e4e0f491d1a623421f29cf888401e02de72c8c7eeebc2519140bb91cdd7ab447

Analysis

max time kernel
152s
max time network
189s
platform
windows7_x64
resource
win7v20210408
submitted
06-09-2021 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QQPCDownload1726.exe
Size

1.2MB
MD5

010ce02a531123766140c241b62dba0a
SHA1

3d7cfa3422b5dc2776f54c088de6bc513f71c757
SHA256

e4e0f491d1a623421f29cf888401e02de72c8c7eeebc2519140bb91cdd7ab447
SHA512

51cb6807506c79500d2fbd96c073a5926a3442af6fed21bdb5981d4996a2a072046ed883d7dac7a5795461e800e6ff0ec2de97583a33527b63bf50eeb1c59066

Score

10^/10

adware bootkit discovery evasion persistence stealer trojan

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 7 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

conhost.exeregsvr32.exeQMMiYu.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextScan	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextScan\ = "{63332668-8CE1-445D-A5EE-25929176714E}"	conhost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextScan	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextScan	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextScan\ = "{63332668-8CE1-445D-A5EE-25929176714E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextUninstall	QMMiYu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextUninstall\ = "{CBDECEF7-7A29-4cbf-A009-2673D82C7BF9}"	QMMiYu.exe

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file

Drops file in Drivers directory 7 IoCs

Processes:

QQPCTray.exeQQPCRealTimeSpeedup.exeQQPCTray.exeQQPCMgr_Setup.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\TAOKernel64.sys	QQPCTray.exe
File opened for modification	C:\Windows\system32\Drivers\TAOKernel64.sys	QQPCTray.exe
File opened for modification	C:\Windows\system32\Drivers\TAOAccelerator64.sys	QQPCRealTimeSpeedup.exe
File opened for modification	C:\Windows\system32\Drivers\TAOAccelerator64.sys	QQPCTray.exe
File created	C:\Windows\system32\Drivers\TFsFltX64.sys	QQPCMgr_Setup.exe
File created	C:\Windows\system32\Drivers\TAOAccelerator64.sys	QQPCTray.exe
File opened for modification	C:\Windows\system32\Drivers\TAOAccelerator64.sys	QQPCTray.exe

Executes dropped EXE 32 IoCs

Processes:

QQPCMgr_Setup.exeQMBluerayInsHlp.exeQMBluerayInsHlpx64.exeQQPCSoftCmd.exeQQPCRTP.exeRemNPX.exeQMProxyHelper64.exeQMSuperScan.exeQMCheckNetwork.exeQMCheckNetwork.exeQMMiYu.exeGameAssist_Setup.exeQQPCTray.exeQQPCRTP.exeQQPCRTP.exeQQPCRtp.exeQQPCTray.exeQQPCTray.exeUpdateTrayIcon.exeInstallUninstallCube.exeQMProxyHelper64.exeQQPCRealTimeSpeedup.exeVolSnapshotX64.exeQQRepair.EXEqmdl.exeQMBlueScreenFixSetup_13.6.20672.243__1594805313978.exeQQPCPatch.exeQMRealTimeSpeedupSetup_13.6.20672.243__1594805313978.exeQQPCTray.exeQQRepair.exeQQPCLeakScan.exeQQPCPatch.exe

pid	process
1508	QQPCMgr_Setup.exe
1688	QMBluerayInsHlp.exe
1080	QMBluerayInsHlpx64.exe
1580	QQPCSoftCmd.exe
1828	QQPCRTP.exe
880	RemNPX.exe
1900	QMProxyHelper64.exe
1592	QMSuperScan.exe
1636	QMCheckNetwork.exe
1836	QMCheckNetwork.exe
1600	QMMiYu.exe
1852	GameAssist_Setup.exe
1328	QQPCTray.exe
1348	QQPCRTP.exe
1828	QQPCRTP.exe
1512	QQPCRtp.exe
1352	QQPCTray.exe
880	QQPCTray.exe
1704	UpdateTrayIcon.exe
2064	InstallUninstallCube.exe
2448	QMProxyHelper64.exe
2652	QQPCRealTimeSpeedup.exe
2976	VolSnapshotX64.exe
3024	QQRepair.EXE
3092	qmdl.exe
3780	QMBlueScreenFixSetup_13.6.20672.243__1594805313978.exe
3808	QQPCPatch.exe
3852	QMRealTimeSpeedupSetup_13.6.20672.243__1594805313978.exe
4068	QQPCTray.exe
3420	QQRepair.exe
3012	QQPCLeakScan.exe
3704	QQPCPatch.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 64 IoCs

Processes:

QQPCDownload1726.exeQQPCMgr_Setup.exeQMBluerayInsHlp.exeQMBluerayInsHlpx64.exeregsvr32.exeregsvr32.exeQQPCSoftCmd.exe

pid	process
1936	QQPCDownload1726.exe
1936	QQPCDownload1726.exe
1508	QQPCMgr_Setup.exe
1688	QMBluerayInsHlp.exe
1688	QMBluerayInsHlp.exe
1688	QMBluerayInsHlp.exe
1688	QMBluerayInsHlp.exe
1080	QMBluerayInsHlpx64.exe
1080	QMBluerayInsHlpx64.exe
1080	QMBluerayInsHlpx64.exe
1900	regsvr32.exe
1776	regsvr32.exe
1776	regsvr32.exe
1776	regsvr32.exe
1508	QQPCMgr_Setup.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1580	QQPCSoftCmd.exe
1508	QQPCMgr_Setup.exe
1508	QQPCMgr_Setup.exe
1508	QQPCMgr_Setup.exe
1508	QQPCMgr_Setup.exe
1508	QQPCMgr_Setup.exe
1508	QQPCMgr_Setup.exe
1508	QQPCMgr_Setup.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

3228 icacls.exe

pid	process
3228	icacls.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

QQRepair.exeQQPCMgr_Setup.exeQQPCRtp.exeQQRepair.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ QQPCTray = "\"C:\\Program Files (x86)\\Tencent\\QQPCMgr\\13.6.20672.243\\QQPCTRAY.EXE\" /regrun /qqrepair"	QQRepair.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	QQPCMgr_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QQDisabled	QQPCMgr_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ QQPCTray = "\"C:\\Program Files (x86)\\Tencent\\QQPCMgr\\13.6.20672.243\\QQPCTray.exe\" /regrun"	QQPCMgr_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ QQPCTray = "\"C:\\Program Files (x86)\\Tencent\\QQPCMgr\\13.6.20672.243\\QQPCTray.exe\" /regrun"	QQPCRtp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ QQPCTray = "\"C:\\Program Files (x86)\\Tencent\\QQPCMgr\\13.6.20672.243\\QQPCTRAY.EXE\" /regrun /qqrepair"	QQRepair.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

QQPCRealTimeSpeedup.exeQQRepair.exeQQRepair.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QQPCRealTimeSpeedup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QQRepair.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QQRepair.EXE

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Writes to the Master Boot Record (MBR) 1 TTPs 7 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

QQPCDownload1726.exeQQPCMgr_Setup.exeQMSuperScan.exeGameAssist_Setup.exeQQPCRtp.exeQQPCTray.exeQQPCTray.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	QQPCDownload1726.exe
File opened for modification	\??\PhysicalDrive0	QQPCMgr_Setup.exe
File opened for modification	\??\PhysicalDrive0	QMSuperScan.exe
File opened for modification	\??\PhysicalDrive0	GameAssist_Setup.exe
File opened for modification	\??\PhysicalDrive0	QQPCRtp.exe
File opened for modification	\??\PhysicalDrive0	QQPCTray.exe
File opened for modification	\??\PhysicalDrive0	QQPCTray.exe

Drops file in System32 directory 64 IoCs

Processes:

QQPCMgr_Setup.exeGameAssist_Setup.exeQQPCRtp.exe

description	ioc	process
File created	C:\Windows\system32\api-ms-win-crt-multibyte-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\concrt140.dll	GameAssist_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\system32\api-ms-win-crt-convert-l1-1-0.dll	QQPCMgr_Setup.exe
File opened for modification	C:\Windows\SysWOW64\vccorlib140.dll	GameAssist_Setup.exe
File created	C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-environment-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\system32\api-ms-win-crt-time-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\system32\api-ms-win-crt-utility-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Windows\system32\api-ms-win-crt-runtime-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Windows\system32\api-ms-win-crt-heap-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Windows\system32\api-ms-win-crt-math-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\system32\api-ms-win-crt-heap-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.dll	GameAssist_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Windows\system32\api-ms-win-crt-multibyte-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Windows\system32\api-ms-win-crt-convert-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Windows\system32\api-ms-win-crt-process-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\QMLogEx\log.ini	QQPCRtp.exe
File created	C:\Windows\SysWOW64\ucrtbase.dll	GameAssist_Setup.exe
File created	C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Windows\system32\api-ms-win-crt-private-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-timezone-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-locale-l1-1-0.dll	QQPCMgr_Setup.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	QQPCMgr_Setup.exe
File created	C:\Windows\system32\ucrtbase.dll	QQPCMgr_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-1.dll	GameAssist_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-heap-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll	QQPCMgr_Setup.exe
File opened for modification	C:\Windows\system32\vcomp140.dll	QQPCMgr_Setup.exe
File created	C:\Windows\system32\api-ms-win-core-file-l1-2-0.dll	GameAssist_Setup.exe
File created	C:\Windows\system32\api-ms-win-core-localization-l1-2-0.dll	GameAssist_Setup.exe
File created	C:\Windows\system32\api-ms-win-crt-environment-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-process-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.dll	GameAssist_Setup.exe
File created	C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-timezone-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-convert-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-string-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\SysWOW64\vcomp140.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\SysWOW64\vcruntime140.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\SysWOW64\concrt140.dll	GameAssist_Setup.exe
File created	C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Windows\system32\api-ms-win-crt-stdio-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\system32\api-ms-win-crt-process-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\system32\api-ms-win-crt-stdio-l1-1-0.dll	QQPCMgr_Setup.exe

Drops file in Program Files directory 64 IoCs

Processes:

GameAssist_Setup.exeQQPCMgr_Setup.exeQQPCTray.exeQQPCTray.exeQQPCPatch.exe

description	ioc	process
File created	C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.6398.138\Uninst.exe	GameAssist_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\libimagequant.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DocProCloudCfg.dat	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\ClinicData\script\pb_1098.dat	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\tpk\1.0.0.1\tpk.ini	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\StartupMgrDll.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\Logo\DeepSpeedup.png	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMUpdate\api-ms-win-core-memory-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.6398.138\api-ms-win-core-file-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\ClinicData\script\pb_1086.dat	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMDeepSpeedupMsgFlowRes\Default\SuperSpeedup_1_1.rdb	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMRecommenderRes\bootmgr_2.png	QQPCTray.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\Logo\NetMon.png	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\AppCtrlInfo\SysGarbageJmpCtrl.xml	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\Logo\QQPCClinic.png	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\ClinicData\config\ClinicTrayConfig.xml	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\qbclient\snapshot_blob.bin	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.6398.138\GameRouterFileList\rl350.etf	GameAssist_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\ClinicData\script\pb_1029.dat	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\ClinicData\script\pb_1401.dat	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\qmudisk_ev.sys	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\plugins\malware\logo\plugin_11.png	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\SoftMgr\arkIOStub.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMAntiInject.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\qmspeedupplugin\speeduprocket\QMSpeedupRocketTrayInjectHelper64.exe	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMAdFilter.dat	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\bugreport.exe	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.6398.138\tapinstall_x86.exe	GameAssist_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\AndroidServer\1.0.0.588\AdbCmdServer.dll	QQPCTray.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\FileGroupUpdate\Sections\11440\TVL00001.tvl	QQPCPatch.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\ClinicData\script\pb_1028.dat	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\TAO\MonitorConfig.etf	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\TxArp5_m.inf	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\plugins\QMNetMon\api-ms-win-crt-multibyte-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.6398.138\GameRouterFileList\rl456.etf	GameAssist_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\AndroidServer\1.0.0.588\atl100.dll	QQPCTray.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\ClinicData\script\pb_1027.dat	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.6398.138\QMProxyAccDnsHelper64.dll	GameAssist_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\tpk\1.0.0.1\def\virscr05.def	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\tsmsc.DAT	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\plugins\QMClinicsettingcenter\QMClinicSettingCenter.tpc	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\plugins\QMNetMon\libimagequant.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\plugins\QMNetMon\api-ms-win-core-memory-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.6398.138\GameRouterFileList\rl503.etf	GameAssist_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\plugins\SysOptimize\QMTraceClear.png	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMSysRepLibDown.dat	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\TSWebMon64.dat	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\SmartInstall.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\SuperKillModules.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.6398.138\GameRouterFileList\rl346.etf	GameAssist_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMGameAppPluginInfo.xml	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCClinic.rdb	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMUpdate\libjpegturbo.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.6398.138\GameRouterFileList\rl535.etf	GameAssist_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\AppCtrlInfo\FileUnlockerCtrl.xml	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\FileGroupUpdate\DownloadCache\TVL00000.tvl.zip	QQPCPatch.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\AndroidServer\1.0.0.588\AsyncTask.dll	QQPCTray.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.6398.138\GameRouterFileList\rl318.etf	GameAssist_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\AppUICtrlInfo\QQPCLeakScanUICtrl.xml	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\tlds.txt	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\plugins\QMNetMon\libexpat.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.6398.138\QMSSO\Bin\SSOPlatform.dll	GameAssist_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\Logo\QMAntiFraud.png	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\plugins\QMNetMon\api-ms-win-crt-utility-l1-1-0.dll	QQPCMgr_Setup.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

QQPCTray.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	QQPCTray.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	QQPCTray.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

QQPCMgr_Setup.exeQQPCTray.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16EE6530-8649-4F42-A9E4-F6A3295AF975}\Policy = "3"	QQPCMgr_Setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\PCMgrRepairIEExtensions\WarnOnOpen = "0"	QQPCMgr_Setup.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16EE6530-8649-4F42-A9E4-F6A3295AF975}	QQPCMgr_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16EE6530-8649-4F42-A9E4-F6A3295AF975}\AppPath = "C:\\Program Files (x86)\\Tencent\\QQPCMgr\\13.6.20672.243\\"	QQPCMgr_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\PCMgrRepairIEExtensions	QQPCMgr_Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MINIE\ShowStatusBar = "1"	QQPCTray.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\StatusBarWeb = "1"	QQPCTray.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16EE6530-8649-4F42-A9E4-F6A3295AF975}\AppName = "QQPCClinic.exe"	QQPCMgr_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute	QQPCMgr_Setup.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

QQPCTray.exeQQPCMgr_Setup.exeQQPCTray.exeQQPCRtp.exeQMMiYu.exeQMSuperScan.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\Area2_RtpScanNum = 7b74ea37	QQPCTray.exe
Key created	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_27 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7f7007cab85ea59b9082830bc43669527408210fb5385e595e1cc1b9b5b706befd119344778b7ded82e726d718ead9fe8eb7cf81bfaff98d62c779267eeab772d18b2321c41de561f	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_35 = 3874d037c712e567e705819e9fffc6764c1730e303922a5627c3e522	QQPCTray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	QQPCRtp.exe
Key created	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg	QMMiYu.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defScc_AdGroupLastCount_adg_newssub = 7b74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSoftMgrIPRegionInfoReportTime = b9a1df569b12b567	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defQMBusinessTrayIcon = 7b74ea379b12b5679505ee9ef8ffb4762d175de347924b5653c38422e12e50171bdd18cac64d3d7b9aac5744aa6ffc05448cdc03975efe7a25eb41b7ab0031abecea3ab97a285fbc3066fa27268264fb0f85b29588cc759b3f7004efa619474724b78ed85c720471e0adebe88e7c8a1bdaffcbd64477fd679cab032d7bb2471c35de251fafb834069fbb98cab5486f99f94ef26ce321a267a7194810070b1d6bafb1ae779af7daa18d01665d1934bc67d088c99700a6166931ced9c54096df49f21c2013c747f11229c945bb48186366146d5452544c6f79e7853d664892bc6d7ca36c7ac1bf6de1b7cc349dd22a183dffbc1c76196491851e138d294fbab8d725d1b17395d15e67c0915b44ab17df61bd48580c993c0c2657c58b7e06ebff1882e388c9ab7f833ba156e841c453c3f0870adecb958ebc79d20c5635af22aa75c053e2450ba01fb5bce37284bc2fed57ead61a021607da0b1be9f655da6f5fde5c158e59186a606c6d570767020135b5d8a7c42f395bd2559b9f8565e71447dc5c2f8e45500ffdec30a8a39bcebb722c1575cbdf99b13bdc8c1769d5c7f0cd01a168ece5819c96cdb8ba964fb4063e27714293ba9ae719d82879f94eb71d7c866614ec2e9c26b8a1708f38171482a0e78674da4a8bdfcafa58d3637cfd48ac0eafde243fb3c02739a65e387b2904baf275f3ba8f7ee29a20a3908e30bad892d56790db4dde60bc93c0571043033acfc1609e27b01aea21a1e40bc0e9630ad7c2188eb8510fb542c2b4bc29190e0ff55ae2ff73248c7987d414f3a71617f34c0cd17fe0dc2b8194c8e243546642655e7bd1a1ebb090ab31044a4fb8e2da534a6c1bf16fb9aefe55073f5ce3238ffb35c292818fd782d43181814dbab5f44a619507a5da2c7544e0982d91c75601f5d4d03c83d784f731ff514a13145d4d74c1d301865450154266117ddb61c8bba59a9e8119c9387e042ad5392a12da224147f877f631bb10c09f789684a472c3ac2381d0233220c2b9ba2951ebe6ee0ae748c66615d5f3df7d3e4ea4366f99ccdd09167d250606d68f0721520d9eae0665cdb6d34a2c652c82156ed27352c78436326a30c82d71f31479f5c6e1204141dd68e195663f5f8769ac8ab4c02d1394d4cbd636ac06000632b159e0570fe9d4d5c10430b953e18bfa918cfac791038ed189529a51f4a241a0394cfc69fd25fdb507917d4d3f86dc96539bacfd288e68be0ed310a34376f3f39b9e719982fd03e2b7ed3bb4de5178055f8dcc506cd0d8f3bdeab64583b0a06d41c6b0d743b828a372eb6a0cc92cf103f89e9dbf5be69c044e31c6c3116d289129622a3d2d6c2f7f4c74793d2370a7755f569e2a9a1bced3f46bfb2154b64f5b2d32ec060e32b1d988c85d6a92c7ebcf65fb7f5ac9b41ad066504de12c1f9d21d4206f4a96774693b5acc6e60beb8b66eada9f53b77e14543339517d2af1436496f0bb0fbba09e8aa52cdc1ceb39e27ad1eae401679262e3da01602ae08e42c5f6dc71df649a6937f8a3ad0be6cb66415d819abd08e36035f624343dafde20fbbfb28e76f0f7c2f54f220f4e79bef8982dadd5ff5a410ed9d3cb9e24f4e2a0c713823028307213151bc3a5fc55a5423c3655ebbd8cc3dc96110cd428b116a8b4b0170f9cb8f93c059479908d46eaaa6b004fe6d91f57e31a1be15d1d1eab1e835c9c33f33caf8107638bb1a9be2801e3b981e2834d337d6cbb669215002279f2414f8fea893af2300e2449daf3120f8effcca2e9ba7ba9d3fe11c05b28e59f7a5ffb0d3bd4c80b96ffeeeb692eb1f58da3518620ee179e5a2625f5ce51209c3c42350726706eefd105ba8cee35d6d33d47339f444ba53a1b254de49a9006ff110e10ea4a2bb64985ae4ed0ce71ae5f2fdd5054512a5ab1e9ab3037d9a3f4cddf41811d65badb299d53e8848c3f152d773e37ed06c7f43e99423057c410b374ae4d1aab17009128c29a8ecae8cac6befc325417660b3524540b19741b94be24d8568df1ceccac33eaa65704711f213577ccb236ccbe7b59fafb962a13995ec227fb1750c9556fb7613dac102bc77ef8710b5b8e452b6d4ed74c47a51b7a8f7db76ddf94dc171b770ecbf76eb6e3e37e5666581fbfda76c5834496277ebf8a9c36a85025dae85d9059f106dbf16a5ccf08db4b46d579a28912a93d9bcf62e024ba1dfbb679d826b57b6d2ebe2d87a6bda1f55159b7766189bf4f9f1f520f83615bddebc9e41915426f24acee423ed8551fe5b0c2045403b9065c3d7cc47493ec585d7c3f2dcad190a774c39767572ef7842836de90243e81c40d7e385595da4f26e20a6a1e908ea5f47cc6051fb939ba44b7daa1f14d3fe73bc558b6d9a1c85ec001ab0f17e7c2d377ef1b7a89810c60cf4b681045ff9c1f541568d187761554b5cc219f8b237b90f42c2997f1ed14bbd0e2ef082bc19109961b9cf45d66bdff40616379f428b01d0441d45e4ab1c2d22e333a2de46061a5123a7a1c37ed689ce02098fae601315de23785e22fe7346c8ae00bf02d31b59c9644c0dba2b758959372f9b22e5f09178f32e01c5ab0b86cd23c6de3df73f7e50c4354fb900aaa9c2243608df479c9273feaa7ac4f00ec383bd8aa5c27e7ee6beda9eadf01a9889ca1fe86d22081b5c55e73f5ac31edf001ed5778607e5ea99192af8060d8fdaec3ce02a14442bfcfe44393dbed90e2402d2161457f39586140c61ad415e84690c6652acf68d0cd156d3f8698a9beef2a31d63739a10ad14aefb6bd7adff3561efbe00c85cc794a15dc5fa2ac5527fcb0af7abdac350d20da5112056c3f13f191a997e881322500bb10f9e60282cd54d42c013f25c07e36debb44c80e35a495ec90ce1d3d01768bbd9141823cd94a4c233dd7733f4203d332dbf4281202253f4ce7c658f167789a2cbb044b2399c862ec726973ff3a8e774fcfe6b6c0929154040a98d0c8a2654b347a82312e7959f11d788046f55a7c4f620e53cfde00db04ce58413be615cf0a5e9f8a06dadef4f3a727d57d59a86406f4302f0b57d59b644716257ab10c3ac5e579ebea2fe4bca87830f33743f6ddff7e1a3b5fefb46e0e063e7cbf85c6440d186f19526fa4d392b723ad4a10cd466caba2d35ce9a3b582a56a61be6b91ae714127c7fc1023d6cc2674a30d6088306134c0fce4051093929a041b0c0ed4031f3657139d2c2bb685aa1006ce7e062e1529bb7519183d007ff0c1620376fa5f74d2e78ca649682681c51c14f11c29f966894a55777bddd1df3bf71e0545d1b710910b0ef4a991f1c4bd4e6dcc558a9fbc6b70a3670e4fc90b2741f39df1b6deadf00d9d8e31cd5b5b983379ba716c4f07d3c2f4c12cba0a54091cd913d21576e9cbc1fb10bf29197019223ac13bea2f475b7b839459cf369f9de39ed657b5cbfa5b509747e505aebeef0e275ec57df35bddfc368999aecb84e9f0607cb436f2b7082af2ca09052ea42a3ad0b57823683590bf1ceed2fee9bfd78881afed76c51b80bcb85f94fa522f18445c592351f82204046a8892b310d8fc470d07a57f3c71dceb613a42c43bfba2fb7182d9da3c29df6743e47ac900d37d9d696d86f6aba42feff93c91f49b429e5b1c92a61d44e3cd18bb1e054ab7a88aa06465943c3ab45f787d638ef2306a078862b6d54120a16015642a197560328b	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defPerfModeCount = 7a74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\FileMonInstallRiskCount = 7b74ea37	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defVulNetCfg_SwitchValidZLVers = 3a74a637d712b567	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_33 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7f7007cab85ea59b9082830bc43669527408210fb5385e595e1cc1b9b5b706befd119344778b7cdd833726b718bad82e8eb7cf91b	QMSuperScan.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_39 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e001772dd7bcab24d487be8ac3244d96f	QMSuperScan.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_34 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fb0052b8cbf03f65e927a79eb0cb7c20052ab9eea55b9092830bc56668e277a8233fb6685dc95eccc1a9b487077effa190f474db7fdd828726b7192ad92e8	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_42 = 3874d037c712e567e705819e9fffc6764c1730e367920d563ac3e822842e23173bdd30cabe4d057bacac7e44	QQPCTray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_41 = 3874d037c712e267fc05809e9cffdb765a172ee31b9218562ac3f722b62e1f174cdd2ecaf24d	QMSuperScan.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_22 = 3874d037c712e567e705819e9fffc6764c1730e303922a5627c3e522bd2e1d1772dd7bcab44d527be9ac3844cc6f8805188c8b03fe5e907a41eb2eb7dc0042abb0ea69b90e283ebc42668e27068229fb6a85dc95fdcc	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_24 = 3874d037c712e567e705819e9fffc6764c1730e303922a5627c3e522bd2e1d1772dd7bcab44d527be9ac3844cc6f8805188c8b03fe5e907a41eb2eb7dc0042abb0ea69b90e283ebc42668e27068229fb6a85dc95fdcc299b6f7076efc919204756b7efd831727771bcadb8e8fa7ceb1ba8ffbfd631778d67	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_13 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e1d176edd6bcaaf4d5e7b	QQPCTray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\FtSysRemainGarbageCleanSwitch = 7a	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_2 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7f7007cab85ea59b9082830bc43669527408210fb5385e595e1cc1b9b5b706befd119344778b7ddd82872657192ad9fe8ae7cc71bbfffa5d63177a167ccab712d14b2201c47de441fc2b84706	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\SaveUploadFile	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_22 = 3874d037c712e567e705819e9fffc6764c1730e303922a5627c3e522bd2e1d1772dd7bcab44d527be9ac3844cc6f8805188c8b03fe5e907a41eb2eb7dc0042abb0ea69b90e283ebc42668e27068229fb6a85dc95fdcc	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_28 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fb0052b8cbf03f65e927a	QMSuperScan.exe
Key created	\REGISTRY\USER\.DEFAULT\SoftWare\Tencent\QQ	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_38 = 3874d037c712e567e705819e9fffc6764c1730e367920d563ac3e822842e23173bdd30cabe4d057bacac7e44	QMSuperScan.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\GrayURLPercent = 7174ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\QMLastStartTime = cfa1df569b12b567	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defVulNetCfg_NetSetUninstallKbListTime = 7b74ea37	QQPCTray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defRecommenderDatMd5 = 4b748f37a3128467f605dd9e9dff86761f173ee37692285631c3e722d92e32172fdd28caf64d587bffac6144936fca05778cbf03a05ece7a1ceb73b7ce0006ab	QQPCTray.exe
Set value (data)	\REGISTRY\USER\NETFLOWCFG\QQPCMgr\Netflow\Config\NormalConfigMinibarPos = 848b15c864ed4a98	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defVulNetCfg_bVulPopTipDisable = 7b74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defVulNetCfg_CallVulInterval = 4e74da37b6128367a505ee9e	QQPCTray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_13 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e1d176edd6bcaaf4d5e7b	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\DLPScanFileTimeLimit = 1b9eea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_19 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7f7007cab85ea59b9082830bc43669527408210fb5385e595e1cc1b9b5b706befd119344778b7c0d83972707197ad84e8fc7ce11bfaff98d62c779267eeab772d18b2321c41de561f	QMSuperScan.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\CheckUpdateState = 7b74ea37	QQPCTray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs	QQPCRtp.exe
Key created	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor	QQPCMgr_Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\TAVServerConfig = 3d21b57bf27fdc13d36c82fbab96ce1310246cd772a5796e63c9c277be6339795db474af9524471ea79e5d02ff30b36b27e98973fb319f1e63822dd296333bedb9b56ed60e4933e9400a954642c40d976ab881a5b8c633ce60257483c978230148d6e9e56d784224bff89b84e11dee4b9fb6a5b02b319106fb9632273de718515cb0766adcee556aeadea5fabf0e3ac6bf279e09b651ce08c67d097463792003dbc5de4db5d8a9c0e0710a383446d904b5e1bff22ecb771a45ababeb31e7f12a9d710f70a02edc7040a76add21740639660837245e0a3a26ace0445b7ba0da5d4d935c43f9865ad8d3af56a8b11a2a5bcad82b477c01a7e62a72b51145fced8870a1dd1cf4b50e2289ff3d2bed7bbe068079524acc6359563baaea1a559b9a7de6debaf9a13cc57cfe1dbb02a83cb694c163b2aec6e7c61c9e653b5cdb1f9f47f461da7d3b902fbfffa535dbf9418c3586b353667a6289687a87cb65d02c1999035cea357d39030d031e6913677343d4b49af51a330f9303dec0d428a47828a9386ae022396198bf53c7d1fef3894415204cf9eaae870bd6d8563f9098bb9e42cd079981c4f2f1a4d6dfc52cdb745b1a407aa483aad321e9114bf31af64b39d92762855cfd63d6c619e15d4477edd282bb45ec7bbbe9fbc86fe05576a909fa4bf08a565adda46257c137561e7a67d58010ce8bbc4ad0ab1794a2b600b08cd38322cf8f1d9525d2f4a93975106055bda45daf178729dd1590dc39f4e32a7996b471fcd91760c53187dadd4b756b32c550a1be306cc926d0bc7d87c25f79852d60b81ba9b25fe4e6be832f695e74516e4be1aba8f1d3e3745b0d3dd99b933d3c0d77980bf0c08a3075493d8f1ebccb05c8d1c7c888d6a644f2f519cadebd2407f064d1e71d7f10a1ce68ce961b4299bba558d0b4e599618d3825617d293449f8d955c702154a09355211b414ace8c6fbf0d16ba0570c6d5eac041d188e631702a7368058c97193fc19f8d4d61bacde4af5a91e042a96f8ec6c0ebfb6a5598429a83667bc9cad144a37990e65da8a9a5655124b606fb1da77453379fbe76811a8c4a52b40581eb3235ee2791492db66772945bc681f92761590fbd02a07148238a4d6134b1ce60ac4efe6a54072fdbaf6e1019b30303602bb1fb5085fac97a0b54951c11d94e6c7a486bc92ce53cb92fc26d7308cf128da5c71cd59ca16ca8136a94f7935c59ad10ccfdc966be20ddf609579d13002cec291d610f7e58e6083d9b24fddb33417702bb0ff605ce0e8f9f58bd822cfdfc73214b6fcb822dc4ed117d65e3ffb1cc133	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defVulNetCfgForceInstallNoSmtIgnore = 7b74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\LSPCheckNetworkEntry = 7f74ea37	QMSuperScan.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_33 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7f7007cab85ea59b9082830bc43669527408210fb5385e595e1cc1b9b5b706befd119344778b7cdd833726b718bad82e8eb7cf91b	QQPCMgr_Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates	QQPCRtp.exe
Key created	\REGISTRY\USER\NETFLOWCFG\QQPCMgr\Netflow	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defPerfModeCount = 7b74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_30 = 3874d037c712e567e705819e9fffc6764c1730e303922a5627c3e522bd2e1d1772dd7bcab44d527be9ac3844cc6f8805188c8b03fe5e907a41eb2eb7dc0042abb0ea69b90e283ebc42668e27068229fb6a85dc95fdcc299b6f7076efc919204756b7efd831727771bcadb8e8fa7ceb1ba8ffbfd631778d67	QMSuperScan.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_41 = 3874d037c712e267fc05809e9cffdb765a172ee31b9218562ac3f722b62e1f174cdd2ecaf24d	QQPCMgr_Setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\LRTCloseTipCnt = 7b74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_5 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e141774dd7bcab34d507bffac3944de6f8f05	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\TrojanRecommendStatusBar = 7a74ea37	QQPCTray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_7 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7f7007cab85ea59b9082830bc43669527408210fb5385e595e1cc1b9b5b706befd119344778b7ddd82872657192ad9fe8ae7cc71bbfffa5d63177a167ccab712d14b2201c47de441fc2b84706c3bbcbcac1480e998b4e866c9621d267	QQPCMgr_Setup.exe
Key created	\REGISTRY\USER\QMCONFIG\QQDoctor	QQPCTray.exe
Key created	\REGISTRY\USER\NetflowCfg\QQPCMgr\Netflow\Config	QQPCTray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	QQPCRtp.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeQMMiYu.exeregsvr32.exeQQPCMgr_Setup.exeregsvr32.execonhost.exeregsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9FDA3675-DD0B-43EF-A5EE-2A7188E5D00F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBDECEF7-7A29-4cbf-A009-2673D82C7BF9}\ProgID	QMMiYu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMRealTimeSpeedup.QMRealTimeSpeedupShellContextMenuExtension.1\ = "QQPCMgr Real Time Speedup Shell Context Menu Extension"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qmgcfiles\Shell\open\Command	QQPCMgr_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E2A79C5-48F1-4182-BCF9-E92857BDA980}\DefaultIcon\ = "C:\\Program Files (x86)\\Tencent\\QQPCMgr\\13.6.20672.243\\QQPCSoftMgr.exe"	QQPCMgr_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29B6CFD5-0064-411A-8C42-9890C83F9921}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\npQMExtensionsIE.DLL\AppID = "{D611A85B-A248-4A35-9A6F-BEC94DD62480}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\npQMExtensionsIE.Basic\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMContextScan.QMContextScanMenu.1\CLSID\ = "{63332668-8CE1-445D-A5EE-25929176714E}"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMContextScan.QMContextScanMenu\ = "QMContextScanMenu Class"	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBDECEF7-7A29-4cbf-A009-2673D82C7BF9}\Programmable	QMMiYu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B}\ProgID\ = "TSWebSiteMon.CTSWebSiteMon.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B}\InprocServer32\ = "C:\\Program Files (x86)\\Tencent\\QQPCMgr\\13.6.20672.243\\TSWebMon64.dat"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5617F6A-39BB-436D-91CF-61C1B45DD688}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\shell\openas\command\ = "\"C:\\Program Files (x86)\\Tencent\\QQPCMgr\\13.6.20672.243\\QQPCFileOpen.exe\" \"%1\""	QQPCMgr_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{35627C7C-DB28-4772-9A6F-7607FFCBF9FF}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3303E77E-EAF6-4840-8208-5D950B2B61E7}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{63332668-8CE1-445D-A5EE-25929176714E}\InprocServer32\ = "C:\\Program Files (x86)\\Tencent\\QQPCMgr\\13.6.20672.243\\QMContextScan64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMContextUninstall.QMContextUninstallMenu\CurVer	QMMiYu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBDECEF7-7A29-4cbf-A009-2673D82C7BF9}\InprocServer32\ = "C:\\Program Files (x86)\\Tencent\\QQPCMgr\\13.6.20672.243\\QMContextUninstall64.dll"	QMMiYu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5617F6A-39BB-436D-91CF-61C1B45DD688}\VersionIndependentProgID\ = "QMRealTimeSpeedup.QMRealTimeSpeedupShellContextMenuExtension"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E2A79C5-48F1-4182-BCF9-E92857BDA980}\Shell	QQPCMgr_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\QMContextScan\ = "{63332668-8CE1-445D-A5EE-25929176714E}"	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{63332668-8CE1-445D-A5EE-25929176714E}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B}\ = "电脑管家网页防火墙"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	QQPCMgr_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63332668-8CE1-445D-A5EE-25929176714E}\ProgID	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E2A79C5-48F1-4182-BCF9-E92857BDA980}	QQPCMgr_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63332668-8CE1-445D-A5EE-25929176714E}\VersionIndependentProgID	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3303E77E-EAF6-4840-8208-5D950B2B61E7}\ = "ICTSWebSiteMon"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMRealTimeSpeedup.QMRealTimeSpeedupShellContextMenuExtension\CLSID\ = "{C5617F6A-39BB-436D-91CF-61C1B45DD688}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5617F6A-39BB-436D-91CF-61C1B45DD688}\ = "QQPCMgr Real Time Speedup Shell Context Menu Extension"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5617F6A-39BB-436D-91CF-61C1B45DD688}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PCMgrRepairIEExtensions	QQPCMgr_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TSWebSiteMon.CTSWebSiteMon	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{35627C7C-DB28-4772-9A6F-7607FFCBF9FF}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{445E3964-15B0-472A-95F4-6242DD2EA066}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Tencent\\QQPCMgr\\13.6.20672.243"	QMMiYu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C049F583-D724-4BAB-8F47-F13BCA41B808}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9FDA3675-DD0B-43EF-A5EE-2A7188E5D00F}\ = "IBasic"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63332668-8CE1-445D-A5EE-25929176714E}\InprocServer32	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\TSWebSiteMon.DLL\AppID = "{5D7991DD-038B-49D4-8C8B-00119981499C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B7667919-3765-4815-A66D-98A09BE662D6}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\npQMExtensionsIE.Basic.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextScan	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{445E3964-15B0-472A-95F4-6242DD2EA066}\1.0\0\win32\ = "C:\\Program Files (x86)\\Tencent\\QQPCMgr\\13.6.20672.243\\QMContextUninstall64.dll"	QMMiYu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{35627C7C-DB28-4772-9A6F-7607FFCBF9FF}\1.0\0\win64\ = "C:\\Program Files (x86)\\Tencent\\QQPCMgr\\13.6.20672.243\\TSWebMon64.dat"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B}\ = "电脑管家网页防火墙"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B}\ = "CTSWebSiteMon Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMContextScan.QMContextScanMenu.1\ = "QMContextScanMenu Class"	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\QMContextScan	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMContextScan.QMContextScanMenu.1\CLSID\ = "{63332668-8CE1-445D-A5EE-25929176714E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TSWebSiteMon.CTSWebSiteMon.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMContextUninstall.QMContextUninstallMenu\ = "QMContextUninstallMenu Class"	QMMiYu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBDECEF7-7A29-4cbf-A009-2673D82C7BF9}\ProgID\ = "QMContextUninstall.QMContextUninstallMenu.1"	QMMiYu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{445E3964-15B0-472A-95F4-6242DD2EA066}\1.0\FLAGS\ = "0"	QMMiYu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qmgcfiles	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMRealTimeSpeedup.QMRealTimeSpeedupShellContextMenuExtension.1\CLSID\ = "{C5617F6A-39BB-436D-91CF-61C1B45DD688}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\shell\opendlg\command	QQPCMgr_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TSWebSiteMon.CTSWebSiteMon\CurVer\ = "TSWebSiteMon.CTSWebSiteMon.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{35627C7C-DB28-4772-9A6F-7607FFCBF9FF}	regsvr32.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

QQPCTray.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	QQPCTray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	QQPCTray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	QQPCTray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	QQPCTray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	QQPCTray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	QQPCTray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	QQPCTray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	QQPCTray.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

QQPCDownload1726.exeQQPCMgr_Setup.exeQMCheckNetwork.exeGameAssist_Setup.exeQQPCRtp.exeUpdateTrayIcon.exeQQPCTray.exe

pid	process
1936	QQPCDownload1726.exe
1936	QQPCDownload1726.exe
1936	QQPCDownload1726.exe
1936	QQPCDownload1726.exe
1936	QQPCDownload1726.exe
1936	QQPCDownload1726.exe
1936	QQPCDownload1726.exe
1936	QQPCDownload1726.exe
1936	QQPCDownload1726.exe
1508	QQPCMgr_Setup.exe
1508	QQPCMgr_Setup.exe
1508	QQPCMgr_Setup.exe
1508	QQPCMgr_Setup.exe
1508	QQPCMgr_Setup.exe
1508	QQPCMgr_Setup.exe
1508	QQPCMgr_Setup.exe
1508	QQPCMgr_Setup.exe
1508	QQPCMgr_Setup.exe
1508	QQPCMgr_Setup.exe
1508	QQPCMgr_Setup.exe
1636	QMCheckNetwork.exe
1852	GameAssist_Setup.exe
1852	GameAssist_Setup.exe
1852	GameAssist_Setup.exe
1852	GameAssist_Setup.exe
1852	GameAssist_Setup.exe
1852	GameAssist_Setup.exe
1852	GameAssist_Setup.exe
1852	GameAssist_Setup.exe
1852	GameAssist_Setup.exe
1852	GameAssist_Setup.exe
1852	GameAssist_Setup.exe
1852	GameAssist_Setup.exe
1852	GameAssist_Setup.exe
1852	GameAssist_Setup.exe
1852	GameAssist_Setup.exe
1852	GameAssist_Setup.exe
1852	GameAssist_Setup.exe
1852	GameAssist_Setup.exe
1852	GameAssist_Setup.exe
1852	GameAssist_Setup.exe
1852	GameAssist_Setup.exe
1852	GameAssist_Setup.exe
1852	GameAssist_Setup.exe
1852	GameAssist_Setup.exe
1852	GameAssist_Setup.exe
1852	GameAssist_Setup.exe
1852	GameAssist_Setup.exe
1852	GameAssist_Setup.exe
1852	GameAssist_Setup.exe
1852	GameAssist_Setup.exe
1852	GameAssist_Setup.exe
1852	GameAssist_Setup.exe
1512	QQPCRtp.exe
1512	QQPCRtp.exe
1704	UpdateTrayIcon.exe
1704	UpdateTrayIcon.exe
1704	UpdateTrayIcon.exe
1352	QQPCTray.exe
1352	QQPCTray.exe
1352	QQPCTray.exe
1512	QQPCRtp.exe
1512	QQPCRtp.exe
1512	QQPCRtp.exe

Suspicious behavior: LoadsDriver 64 IoCs

Processes:

QQPCTray.exeQQPCRtp.exe

pid	process
464
464
464
464
464
464
464
1352	QQPCTray.exe
464
464
464
464
1512	QQPCRtp.exe
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
1512	QQPCRtp.exe
1512	QQPCRtp.exe
464
464
464
464
464
464
464
464
464
464
464
464
464
464
464
1512	QQPCRtp.exe
464
464
464
464
464
464

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

QQPCMgr_Setup.exeQQPCTray.exeGameAssist_Setup.exeQQPCTray.exeQQPCTray.exeInstallUninstallCube.exeQMSuperScan.exeQQPCRtp.exeQQPCRealTimeSpeedup.exeQQRepair.EXEvssvc.exeqmdl.exeQQPCTray.exeQQRepair.exe

description	pid	process
Token: SeBackupPrivilege	1508	QQPCMgr_Setup.exe
Token: SeRestorePrivilege	1508	QQPCMgr_Setup.exe
Token: SeBackupPrivilege	1508	QQPCMgr_Setup.exe
Token: SeRestorePrivilege	1508	QQPCMgr_Setup.exe
Token: SeDebugPrivilege	1508	QQPCMgr_Setup.exe
Token: 33	1328	QQPCTray.exe
Token: SeIncBasePriorityPrivilege	1328	QQPCTray.exe
Token: SeDebugPrivilege	1852	GameAssist_Setup.exe
Token: 33	1352	QQPCTray.exe
Token: SeIncBasePriorityPrivilege	1352	QQPCTray.exe
Token: 33	880	QQPCTray.exe
Token: SeIncBasePriorityPrivilege	880	QQPCTray.exe
Token: SeDebugPrivilege	2064	InstallUninstallCube.exe
Token: SeDebugPrivilege	1352	QQPCTray.exe
Token: SeDebugPrivilege	1352	QQPCTray.exe
Token: SeLoadDriverPrivilege	1352	QQPCTray.exe
Token: SeDebugPrivilege	1592	QMSuperScan.exe
Token: SeDebugPrivilege	1512	QQPCRtp.exe
Token: SeLoadDriverPrivilege	1512	QQPCRtp.exe
Token: SeDebugPrivilege	1512	QQPCRtp.exe
Token: SeLoadDriverPrivilege	1352	QQPCTray.exe
Token: SeBackupPrivilege	1352	QQPCTray.exe
Token: SeRestorePrivilege	1352	QQPCTray.exe
Token: SeDebugPrivilege	1352	QQPCTray.exe
Token: SeLoadDriverPrivilege	1512	QQPCRtp.exe
Token: SeDebugPrivilege	1512	QQPCRtp.exe
Token: SeDebugPrivilege	2652	QQPCRealTimeSpeedup.exe
Token: SeDebugPrivilege	1512	QQPCRtp.exe
Token: SeDebugPrivilege	1512	QQPCRtp.exe
Token: SeLoadDriverPrivilege	1512	QQPCRtp.exe
Token: SeLoadDriverPrivilege	1512	QQPCRtp.exe
Token: SeBackupPrivilege	1352	QQPCTray.exe
Token: SeRestorePrivilege	1352	QQPCTray.exe
Token: SeLoadDriverPrivilege	3024	QQRepair.EXE
Token: SeDebugPrivilege	2652	QQPCRealTimeSpeedup.exe
Token: SeBackupPrivilege	2152	vssvc.exe
Token: SeRestorePrivilege	2152	vssvc.exe
Token: SeAuditPrivilege	2152	vssvc.exe
Token: SeDebugPrivilege	1352	QQPCTray.exe
Token: SeManageVolumePrivilege	3092	qmdl.exe
Token: SeDebugPrivilege	1352	QQPCTray.exe
Token: 33	4068	QQPCTray.exe
Token: SeIncBasePriorityPrivilege	4068	QQPCTray.exe
Token: SeLoadDriverPrivilege	4068	QQPCTray.exe
Token: SeLoadDriverPrivilege	3420	QQRepair.exe
Token: SeDebugPrivilege	4068	QQPCTray.exe
Token: SeDebugPrivilege	4068	QQPCTray.exe

Suspicious use of FindShellTrayWindow 13 IoCs

Processes:

QQPCDownload1726.exeUpdateTrayIcon.exeQQPCTray.exe

pid	process
1936	QQPCDownload1726.exe
1936	QQPCDownload1726.exe
1704	UpdateTrayIcon.exe
1704	UpdateTrayIcon.exe
1352	QQPCTray.exe
1352	QQPCTray.exe
1352	QQPCTray.exe
1352	QQPCTray.exe
1352	QQPCTray.exe
1704	UpdateTrayIcon.exe
1704	UpdateTrayIcon.exe
1352	QQPCTray.exe
1936	QQPCDownload1726.exe

Suspicious use of SendNotifyMessage 7 IoCs

Processes:

QQPCDownload1726.exeQQPCTray.exe

pid process

1936 QQPCDownload1726.exe
1936 QQPCDownload1726.exe
1352 QQPCTray.exe
1352 QQPCTray.exe
1352 QQPCTray.exe
1352 QQPCTray.exe
1936 QQPCDownload1726.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

QQPCDownload1726.exe

pid process

1936 QQPCDownload1726.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

QQPCDownload1726.exeQQPCMgr_Setup.exeQMBluerayInsHlp.exeregsvr32.exe

description	pid	process	target process
PID 1936 wrote to memory of 1508	1936	QQPCDownload1726.exe	QQPCMgr_Setup.exe
PID 1936 wrote to memory of 1508	1936	QQPCDownload1726.exe	QQPCMgr_Setup.exe
PID 1936 wrote to memory of 1508	1936	QQPCDownload1726.exe	QQPCMgr_Setup.exe
PID 1936 wrote to memory of 1508	1936	QQPCDownload1726.exe	QQPCMgr_Setup.exe
PID 1936 wrote to memory of 1508	1936	QQPCDownload1726.exe	QQPCMgr_Setup.exe
PID 1936 wrote to memory of 1508	1936	QQPCDownload1726.exe	QQPCMgr_Setup.exe
PID 1936 wrote to memory of 1508	1936	QQPCDownload1726.exe	QQPCMgr_Setup.exe
PID 1508 wrote to memory of 936	1508	QQPCMgr_Setup.exe	cacls.exe
PID 1508 wrote to memory of 936	1508	QQPCMgr_Setup.exe	cacls.exe
PID 1508 wrote to memory of 936	1508	QQPCMgr_Setup.exe	cacls.exe
PID 1508 wrote to memory of 936	1508	QQPCMgr_Setup.exe	cacls.exe
PID 1508 wrote to memory of 1688	1508	QQPCMgr_Setup.exe	QMBluerayInsHlp.exe
PID 1508 wrote to memory of 1688	1508	QQPCMgr_Setup.exe	QMBluerayInsHlp.exe
PID 1508 wrote to memory of 1688	1508	QQPCMgr_Setup.exe	QMBluerayInsHlp.exe
PID 1508 wrote to memory of 1688	1508	QQPCMgr_Setup.exe	QMBluerayInsHlp.exe
PID 1688 wrote to memory of 1080	1688	QMBluerayInsHlp.exe	QMBluerayInsHlpx64.exe
PID 1688 wrote to memory of 1080	1688	QMBluerayInsHlp.exe	QMBluerayInsHlpx64.exe
PID 1688 wrote to memory of 1080	1688	QMBluerayInsHlp.exe	QMBluerayInsHlpx64.exe
PID 1688 wrote to memory of 1080	1688	QMBluerayInsHlp.exe	QMBluerayInsHlpx64.exe
PID 1508 wrote to memory of 1900	1508	QQPCMgr_Setup.exe	regsvr32.exe
PID 1508 wrote to memory of 1900	1508	QQPCMgr_Setup.exe	regsvr32.exe
PID 1508 wrote to memory of 1900	1508	QQPCMgr_Setup.exe	regsvr32.exe
PID 1508 wrote to memory of 1900	1508	QQPCMgr_Setup.exe	regsvr32.exe
PID 1508 wrote to memory of 1900	1508	QQPCMgr_Setup.exe	regsvr32.exe
PID 1508 wrote to memory of 1900	1508	QQPCMgr_Setup.exe	regsvr32.exe
PID 1508 wrote to memory of 1900	1508	QQPCMgr_Setup.exe	regsvr32.exe
PID 1900 wrote to memory of 1776	1900	regsvr32.exe	regsvr32.exe
PID 1900 wrote to memory of 1776	1900	regsvr32.exe	regsvr32.exe
PID 1900 wrote to memory of 1776	1900	regsvr32.exe	regsvr32.exe
PID 1900 wrote to memory of 1776	1900	regsvr32.exe	regsvr32.exe
PID 1900 wrote to memory of 1776	1900	regsvr32.exe	regsvr32.exe
PID 1900 wrote to memory of 1776	1900	regsvr32.exe	regsvr32.exe
PID 1900 wrote to memory of 1776	1900	regsvr32.exe	regsvr32.exe
PID 1508 wrote to memory of 1580	1508	QQPCMgr_Setup.exe	QQPCSoftCmd.exe
PID 1508 wrote to memory of 1580	1508	QQPCMgr_Setup.exe	QQPCSoftCmd.exe
PID 1508 wrote to memory of 1580	1508	QQPCMgr_Setup.exe	QQPCSoftCmd.exe
PID 1508 wrote to memory of 1580	1508	QQPCMgr_Setup.exe	QQPCSoftCmd.exe
PID 1508 wrote to memory of 1644	1508	QQPCMgr_Setup.exe	Netsh.exe
PID 1508 wrote to memory of 1644	1508	QQPCMgr_Setup.exe	Netsh.exe
PID 1508 wrote to memory of 1644	1508	QQPCMgr_Setup.exe	Netsh.exe
PID 1508 wrote to memory of 1644	1508	QQPCMgr_Setup.exe	Netsh.exe
PID 1508 wrote to memory of 1828	1508	QQPCMgr_Setup.exe	QQPCRTP.exe
PID 1508 wrote to memory of 1828	1508	QQPCMgr_Setup.exe	QQPCRTP.exe
PID 1508 wrote to memory of 1828	1508	QQPCMgr_Setup.exe	QQPCRTP.exe
PID 1508 wrote to memory of 1828	1508	QQPCMgr_Setup.exe	QQPCRTP.exe
PID 1508 wrote to memory of 880	1508	QQPCMgr_Setup.exe	RemNPX.exe
PID 1508 wrote to memory of 880	1508	QQPCMgr_Setup.exe	RemNPX.exe
PID 1508 wrote to memory of 880	1508	QQPCMgr_Setup.exe	RemNPX.exe
PID 1508 wrote to memory of 880	1508	QQPCMgr_Setup.exe	RemNPX.exe
PID 1508 wrote to memory of 1676	1508	QQPCMgr_Setup.exe	regsvr32.exe
PID 1508 wrote to memory of 1676	1508	QQPCMgr_Setup.exe	regsvr32.exe
PID 1508 wrote to memory of 1676	1508	QQPCMgr_Setup.exe	regsvr32.exe
PID 1508 wrote to memory of 1676	1508	QQPCMgr_Setup.exe	regsvr32.exe
PID 1508 wrote to memory of 1676	1508	QQPCMgr_Setup.exe	regsvr32.exe
PID 1508 wrote to memory of 1676	1508	QQPCMgr_Setup.exe	regsvr32.exe
PID 1508 wrote to memory of 1676	1508	QQPCMgr_Setup.exe	regsvr32.exe
PID 1508 wrote to memory of 908	1508	QQPCMgr_Setup.exe	regsvr32.exe
PID 1508 wrote to memory of 908	1508	QQPCMgr_Setup.exe	regsvr32.exe
PID 1508 wrote to memory of 908	1508	QQPCMgr_Setup.exe	regsvr32.exe
PID 1508 wrote to memory of 908	1508	QQPCMgr_Setup.exe	regsvr32.exe
PID 1508 wrote to memory of 908	1508	QQPCMgr_Setup.exe	regsvr32.exe
PID 1508 wrote to memory of 908	1508	QQPCMgr_Setup.exe	regsvr32.exe
PID 1508 wrote to memory of 908	1508	QQPCMgr_Setup.exe	regsvr32.exe
PID 1508 wrote to memory of 1084	1508	QQPCMgr_Setup.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

QQPCTray.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	QQPCTray.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "255"	QQPCTray.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\QQPCDownload1726.exe
"C:\Users\Admin\AppData\Local\Temp\QQPCDownload1726.exe"
2⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Roaming\tencent\QQPCMgr\Download\QQPCMgr_Setup.exe
"C:\Users\Admin\AppData\Roaming\tencent\QQPCMgr\Download\QQPCMgr_Setup.exe" /S ##silence=1&handle=327986&update=1&supply=1726&forceinstall=1&qqpcmgr=0&DownloadSetupInOne=1
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\cacls.exe
"cacls" "C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243" /t /e /c /g SYSTEM:f
4⤵
PID:936

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMBluerayInsHlp.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMBluerayInsHlp.exe" /install
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMBluerayInsHlpx64.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMBluerayInsHlpx64.exe" /install
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1080

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s /i "C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\\QMGCShellExt64.dll"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\system32\regsvr32.exe
/s /i "C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\\QMGCShellExt64.dll"
5⤵
- Loads dropped DLL
- Modifies registry class
PID:1776

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCSoftCmd.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCSoftCmd.exe" /command=SetSimpleVersionConfig /SimpleVersion=2 /From=Installer
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1580

C:\Windows\SysWOW64\Netsh.exe
"C:\Windows\system32\Netsh.exe" exec "C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~f757ed1\firewallLog.txt"
4⤵
PID:1644

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCRTP.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCRTP.exe" -i
4⤵
- Executes dropped EXE
PID:1828

C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~f757ed1\RemNPX.exe
"C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~f757ed1\RemNPX.exe"
4⤵
- Executes dropped EXE
PID:880

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\npQMExtensionsIE.dll"
4⤵
- Modifies registry class
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}\iexplore\AllowedDomains\qq.com" /f
5⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}\iexplore" /v Flags /t reg_dword /d 4 /f
5⤵
PID:1328

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}\iexplore\AllowedDomains\baidu.com" /f
5⤵
PID:1100

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}\iexplore\AllowedDomains\xunlei.com" /f
5⤵
PID:1852

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}\iexplore\AllowedDomains\sogou.com" /f
5⤵
PID:584

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}\iexplore\AllowedDomains\kugou.com" /f
5⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}\iexplore\AllowedDomains\*" /f
5⤵
PID:1736

C:\Windows\SysWOW64\reg.exe
reg delete "hkcr\CLSID\{29B6CFD5-0064-411A-8C42-9890C83F9922}" /f
5⤵
PID:1828

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\TSWebMon64.dat"
4⤵
PID:908

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\TSWebMon64.dat"
5⤵
- Modifies registry class
PID:1708

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMContextScan64.dll"
4⤵
PID:1084

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMContextScan64.dll"
5⤵
- Modifies system executable filetype association
- Modifies registry class
PID:1688

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMContextUninstall64.dll"
4⤵
PID:964

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMContextUninstall64.dll"
5⤵
PID:1600

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMContextScan.dll"
4⤵
PID:1096

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMProxyHelper64.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMProxyHelper64.exe" /Uninstall
4⤵
- Executes dropped EXE
PID:1900

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMSuperScan.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\\QMSuperScan.exe"
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMCheckNetwork.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMCheckNetwork.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1636

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMMiYu.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMMiYu.exe" /closemiyu
4⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies registry class
PID:1600

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\GameAssist_Setup.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\GameAssist_Setup.exe" /S ##silence=1&supplyid=3500
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\SysWOW64\cacls.exe
"cacls" "C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.6398.138" /t /e /c /g SYSTEM:f
5⤵
PID:964

C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.6398.138\QMProxyHelper64.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.6398.138\QMProxyHelper64.exe" /Uninstall
5⤵
- Executes dropped EXE
PID:2448

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCTray.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCTray.exe" /loadexit /superfetch:1
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCRTP.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCRTP.exe" -e
4⤵
- Executes dropped EXE
PID:1348

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCRTP.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCRTP.exe" -s
4⤵
- Executes dropped EXE
PID:1828

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCTray.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCTray.exe" /regrun
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:880

C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~f757ed1\UpdateTrayIcon.exe
"C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~f757ed1\UpdateTrayIcon.exe" -t QQPCTray.exe -c 1 -p 1 -d "C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1704

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\InstallUninstallCube.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\\InstallUninstallCube.exe" "/verb=EndInstall" /sync=00000130 /pid=1508 "/temp=C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~f757ed1\" "/version=13.6.20672.243" /silence=1 /result=1
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQRepair.EXE
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQRepair.EXE" /ext=5 /sid=-2147221502
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start TSSysKit
4⤵
PID:2688

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start TsDefenseBt
4⤵
PID:3320

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start QQPCRtp
4⤵
PID:3348

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start TSSysKit
4⤵
PID:3380

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start TsDefenseBt
4⤵
PID:3416

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start QQPCRtp
4⤵
PID:3448

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start TSSysKit
4⤵
PID:3516

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start TsDefenseBt
4⤵
PID:3548

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start QQPCRtp
4⤵
PID:3576

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start TSSysKit
4⤵
PID:3604

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start TsDefenseBt
4⤵
PID:3632

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start QQPCRtp
4⤵
PID:3660

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start TSSysKit
4⤵
PID:3688

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start TsDefenseBt
4⤵
PID:3720

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start QQPCRtp
4⤵
PID:3748

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCPatch.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCPatch.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3808

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCTray.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCTray.exe" /showui
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQRepair.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQRepair.exe" /master
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start TSSysKit
4⤵
PID:3540

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start TsDefenseBt
4⤵
PID:3588

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start QQPCRtp
4⤵
PID:3624

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start TSSysKit
4⤵
PID:3648

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start TsDefenseBt
4⤵
PID:3636

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start QQPCRtp
4⤵
PID:3664

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start TSSysKit
4⤵
PID:3700

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start TsDefenseBt
4⤵
PID:3480

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start QQPCRtp
4⤵
PID:3744

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start TSSysKit
4⤵
PID:3764

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start TsDefenseBt
4⤵
PID:4016

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start QQPCRtp
4⤵
PID:3516

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start TSSysKit
4⤵
PID:3580

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start TsDefenseBt
4⤵
PID:3656

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start QQPCRtp
4⤵
PID:3680

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCPatch.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCPatch.exe"
4⤵
- Executes dropped EXE
PID:3704

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCLeakScan.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCLeakScan.exe" /start=desktop /hwnd=787024 /runtype=homepagestub /hwndContainer=787024
3⤵
- Executes dropped EXE
PID:3012

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMCheckNetwork.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMCheckNetwork.exe" /AllChain
1⤵
- Executes dropped EXE
PID:1836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12210853051305108179-237369030-4294088231050619239-1212687173-8871700501146008866"
1⤵
- Modifies system executable filetype association
- Modifies registry class
PID:1096

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCRtp.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCRtp.exe" -r
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCTray.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCTray.exe" /elevated /regrun
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- System policy modification
PID:1352

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCRealTimeSpeedup.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCRealTimeSpeedup.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe "C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\TSWebMon64.dat" /s
3⤵
PID:2716

C:\Windows\system32\regsvr32.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\TSWebMon64.dat" /s
4⤵
- Modifies registry class
PID:2780

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\qmdl.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\qmdl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" C:\Users\Admin\AppData\Roaming\Tencent\Config\ /t /setintegritylevel low
4⤵
- Modifies file permissions
PID:3228

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\Plugin\QMBlueScreenFixSetup_13.6.20672.243__1594805313978.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\Plugin\QMBlueScreenFixSetup_13.6.20672.243__1594805313978.exe" /S
3⤵
- Executes dropped EXE
PID:3780

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\Plugin\QMRealTimeSpeedupSetup_13.6.20672.243__1594805313978.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\Plugin\QMRealTimeSpeedupSetup_13.6.20672.243__1594805313978.exe" /S
3⤵
- Executes dropped EXE
PID:3852

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\VolSnapshotX64.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\VolSnapshotX64.exe" 00000003000000010501010000000000000205010000000000000003050150000000
2⤵
- Executes dropped EXE
PID:2976

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Discovery

Software Discovery

T1518

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\ClinicData\pic\Both_Disconnected.png
MD5
00ef699da2be626beb8957d69783cf45

SHA1
a381db99b4c39b6af39e39820adab2d38cb5ac18

SHA256
1efc1cdd056be89f2f37253f3845c99708fb6e60ab243179390996915c4be02b

SHA512
8ce2d3be5e9a00b5372c2640ebe3fc8dba492437964a5961b904cb978cea1284a9684d0ac2868e2052d677051023093332a09c9a675b0916b3468ee78929048d

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\ClinicData\pic\Check_Router.png
MD5
aa19bfbfedc591a531e1e6bd775f296b

SHA1
a93012d5ed23695c0c2701a4e7ceb430b55f741b

SHA256
fecd26a1fd8bca2f88a758c0df90bf8cb6d9476b61a89806ffb06399037eb502

SHA512
2223a33209c040fd96b13f7bce314116b410864dfa9f9a119271f01de4460c4f18935c6e6ae0cba78bf4399b7b926b8636796b52630122513244c73420bc0497

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\ClinicData\pic\Check_Wireless.png
MD5
752f6ed337ee1f8e8c944400757fa52f

SHA1
9237b59a2d0c9dc2ed06bb61e444ff5dae1027ba

SHA256
433c2f423344f967de20e933cc9134ad7b2fa3e669d144b620500946960b3ec1

SHA512
2945980632b15e3dbcc49b5c7342f81397f97e9862a841e21fb027d297c448ae70b7c36475fecc8de9ff6f698071d006cdcad98d5f6cd9de01d84f236641af02

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\174CFEBD82149B585C07A945C7A94AB6.png
MD5
174cfebd82149b585c07a945c7a94ab6

SHA1
991499483f23b1f4225475144f9aa8c9fede4cc9

SHA256
542b03ae170144603bc5ab52d47e9649aeb87df9d025743b21b6602bd3cf7250

SHA512
b961ce8878149c95d390230dbff6d6a45436e164094b8a4f57e95623c1d46b4663e57e5606c945547175514a66a5f3ea81f677878a04223d3f0da4ea8da228fc

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\30FF47F04BAD25FB17B32A76EADB240B.png
MD5
30ff47f04bad25fb17b32a76eadb240b

SHA1
e40ae4a17b71d27a0bad91b094f110db533a3f5e

SHA256
c54d8eda61ee3ef782cdcf77ad3a56f01df73200bd880b78a7034ae2dc42d178

SHA512
9076236acd816281fcd59c007c6f2c7b5f8de30cc560c8ffba77f287fe2299dc543aba8e26f503544ca1d76121c8ad12960762f6d890cd27d5e5a7f7f5988402

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\33EEE547ACCEC775CBD9D3FE34EADA49.png
MD5
33eee547accec775cbd9d3fe34eada49

SHA1
79bbcef6851ade8cd1c8bfc306cebc31891f7308

SHA256
d0e611a3cc8d039ba58db6bd8b7e3730fcf8a84570ffe271597390e9082cd4f9

SHA512
bf082db2cb3fcffccfa820760cdf6c7fcc995b33543b0a107b4d7198d694503e575673d6dbb8e7740cf8869bf173e9dcf2b09dbcccdcaa3c7fcd65bb74f2f1bb

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\518D8DC197284461A560F05A4D67F39E.png
MD5
518d8dc197284461a560f05a4d67f39e

SHA1
c47499885631f46840818f159c6ee5ecf44debc0

SHA256
2ee41da793d054eb2eb1459265d4ec61cef71523e416e10922bfd9391dc6fc79

SHA512
20b715e5465be878045a61ca343ed268c36545230540f319259d54c3c1ff44633a6f7c6f4a4cc10ce29ec197b9d5f9eb1d4458ac61653b4cf62c4cf3fcad9277

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\55A6E0FBB236D9876050466F65150A82.png
MD5
55a6e0fbb236d9876050466f65150a82

SHA1
ead1e125e09111b5b70456de224a98da65e02407

SHA256
69996ee525fc2993bede7e0246308fa434ad6a147fecfaea6ec2aef2502bdadc

SHA512
a78133876c3ac6ba0fcc52b53aa753bf6775f3c95144c08531ecab4b9abe746233f550b1a89c6d6eafe16f2263745486b536fdc27375246031463a4c8a61f48d

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\574A7650A7C42D9564DDC2F09318F994.png
MD5
574a7650a7c42d9564ddc2f09318f994

SHA1
b9a2f0b8c0ffeb40330b150cc9fd984134b2d313

SHA256
3be907261254d9bc5db4abe8c1daccf84c24270bc796c5cf6f35549de73b4b9f

SHA512
0b211e43fe7f382b1187750c45a3179ed6916b15e301acf45380353614ca9e3b8408d7526c7255cf4307fcc05aa34e29ff5e8c20026e2aa020632b843aa0c9a2

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\5963F88CAC90027875B790F084AB2F50.png
MD5
5963f88cac90027875b790f084ab2f50

SHA1
139aa8c85aff31dacceb01127a838f343d9fdacb

SHA256
d34ad7b5cd5cf5506d4ef40a1691948e6782a659fed89224676cee30f65a1e68

SHA512
fca239f4d5d3165461d6160e6ab1a8c4400a4e01319db9781f09156dd7eca84d987f6227a94dff8342b62dd341abdb85527597409ea5bb779c8bf16b10fe994f

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\67A80AD380340715C89E6A7839079A56.png
MD5
67a80ad380340715c89e6a7839079a56

SHA1
8faec70622bbbc684e33e8bc7b47d9b28ff39fa6

SHA256
9515c45e831d0f41478b526248c072977b726ccca753db27d11800bcf9e43104

SHA512
495045ab4b0489946219f48350cd28e531e7fe205f2c93c24aab4b469c5e86cc1f31c679f4657b2a0c834897fcbf3595153dd396c3791dd70fb08176160f80b4

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\6C89F1E0D917E59F1F6508EC4B8F4020.png
MD5
6c89f1e0d917e59f1f6508ec4b8f4020

SHA1
6781f40633d001a9ce0a1de5aad0d41124f486b0

SHA256
c082d7bf27352014ca026a94829497690af8d693facddd8a48f057715b6bfef8

SHA512
ef2da06fa8b283354aceebdf8395f1831696b591783634498e8ec1fcce70921d3aac52f8040ba972e09747dfa8f7c5fdaeaaf7913215cf1cba352377d136d97c

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\6F41F4914A42AE92A487D6C8266A00D2.png
MD5
6f41f4914a42ae92a487d6c8266a00d2

SHA1
0689d4af84eaf48db145cd84324ba139da60e5b0

SHA256
5494de5204ccd8679aa6bbf47336895b77ee7ee41678f6eb94446f0442e37d60

SHA512
dbb140fa6082b3d0e372d506961f4f77275d1524dc8e6875ad9e125525ef994f7075ef24b45cd6800c239f8c294431f5e7e66da379a3437dfdc74cdbe603b504

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\75470F0D685F3B8240A5CBF5E20434BC.png
MD5
75470f0d685f3b8240a5cbf5e20434bc

SHA1
1fa9845e0c9f06294f00114c74db7949459af778

SHA256
ed938e0a94f550ca0e69dd37bb9f1f0c7223cdaafb6a5ba52bdb27d34f6e4ddc

SHA512
1c85fec104a1a5ae5584b500ff191c33451529786eb4b04014d7449a66cde0d4eba638e3c2a3a022adfc23be099c4fa89c44d2b57692ae38990c14c36d61cb81

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\858FBD4B558F0E5AD8FF38489EDB4434.png
MD5
858fbd4b558f0e5ad8ff38489edb4434

SHA1
c387cadca2fe2800008fc5688beb65954df9171f

SHA256
5afe9c09459804b3d478302140bb078c48011c2e1380949df5b42bfb434745d3

SHA512
b5b4eb18960568cf69c5ed522bee1dba9dae7307b99b018d2ddcca3b8fd1171f1aa9318c12e42900bce964813912645a65eb5eabc5369629fe7850463038e64b

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\98756B2953BB5BD65CF206154E47CF96.png
MD5
98756b2953bb5bd65cf206154e47cf96

SHA1
89785cfa73221ae120ddaf4aff78d65cf15cc7df

SHA256
b64286991d5a6ffcf5dc28d6935858e39cf63ebfb5586aaa703df87be60791b3

SHA512
5ed65569a7d33227eae4f82ecfb9f3db89e7a4b371ba52e3fb739ca2d27440644cc90fdeda29daf4fc2f61175f1e0d48937e6e86a5414d2bc01dec3bbfdc7b19

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\98B357546E6446308A46CC818071F1A2.png
MD5
98b357546e6446308a46cc818071f1a2

SHA1
02414d2b40733d351a61a88ca593de3c27da36c3

SHA256
15521c05470a9bb5688f375f866cfb92722c9e099e8160031ca7bba33f9ec19d

SHA512
2476c18cc08e9c46abbaf6eee480bc2287495ae6a7401ba0fca7368e734256562f65cc438c9ac6e7246925ac9eac3b95a5cb423fc132da2a5f3847066a208d4f

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\98FBBCD596E587F39275FD127B3BC772.png
MD5
98fbbcd596e587f39275fd127b3bc772

SHA1
18dd3f4759a042b85178b0f11fc9876bac495f8f

SHA256
d8261dd59bb488fd88c326b8229f58cb97d54f8fb289c069e697aedd716d29ba

SHA512
2622b10af8e6a4a47acbc2dfa1a326e8efaa465395d6c8705f2b2b881dafdbf903ecbb8aa957373636f1c6e3a48744a3b870b2b1f6de356c356f4afac6dc0e2e

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\992D6B931FC570214F4A06152FF7B6F9.png
MD5
992d6b931fc570214f4a06152ff7b6f9

SHA1
ec3c4b94cffaf19cacf92a6399989919115e0a7d

SHA256
b311a858bf773354c019ed7322af14e0322673c656955ff7fce727130a047bda

SHA512
b599bc19831644bd1c96f819b3a8011ece78f926629f5fa87c136879dc3d9d10efd94ea47cdde0a061f0db9f83913a113b3a072643c075f0b551cb95ae7cbdd8

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\9D6C00A64695C74D3963715E2189124E.png
MD5
9d6c00a64695c74d3963715e2189124e

SHA1
f5c95ae62abed2b8487011eeab67aa107b5704fb

SHA256
04219886a42560177a86391c108aef621044aa34233c3421a87a8f0aa0217f92

SHA512
1edc3d624ae9b2b5eb32130abe8bb4053e1e5131dc1c7c12a9d9244d335f23dddb861c59b62cdb6a73cb9d67d69b094487e4f1aeb3a895274cc9a6959a3c6a83

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\A9F6A4D231496119A95ED90CFDE77021.png
MD5
a9f6a4d231496119a95ed90cfde77021

SHA1
45814350e647e71f417ff6eaccc586327f2f61f9

SHA256
0b6bfe7c30f504f6afd9ae28ac0f2e4fcc58f89ebb7fb299c917666f7af82e9d

SHA512
c8f7de4d40cd1e1c54f90dfde9d30d199d74061a759e1c7262a5a68e89db300ce1675d6610099103ccb309da432223fd3343ab4838c88488c25d67c15ee2d20a

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\ABB57EDD592C6DC7158188880CC24F80.png
MD5
abb57edd592c6dc7158188880cc24f80

SHA1
be703a0cc146eaf52504c70ebe7e5b11289b998f

SHA256
ac98b4fafc3cec42c52b803aa600e20b87a7b62d69720e50992bfcb1f68c9fb0

SHA512
8e0deb5122eab44d3f24a8448449e3142f7702495bc9c6627a1d480e78f9913ada19edadd86b7da68f27c6b7a53e545c2feede7a081f16b5ed2b150984afb1ab

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\DB377F81C4E4BF04554D8828CD33135F.png
MD5
db377f81c4e4bf04554d8828cd33135f

SHA1
19f2af6d65f537e06d18518fe60d1576a38f14c4

SHA256
f7ab59c19680c56107e5f61b809e56802b9f4385343087ddb83ffd748681d8be

SHA512
0574de86297632e5500fc13336e4db4f507b18e9450aff7f56830a6fda8c593d0f6d73bcb8a390b282ff780a918ec5f42a86d09b3f18a4ca7413e905293cb7a5

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\GF.dll
MD5
a288386bce7648101bcde13120496d8d

SHA1
323d85a2c66d38ae40aefd31a757290bbd555945

SHA256
bf10ac5e50aead363bed3e9e6c91ca90cddf2ae4e5014c16c1d81afa9c494c83

SHA512
7a55b05eae19b4d23a8b73848c1bbaccebcf28cdc1286a080b7175295c5f3e0c499b921762bc8f9973442bfe5c0a0a1692c1ce481a8d986d53e26d242ce854f0

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMBluerayInsHlp.exe
MD5
a8dc7bfce96b82fde777a21a76ccc9ba

SHA1
0f512385c2407d5a9054cdf97c0ca318727e2017

SHA256
6578d20118f089c46a77a4ea9074ac42a59562cfc3729064bcebbe4031ce8d27

SHA512
49d6f2d0aafd5579fed33eb7b7dbe20f94949cd1153d2cb5775acea491eb944aaee865eabea4c013dc1bdd40ad002a3858296f4b634f3d5845af910b65cf5e37

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMBluerayInsHlpx64.exe
MD5
ff80258f3d91837e1f78945cfacc4741

SHA1
5d2ceadaa81c9831b6463521619ee216d2b6ceca

SHA256
d125a26c7b1399e826bbcb9d2a620579ebaa36aa52b8816448648f7b0b4357ba

SHA512
59dbcdbc4a527ca92822e7d62530a9968d506e31385db6d97dce3f8733c03063947a502160adec29a11503613f9a44f6c0775624e559e75d8af07fb2b7a43333

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMGCShellExt64.dll
MD5
95fb8f5601905939ffbb92fd072b0c5d

SHA1
1c5f274ae91bb8d0d9fa5a822303c3c5865974d3

SHA256
e7f98599aee8e9367a170cc095f0daecba89592e2e0345a708f24a8b25be4e19

SHA512
15d2f4048014a7d78ac6da70ee1994d4e2efd6de5a507792630a75e840fe9ca6e497047e1509450e7a2451cd3cbf3835cce107b3dfd928dc329d547566b32f2e

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMLogEx.dll
MD5
b6ded7a3f8c665bf7b412ed5ac4afa8f

SHA1
22f1a80e9016dad80f6a5fd15cf6f7edff388bba

SHA256
9103a37e398c21bc55e46426322b00e7fec3753fc309006183d014f617c0053e

SHA512
0a09dd5a975692bd258da07053fb423b31d6f2a5d4b81a080dab8643bf5f3eebdf93b160c7effc9d25ceab35df0964f60a34e51cea1728b6dc314921aab84639

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMRealTimeSpeedupSkinCenter.zip
MD5
10e324f3650b35d8df841b5ec13018b0

SHA1
a1603383a45a8b0aaae803cc1f3161712124e186

SHA256
9dacf24bd588681415187d8bd173023cf5e2b8ec55ead1cb9ce74877bfeabb2e

SHA512
6a2169859fa6116b3aea67fdbcce4bfe9b226165d738f18bb2ff37f421566a0505271c66cb0dec64bf089e41e7823b2e00d5593d403dfef2d34e7cfd1feee495

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCSoftCmd.exe
MD5
d210e07048b53ca5cc665ba2104bba02

SHA1
b967b394a4c3be24613012076fadfcd60219d11b

SHA256
8e53a548b6ad1dc37ecfe2be1895fe10af487025d75cccd7393848039b531bc8

SHA512
13e662915a22b7592c59b848bf61bd9d73fbe68570c3c68e651ad25a001bbf3abc790757b22fc76bdd425e68f572e0706c71ddce14c57e3d0d804aea6534c17c

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\BusinessInfo\res\business1_bkg.png
MD5
0b17268f47145b80380d887b00d60708

SHA1
d2e605dd314dd0c6076378b2a22a1fa53bca6f33

SHA256
a239f9bbafd79d24a65d5c38eb3d286ce6a3ab958f3210b36cd3ed0034360d9b

SHA512
8741f100d0b4b9fb4e41f323d4aa8247e7f8387b59f7b080e0d465019bf2c8be25a4d98d186d105296600562039f0f87c8c4f10be9a4304072abf3b1fe3938fe

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\BusinessInfo\res\business2_bkg.png
MD5
bf69d3ed4a10c1459c87e321a7b1954a

SHA1
7ec754a6585d4cfdddaa158b06577875001dd643

SHA256
f1ffee9b85a18eb32e672d6978c6b207b6fc2e4069a30c9260aa08d50f74af67

SHA512
e5b356cc5abcefb40a9cf1fea72ed556849ebcf42418b09ddba7eaa7b29f87b7284294d969e638fd1b73b2b3578c7261900cb0a6e1d70f7c99f2f3c47d98103d

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\BusinessInfo\res\business3_bkg.png
MD5
e985346b6202b2e47aebab7984704df5

SHA1
19a08f12412de93929701c630017159ecbbf0186

SHA256
e7d9811d5532c3cfeb631bf9c7fdecfb41ad1adcd92e91ad3177cfd581a102c0

SHA512
66f6a7810f857afc035a5341ef0243850975b2812720ebdacc9469ddcf810f02d60002b0fd0c8346bceab9230de00accbdb98a0735bc2f71071c73faab8d86a8

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\Logo\Anyun3killer.png
MD5
01c6fccd8173e4298bed38b168c74e79

SHA1
ef1ce6a0564c5f292cd1daf59df258ccd10a4a9b

SHA256
9a723d7b8d569764947c849643babd7051368697d881894d54437f46da088ecc

SHA512
5a15c3eff14052d745c0aadc5fcb104f033a852651bc020654dc3e3d90e933851666ab7f32c937995f1c7c705e3ad30d2f5a43f704028f1cfee3b0c9550ef67f

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\Logo\AppMarketPlugin.png
MD5
8d6e585aed5e0b9557901f2106fa6b55

SHA1
ed148aef3f5e8808dd33436f50a8fc131352217e

SHA256
35aee7196e14e414938fff76615882f3d8d2ddcaf3dc8a5ce7af83bd5b7b8137

SHA512
08b5a56766181f8802f54a45635dffa15762ce2719a8a53000bef1c4c126cc1c910e8f00d2e51369e6431e2b7a8ebf90f82fcb20e857d2a43e2685931bb4ee66

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\gjddFlowAS
MD5
77c524427249e3428aa92b04df1dff36

SHA1
6a3e8c096d7fdb515a5ef13aa54d624526c181f7

SHA256
8c14d4eee6b31aef7d69f4b6f7d25ce5e806e4dff43fa625aa97031895cd92d2

SHA512
e59d11abc625c77ac2852a94b9ce38d445245910898e78ead627d024275990461a476d2fc7da7a82ad911845c7eb30d3f1cb15a0084c2efc7329c49a51a4b4ab

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\qbclient\locales\en-US.pak
MD5
a1cb9e27ee2669a1db86cd8fe77b3ad4

SHA1
c8767540dbfe334cb9cdde1e94014396ea8edf7e

SHA256
08b5b82e2dace1588724c3b94764ed28ffe55de058a1d47d46813f4d18b76274

SHA512
0778ce300631d6b35e9a036f9f3197a3816c8bc0cbd34dbf4d532f130a0e8efc76da318fddcbd6a9995c7a6813169d23aff762b9f516996a8d411dd4badb6871

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\qbclient\locales\zh-CN.pak
MD5
209d0123654178004247d355409824af

SHA1
cc896bf5f4d88d80fea89c2f623c8436932bffe3

SHA256
c893f1eab716005a5aece4ab73c4311d4063688aefb64d2c3ff42a306b59e453

SHA512
0704349d34c5760d0f6211594dd3b76368c40e7e878d27930c77cd9edf9ab02962eab17e5efbae7791dad5d62c344d47b176cb090adc9edf15ecd411addd5e1f

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\qbclient\qb.pak
MD5
e4ec2b884bee4f0551b6feeb517b1e30

SHA1
9a090ab1932e6d6545a4d481a3db21d477fcbe56

SHA256
49559ccddf12544a97844fe36778603f368e3c575b7fc20983d8c945938c6e49

SHA512
6a9e85b961d0476dc6dfb82e5a9b22a2d2d5e12b8eca8937de5ec0420f593f90aced060c47f1ebc650599f5ec8290963273e998b24bbe6f6a13c3025d9fdab50

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\qbclient\qb_100_percent.pak
MD5
3434db08d3a1765a89ec8961902e3671

SHA1
32820e5e9cca80bb8168bb4df4847c8e093c9b9f

SHA256
4d35a90ad81b36a8dc8b782db67ade2e452ca0934cef9277f8524d4e1016c62b

SHA512
796f01dbbb6c88ba1fd5518869b1d3eea48d37d81985d5dcc4a91e1af0c8132cec786326f64edee0a37aff0d2a0ad8864841cd8a8aeede499bc70f7b18c2aa6e

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\qbclient\qb_200_percent.pak
MD5
f4c0754bfa9725051b9c77a75f8bf3af

SHA1
0e552bc73673ec33d75a334689a3e71179361532

SHA256
f1f5643b7b91d04c0826327f8e94104d1b8200d7fede14b0ec2d58bf91e0e331

SHA512
b5f0b19bd51cb411df2d75c326c16ce554e5edb26fb6aebb76724863a4c260006d0b29acff64b46a08d0387d19714eaa1a9688d0155a1fa94ccf3630cc9049e9

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db
MD5
cf7e71ed80cc5c32dbeb92ae0a852088

SHA1
c1c712dcf7f8692d1ba5cd3de13624a746d5f065

SHA256
37be15583d51f3bac41546c88292207386832c971a7ce63d6e65ca5a69fbb513

SHA512
2f09aa296633a7074d05bdfe1f09ab20189d7ddf45bc97ca84eab22e864cc6c8dc4dd051536cebe92d27642335b598305949ad785a66cc86609b4a96d79c5c11

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\QQPCMgr\Download\QQPCMgr_Setup.exe
MD5
3efe337c046834114a5b907387541e79

SHA1
8d3e67228db1ab0cf77de409546cf056a6dfb97b

SHA256
cd6a75706684e2365fad82397bcb711f87e1f4b6899539fa4b6ee28e1dca150c

SHA512
c2ab461ffba1b4855b00ba56f82abd88970c6484df257e5f2eb3270afea19dc89b3ae7e233e84044e6cc04b24fe5ae7bf83749653819199264b5b124bdf7a4a4

Download Submit
C:\Users\Admin\AppData\Roaming\tencent\QQPCMgr\Download\QQPCMgr_Setup.exe
MD5
3efe337c046834114a5b907387541e79

SHA1
8d3e67228db1ab0cf77de409546cf056a6dfb97b

SHA256
cd6a75706684e2365fad82397bcb711f87e1f4b6899539fa4b6ee28e1dca150c

SHA512
c2ab461ffba1b4855b00ba56f82abd88970c6484df257e5f2eb3270afea19dc89b3ae7e233e84044e6cc04b24fe5ae7bf83749653819199264b5b124bdf7a4a4

Download Submit
C:\Windows\SysWOW64\MSVCP140.dll
MD5
cfbdf284c12056347e6773cb3949fbba

SHA1
ad3fa5fbbc4296d4a901ea94460762faf3d6a2b8

SHA256
bbecdfda2551b01aa16005c88305982c360a9fb9ba3d9be2fb15f2e9c6eb809f

SHA512
2f24eac94d51f8f28c8e6b6234ca2e481e0f8f1a73df62766ff4f5640480377fb2c4a469babedb87d303503994b469e570aaf725e16da6f9b2d6a77f15b4623f

Download Submit
C:\Windows\SysWOW64\VCRUNTIME140.dll
MD5
8e65e033799eb9fd46bc5c184e7d1b85

SHA1
e1cc5313be1f7df4c43697f8f701305585fe4e71

SHA256
be38a38e22128af9a529af33d1f02dd24b2a344d29175939e229cf3a280673e4

SHA512
e0207fe2c327e7a66c42f23b3cbabc771d3819275dc970a9fa82d7af5f26606685644b8ea511f87ec511eb3a086a9506adec96c01c1b80b788c253bd0d459fbd

Download Submit
C:\Windows\system32\MSVCP140.dll
MD5
b9abe16b723ddd90fc612d0ddb0f7ab4

SHA1
b323de242f21f39cf1cca4198ba1abb52e6aa0fb

SHA256
75fc76655631a4ae72d015b8e85f899537c603661ca35a3f29099b8e4c84716c

SHA512
2a66bddb9b6768419c6baacbf8bb19cda5662f5b1a1a3ca760b1d9d7ea7d65d19c29f48b7621362107eef819d692f1d2a55a6d7d0217ecea91eb6e150f6ab646

Download Submit
C:\Windows\system32\VCRUNTIME140.dll
MD5
238dae6c4bb494893d01b99f6effdb93

SHA1
b3c96c7187191a70c0088641542dec48bf4b5baf

SHA256
da9d322ab2d891a83312f194e70060b1e2d1e6ecd87a4cff5a8f727453c1c4b8

SHA512
01b3f320feae9bcf3f540ac369515ea73249ba39630c117127ff9d0de6307f5d062246b799e48627c9735a80b9a4e0a2f7f293df187ba607d91a6ae64796cd64

Download Submit
\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\GF.dll
MD5
a288386bce7648101bcde13120496d8d

SHA1
323d85a2c66d38ae40aefd31a757290bbd555945

SHA256
bf10ac5e50aead363bed3e9e6c91ca90cddf2ae4e5014c16c1d81afa9c494c83

SHA512
7a55b05eae19b4d23a8b73848c1bbaccebcf28cdc1286a080b7175295c5f3e0c499b921762bc8f9973442bfe5c0a0a1692c1ce481a8d986d53e26d242ce854f0

Download Submit
\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMBluerayInsHlp.exe
MD5
a8dc7bfce96b82fde777a21a76ccc9ba

SHA1
0f512385c2407d5a9054cdf97c0ca318727e2017

SHA256
6578d20118f089c46a77a4ea9074ac42a59562cfc3729064bcebbe4031ce8d27

SHA512
49d6f2d0aafd5579fed33eb7b7dbe20f94949cd1153d2cb5775acea491eb944aaee865eabea4c013dc1bdd40ad002a3858296f4b634f3d5845af910b65cf5e37

Download Submit
\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMBluerayInsHlpx64.exe
MD5
ff80258f3d91837e1f78945cfacc4741

SHA1
5d2ceadaa81c9831b6463521619ee216d2b6ceca

SHA256
d125a26c7b1399e826bbcb9d2a620579ebaa36aa52b8816448648f7b0b4357ba

SHA512
59dbcdbc4a527ca92822e7d62530a9968d506e31385db6d97dce3f8733c03063947a502160adec29a11503613f9a44f6c0775624e559e75d8af07fb2b7a43333

Download Submit
\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMGCShellExt64.dll
MD5
95fb8f5601905939ffbb92fd072b0c5d

SHA1
1c5f274ae91bb8d0d9fa5a822303c3c5865974d3

SHA256
e7f98599aee8e9367a170cc095f0daecba89592e2e0345a708f24a8b25be4e19

SHA512
15d2f4048014a7d78ac6da70ee1994d4e2efd6de5a507792630a75e840fe9ca6e497047e1509450e7a2451cd3cbf3835cce107b3dfd928dc329d547566b32f2e

Download Submit
\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMGCShellExt64.dll
MD5
95fb8f5601905939ffbb92fd072b0c5d

SHA1
1c5f274ae91bb8d0d9fa5a822303c3c5865974d3

SHA256
e7f98599aee8e9367a170cc095f0daecba89592e2e0345a708f24a8b25be4e19

SHA512
15d2f4048014a7d78ac6da70ee1994d4e2efd6de5a507792630a75e840fe9ca6e497047e1509450e7a2451cd3cbf3835cce107b3dfd928dc329d547566b32f2e

Download Submit
\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMLogEx.dll
MD5
b6ded7a3f8c665bf7b412ed5ac4afa8f

SHA1
22f1a80e9016dad80f6a5fd15cf6f7edff388bba

SHA256
9103a37e398c21bc55e46426322b00e7fec3753fc309006183d014f617c0053e

SHA512
0a09dd5a975692bd258da07053fb423b31d6f2a5d4b81a080dab8643bf5f3eebdf93b160c7effc9d25ceab35df0964f60a34e51cea1728b6dc314921aab84639

Download Submit
\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMLogEx64.dll
MD5
79d9ac3881a501f8db844f8a2465b406

SHA1
6031e13c9e475bde0e04cf8dd0b89afea1c28099

SHA256
d88dd8197a8df6d328254f4611dc87f32ec4e8d813af32d9f41c4d841856650a

SHA512
7697a1a085eb7f69dc9a00c1916fa425eb893bc965027a2e0dc59ad2b3f32f88dbaf4f6a04717112d40250343ed31f732ec1a72fbc581da057249ee3e9df77f1

Download Submit
\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCSoftCmd.exe
MD5
d210e07048b53ca5cc665ba2104bba02

SHA1
b967b394a4c3be24613012076fadfcd60219d11b

SHA256
8e53a548b6ad1dc37ecfe2be1895fe10af487025d75cccd7393848039b531bc8

SHA512
13e662915a22b7592c59b848bf61bd9d73fbe68570c3c68e651ad25a001bbf3abc790757b22fc76bdd425e68f572e0706c71ddce14c57e3d0d804aea6534c17c

Download Submit
\Users\Admin\AppData\Local\Temp\TencentDownload\~f74f9ca\QQPCDownload.dll
MD5
aa142942435b567595a71eb4eb402579

SHA1
790ed6f6e5016b8873ce1817bcc96024a0e768de

SHA256
73a934147b27437f91517ed9ed7eb20fb54e222a1bf2047f201ac668455c0f1e

SHA512
e8a9d760bfac910500a56aea8e3849bc3e73c3a0065557dc1da2495d785ba58c428a168a97faebfaa638aa3e285e7141f3937156dc1d26caad1792929dba8708

Download Submit
\Users\Admin\AppData\Roaming\Tencent\QQPCMgr\Download\QQPCMgr_Setup.exe
MD5
3efe337c046834114a5b907387541e79

SHA1
8d3e67228db1ab0cf77de409546cf056a6dfb97b

SHA256
cd6a75706684e2365fad82397bcb711f87e1f4b6899539fa4b6ee28e1dca150c

SHA512
c2ab461ffba1b4855b00ba56f82abd88970c6484df257e5f2eb3270afea19dc89b3ae7e233e84044e6cc04b24fe5ae7bf83749653819199264b5b124bdf7a4a4

Download Submit
\Windows\SysWOW64\msvcp140.dll
MD5
cfbdf284c12056347e6773cb3949fbba

SHA1
ad3fa5fbbc4296d4a901ea94460762faf3d6a2b8

SHA256
bbecdfda2551b01aa16005c88305982c360a9fb9ba3d9be2fb15f2e9c6eb809f

SHA512
2f24eac94d51f8f28c8e6b6234ca2e481e0f8f1a73df62766ff4f5640480377fb2c4a469babedb87d303503994b469e570aaf725e16da6f9b2d6a77f15b4623f

Download Submit
\Windows\SysWOW64\vcruntime140.dll
MD5
8e65e033799eb9fd46bc5c184e7d1b85

SHA1
e1cc5313be1f7df4c43697f8f701305585fe4e71

SHA256
be38a38e22128af9a529af33d1f02dd24b2a344d29175939e229cf3a280673e4

SHA512
e0207fe2c327e7a66c42f23b3cbabc771d3819275dc970a9fa82d7af5f26606685644b8ea511f87ec511eb3a086a9506adec96c01c1b80b788c253bd0d459fbd

Download Submit
\Windows\System32\msvcp140.dll
MD5
b9abe16b723ddd90fc612d0ddb0f7ab4

SHA1
b323de242f21f39cf1cca4198ba1abb52e6aa0fb

SHA256
75fc76655631a4ae72d015b8e85f899537c603661ca35a3f29099b8e4c84716c

SHA512
2a66bddb9b6768419c6baacbf8bb19cda5662f5b1a1a3ca760b1d9d7ea7d65d19c29f48b7621362107eef819d692f1d2a55a6d7d0217ecea91eb6e150f6ab646

Download Submit
\Windows\System32\msvcp140.dll
MD5
b9abe16b723ddd90fc612d0ddb0f7ab4

SHA1
b323de242f21f39cf1cca4198ba1abb52e6aa0fb

SHA256
75fc76655631a4ae72d015b8e85f899537c603661ca35a3f29099b8e4c84716c

SHA512
2a66bddb9b6768419c6baacbf8bb19cda5662f5b1a1a3ca760b1d9d7ea7d65d19c29f48b7621362107eef819d692f1d2a55a6d7d0217ecea91eb6e150f6ab646

Download Submit
\Windows\System32\vcruntime140.dll
MD5
238dae6c4bb494893d01b99f6effdb93

SHA1
b3c96c7187191a70c0088641542dec48bf4b5baf

SHA256
da9d322ab2d891a83312f194e70060b1e2d1e6ecd87a4cff5a8f727453c1c4b8

SHA512
01b3f320feae9bcf3f540ac369515ea73249ba39630c117127ff9d0de6307f5d062246b799e48627c9735a80b9a4e0a2f7f293df187ba607d91a6ae64796cd64

Download Submit
\Windows\System32\vcruntime140.dll
MD5
238dae6c4bb494893d01b99f6effdb93

SHA1
b3c96c7187191a70c0088641542dec48bf4b5baf

SHA256
da9d322ab2d891a83312f194e70060b1e2d1e6ecd87a4cff5a8f727453c1c4b8

SHA512
01b3f320feae9bcf3f540ac369515ea73249ba39630c117127ff9d0de6307f5d062246b799e48627c9735a80b9a4e0a2f7f293df187ba607d91a6ae64796cd64

Download Submit
memory/584-170-0x0000000000000000-mapping.dmp

Download
memory/880-205-0x0000000000000000-mapping.dmp

Download
memory/880-214-0x000000006FFE0000-0x000000006FFF0000-memory.dmp

Filesize
64KB

Download
memory/880-141-0x0000000000000000-mapping.dmp

Download
memory/908-147-0x0000000000000000-mapping.dmp

Download
memory/936-69-0x0000000000000000-mapping.dmp

Download
memory/964-153-0x0000000000000000-mapping.dmp

Download
memory/964-195-0x0000000000000000-mapping.dmp

Download
memory/1080-116-0x0000000000000000-mapping.dmp

Download
memory/1084-149-0x0000000000000000-mapping.dmp

Download
memory/1096-150-0x0000000000000000-mapping.dmp

Download
memory/1100-168-0x0000000000000000-mapping.dmp

Download
memory/1328-166-0x0000000000000000-mapping.dmp

Download
memory/1328-185-0x0000000000000000-mapping.dmp

Download
memory/1348-189-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1348-190-0x000000006FFE0000-0x000000006FFF0000-memory.dmp

Filesize
64KB

Download
memory/1348-187-0x0000000000000000-mapping.dmp

Download
memory/1352-203-0x000000006FFE0000-0x000000006FFF0000-memory.dmp

Filesize
64KB

Download
memory/1352-202-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1352-217-0x000000000E920000-0x000000000EB78000-memory.dmp

Filesize
2.3MB

Download
memory/1352-204-0x000000006FFD0000-0x000000006FFE0000-memory.dmp

Filesize
64KB

Download
memory/1352-213-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/1352-200-0x0000000000000000-mapping.dmp

Download
memory/1508-64-0x0000000000000000-mapping.dmp

Download
memory/1580-138-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1580-133-0x0000000000000000-mapping.dmp

Download
memory/1592-165-0x0000000000000000-mapping.dmp

Download
memory/1596-164-0x0000000000000000-mapping.dmp

Download
memory/1600-161-0x0000000000000000-mapping.dmp

Download
memory/1600-179-0x0000000000000000-mapping.dmp

Download
memory/1600-181-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1600-182-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1636-177-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1636-172-0x0000000000000000-mapping.dmp

Download
memory/1636-216-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1644-139-0x0000000000000000-mapping.dmp

Download
memory/1676-146-0x0000000000000000-mapping.dmp

Download
memory/1688-157-0x0000000000000000-mapping.dmp

Download
memory/1688-106-0x0000000000000000-mapping.dmp

Download
memory/1704-207-0x0000000000000000-mapping.dmp

Download
memory/1708-158-0x0000000000000000-mapping.dmp

Download
memory/1736-173-0x0000000000000000-mapping.dmp

Download
memory/1776-126-0x000007FEFBC41000-0x000007FEFBC43000-memory.dmp

Filesize
8KB

Download
memory/1776-125-0x0000000000000000-mapping.dmp

Download
memory/1828-194-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1828-192-0x0000000000000000-mapping.dmp

Download
memory/1828-144-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1828-145-0x000000006FFE0000-0x000000006FFF0000-memory.dmp

Filesize
64KB

Download
memory/1828-176-0x0000000000000000-mapping.dmp

Download
memory/1828-140-0x0000000000000000-mapping.dmp

Download
memory/1836-174-0x0000000000000000-mapping.dmp

Download
memory/1852-183-0x0000000000000000-mapping.dmp

Download
memory/1852-169-0x0000000000000000-mapping.dmp

Download
memory/1900-121-0x0000000000000000-mapping.dmp

Download
memory/1900-163-0x0000000000000000-mapping.dmp

Download
memory/1936-62-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1936-61-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/2000-171-0x0000000000000000-mapping.dmp

Download
memory/2064-210-0x0000000000000000-mapping.dmp

Download
memory/2448-215-0x0000000000000000-mapping.dmp

Download
memory/2652-218-0x0000000000000000-mapping.dmp

Download
memory/2652-231-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/2688-232-0x0000000000000000-mapping.dmp

Download
memory/2716-220-0x0000000000000000-mapping.dmp

Download
memory/2780-222-0x0000000000000000-mapping.dmp

Download
memory/2976-226-0x0000000000000000-mapping.dmp

Download
memory/3012-275-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/3024-227-0x0000000000000000-mapping.dmp

Download
memory/3024-230-0x000000006FFE0000-0x000000006FFF0000-memory.dmp

Filesize
64KB

Download
memory/3092-237-0x000000006FFD0000-0x000000006FFE0000-memory.dmp

Filesize
64KB

Download
memory/3092-238-0x0000000002D80000-0x0000000002E0C000-memory.dmp

Filesize
560KB

Download
memory/3092-233-0x0000000000000000-mapping.dmp

Download
memory/3228-240-0x0000000000000000-mapping.dmp

Download
memory/3320-241-0x0000000000000000-mapping.dmp

Download
memory/3348-242-0x0000000000000000-mapping.dmp

Download
memory/3380-243-0x0000000000000000-mapping.dmp

Download
memory/3416-244-0x0000000000000000-mapping.dmp

Download
memory/3448-245-0x0000000000000000-mapping.dmp

Download
memory/3516-246-0x0000000000000000-mapping.dmp

Download
memory/3548-247-0x0000000000000000-mapping.dmp

Download
memory/3576-248-0x0000000000000000-mapping.dmp

Download
memory/3604-249-0x0000000000000000-mapping.dmp

Download
memory/3632-250-0x0000000000000000-mapping.dmp

Download
memory/3660-251-0x0000000000000000-mapping.dmp

Download
memory/3688-252-0x0000000000000000-mapping.dmp

Download
memory/3720-253-0x0000000000000000-mapping.dmp

Download
memory/3748-254-0x0000000000000000-mapping.dmp

Download
memory/3780-255-0x0000000000000000-mapping.dmp

Download
memory/4068-267-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download