
US 8.8.8.8:53 98.40.188.119.in-addr.arpa udp
US 8.8.8.8:53 210.133.188.119.in-addr.arpa udp
US 8.8.8.8:53 83.251.99.223.in-addr.arpa udp
US 8.8.8.8:53 135.186.117.161.in-addr.arpa udp
US 8.8.8.8:53 74.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 88.175.119.114.in-addr.arpa udp
CN 123.125.84.228:80 uaa.iqiyi.com tcp
CN 180.163.251.149:80 aia1.wosign.com tcp
US 8.8.8.8:53 list.youxi.pps.tv udp
SG 118.26.120.1:80 list.youxi.pps.tv tcp
US 8.8.8.8:53 list.youxi.ppstream.com udp
SG 118.26.120.3:80 list.youxi.ppstream.com tcp
N/A 10.127.255.255:60000 udp
N/A 10.127.255.255:60001 udp
N/A 10.127.255.255:60002 udp
N/A 10.127.255.255:60003 udp
N/A 10.127.255.255:60004 udp
N/A 10.127.255.255:60005 udp
N/A 10.127.255.255:60006 udp
N/A 10.127.255.255:60007 udp
N/A 10.127.255.255:60008 udp
N/A 10.127.255.255:60009 udp
US 8.8.8.8:53 cache.hall.game.pps.tv udp
US 8.8.8.8:53 3.120.26.118.in-addr.arpa udp
SG 114.119.175.88:80 pdata.video.iqiyi.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
SG 114.119.175.88:80 pdata.video.iqiyi.com tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
SG 114.119.175.88:80 pdata.video.iqiyi.com tcp
CN 111.48.118.157:80 msg.iqiyi.com tcp
US 8.8.8.8:53 count.game.pps.tv udp
SG 114.119.175.88:80 pdata.video.iqiyi.com tcp
SG 114.119.175.88:80 pdata.video.iqiyi.com tcp
SG 114.119.175.88:80 pdata.video.iqiyi.com tcp
SG 114.119.175.88:80 pdata.video.iqiyi.com tcp
SG 114.119.175.88:80 pdata.video.iqiyi.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
SG 114.119.175.88:80 pdata.video.iqiyi.com tcp
US 8.8.8.8:53 88.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 cdata.video.qiyi.com udp
US 8.8.8.8:53 msg.iqiyi.com udp
CN 124.237.225.21:80 msg.iqiyi.com tcp
US 8.8.8.8:53 ppcc.inter.qiyi.com udp
SG 47.241.163.52:8088 ppcc.inter.qiyi.com tcp
CN 111.48.118.157:80 msg.iqiyi.com tcp
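Most rows in this table are not indicators. The in-addr.arpa queries to 8.8.8.8 are reverse lookups of addresses that were already contacted and say nothing about intent; 10.127.255.255 (subnet broadcast), 224.0.0.251:5353 (mDNS, matching the mDNSResponder.exe the installer registers) and 127.0.0.1 stay inside the sandbox; and the bing.com / bing.net traffic is assumed here to come from the Windows image rather than from the sample. What remains is the iQIYI and PPS service hostnames, an aia1.wosign.com fetch consistent with certificate chain building for a WoSign-issued certificate, and a fan-out of UDP to port 17788 on seven Chinese addresses with no preceding DNS answer, which is the shape of peer-to-peer transfer (the firewall rule for QyKernel.exe is named "HCDN network data transfer component") but equally of hard-coded C2, so it is worth a closer look rather than a verdict. The script below is an added example, not part of this report or of the sandbox's tooling: it parses rows in the table's layout (the embedded sample is a constructed subset copied from above), classifies each row, and returns the unique domains, the external endpoints, the non-web ports, and clusters of direct-IP traffic on one port. BACKGROUND_SUFFIXES is an assumption of the example; tune it for your own sandbox image.

```python
import ipaddress
import re

# Constructed sample: rows copied from the Network table above
# (Country Destination Domain Proto; the Domain column is absent on some rows).
NETWORK = """\
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 dl.static.iqiyi.com udp
SG 118.26.120.1:80 dl.static.iqiyi.com tcp
HK 118.26.34.91:80 vodguide.ppstream.iqiyi.com tcp
N/A 10.127.255.255:5353 udp
N/A 224.0.0.251:5353 udp
CN 101.227.22.17:17788 udp
CN 183.61.167.98:17788 udp
CN 183.61.95.14:17788 udp
SG 47.241.163.52:8088 ppcc.inter.qiyi.com tcp
N/A 127.0.0.1:80 tcp
N/A 10.127.255.255:60000 udp
N/A 10.127.255.255:60001 udp
CN 180.163.251.149:80 aia1.wosign.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
SG 114.119.175.88:80 pdata.video.iqiyi.com tcp
SG 114.119.175.88:80 pdata.video.iqiyi.com tcp
"""

ROW_RE = re.compile(
    r"^(?P<cc>\S+) (?P<ip>\d+(?:\.\d+){3}):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)
RESOLVER = "8.8.8.8"  # the sandbox's upstream resolver, as seen in the table
WEB_PORTS = {80, 443}
# Assumption for this example: hostnames generated by the analysis VM's own Windows
# image rather than by the sample.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")


def parse_network(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())  # "domain" is None when the column is absent
    return rows


def classify(row):
    ip = ipaddress.ip_address(row["ip"])
    domain = row["domain"] or ""
    if domain.endswith(".in-addr.arpa"):
        return "ptr_lookup"  # reverse lookup of an address already contacted
    if domain.endswith(BACKGROUND_SUFFIXES):
        return "background"
    if row["ip"] == RESOLVER and row["port"] == "53" and row["proto"] == "udp":
        return "dns_query"
    if ip.is_private or ip.is_loopback or ip.is_multicast or ip.is_link_local:
        return "local"  # broadcast, mDNS and loopback inside the sandbox network
    return "external"


def extract_iocs(text):
    """Unique domains, external endpoints and non-web ports, in first-seen order."""
    domains, endpoints, odd_ports = [], [], []
    for r in parse_network(text):
        kind = classify(r)
        if kind == "dns_query" and r["domain"] not in domains:
            domains.append(r["domain"])
        elif kind == "external":
            ep = (r["ip"], int(r["port"]), r["proto"], r["domain"])
            if ep in endpoints:
                continue
            endpoints.append(ep)
            if r["domain"] and r["domain"] not in domains:
                domains.append(r["domain"])
            if ep[1] not in WEB_PORTS:
                odd_ports.append(ep)
    return {"domains": domains, "endpoints": endpoints, "nonstandard_ports": odd_ports}


def direct_ip_clusters(endpoints, min_hosts=3):
    """(port, proto) pairs contacted on several hosts with no hostname: the shape of
    peer/CDN traffic, and of hard-coded C2, so they deserve a manual look."""
    by_port = {}
    for ip, port, proto, domain in endpoints:
        if domain is None:
            by_port.setdefault((port, proto), set()).add(ip)
    return {k: sorted(v) for k, v in by_port.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    iocs = extract_iocs(NETWORK)
    print("domains:", iocs["domains"])
    for ep in iocs["endpoints"]:
        print("endpoint:", ep)
    print("non-web ports:", iocs["nonstandard_ports"])
    print("direct-IP clusters:", direct_ip_clusters(iocs["endpoints"]))
```

Applied to the full table this leaves roughly fifteen hostnames and the 17788/udp cluster, which is a far more useful starting point for a blocklist or a hunt than the raw row count suggests.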

Files

C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\StdUtils.dll

MD5 572b16bf94a6492976f777b7d0373971
SHA1 3ae46f117f0d3ea32b28de9a73fca0d912260203
SHA256 fb87ec46457a836060bd3ee33bb37ec4d222d4974816654b32ba9d40efd90c75
SHA512 872347db453458f3bfe6d6bb9dbb66305abcf5773acaaea4d06e8800b3329f536d70e6c96e6dd59a20e963bfce496a0fe014302d2469353bfbcba0fbd2ba6fd6

C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\nsProcess.dll

MD5 dacc5f5531887a11804bda084e12cee1
SHA1 85e9f509668d9d78120435e5df593d988b16029a
SHA256 18584f582d454c15de69b515dcd8952a446bf18514de532c309b351b30d77066
SHA512 f16dcc34d444490621df50ea70772a692592bb35f078f7e7a7360976da873e8e917663344864b56f5989a65ecdaa70d8eb0df4f8a2495f50aa5d25f6f248ae4a

C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\NSISdl.dll

MD5 8ff1b274c581f2e928a418f3b90620eb
SHA1 ad7ad3acd29b882204e74fe36369a6b89a8beed4
SHA256 df10d5b4ca10ea6ddce96d6ddecfc175f1dff4292a8c5c1f8e0adfb6e1e824c3
SHA512 a932f9b77fb801e624069661f9c0a7fab4a1e540d763d51bca91e2570767029261946c4ef522e1e9fecc189cd8090e99ba9b454439a3e3fec2ca318dcb428691

C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\DialogEx.dll

MD5 e0f33283138ef1c169f71cb1708985a3
SHA1 f10f88a272fc7c14f3a37d0f650aa7480bc1efd0
SHA256 a9b34148448d893558dbb91b51bbbdddd535e2c8387a13e930a4b5096b0af03c
SHA512 8094b5096cb0c4ee6572217beab6419b8d9ecdb2b902c9c596ef3cc513e4916b05c2bb54fd6084f274b6919d4871ae31cce4eddadd272cb7516c30dfc7c7db0a

memory/224-31-0x00000000050B0000-0x00000000050B9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nst441E.tmp\nsis7z.dll

MD5 cb22c301a35e0d8551578940c018868d
SHA1 1aa3a19c0c5e8cd02feedca50fb1845a99964ee6
SHA256 d77183207b8a3b6bf4d7267aee06c7d0f76a6b42e0c007e596931ec59dfa597d
SHA512 f1997bc05c360c1adad90317e7aeb97af9982b2e40e4aadd88522d640fda44648c733e19c572b01647cfb6b2093f2387b41db37f52cd87b8d02c479be0395f5c

C:\Program Files (x86)\IQIYI Video\Common\QyGameClient\skins\default\png_res\Signin.png

MD5 053bf204ab9961e6843a052348ca8d5a
SHA1 cfd71af85b0cae52a4c54429e925add459287de6
SHA256 1b02340f651f6af1019402f595737b2e71f1e341892e419ae64617aa571db6af
SHA512 3476e12f9ba18a7663b6519ecec7fba8379a974d5962b37fa0d0ae024f9cb554d9ec44a13c2fc739e472b851531259aa3460f89c7683fde9e8de0b5e8a1051b8

C:\Program Files (x86)\IQIYI Video\LStyle\appdata\webcache\2\movieLib_pstyle.css

MD5 04934b72e752e77dd0bf67c9d06a2272
SHA1 9e5d3a5a81089989981cd9a44784e42ac40c638d
SHA256 a18e3ac76891027def955b9f310ac15a51c8b514e7b63aa27cbb96f8d38cf926
SHA512 7df18a0a080715a781df5baa0a7fccef6eaa4818bed11d985c42ee81acb9ce2665a5aacf30b7517d4d30c1aac6557f6d6a8b6623c15a7ce8f10c5d7691ee380f

C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\made\loading_17.png

MD5 0893bfeefb776d58da6ef7bd6b8d64c8
SHA1 c9905b5a2edb4f4caf87c76425e7db4e63b699d6
SHA256 e0787ff81f12df511d1b97382c78d58bf28269fac897eae4e0faddffe7be6aeb
SHA512 fe8735b4b0042d1124ccf1dc55edd298fdfadb101bdab735b0bff89068909e61d81cef5b4ba967bc11a683b064cfe7638ea91cc4026a9073e197fc489ec78435

C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\normal\loading_17.png

MD5 28853faad82cbc1110fddc0c3a54d85d
SHA1 d11e7cb83ceba8bd8223b59150bbd747222715f4
SHA256 59fe4bb150bb9bbb28bedff5d2aaa87307041420100c2be31c9084f9a92fc342
SHA512 4cd0a50c61f650df55ede29da8e72f5b909cbd6bae3d375176b0952ca8d46ce0ef06e104ab540e500f23e9ae9af9e2fcfb3b6c52ab7ed8cd6e7a11696150eb1e

C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\only\config.ini

MD5 534a43f71c3ae9f4860a02b65d1de41d
SHA1 c6929fb5bba5aa8b56a3c891e9fdc1f571ab42c7
SHA256 b7b478999cc6ff9694335c0877d9a0182415a0478eb04d660849c8c98556672f
SHA512 5a048eb691bf368d955c010d30dd122dd27980de7da38a7e0ee1e13b9d98b71e3a5edc5cc1af908d73014bd6a4a2f25aaec5750156598c871d516d6dbcd838c8

C:\Program Files (x86)\IQIYI Video\LStyle\skin\PlayerRes\Other\loading\only\loading_16.png

MD5 11007ca324dd134924fa2bca5244eb73
SHA1 56fa6e06d7db2e9693d7eb26eb13d52ab9ce8fc3
SHA256 05395237709655d0cb9de583e7c2a3192df91388333d70923798eaf61b1562bb
SHA512 bfa1d34ac7312cc273fbb59748a6e6f0cea6c6db7a498c04dfc8ebc2491806cd9d55fe766f727e3c0a130699a7f20d1a8d2e01ea005ad15cf706b0916a115e63

C:\Program Files (x86)\IQIYI Video\LStyle\skin\PLRes\btnPopUpClose.png

MD5 7844d223803d5f35c4eb453908d3d3d2
SHA1 f6946969ca172c5735f19cc5215ee170bd963bb6
SHA256 38e371539a017a690e546a161ce82dbb757ccfd46e7bfa46c79f8377a9d6a223
SHA512 4db164312a9813a0288abef93a4ae7d12945a3f290010603e9343b4bafea8883a1bc626ebea2e548eb6fb915ab47786b2a0adf02b1b720f4968f8b15005fd49f

C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\downloadRes\downLoad\config_dlg_close.png

MD5 754a7d6d7740eead34bb5a9f6940f009
SHA1 18acc6593a114f5616a539101f31504cb511459e
SHA256 154ca004725f7936e20efa1780f3cdef20869de4ac00d1b0079c86e31b0e59f3
SHA512 785ac79cec2f7f3fd813761a53b506ac5b2fede0ba67ea8a5bf495da5dc028c69e88217d1c45ad4e4ad4c34b3d3a1d6df88363c4e8fc1c095af3078357e2abda

C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\AL_Close1.png

MD5 1867ed15b4256e9edc952c334a543201
SHA1 386b14cf44c620a55f64c6069409eb0eb5c5e3a3
SHA256 87b01d7e066af46794e584904a4bedb27707da1eb32080b60a286f01b9c27820
SHA512 027e984adcc90553c9c699c6f1a797eea5e7b02f8cb4a807aa62263780485de235c6294b608b8a34c67e9b5024d98768cab6265cc7776884b9ab4e6585e0c0a3

C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\AL_Close2.png

MD5 33cced8d3d97f78972a5418ec7e96f29
SHA1 09bb1332bbb1f06eda3bb09f37b3699257162369
SHA256 42803e7485f1507abcfca5f455e76956a0dd92ddf2b9d6341a4f2375a941746f
SHA512 04683521c7dc5e7f4ff701da3fe4291eccbe6b96ba5631676844fe4616a0fcb5e7434a47f245f9b800a47922b25c3d5a2d1063eee61b82db656866c194aca1ce

C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\common\common_scroll.png

MD5 93343a6c34066ba4b50a6d455210f538
SHA1 10bdaace70cee2656f3c6eedd2c5aa5182dd6de1
SHA256 d2d9f913aa2646725e0af0d332a10a78b1d7269bf0d774aeb3e6dfc4be40558e
SHA512 06066d93e57cf309c064779a415a34290d52d9312da45acad20b0655f098568cb438d694f46aafe5d0edeb5178a50c6a729e174c683666d97112a1e09741b1aa

C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\listUI\filmlib2_normal.png

MD5 7602910002b9307718bb5a4c221d6be5
SHA1 61004f0ad2d3f55c7549b3c8eecf2108d0efb655
SHA256 9298a0cc560f702a118dec0bf34bf2d609d5a56d1c49e9658b0eeac0bba59a38
SHA512 eac38bff7fbf476bcd003253b737723c46c31cdcc205bde5f6c4bad9f5da75d7f08f061976c1bb724888f2a4ec38a9c0667e56c3a993a4a69cf236c43adcd259

C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\PersonalCenter\set\cancel.png

MD5 d1a6675f77f74cc5847b0a59c49c3f6b
SHA1 f96c4084818cc5836e4086b665e97c3bd7d99f47
SHA256 29207dd0cbb59bd1e6fe489ab6ada4cb04c74083099127b194402f1f3ea4bf8d
SHA512 3f4a2f4fc645fbbcfb5fda5fd37fe8dffb96329c4e66841ca5bdb8c8ae4836e4eaede44a6e4e5ca17cf6bf02524d304bf83922092fc9b88fa72e94a322617388

C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\PersonalCenter\set\ok.png

MD5 4d34af20771db466a6439fa56ff5f687
SHA1 5223e4281ff91d0bdedc9af14c4825e56cad01e4
SHA256 b4513c801e7893e2364967da122e5340a69a0c8f28d0318234ee0ca41ac12f60
SHA512 bb770d0649982b3f4d35a5b6628cd0a4168f31ea89e56eaf92f74412cc2ddcf8773dd60f25ff5c0d04d77960570d652f8b7cf7cdd2cbaf07151024c8355871b3

C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\mainpluginRes\QYProduct\blackback.png

MD5 60ce4c0275c77aa5572892c81728620d
SHA1 82fc18f800c867547140a7764f38a65eec9a4b96
SHA256 8ea1ba9ad6052fe784d79b9bd3ff879152c1d58738cc1faab0a1304b68ce69db
SHA512 ee1d28e4c4b939a721f42f67505de0fe2084f36244b53838a4704a19f32246919a88ab7936b6cfa07e54f4b5c1a11d36305376a3ef42bb73bfa5fd679f83af91

C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\MobileAssistant\Fragment\MobileAssistant\scrollbar.png

MD5 8f6b9b86898ce75b5c94034ab1f14381
SHA1 4005fdcd5071fe373db13e301301ed0e2dc74876
SHA256 874664eaa38618437f551ed0492a89b718e44f2a6f64e2b5590b708c6ddb3b97
SHA512 f42d284538b5ca4f8382321dd96dc104b8d7f49a1339dc1e7fdcac4fb22099078d29ccf29a7b9d23c94260295f39126197d082b4983acf7be9a1569ad4e237e3

C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\PersonalCenter\common\close_big1.png

MD5 5fa2adb150f63cba9e5443befe17eaf4
SHA1 b5c2a1cee13211626c061c422961a1d0aa742703
SHA256 02b0a8d8524e604ed201f912fba8ee58c5573f8310145d3e64a3c279726dac40
SHA512 9cbde58a143beabec9cd89ab66bf0f29db6903ece436fdb0c14dfd66803ccc4f951b316216c073be9e8032d20f8e0f93a4c393672884063e3cf8f29f7b404607

C:\Program Files (x86)\IQIYI Video\LStyle\skin\pstyle\PersonalCenter\common\close_big2.png

MD5 51fd1384bab6df779007cee07422e4ac
SHA1 16e89c96196d21f3a85ed6a0f5d97d096c2fbc15
SHA256 9c0ec21d601c6e193caa0a04db9c80318d15e1fec713d3e82e53f709a5620fd9
SHA512 279c7e23a32b639d13d836b1c9744bbbeec4167a95bd3302bae6ff2738877fb2e99e8a2c95934b38c74d74dda4783ab14f81ac96c551084e9cdbe4f9ee24519c

C:\Program Files (x86)\IQIYI Video\LStyle\skin\soft_txt_icon_2.png

MD5 1402aa18efd86eec43a345d936f8ab4d
SHA1 c51a44b65489e041620c8ce9ebb5d04c517d27e5
SHA256 2276b09083e0da61a550d97c12cd814622c853358f26dcaffd423285ed29640f