e4e0f491d1a623421f29cf888401e02de72c8c7eeebc2519140bb91cdd7ab447

Analysis

max time kernel
154s
max time network
159s
platform
windows10_x64
resource
win10-en
submitted
06-09-2021 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QQPCDownload1726.exe
Size

1.2MB
MD5

010ce02a531123766140c241b62dba0a
SHA1

3d7cfa3422b5dc2776f54c088de6bc513f71c757
SHA256

e4e0f491d1a623421f29cf888401e02de72c8c7eeebc2519140bb91cdd7ab447
SHA512

51cb6807506c79500d2fbd96c073a5926a3442af6fed21bdb5981d4996a2a072046ed883d7dac7a5795461e800e6ff0ec2de97583a33527b63bf50eeb1c59066

Score

10^/10

adware bootkit discovery evasion persistence stealer trojan

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 10 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextUninstall	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextUninstall\ = "{CBDECEF7-7A29-4cbf-A009-2673D82C7BF9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextScan	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextScan\ = "{63332668-8CE1-445D-A5EE-25929176714E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextScan	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextScan\ = "{63332668-8CE1-445D-A5EE-25929176714E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextUninstall	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextScan	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextUninstall\ = "{CBDECEF7-7A29-4cbf-A009-2673D82C7BF9}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextUninstall	regsvr32.exe

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file

Drops file in Drivers directory 6 IoCs

Processes:

QQPCTray.exeQQPCRealTimeSpeedup.exeQQPCMgr_Setup.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\TAOKernelEx64_ev.sys	QQPCTray.exe
File opened for modification	C:\Windows\system32\Drivers\TAOKernelEx64_ev.sys	QQPCTray.exe
File created	C:\Windows\system32\Drivers\TAOAcceleratorEx64_ev.sys	QQPCRealTimeSpeedup.exe
File opened for modification	C:\Windows\system32\Drivers\TAOAcceleratorEx64_ev.sys	QQPCRealTimeSpeedup.exe
File opened for modification	C:\Windows\system32\Drivers\TAOAcceleratorEx64_ev.sys	QQPCTray.exe
File created	C:\Windows\system32\Drivers\TFsFltX64_ev.sys	QQPCMgr_Setup.exe

Executes dropped EXE 39 IoCs

Processes:

QQPCMgr_Setup.exeQMBluerayInsHlp.exeQMBluerayInsHlpx64.exeQQPCSoftCmd.exeQQPCRTP.exeQMProxyHelper64.exeQMSuperScan.exeQMCheckNetwork.exeQMCheckNetwork.exeQMMiYu.exeGameAssist_Setup.exeQQPCTray.exeQQPCRTP.exeQQPCRTP.exeQQPCRtp.exeQQPCTray.exeQQPCTray.exeUpdateTrayIcon.exeInstallUninstallCube.exeQMProxyHelper64.exeQQRepair.EXEVolSnapshotX64.exeQQPCPatch.exeQQRepair.EXEQQPCRealTimeSpeedup.exeQQPCTray.exeqmdl.exeQQRepair.exeQQPCPatch.exeQMBlueScreenFixSetup_13.6.20672.243__1594805313978.exeQMRealTimeSpeedupSetup_13.6.20672.243__1594805313978.exeQQPCSoftMgr.exeQQPCTxtExt.exeQQPCExternal.exeQQPCSoftCmd.exeqbclient.exeQQPCExternal.exeqbclient.exeqbclient.exe

pid	process
1988	QQPCMgr_Setup.exe
3556	QMBluerayInsHlp.exe
2660	QMBluerayInsHlpx64.exe
2784	QQPCSoftCmd.exe
1876	QQPCRTP.exe
4072	QMProxyHelper64.exe
3120	QMSuperScan.exe
352	QMCheckNetwork.exe
2312	QMCheckNetwork.exe
1704	QMMiYu.exe
4192	GameAssist_Setup.exe
4240	QQPCTray.exe
4264	QQPCRTP.exe
4368	QQPCRTP.exe
4448	QQPCRtp.exe
4580	QQPCTray.exe
4648	QQPCTray.exe
4664	UpdateTrayIcon.exe
4696	InstallUninstallCube.exe
3616	QMProxyHelper64.exe
4244	QQRepair.EXE
4152	VolSnapshotX64.exe
2780	QQPCPatch.exe
4308	QQRepair.EXE
764	QQPCRealTimeSpeedup.exe
4308	QQPCTray.exe
5324	qmdl.exe
5652	QQRepair.exe
5672	QQPCPatch.exe
5812	QMBlueScreenFixSetup_13.6.20672.243__1594805313978.exe
652	QMRealTimeSpeedupSetup_13.6.20672.243__1594805313978.exe
5868	QQPCSoftMgr.exe
6064	QQPCTxtExt.exe
6080	QQPCExternal.exe
4280	QQPCSoftCmd.exe
5984	qbclient.exe
5888	QQPCExternal.exe
7032	qbclient.exe
6568	qbclient.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

UpdateTrayIcon.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation	UpdateTrayIcon.exe

Loads dropped DLL 64 IoCs

Processes:

QQPCDownload1726.exeQMBluerayInsHlp.exeQMBluerayInsHlpx64.exeregsvr32.exeregsvr32.exeQQPCSoftCmd.exeQQPCRTP.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeQMProxyHelper64.exeQMSuperScan.exe

pid	process
3952	QQPCDownload1726.exe
3556	QMBluerayInsHlp.exe
3556	QMBluerayInsHlp.exe
3556	QMBluerayInsHlp.exe
2660	QMBluerayInsHlpx64.exe
2660	QMBluerayInsHlpx64.exe
2660	QMBluerayInsHlpx64.exe
408	regsvr32.exe
2276	regsvr32.exe
2276	regsvr32.exe
2276	regsvr32.exe
2276	regsvr32.exe
2784	QQPCSoftCmd.exe
2784	QQPCSoftCmd.exe
2784	QQPCSoftCmd.exe
2784	QQPCSoftCmd.exe
2784	QQPCSoftCmd.exe
2784	QQPCSoftCmd.exe
2784	QQPCSoftCmd.exe
2784	QQPCSoftCmd.exe
2784	QQPCSoftCmd.exe
2784	QQPCSoftCmd.exe
2784	QQPCSoftCmd.exe
2784	QQPCSoftCmd.exe
2784	QQPCSoftCmd.exe
2784	QQPCSoftCmd.exe
2784	QQPCSoftCmd.exe
2784	QQPCSoftCmd.exe
2784	QQPCSoftCmd.exe
2784	QQPCSoftCmd.exe
2784	QQPCSoftCmd.exe
2784	QQPCSoftCmd.exe
2784	QQPCSoftCmd.exe
2784	QQPCSoftCmd.exe
1876	QQPCRTP.exe
1876	QQPCRTP.exe
1876	QQPCRTP.exe
1876	QQPCRTP.exe
1876	QQPCRTP.exe
1876	QQPCRTP.exe
1876	QQPCRTP.exe
1876	QQPCRTP.exe
1876	QQPCRTP.exe
3820	regsvr32.exe
1852	regsvr32.exe
1852	regsvr32.exe
1852	regsvr32.exe
3896	regsvr32.exe
748	regsvr32.exe
748	regsvr32.exe
4052	regsvr32.exe
4052	regsvr32.exe
4052	regsvr32.exe
3268	regsvr32.exe
3268	regsvr32.exe
1896	regsvr32.exe
1920	regsvr32.exe
1920	regsvr32.exe
1920	regsvr32.exe
4072	QMProxyHelper64.exe
4072	QMProxyHelper64.exe
3120	QMSuperScan.exe
3120	QMSuperScan.exe
3120	QMSuperScan.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

5620 icacls.exe

pid	process
5620	icacls.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

QQRepair.EXEQQRepair.exeQQPCMgr_Setup.exeQQPCRtp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ QQPCTray = "\"C:\\Program Files (x86)\\Tencent\\QQPCMgr\\13.6.20672.243\\QQPCTRAY.EXE\" /regrun /qqrepair"	QQRepair.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ QQPCTray = "\"C:\\Program Files (x86)\\Tencent\\QQPCMgr\\13.6.20672.243\\QQPCTRAY.EXE\" /regrun /qqrepair"	QQRepair.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	QQPCMgr_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QQDisabled	QQPCMgr_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ QQPCTray = "\"C:\\Program Files (x86)\\Tencent\\QQPCMgr\\13.6.20672.243\\QQPCTray.exe\" /regrun"	QQPCMgr_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ QQPCTray = "\"C:\\Program Files (x86)\\Tencent\\QQPCMgr\\13.6.20672.243\\QQPCTray.exe\" /regrun"	QQPCRtp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

QQRepair.EXEQQPCRealTimeSpeedup.exeQQRepair.exeqbclient.exeqbclient.exeqbclient.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QQRepair.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QQPCRealTimeSpeedup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QQRepair.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	qbclient.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	qbclient.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	qbclient.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Writes to the Master Boot Record (MBR) 1 TTPs 10 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

QQPCMgr_Setup.exeGameAssist_Setup.exeQQPCTray.exeQQPCTray.exeqbclient.exeQQPCDownload1726.exeQMSuperScan.exeQQPCRtp.exeqbclient.exeqbclient.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	QQPCMgr_Setup.exe
File opened for modification	\??\PhysicalDrive0	GameAssist_Setup.exe
File opened for modification	\??\PhysicalDrive0	QQPCTray.exe
File opened for modification	\??\PhysicalDrive0	QQPCTray.exe
File opened for modification	\??\PhysicalDrive0	qbclient.exe
File opened for modification	\??\PhysicalDrive0	QQPCDownload1726.exe
File opened for modification	\??\PhysicalDrive0	QMSuperScan.exe
File opened for modification	\??\PhysicalDrive0	QQPCRtp.exe
File opened for modification	\??\PhysicalDrive0	qbclient.exe
File opened for modification	\??\PhysicalDrive0	qbclient.exe

Drops file in System32 directory 64 IoCs

Processes:

QQPCMgr_Setup.exeGameAssist_Setup.exeQQPCRtp.exe

description	ioc	process
File created	C:\Windows\SysWOW64\api-ms-win-crt-convert-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\SysWOW64\ucrtbase.dll	QQPCMgr_Setup.exe
File opened for modification	C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7	QQPCRtp.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll	QQPCMgr_Setup.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-crt-locale-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-crt-utility-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-crt-environment-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\SysWOW64\vcomp140.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	GameAssist_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-stdio-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\SysWOW64\vcamp140.dll	QQPCMgr_Setup.exe
File opened for modification	C:\Windows\system32\api-ms-win-crt-environment-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\api-ms-win-crt-filesystem-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-crt-convert-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\api-ms-win-crt-convert-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-crt-stdio-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	QQPCRtp.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-math-l1-1-0.dll	QQPCMgr_Setup.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-1.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-crt-process-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\api-ms-win-crt-process-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Windows\system32\ucrtbase.dll	GameAssist_Setup.exe
File created	C:\Windows\SysWOW64\vcomp140.dll	QQPCMgr_Setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\QMLogEx\log.ini	QQPCRtp.exe
File opened for modification	C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	QQPCMgr_Setup.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-process-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.dll	QQPCMgr_Setup.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-synch-l1-2-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\api-ms-win-core-localization-l1-2-0.dll	GameAssist_Setup.exe
File created	C:\Windows\system32\ucrtbase.dll	QQPCMgr_Setup.exe
File opened for modification	C:\Windows\system32\vcruntime140.dll	QQPCMgr_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-synch-l1-2-0.dll	QQPCMgr_Setup.exe
File opened for modification	C:\Windows\system32\concrt140.dll	QQPCMgr_Setup.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-crt-time-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Windows\SysWOW64\ucrtbase.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\api-ms-win-core-synch-l1-2-0.dll	GameAssist_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-time-l1-1-0.dll	QQPCMgr_Setup.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\api-ms-win-crt-locale-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-locale-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-string-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll	QQPCMgr_Setup.exe

Drops file in Program Files directory 64 IoCs

Processes:

QQPCMgr_Setup.exeGameAssist_Setup.exeQQPCTray.exeQQPCSoftMgr.exeQQPCPatch.exeQQPCRtp.exe

description	ioc	process
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\NodisturbSGList.etf	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\api-ms-win-core-rtlsupport-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.6398.138\GameRouterFileList\rl287.etf	GameAssist_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\AppCtrlInfo\FileUnlockerCtrl.xml	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\ClinicData\script\pb_1023.dat	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.6398.138\GameRouterFileList\rl307.etf	GameAssist_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.6398.138\GameRouterFileList\rl563.etf	GameAssist_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.6398.138\api-ms-win-crt-runtime-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\plugins\QMNetMon\api-ms-win-crt-process-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\Logo\qqpcweiyundiskjmp.png	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\plugins\SysCleanPage\SysCleanPage.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\TAVCache.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQSysMon_ev.sys	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMUpdate\api-ms-win-crt-heap-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DataProxy.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\GarbageCleaner.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMUpdate\QQPCUpdate.rdb	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\Plugin\QMRealTimeSpeedupSetup_13.6.20672.243__1594805313978.exe	QQPCTray.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\plugins\SysSpeedUp\SysSpeedUp.rdb	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMMalCore.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCfix.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCHwNetwork.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\RefuseSystem.dat	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.6398.138\api-ms-win-core-debug-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\RICHED20.DLL	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\SoftMgr\xImage.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.6398.138\GameRouterFileList\rl559.etf	GameAssist_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\AppUICtrlInfo\QMDocProtectUICtrl.xml	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\TAO\MXConfig.etf	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\AppLaunch.prf	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\plugins\SysCleanPage\syscleanpage.tpc	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMDns.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\qmsoftmgrupdate\DataUpdateFile\12.tmp	QQPCSoftMgr.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\RefuseSystem.dat.bak_11423	QQPCPatch.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\ClinicData\script\pb_1402.dat	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\plugins\QMNetMon\api-ms-win-core-debug-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\FileGroupUpdate\Sections\11410\QMDnsPluginCtrl.xml	QQPCPatch.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\plugins\SysHomePage\GarbageSoftInfo.xml	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\ClinicData\config\NetRepairPage.js	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMTrayPlugin\qmrtpplugin\QMRtpPlugin.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\TAVE.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\TAOKernel.sys	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.6398.138\QMDL.exe	GameAssist_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMDns.exe.src_11410	QQPCPatch.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\ClinicData\script\pb_1021.dat	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMTrayPlugin\qmudiskmgr\USBKey.dat	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\AndroidAssistHelper.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMProxyAccLsp.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\plugins\QMNetMon\api-ms-win-core-timezone-l1-1-0.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCStub.exe	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\plugins\QMNetMon\sqlite.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\TsFltMgr.sys	QQPCMgr_Setup.exe
File opened for modification	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\FileGroupUpdate\Sections\11440\TVL00001.tvl	QQPCPatch.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\IEStartPageConfig.dat	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DownloaderManager.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.6398.138\GameRouterFileList\rl391.etf	GameAssist_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMProxyAccLsp64.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\plugins\QMNetMon\zlib.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.6398.138\GameRouterFileList\rl200014.etf	GameAssist_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.6398.138\RefuseInject.dll	GameAssist_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\plugins\malware\logo\plugin_949.png	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.6398.138\GameRouterFileList\rl335.etf	GameAssist_Setup.exe
File opened for modification	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\WSFDatabase.db-journal	QQPCRtp.exe
File opened for modification	C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMNetworkMgr.ini	QQPCTray.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

QQPCTray.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	QQPCTray.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	QQPCTray.exe

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

T1112

Processes:

QQPCTray.exeqbclient.exeqbclient.exeQQPCMgr_Setup.exeqbclient.exeQQPCExternal.exeQQPCExternal.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\StatusBarWeb = "1"	QQPCTray.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserMachineCode	qbclient.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserMachineCode	qbclient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute	QQPCMgr_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16EE6530-8649-4F42-A9E4-F6A3295AF975}\AppName = "QQPCClinic.exe"	QQPCMgr_Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserMachineCode	qbclient.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16EE6530-8649-4F42-A9E4-F6A3295AF975}	QQPCMgr_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\PCMgrRepairIEExtensions	QQPCMgr_Setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\PCMgrRepairIEExtensions\WarnOnOpen = "0"	QQPCMgr_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16EE6530-8649-4F42-A9E4-F6A3295AF975}\AppPath = "C:\\Program Files (x86)\\Tencent\\QQPCMgr\\13.6.20672.243\\"	QQPCMgr_Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\ShowStatusBar = "1"	QQPCTray.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\BrowserMachineCode\MachineGuid = "1d18ebb2b5071a973da41e0cf381dca4"	qbclient.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserMachineCode	QQPCExternal.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserMachineCode	QQPCExternal.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16EE6530-8649-4F42-A9E4-F6A3295AF975}\Policy = "3"	QQPCMgr_Setup.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

QQPCRtp.exeQQPCTray.exeQQPCMgr_Setup.exeQQPCRealTimeSpeedup.exeQMSuperScan.exeQQPCTray.exeQQPCSoftCmd.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\LRTLastLaunchDate = 7bf44d1529b06266	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\LRTCloseTipCnt = 7b74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\TrojanFileMonBlackCount = 7b74ea37	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\Area2_Garbage = 7b74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_44 = 3874d037c712e567e705819e9fffc6764c1730e367920d563ac3e822842e23173bdd30cabe4d057bacac7e44f66fbf052b8cb103fa5e917a4beb61b7ed0058ab80ea5fb90928	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\RealtimeSpeedupStartRocket = 7a74ea37	QQPCRealTimeSpeedup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_14 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e061772dd7ccaa34d527be9ac	QMSuperScan.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_2 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7f7007cab85ea59b9082830bc43669527408210fb5385e595e1cc1b9b5b706befd119344778b7ddd82872657192ad9fe8ae7cc71bbfffa5d63177a167ccab712d14b2201c47de441fc2b84706	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\SystemStartupOverPercent = 6574ea37	QQPCTray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	QQPCRtp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_35 = 3874d037c712e567e705819e9fffc6764c1730e303922a5627c3e522	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\OppAdcBlackDownSwitchFlag = 7a74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\NetMonShowMinibar = 7a74ea37	QQPCTray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Tencent\QQ	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\TAOBusinessCfg_flag = 4a74dc37a8128567ac05df9ec8ff8c7618176ae34e92735637c3e522872e33172edd2dcafe4d5b7bffac3644ce6fc505718ce903f25ec77a41eb74b79b0052ab8dea0db94e286fbc5266ca27158257fb3c858795ebcc	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_41 = 3874d037c712e267fc05809e9cffdb765a172ee31b9218562ac3f722b62e1f174cdd2ecaf24d	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_56 = 3874d037c712e267fc05809e9cffdb765a172ee31b92395636c3f7228e2e251769dd7bcaa34d4e7b	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\BlackURLPercent = 9377ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_23 = 3874d037c712e567e705819e9fffc6764c1730e303922a5627c3e522bd2e1d1772dd7bcab44d527be9ac3844cc6f8805188c8b03fe5e907a41eb2eb7dc0042abb0ea69b90e283ebc42668e27068229fb6a85dc95fdcc299b6f7076efc919204756b7efd831727771	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_35 = 3874d037c712e567e705819e9fffc6764c1730e303922a5627c3e522	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\SetupSpeedupPluginName = 28749a37fe12d067f1059b9e88ffe67642173ee32c922e5627c38422e12e50171bdd18cac64d3d7b9aac5744aa6ffc05448cdc03975efe7a25eb41b7ab0031abecea3ab97a285fbc3066fa27268264fb0f85b29588cc759b3f7004efa619474724b78ed85c720471e0adebe88e7c8a1bdaffcbd64477fd679cab032d7bb2471c35de251fafb834069fbb98cab5486f99f94ef26ce321a267a7194810070b1d6bafb1ae779af7daa18d01665d1934bc67d088c99700a6166931ced9c54096df49f21c2013c747f11229c945bb48186366146d5452544c6f79e7853d664892bc6d7ca36c7ac1bf6de1b7cc349dd22a183dffbc1c76196491851e138d294fbab8d725d1b17395d15e67c0915b44ab17df61bd48580c993c0c2657c58b7e06ebff1882e388c9ab7f833ba156e841c453c3f0870adecb958ebc79d20c5635af22aa75c053e2450ba01fb5bce37284bc2fed57ead61a021607da0b1be9f655da6f5fde5c158e59186a606c6d570767020135b5d8a7c42f395bd2559b9f8565e71447dc5c2f8e45500ffdec30a8a39bcebb722c1575cbdf99b13bdc8c1769d5c7f0cd01a168ece5819c96cdb8ba964fb4063e27714293ba9ae719d82879f94eb71d7c866614ec2e9c26b8a1708f38171482a0e78674da4a8bdfcafa58d3637cfd48ac0eafde243fb3c02739a65e387b2904baf275f3ba8f7ee29a20a3908e30bad892d56790db4dde60bc93	QQPCRealTimeSpeedup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\SysHPLogRecentNum_traceclear = 7b74ea379b12b5679505ee9ef8ffb4762d175de347924b5653c38422e12e50171bdd18cac64d3d7b9aac5744aa6ffc05448cdc03975efe7a25eb41b7ab0031abecea3ab97a285fbc	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\ExitOnClose = 7b74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\QMCfgQMNInterval = 7874	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defLastSccUrlCfgVersion = 7e19a24f	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\FTSysSpeedupTipsCheckLeft = 7a	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\FtSysNewAutoCleanSwitch = 7b	QQPCTray.exe
Key created	\REGISTRY\USER\QMConfig	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpeedupSkinTipsLastVersion = 7474ea37	QQPCSoftCmd.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\TAVServerConfig = 3d21b57bf27fdc13d36c82fbab96ce1310246cd772a5796e63c9c277be6339795db474af9524471ea79e5d02ff30b36b27e98973fb319f1e63822dd296333bedb9b56ed60e4933e9400a954642c40d976ab881a5b8c633ce60257483c978230148d6e9e56d784224bff89b84e11dee4b9fb6a5b02b319106fb9632273de718515cb0766adcee556aeadea5fabf0e3ac6bf279e09b651ce08c67d097463792003dbc5de4db5d8a9c0e0710a383446d904b5e1bff22ecb771a45ababeb31e7f12a9d710f70a02edc7040a76add21740639660837245e0a3a26ace0445b7ba0da5d4d935c43f9865ad8d3af56a8b11a2a5bcad82b477c01a7e62a72b51145fced8870a1dd1cf4b50e2289ff3d2bed7bbe068079524acc6359563baaea1a559b9a7de6debaf9a13cc57cfe1dbb02a83cb694c163b2aec6e7c61c9e653b5cdb1f9f47f461da7d3b902fbfffa535dbf9418c3586b353667a6289687a87cb65d02c1999035cea357d39030d031e6913677343d4b49af51a330f9303dec0d428a47828a9386ae022396198bf53c7d1fef3894415204cf9eaae870bd6d8563f9098bb9e42cd079981c4f2f1a4d6dfc52cdb745b1a407aa483aad321e9114bf31af64b39d92762855cfd63d6c619e15d4477edd282bb45ec7bbbe9fbc86fe05576a909fa4bf08a565adda46257c137561e7a67d58010ce8bbc4ad0ab1794a2b600b08cd38322cf8f1d9525d2f4a93975106055bda45daf178729dd1590dc39f4e32a7996b471fcd91760c53187dadd4b756b32c550a1be306cc926d0bc7d87c25f79852d60b81ba9b25fe4e6be832f695e74516e4be1aba8f1d3e3745b0d3dd99b933d3c0d77980bf0c08a3075493d8f1ebccb05c8d1c7c888d6a644f2f519cadebd2407f064d1e71d7f10a1ce68ce961b4299bba558d0b4e599618d3825617d293449f8d955c702154a09355211b414ace8c6fbf0d16ba0570c6d5eac041d188e631702a7368058c97193fc19f8d4d61bacde4af5a91e042a96f8ec6c0ebfb6a5598429a83667bc9cad144a37990e65da8a9a5655124b606fb1da77453379fbe76811a8c4a52b40581eb3235ee2791492db66772945bc681f92761590fbd02a07148238a4d6134b1ce60ac4efe6a54072fdbaf6e1019b30303602bb1fb5085fac97a0b54951c11d94e6c7a486bc92ce53cb92fc26d7308cf128da5c71cd59ca16ca8136a94f7935c59ad10ccfdc966be20ddf609579d13002cec291d610f7e58e6083d9b24fddb33417702bb0ff605ce0e8f9f58bd822cfdfc73214b6fcb822dc4ed117d65e3ffb1cc133	QQPCRtp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_25 = 3874d037c712e067e6058b9e8affc77671170de3329229563fc3ed22822e0c175fdd7dcab54d567beeac3844da6f	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_59 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fb0052b8cbf03f65e927a79eb0cb7c20052ab9eea55b9092830bc56668e277a8233fb6685dc95eccc1a9b487077effa19054751b7fcd832725871a2ad9ee8fc7ce41b	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_59 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fb0052b8cbf03f65e927a79eb0cb7c20052ab9eea55b9092830bc56668e277a8233fb6685dc95eccc1a9b487077effa19054751b7fcd832725871a2ad9ee8fc7ce41b	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\FTSysAutoCleanTraceConfig = 7a74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSoftMgrIPRegionInfoReportTime = f2cddf569b12b567	QQPCTray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSoftMgrTestConfigValid = 7a74ea37	QQPCTray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_21 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7f7007cab85ea59b9082830bc43669527408210fb5385e595e1cc1b9b5b706befd119344778b7dad83972697190ad87e8ef7cfe1bbfffb8d6	QMSuperScan.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_59 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fb0052b8cbf03f65e927a79eb0cb7c20052ab9eea55b9092830bc56668e277a8233fb6685dc95eccc1a9b487077effa19054751b7fcd832725871a2ad9ee8fc7ce41b	QMSuperScan.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\ScanFinishAutoShutDown = 7b74ea37	QQPCTray.exe
Key created	\REGISTRY\USER\.DEFAULT\SoftWare	QQPCRtp.exe
Key created	\REGISTRY\USER\QMConfig\QQDoctor\DrRtp\Hips	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\SysHPLogCurrentNum_traceclear = 5b74ea379412b567	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\FTSysSlowCardTipsCheckLeft = 7a	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_16 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e14177edd6bcaad4d497bf5ac2744	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defQMAPUIBkgValue = 7b74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defAliLnkProcStatus = 7b74ea37	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defAdcNewVerDefaultOffFlag = 7a74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_34 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fb0052b8cbf03f65e927a79eb0cb7c20052ab9eea55b9092830bc56668e277a8233fb6685dc95eccc1a9b487077effa190f474db7fdd828726b7192ad92e8	QMSuperScan.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_45 = 3874d037c712e567e705819e9fffc6764c1730e303922a5627c3e522bd2e1d1772dd7bcab44d527be9ac3844cc6f8805188c8b03fe5e907a41eb2eb7dc0042abb0ea6eb91f2832bc40669627478210fb6a85c195	QMSuperScan.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\LSPCheckNetworkEntry = 7f74ea37	QMSuperScan.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_16 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e14177edd6bcaad4d497bf5ac2744	QMSuperScan.exe
Set value (data)	\REGISTRY\USER\QMConfig\SysHP\SysHPGarbageSubItems = 4c74de37a012	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_19 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7f7007cab85ea59b9082830bc43669527408210fb5385e595e1cc1b9b5b706befd119344778b7c0d83972707197ad84e8fc7ce11bfaff98d62c779267eeab772d18b2321c41de561f	QQPCMgr_Setup.exe
Key created	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg	QQPCRealTimeSpeedup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_28 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fb0052b8cbf03f65e927a	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defDocProVolSnapSpaceMaxNoCom = 71	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_54 = 3874d037c712e067e6058b9e8affc77671170de3329229563fc3ed22822e0c174bdd71caa54d497befac2544cf6f8f05	QMSuperScan.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeQQPCMgr_Setup.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3303E77E-EAF6-4840-8208-5D950B2B61E7}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B}\ = "CTSWebSiteMon Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.qmgc	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMRealTimeSpeedup.QMRealTimeSpeedupShellContextMenuExtension.1\CLSID\ = "{C5617F6A-39BB-436D-91CF-61C1B45DD688}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TSWebSiteMon.CTSWebSiteMon.1\CLSID\ = "{7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextScan\ = "{63332668-8CE1-445D-A5EE-25929176714E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4801E96-E7A1-45F6-B124-7A36DFB40B81}\NumMethods\ = "3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\shell\opendlg\command	QQPCMgr_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4801E96-E7A1-45F6-B124-7A36DFB40B81}\NumMethods\ = "3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qmgcfiles\DefaultIcon	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B}\AppID = "{5D7991DD-038B-49D4-8C8B-00119981499C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4801E96-E7A1-45F6-B124-7A36DFB40B81}\TypeLib\ = "{445E3964-15B0-472A-95F4-6242DD2EA066}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4801E96-E7A1-45F6-B124-7A36DFB40B81}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E2A79C5-48F1-4182-BCF9-E92857BDA980}\InfoTip = "使用电脑管家强力卸载功能卸载软件"	QQPCMgr_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9FDA3675-DD0B-43EF-A5EE-2A7188E5D00F}\ = "IBasic"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBDECEF7-7A29-4cbf-A009-2673D82C7BF9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5617F6A-39BB-436D-91CF-61C1B45DD688}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQPCMgr.qbox\ = "QQ保险柜文件(.qbox)"	QQPCMgr_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMContextScan.QMContextScanMenu\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\QMContextUninstall.DLL\AppID = "{1E9BD312-7C8C-4422-906D-897F6D7714F2}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{445E3964-15B0-472A-95F4-6242DD2EA066}\1.0	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBDECEF7-7A29-4cbf-A009-2673D82C7BF9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4801E96-E7A1-45F6-B124-7A36DFB40B81}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TSWebSiteMon.CTSWebSiteMon\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Unknown	QQPCMgr_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63332668-8CE1-445D-A5EE-25929176714E}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMContextUninstall.QMContextUninstallMenu\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBDECEF7-7A29-4cbf-A009-2673D82C7BF9}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\shell\openas\command	QQPCMgr_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9FDA3675-DD0B-43EF-A5EE-2A7188E5D00F}\TypeLib\ = "{C049F583-D724-4BAB-8F47-F13BCA41B808}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63332668-8CE1-445D-A5EE-25929176714E}\ = "QMContextScanMenu Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQPCMgr.qbox\shell\	QQPCMgr_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{29B6CFD5-0064-411A-8C42-9890C83F9921}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63332668-8CE1-445D-A5EE-25929176714E}\InprocServer32\ = "C:\\Program Files (x86)\\Tencent\\QQPCMgr\\13.6.20672.243\\QMContextScan.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMContextUninstall.QMContextUninstallMenu	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\npQMExtensionsIE.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5617F6A-39BB-436D-91CF-61C1B45DD688}\ = "QQPCMgr Real Time Speedup Shell Context Menu Extension"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMContextUninstall.QMContextUninstallMenu.1\ = "QMContextUninstallMenu Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4801E96-E7A1-45F6-B124-7A36DFB40B81}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B7667919-3765-4815-A66D-98A09BE662D6}\AppID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4801E96-E7A1-45F6-B124-7A36DFB40B81}\InProcServer32\ = "C:\\Program Files (x86)\\Tencent\\QQPCMgr\\13.6.20672.243\\QMContextUninstall64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{29B6CFD5-0064-411A-8C42-9890C83F9921}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMContextScan.QMContextScanMenu.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B}\TypeLib\ = "{35627C7C-DB28-4772-9A6F-7607FFCBF9FF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9FDA3675-DD0B-43EF-A5EE-2A7188E5D00F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMRealTimeSpeedup.QMRealTimeSpeedupShellContextMenuExtension.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{63332668-8CE1-445D-A5EE-25929176714E}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQPCMgr.qbox\shell\command	QQPCMgr_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qmgcfiles\ShellEx\IconHandler	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMRealTimeSpeedup.QMRealTimeSpeedupShellContextMenuExtension\ = "QQPCMgr Real Time Speedup Shell Context Menu Extension"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{5D7991DD-038B-49D4-8C8B-00119981499C}\ = "TSWebSiteMon"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMContextScan.QMContextScanMenu\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\QMContextScan\ = "{63332668-8CE1-445D-A5EE-25929176714E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9FDA3675-DD0B-43EF-A5EE-2A7188E5D00F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\QMContextUninstall	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{5D7991DD-038B-49D4-8C8B-00119981499C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{63332668-8CE1-445D-A5EE-25929176714E}\TypeLib\ = "{593BE60A-1C6A-44F9-946D-A5EAB2D53511}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B}\VersionIndependentProgID\ = "TSWebSiteMon.CTSWebSiteMon"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E2A79C5-48F1-4182-BCF9-E92857BDA980}\Shell	QQPCMgr_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\QMContextScan	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{35627C7C-DB28-4772-9A6F-7607FFCBF9FF}\1.0\0\win64	regsvr32.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

QQPCRtp.exeqbclient.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	QQPCRtp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	QQPCRtp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	qbclient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	QQPCRtp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	QQPCRtp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	QQPCRtp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	QQPCRtp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	QQPCRtp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	QQPCRtp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	qbclient.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	qbclient.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

QQPCDownload1726.exeQQPCMgr_Setup.exeQMCheckNetwork.exeGameAssist_Setup.exe

pid	process
3952	QQPCDownload1726.exe
3952	QQPCDownload1726.exe
3952	QQPCDownload1726.exe
3952	QQPCDownload1726.exe
3952	QQPCDownload1726.exe
3952	QQPCDownload1726.exe
3952	QQPCDownload1726.exe
3952	QQPCDownload1726.exe
3952	QQPCDownload1726.exe
3952	QQPCDownload1726.exe
3952	QQPCDownload1726.exe
3952	QQPCDownload1726.exe
3952	QQPCDownload1726.exe
3952	QQPCDownload1726.exe
3952	QQPCDownload1726.exe
3952	QQPCDownload1726.exe
3952	QQPCDownload1726.exe
3952	QQPCDownload1726.exe
1988	QQPCMgr_Setup.exe
1988	QQPCMgr_Setup.exe
1988	QQPCMgr_Setup.exe
1988	QQPCMgr_Setup.exe
1988	QQPCMgr_Setup.exe
1988	QQPCMgr_Setup.exe
1988	QQPCMgr_Setup.exe
1988	QQPCMgr_Setup.exe
1988	QQPCMgr_Setup.exe
1988	QQPCMgr_Setup.exe
1988	QQPCMgr_Setup.exe
1988	QQPCMgr_Setup.exe
1988	QQPCMgr_Setup.exe
1988	QQPCMgr_Setup.exe
1988	QQPCMgr_Setup.exe
1988	QQPCMgr_Setup.exe
1988	QQPCMgr_Setup.exe
1988	QQPCMgr_Setup.exe
1988	QQPCMgr_Setup.exe
1988	QQPCMgr_Setup.exe
1988	QQPCMgr_Setup.exe
1988	QQPCMgr_Setup.exe
352	QMCheckNetwork.exe
352	QMCheckNetwork.exe
4192	GameAssist_Setup.exe
4192	GameAssist_Setup.exe
4192	GameAssist_Setup.exe
4192	GameAssist_Setup.exe
4192	GameAssist_Setup.exe
4192	GameAssist_Setup.exe
4192	GameAssist_Setup.exe
4192	GameAssist_Setup.exe
4192	GameAssist_Setup.exe
4192	GameAssist_Setup.exe
4192	GameAssist_Setup.exe
4192	GameAssist_Setup.exe
4192	GameAssist_Setup.exe
4192	GameAssist_Setup.exe
4192	GameAssist_Setup.exe
4192	GameAssist_Setup.exe
4192	GameAssist_Setup.exe
4192	GameAssist_Setup.exe
4192	GameAssist_Setup.exe
4192	GameAssist_Setup.exe
4192	GameAssist_Setup.exe
4192	GameAssist_Setup.exe

Suspicious behavior: LoadsDriver 64 IoCs

Processes:

QQPCTray.exeQQPCRtp.exe

pid	process
628
628
628
628
628
628
628
4580	QQPCTray.exe
628
628
628
628
628
628
628
628
628
628
628
628
628
628
4448	QQPCRtp.exe
628
628
628
628
628
628
628
628
628
628
628
628
628
628
628
628
628
628
628
628
628
628
628
628
628
4448	QQPCRtp.exe
628
628
628
628
4448	QQPCRtp.exe
628
628
628
628
628
628
628
628
628
628

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

QQPCMgr_Setup.exeQQPCTray.exeGameAssist_Setup.exeQQPCTray.exeQQPCTray.exeInstallUninstallCube.exeQMSuperScan.exeQQRepair.EXEQQPCRtp.exevssvc.exeQQPCRealTimeSpeedup.exeQQPCTray.exeqmdl.exeQQRepair.exe

description	pid	process
Token: SeBackupPrivilege	1988	QQPCMgr_Setup.exe
Token: SeRestorePrivilege	1988	QQPCMgr_Setup.exe
Token: SeBackupPrivilege	1988	QQPCMgr_Setup.exe
Token: SeRestorePrivilege	1988	QQPCMgr_Setup.exe
Token: SeDebugPrivilege	1988	QQPCMgr_Setup.exe
Token: 33	4240	QQPCTray.exe
Token: SeIncBasePriorityPrivilege	4240	QQPCTray.exe
Token: SeDebugPrivilege	4192	GameAssist_Setup.exe
Token: 33	4580	QQPCTray.exe
Token: SeIncBasePriorityPrivilege	4580	QQPCTray.exe
Token: 33	4648	QQPCTray.exe
Token: SeIncBasePriorityPrivilege	4648	QQPCTray.exe
Token: SeDebugPrivilege	4696	InstallUninstallCube.exe
Token: SeDebugPrivilege	4580	QQPCTray.exe
Token: SeShutdownPrivilege	4580	QQPCTray.exe
Token: SeCreatePagefilePrivilege	4580	QQPCTray.exe
Token: SeDebugPrivilege	4580	QQPCTray.exe
Token: SeLoadDriverPrivilege	4580	QQPCTray.exe
Token: SeLoadDriverPrivilege	4580	QQPCTray.exe
Token: SeDebugPrivilege	3120	QMSuperScan.exe
Token: SeLoadDriverPrivilege	4244	QQRepair.EXE
Token: SeDebugPrivilege	4448	QQPCRtp.exe
Token: SeLoadDriverPrivilege	4448	QQPCRtp.exe
Token: SeDebugPrivilege	4448	QQPCRtp.exe
Token: SeBackupPrivilege	4580	QQPCTray.exe
Token: SeRestorePrivilege	4580	QQPCTray.exe
Token: SeLoadDriverPrivilege	4448	QQPCRtp.exe
Token: SeDebugPrivilege	4448	QQPCRtp.exe
Token: SeDebugPrivilege	4448	QQPCRtp.exe
Token: SeLoadDriverPrivilege	4448	QQPCRtp.exe
Token: SeDebugPrivilege	4448	QQPCRtp.exe
Token: SeLoadDriverPrivilege	4448	QQPCRtp.exe
Token: SeBackupPrivilege	1688	vssvc.exe
Token: SeRestorePrivilege	1688	vssvc.exe
Token: SeAuditPrivilege	1688	vssvc.exe
Token: SeDebugPrivilege	4580	QQPCTray.exe
Token: SeDebugPrivilege	764	QQPCRealTimeSpeedup.exe
Token: SeBackupPrivilege	4580	QQPCTray.exe
Token: SeRestorePrivilege	4580	QQPCTray.exe
Token: 33	4308	QQPCTray.exe
Token: SeIncBasePriorityPrivilege	4308	QQPCTray.exe
Token: SeDebugPrivilege	764	QQPCRealTimeSpeedup.exe
Token: SeDebugPrivilege	4580	QQPCTray.exe
Token: SeManageVolumePrivilege	5324	qmdl.exe
Token: SeLoadDriverPrivilege	4308	QQPCTray.exe
Token: SeLoadDriverPrivilege	5652	QQRepair.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

QQPCDownload1726.exeUpdateTrayIcon.exeQQPCTray.exe

pid	process
3952	QQPCDownload1726.exe
3952	QQPCDownload1726.exe
4664	UpdateTrayIcon.exe
4580	QQPCTray.exe
4580	QQPCTray.exe
4580	QQPCTray.exe
4580	QQPCTray.exe
4580	QQPCTray.exe
4664	UpdateTrayIcon.exe
4664	UpdateTrayIcon.exe
4580	QQPCTray.exe
3952	QQPCDownload1726.exe

Suspicious use of SendNotifyMessage 7 IoCs

Processes:

QQPCDownload1726.exeQQPCTray.exe

pid process

3952 QQPCDownload1726.exe
3952 QQPCDownload1726.exe
4580 QQPCTray.exe
4580 QQPCTray.exe
4580 QQPCTray.exe
4580 QQPCTray.exe
3952 QQPCDownload1726.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

QQPCDownload1726.exeQQPCSoftMgr.exeQQPCSoftCmd.exe

pid	process
3952	QQPCDownload1726.exe
5868	QQPCSoftMgr.exe
5868	QQPCSoftMgr.exe
5868	QQPCSoftMgr.exe
4280	QQPCSoftCmd.exe
5868	QQPCSoftMgr.exe
5868	QQPCSoftMgr.exe
5868	QQPCSoftMgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

QQPCDownload1726.exeQQPCMgr_Setup.exeQMBluerayInsHlp.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 3952 wrote to memory of 1988	3952	QQPCDownload1726.exe	QQPCMgr_Setup.exe
PID 3952 wrote to memory of 1988	3952	QQPCDownload1726.exe	QQPCMgr_Setup.exe
PID 3952 wrote to memory of 1988	3952	QQPCDownload1726.exe	QQPCMgr_Setup.exe
PID 1988 wrote to memory of 1896	1988	QQPCMgr_Setup.exe	cacls.exe
PID 1988 wrote to memory of 1896	1988	QQPCMgr_Setup.exe	cacls.exe
PID 1988 wrote to memory of 1896	1988	QQPCMgr_Setup.exe	cacls.exe
PID 1988 wrote to memory of 3556	1988	QQPCMgr_Setup.exe	QMBluerayInsHlp.exe
PID 1988 wrote to memory of 3556	1988	QQPCMgr_Setup.exe	QMBluerayInsHlp.exe
PID 1988 wrote to memory of 3556	1988	QQPCMgr_Setup.exe	QMBluerayInsHlp.exe
PID 3556 wrote to memory of 2660	3556	QMBluerayInsHlp.exe	QMBluerayInsHlpx64.exe
PID 3556 wrote to memory of 2660	3556	QMBluerayInsHlp.exe	QMBluerayInsHlpx64.exe
PID 1988 wrote to memory of 408	1988	QQPCMgr_Setup.exe	regsvr32.exe
PID 1988 wrote to memory of 408	1988	QQPCMgr_Setup.exe	regsvr32.exe
PID 1988 wrote to memory of 408	1988	QQPCMgr_Setup.exe	regsvr32.exe
PID 408 wrote to memory of 2276	408	regsvr32.exe	regsvr32.exe
PID 408 wrote to memory of 2276	408	regsvr32.exe	regsvr32.exe
PID 1988 wrote to memory of 2784	1988	QQPCMgr_Setup.exe	QQPCSoftCmd.exe
PID 1988 wrote to memory of 2784	1988	QQPCMgr_Setup.exe	QQPCSoftCmd.exe
PID 1988 wrote to memory of 2784	1988	QQPCMgr_Setup.exe	QQPCSoftCmd.exe
PID 1988 wrote to memory of 2136	1988	QQPCMgr_Setup.exe	Netsh.exe
PID 1988 wrote to memory of 2136	1988	QQPCMgr_Setup.exe	Netsh.exe
PID 1988 wrote to memory of 2136	1988	QQPCMgr_Setup.exe	Netsh.exe
PID 1988 wrote to memory of 1876	1988	QQPCMgr_Setup.exe	QQPCRTP.exe
PID 1988 wrote to memory of 1876	1988	QQPCMgr_Setup.exe	QQPCRTP.exe
PID 1988 wrote to memory of 1876	1988	QQPCMgr_Setup.exe	QQPCRTP.exe
PID 1988 wrote to memory of 1852	1988	QQPCMgr_Setup.exe	regsvr32.exe
PID 1988 wrote to memory of 1852	1988	QQPCMgr_Setup.exe	regsvr32.exe
PID 1988 wrote to memory of 1852	1988	QQPCMgr_Setup.exe	regsvr32.exe
PID 1988 wrote to memory of 3820	1988	QQPCMgr_Setup.exe	regsvr32.exe
PID 1988 wrote to memory of 3820	1988	QQPCMgr_Setup.exe	regsvr32.exe
PID 1988 wrote to memory of 3820	1988	QQPCMgr_Setup.exe	regsvr32.exe
PID 1988 wrote to memory of 3896	1988	QQPCMgr_Setup.exe	regsvr32.exe
PID 1988 wrote to memory of 3896	1988	QQPCMgr_Setup.exe	regsvr32.exe
PID 1988 wrote to memory of 3896	1988	QQPCMgr_Setup.exe	regsvr32.exe
PID 1988 wrote to memory of 748	1988	QQPCMgr_Setup.exe	regsvr32.exe
PID 1988 wrote to memory of 748	1988	QQPCMgr_Setup.exe	regsvr32.exe
PID 1988 wrote to memory of 748	1988	QQPCMgr_Setup.exe	regsvr32.exe
PID 3820 wrote to memory of 4052	3820	regsvr32.exe	regsvr32.exe
PID 3820 wrote to memory of 4052	3820	regsvr32.exe	regsvr32.exe
PID 1988 wrote to memory of 1896	1988	QQPCMgr_Setup.exe	regsvr32.exe
PID 1988 wrote to memory of 1896	1988	QQPCMgr_Setup.exe	regsvr32.exe
PID 1988 wrote to memory of 1896	1988	QQPCMgr_Setup.exe	regsvr32.exe
PID 3896 wrote to memory of 3268	3896	regsvr32.exe	regsvr32.exe
PID 3896 wrote to memory of 3268	3896	regsvr32.exe	regsvr32.exe
PID 1896 wrote to memory of 1920	1896	regsvr32.exe	regsvr32.exe
PID 1896 wrote to memory of 1920	1896	regsvr32.exe	regsvr32.exe
PID 1852 wrote to memory of 2748	1852	regsvr32.exe	reg.exe
PID 1852 wrote to memory of 2748	1852	regsvr32.exe	reg.exe
PID 1852 wrote to memory of 2748	1852	regsvr32.exe	reg.exe
PID 1852 wrote to memory of 3532	1852	regsvr32.exe	reg.exe
PID 1852 wrote to memory of 3532	1852	regsvr32.exe	reg.exe
PID 1852 wrote to memory of 3532	1852	regsvr32.exe	reg.exe
PID 1988 wrote to memory of 4072	1988	QQPCMgr_Setup.exe	QMProxyHelper64.exe
PID 1988 wrote to memory of 4072	1988	QQPCMgr_Setup.exe	QMProxyHelper64.exe
PID 1852 wrote to memory of 3556	1852	regsvr32.exe	reg.exe
PID 1852 wrote to memory of 3556	1852	regsvr32.exe	reg.exe
PID 1852 wrote to memory of 3556	1852	regsvr32.exe	reg.exe
PID 1852 wrote to memory of 2276	1852	regsvr32.exe	reg.exe
PID 1852 wrote to memory of 2276	1852	regsvr32.exe	reg.exe
PID 1852 wrote to memory of 2276	1852	regsvr32.exe	reg.exe
PID 1852 wrote to memory of 1384	1852	regsvr32.exe	reg.exe
PID 1852 wrote to memory of 1384	1852	regsvr32.exe	reg.exe
PID 1852 wrote to memory of 1384	1852	regsvr32.exe	reg.exe
PID 1988 wrote to memory of 3120	1988	QQPCMgr_Setup.exe	QMSuperScan.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

QQPCTray.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	QQPCTray.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "255"	QQPCTray.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3008

C:\Users\Admin\AppData\Local\Temp\QQPCDownload1726.exe
"C:\Users\Admin\AppData\Local\Temp\QQPCDownload1726.exe"
2⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3952

C:\Users\Admin\AppData\Roaming\tencent\QQPCMgr\Download\QQPCMgr_Setup.exe
"C:\Users\Admin\AppData\Roaming\tencent\QQPCMgr\Download\QQPCMgr_Setup.exe" /S ##silence=1&handle=458824&update=1&supply=1726&forceinstall=1&qqpcmgr=0&DownloadSetupInOne=1
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\cacls.exe
"cacls" "C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243" /t /e /c /g SYSTEM:f
4⤵
PID:1896

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMBluerayInsHlp.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMBluerayInsHlp.exe" /install
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3556

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMBluerayInsHlpx64.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMBluerayInsHlpx64.exe" /install
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s /i "C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\\QMGCShellExt64.dll"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:408

C:\Windows\system32\regsvr32.exe
/s /i "C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\\QMGCShellExt64.dll"
5⤵
- Loads dropped DLL
- Modifies registry class
PID:2276

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCSoftCmd.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCSoftCmd.exe" /command=SetSimpleVersionConfig /SimpleVersion=2 /From=Installer
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:2784

C:\Windows\SysWOW64\Netsh.exe
"C:\Windows\system32\Netsh.exe" exec "C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~f7445e8\firewallLog.txt"
4⤵
PID:2136

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCRTP.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCRTP.exe" -i
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1876

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\npQMExtensionsIE.dll"
4⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}\iexplore\AllowedDomains\qq.com" /f
5⤵
PID:2748

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}\iexplore" /v Flags /t reg_dword /d 4 /f
5⤵
PID:3532

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}\iexplore\AllowedDomains\baidu.com" /f
5⤵
PID:3556

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}\iexplore\AllowedDomains\xunlei.com" /f
5⤵
PID:2276

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}\iexplore\AllowedDomains\sogou.com" /f
5⤵
PID:1384

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}\iexplore\AllowedDomains\kugou.com" /f
5⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}\iexplore\AllowedDomains\*" /f
5⤵
PID:1460

C:\Windows\SysWOW64\reg.exe
reg delete "hkcr\CLSID\{29B6CFD5-0064-411A-8C42-9890C83F9922}" /f
5⤵
PID:3572

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMContextScan64.dll"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMContextScan64.dll"
5⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Modifies registry class
PID:3268

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMContextScan.dll"
4⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Modifies registry class
PID:748

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMContextUninstall64.dll"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMContextUninstall64.dll"
5⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Modifies registry class
PID:1920

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\TSWebMon64.dat"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3820

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMProxyHelper64.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMProxyHelper64.exe" /Uninstall
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4072

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMSuperScan.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\\QMSuperScan.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3120

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMCheckNetwork.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMCheckNetwork.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:352

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMCheckNetwork.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMCheckNetwork.exe" /AllChain
6⤵
- Executes dropped EXE
PID:2312

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMMiYu.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMMiYu.exe" /closemiyu
4⤵
- Executes dropped EXE
PID:1704

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\GameAssist_Setup.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\GameAssist_Setup.exe" /S ##silence=1&supplyid=3500
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Windows\SysWOW64\cacls.exe
"cacls" "C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.6398.138" /t /e /c /g SYSTEM:f
5⤵
PID:4392

C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.6398.138\QMProxyHelper64.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.6398.138\QMProxyHelper64.exe" /Uninstall
5⤵
- Executes dropped EXE
PID:3616

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCTray.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCTray.exe" /loadexit /superfetch:1
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4240

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCRTP.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCRTP.exe" -e
4⤵
- Executes dropped EXE
PID:4264

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCRTP.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCRTP.exe" -s
4⤵
- Executes dropped EXE
PID:4368

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCTray.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCTray.exe" /regrun
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~f7445e8\UpdateTrayIcon.exe
"C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~f7445e8\UpdateTrayIcon.exe" -t QQPCTray.exe -c 1 -p 1 -d "C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
PID:4664

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\InstallUninstallCube.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\\InstallUninstallCube.exe" "/verb=EndInstall" /sync=0000027c /pid=1988 "/temp=C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~f7445e8\" "/version=13.6.20672.243" /silence=1 /result=1
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQRepair.EXE
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQRepair.EXE" /ext=5 /sid=-2147221502
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start QQPCRtp
4⤵
PID:4296

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start QQPCRtp
4⤵
PID:4116

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start QQPCRtp
4⤵
PID:4960

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start QQPCRtp
4⤵
PID:4800

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start QQPCRtp
4⤵
PID:652

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCPatch.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCPatch.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2780

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQRepair.EXE
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQRepair.EXE" /ext=5 /sid=-2147221502
3⤵
- Executes dropped EXE
PID:4308

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCTray.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCTray.exe" /showui
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQRepair.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQRepair.exe" /master
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:5652

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start QQPCRtp
4⤵
PID:5812

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start QQPCRtp
4⤵
PID:5908

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start QQPCRtp
4⤵
PID:6036

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start QQPCRtp
4⤵
PID:6120

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start QQPCRtp
4⤵
PID:5456

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCPatch.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCPatch.exe"
4⤵
- Executes dropped EXE
PID:5672

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCSoftMgr.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCSoftMgr.exe" /parent=user7000
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:5868

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCTxtExt.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCTxtExt.exe"
4⤵
- Executes dropped EXE
PID:6064

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMContextUninstall64.dll"
4⤵
PID:6036

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMContextUninstall64.dll"
5⤵
- Modifies system executable filetype association
- Modifies registry class
PID:5564

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCExternal.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCExternal.exe" /browser /factory_type=1 /id=1011 /url=https://s.pcmgr.qq.com/soft/v3/secindex-v3-16.html?version=13.6.20672.243&guid=1D18EBB2B5071A973DA41E0CF381DCA4&from=0&featurever=7 /browserstyle=-2147221492 /nLeft=0 /nTop=0 /nWidth=0 /nHeight=0 /hWndParent=66224 /wbmode=1 /strMutual=OpenDetailPage=5326,GetNotInstalledSoft=5335,DomReady=5342,GetStatusByIds=5331,StartDownloadSoft=5330,RunSoft=5332,Refresh=5329,CurUrl=5337,AutoSearch=5338,ReadDataFile=5339,WriteDataFile=5340,OpenGamePage=5369,ShowRightTitle=5336 /fScaleFactor=1.000000 /hWndSrc=2949780 /procid=5868 /threadid=408
4⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
PID:6080

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\qbclient\qbclient.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\qbclient\qbclient.exe" -host=tab -scope=6080 -cred=992 -group=0 --groupid=0 --no-sandbox --force-device-scale-factor=1.000000 --client-id=QQPCMgr --enable-npapi --singleprocess_mode=1 --nodiskcache=1 --qbfeature=16400 /prefetch:1
5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Modifies system certificate store
PID:5984

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCSoftCmd.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCSoftCmd.exe" /command=CreateSoftLink
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4280

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCExternal.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCExternal.exe" /browser /factory_type=1 /id=1011 /url=https://s.pcmgr.qq.com/soft/v3/secindex-v3-16.html?version=13.6.20672.243&guid=1D18EBB2B5071A973DA41E0CF381DCA4&from=0&featurever=7 /browserstyle=-2147221492 /nLeft=0 /nTop=0 /nWidth=0 /nHeight=0 /hWndParent=66224 /wbmode=1 /strMutual=OpenDetailPage=5326,GetNotInstalledSoft=5335,DomReady=5342,GetStatusByIds=5331,StartDownloadSoft=5330,RunSoft=5332,Refresh=5329,CurUrl=5337,AutoSearch=5338,ReadDataFile=5339,WriteDataFile=5340,OpenGamePage=5369,ShowRightTitle=5336 /fScaleFactor=1.000000 /hWndSrc=2949780 /procid=5868 /threadid=5908
4⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
PID:5888

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\qbclient\qbclient.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\qbclient\qbclient.exe" -host=tab -scope=5888 -cred=844 -group=0 --groupid=0 --no-sandbox --force-device-scale-factor=1.000000 --client-id=QQPCMgr --enable-npapi --singleprocess_mode=1 --nodiskcache=1 --qbfeature=16400 /prefetch:1
5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
PID:7032

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\qbclient\qbclient.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\qbclient\qbclient.exe" -host=tab -scope=5888 -cred=1804 -group=0 --groupid=0 --no-sandbox --force-device-scale-factor=1.000000 --client-id=QQPCMgr --enable-npapi --singleprocess_mode=1 --nodiskcache=1 --qbfeature=16400 /prefetch:1
5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
PID:6568

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\TSWebMon64.dat"
1⤵
- Loads dropped DLL
- Modifies registry class
PID:4052

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCRtp.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCRtp.exe" -r
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCTray.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCTray.exe" /elevated /regrun
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- System policy modification
PID:4580

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCRealTimeSpeedup.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QQPCRealTimeSpeedup.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe "C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\TSWebMon64.dat" /s
3⤵
PID:1452

C:\Windows\system32\regsvr32.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\TSWebMon64.dat" /s
4⤵
- Modifies registry class
PID:4440

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\qmdl.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\qmdl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5324

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" C:\Users\Admin\AppData\Roaming\Tencent\Config\ /t /setintegritylevel low
4⤵
- Modifies file permissions
PID:5620

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\Plugin\QMBlueScreenFixSetup_13.6.20672.243__1594805313978.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\Plugin\QMBlueScreenFixSetup_13.6.20672.243__1594805313978.exe" /S
3⤵
- Executes dropped EXE
PID:5812

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\Plugin\QMRealTimeSpeedupSetup_13.6.20672.243__1594805313978.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\Plugin\QMRealTimeSpeedupSetup_13.6.20672.243__1594805313978.exe" /S
3⤵
- Executes dropped EXE
PID:652

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\VolSnapshotX64.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\VolSnapshotX64.exe" 00000003000000010501010000000000000205010000000000000003050150000000
2⤵
- Executes dropped EXE
PID:4152

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Discovery

Software Discovery

T1518

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\ClinicData\pic\Both_Disconnected.png
MD5
00ef699da2be626beb8957d69783cf45

SHA1
a381db99b4c39b6af39e39820adab2d38cb5ac18

SHA256
1efc1cdd056be89f2f37253f3845c99708fb6e60ab243179390996915c4be02b

SHA512
8ce2d3be5e9a00b5372c2640ebe3fc8dba492437964a5961b904cb978cea1284a9684d0ac2868e2052d677051023093332a09c9a675b0916b3468ee78929048d

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\ClinicData\pic\Check_Router.png
MD5
aa19bfbfedc591a531e1e6bd775f296b

SHA1
a93012d5ed23695c0c2701a4e7ceb430b55f741b

SHA256
fecd26a1fd8bca2f88a758c0df90bf8cb6d9476b61a89806ffb06399037eb502

SHA512
2223a33209c040fd96b13f7bce314116b410864dfa9f9a119271f01de4460c4f18935c6e6ae0cba78bf4399b7b926b8636796b52630122513244c73420bc0497

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\ClinicData\pic\Check_Wireless.png
MD5
752f6ed337ee1f8e8c944400757fa52f

SHA1
9237b59a2d0c9dc2ed06bb61e444ff5dae1027ba

SHA256
433c2f423344f967de20e933cc9134ad7b2fa3e669d144b620500946960b3ec1

SHA512
2945980632b15e3dbcc49b5c7342f81397f97e9862a841e21fb027d297c448ae70b7c36475fecc8de9ff6f698071d006cdcad98d5f6cd9de01d84f236641af02

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\174CFEBD82149B585C07A945C7A94AB6.png
MD5
174cfebd82149b585c07a945c7a94ab6

SHA1
991499483f23b1f4225475144f9aa8c9fede4cc9

SHA256
542b03ae170144603bc5ab52d47e9649aeb87df9d025743b21b6602bd3cf7250

SHA512
b961ce8878149c95d390230dbff6d6a45436e164094b8a4f57e95623c1d46b4663e57e5606c945547175514a66a5f3ea81f677878a04223d3f0da4ea8da228fc

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\30FF47F04BAD25FB17B32A76EADB240B.png
MD5
30ff47f04bad25fb17b32a76eadb240b

SHA1
e40ae4a17b71d27a0bad91b094f110db533a3f5e

SHA256
c54d8eda61ee3ef782cdcf77ad3a56f01df73200bd880b78a7034ae2dc42d178

SHA512
9076236acd816281fcd59c007c6f2c7b5f8de30cc560c8ffba77f287fe2299dc543aba8e26f503544ca1d76121c8ad12960762f6d890cd27d5e5a7f7f5988402

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\33EEE547ACCEC775CBD9D3FE34EADA49.png
MD5
33eee547accec775cbd9d3fe34eada49

SHA1
79bbcef6851ade8cd1c8bfc306cebc31891f7308

SHA256
d0e611a3cc8d039ba58db6bd8b7e3730fcf8a84570ffe271597390e9082cd4f9

SHA512
bf082db2cb3fcffccfa820760cdf6c7fcc995b33543b0a107b4d7198d694503e575673d6dbb8e7740cf8869bf173e9dcf2b09dbcccdcaa3c7fcd65bb74f2f1bb

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\518D8DC197284461A560F05A4D67F39E.png
MD5
518d8dc197284461a560f05a4d67f39e

SHA1
c47499885631f46840818f159c6ee5ecf44debc0

SHA256
2ee41da793d054eb2eb1459265d4ec61cef71523e416e10922bfd9391dc6fc79

SHA512
20b715e5465be878045a61ca343ed268c36545230540f319259d54c3c1ff44633a6f7c6f4a4cc10ce29ec197b9d5f9eb1d4458ac61653b4cf62c4cf3fcad9277

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\55A6E0FBB236D9876050466F65150A82.png
MD5
55a6e0fbb236d9876050466f65150a82

SHA1
ead1e125e09111b5b70456de224a98da65e02407

SHA256
69996ee525fc2993bede7e0246308fa434ad6a147fecfaea6ec2aef2502bdadc

SHA512
a78133876c3ac6ba0fcc52b53aa753bf6775f3c95144c08531ecab4b9abe746233f550b1a89c6d6eafe16f2263745486b536fdc27375246031463a4c8a61f48d

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\574A7650A7C42D9564DDC2F09318F994.png
MD5
574a7650a7c42d9564ddc2f09318f994

SHA1
b9a2f0b8c0ffeb40330b150cc9fd984134b2d313

SHA256
3be907261254d9bc5db4abe8c1daccf84c24270bc796c5cf6f35549de73b4b9f

SHA512
0b211e43fe7f382b1187750c45a3179ed6916b15e301acf45380353614ca9e3b8408d7526c7255cf4307fcc05aa34e29ff5e8c20026e2aa020632b843aa0c9a2

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\5963F88CAC90027875B790F084AB2F50.png
MD5
5963f88cac90027875b790f084ab2f50

SHA1
139aa8c85aff31dacceb01127a838f343d9fdacb

SHA256
d34ad7b5cd5cf5506d4ef40a1691948e6782a659fed89224676cee30f65a1e68

SHA512
fca239f4d5d3165461d6160e6ab1a8c4400a4e01319db9781f09156dd7eca84d987f6227a94dff8342b62dd341abdb85527597409ea5bb779c8bf16b10fe994f

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\67A80AD380340715C89E6A7839079A56.png
MD5
67a80ad380340715c89e6a7839079a56

SHA1
8faec70622bbbc684e33e8bc7b47d9b28ff39fa6

SHA256
9515c45e831d0f41478b526248c072977b726ccca753db27d11800bcf9e43104

SHA512
495045ab4b0489946219f48350cd28e531e7fe205f2c93c24aab4b469c5e86cc1f31c679f4657b2a0c834897fcbf3595153dd396c3791dd70fb08176160f80b4

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\6C89F1E0D917E59F1F6508EC4B8F4020.png
MD5
6c89f1e0d917e59f1f6508ec4b8f4020

SHA1
6781f40633d001a9ce0a1de5aad0d41124f486b0

SHA256
c082d7bf27352014ca026a94829497690af8d693facddd8a48f057715b6bfef8

SHA512
ef2da06fa8b283354aceebdf8395f1831696b591783634498e8ec1fcce70921d3aac52f8040ba972e09747dfa8f7c5fdaeaaf7913215cf1cba352377d136d97c

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\6F41F4914A42AE92A487D6C8266A00D2.png
MD5
6f41f4914a42ae92a487d6c8266a00d2

SHA1
0689d4af84eaf48db145cd84324ba139da60e5b0

SHA256
5494de5204ccd8679aa6bbf47336895b77ee7ee41678f6eb94446f0442e37d60

SHA512
dbb140fa6082b3d0e372d506961f4f77275d1524dc8e6875ad9e125525ef994f7075ef24b45cd6800c239f8c294431f5e7e66da379a3437dfdc74cdbe603b504

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\75470F0D685F3B8240A5CBF5E20434BC.png
MD5
75470f0d685f3b8240a5cbf5e20434bc

SHA1
1fa9845e0c9f06294f00114c74db7949459af778

SHA256
ed938e0a94f550ca0e69dd37bb9f1f0c7223cdaafb6a5ba52bdb27d34f6e4ddc

SHA512
1c85fec104a1a5ae5584b500ff191c33451529786eb4b04014d7449a66cde0d4eba638e3c2a3a022adfc23be099c4fa89c44d2b57692ae38990c14c36d61cb81

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\858FBD4B558F0E5AD8FF38489EDB4434.png
MD5
858fbd4b558f0e5ad8ff38489edb4434

SHA1
c387cadca2fe2800008fc5688beb65954df9171f

SHA256
5afe9c09459804b3d478302140bb078c48011c2e1380949df5b42bfb434745d3

SHA512
b5b4eb18960568cf69c5ed522bee1dba9dae7307b99b018d2ddcca3b8fd1171f1aa9318c12e42900bce964813912645a65eb5eabc5369629fe7850463038e64b

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\98756B2953BB5BD65CF206154E47CF96.png
MD5
98756b2953bb5bd65cf206154e47cf96

SHA1
89785cfa73221ae120ddaf4aff78d65cf15cc7df

SHA256
b64286991d5a6ffcf5dc28d6935858e39cf63ebfb5586aaa703df87be60791b3

SHA512
5ed65569a7d33227eae4f82ecfb9f3db89e7a4b371ba52e3fb739ca2d27440644cc90fdeda29daf4fc2f61175f1e0d48937e6e86a5414d2bc01dec3bbfdc7b19

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\98B357546E6446308A46CC818071F1A2.png
MD5
98b357546e6446308a46cc818071f1a2

SHA1
02414d2b40733d351a61a88ca593de3c27da36c3

SHA256
15521c05470a9bb5688f375f866cfb92722c9e099e8160031ca7bba33f9ec19d

SHA512
2476c18cc08e9c46abbaf6eee480bc2287495ae6a7401ba0fca7368e734256562f65cc438c9ac6e7246925ac9eac3b95a5cb423fc132da2a5f3847066a208d4f

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\98FBBCD596E587F39275FD127B3BC772.png
MD5
98fbbcd596e587f39275fd127b3bc772

SHA1
18dd3f4759a042b85178b0f11fc9876bac495f8f

SHA256
d8261dd59bb488fd88c326b8229f58cb97d54f8fb289c069e697aedd716d29ba

SHA512
2622b10af8e6a4a47acbc2dfa1a326e8efaa465395d6c8705f2b2b881dafdbf903ecbb8aa957373636f1c6e3a48744a3b870b2b1f6de356c356f4afac6dc0e2e

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\992D6B931FC570214F4A06152FF7B6F9.png
MD5
992d6b931fc570214f4a06152ff7b6f9

SHA1
ec3c4b94cffaf19cacf92a6399989919115e0a7d

SHA256
b311a858bf773354c019ed7322af14e0322673c656955ff7fce727130a047bda

SHA512
b599bc19831644bd1c96f819b3a8011ece78f926629f5fa87c136879dc3d9d10efd94ea47cdde0a061f0db9f83913a113b3a072643c075f0b551cb95ae7cbdd8

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\9D6C00A64695C74D3963715E2189124E.png
MD5
9d6c00a64695c74d3963715e2189124e

SHA1
f5c95ae62abed2b8487011eeab67aa107b5704fb

SHA256
04219886a42560177a86391c108aef621044aa34233c3421a87a8f0aa0217f92

SHA512
1edc3d624ae9b2b5eb32130abe8bb4053e1e5131dc1c7c12a9d9244d335f23dddb861c59b62cdb6a73cb9d67d69b094487e4f1aeb3a895274cc9a6959a3c6a83

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\A9F6A4D231496119A95ED90CFDE77021.png
MD5
a9f6a4d231496119a95ed90cfde77021

SHA1
45814350e647e71f417ff6eaccc586327f2f61f9

SHA256
0b6bfe7c30f504f6afd9ae28ac0f2e4fcc58f89ebb7fb299c917666f7af82e9d

SHA512
c8f7de4d40cd1e1c54f90dfde9d30d199d74061a759e1c7262a5a68e89db300ce1675d6610099103ccb309da432223fd3343ab4838c88488c25d67c15ee2d20a

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\ABB57EDD592C6DC7158188880CC24F80.png
MD5
abb57edd592c6dc7158188880cc24f80

SHA1
be703a0cc146eaf52504c70ebe7e5b11289b998f

SHA256
ac98b4fafc3cec42c52b803aa600e20b87a7b62d69720e50992bfcb1f68c9fb0

SHA512
8e0deb5122eab44d3f24a8448449e3142f7702495bc9c6627a1d480e78f9913ada19edadd86b7da68f27c6b7a53e545c2feede7a081f16b5ed2b150984afb1ab

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\DB377F81C4E4BF04554D8828CD33135F.png
MD5
db377f81c4e4bf04554d8828cd33135f

SHA1
19f2af6d65f537e06d18518fe60d1576a38f14c4

SHA256
f7ab59c19680c56107e5f61b809e56802b9f4385343087ddb83ffd748681d8be

SHA512
0574de86297632e5500fc13336e4db4f507b18e9450aff7f56830a6fda8c593d0f6d73bcb8a390b282ff780a918ec5f42a86d09b3f18a4ca7413e905293cb7a5

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\E15F2E82435E1BFD4BF74924006C0A0E.png
MD5
e15f2e82435e1bfd4bf74924006c0a0e

SHA1
26d73c51beef305aa8a4dc43f6392985e39bf41d

SHA256
6ac797727505b2af2b7dc9904bb56934e4893fa9f0431bff9eeccae55f752c44

SHA512
6619bc9899b2ed27a8343ebbece1ec6cd058178800a350a2062051f7fb7dd9355f70e880c8058d4fc79b5fa2ba95b8565d4901a743995d3188ed181dea79f5d2

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\DefaultSkin\F283FD745D47E96E9E9A5E925935FBBE.png
MD5
f283fd745d47e96e9e9a5e925935fbbe

SHA1
a5dbc044f5c6661765ae4c748623be08d97a5c86

SHA256
b1a53b3b63f6fcfc0ea9e2ab2a4bfbb3ab0b5b32b8b54b6bf3b476903ebb090f

SHA512
cad9f0a48bb13f078abc37b4e789f206ff1175082e30c5084c12b697152e78c574acbf171a265c59d7e06830bdea5658aab85cd6371ce8e4f114c4c3ed595b30

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\GuideCloudData\GuidePic01.png
MD5
47eba2d8ba3ebfe18da726228fd8df00

SHA1
bf74a756a65d6f06169f2dfdd94905b4b16838b2

SHA256
602f2d4a056a3d86cf1b1fa20d753a6a224df7aafc726be119f1b43b9841067e

SHA512
b4ab06d56bff74c783a17f051e538ef911e97f546ec8ee0b82a5e4d8b787a0912b7c604cfbf3ce3dd94b9fd50ab9b0ffe64d3ad56bada3aaf6285c9425f45161

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\GuideCloudData\GuidePic02.png
MD5
732710fb89bebf3ca3bf4ed67fbee046

SHA1
af88b1b6d5e939e48f70df3e9ae0fa3c7b8fefba

SHA256
1222426bc097d3d39701e2c62b81b23b1bda8dbf657e8fd1ed4f7c0e5f5cf69f

SHA512
e228535986cc5ae915afef12ec6a826522279f8b7ee8c6e8188384a53cd0988c2d4c18cf50a25972d59695e88a1e04f10578c955b8626ef98d5fe4c890dbb15a

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\Image\close.png
MD5
cd98f1b5efa05cd96201b58fc1567510

SHA1
f1897550f90bd0b7c4015850160b8b45f7bf9fb6

SHA256
54a7156af309bf1c7a42cbfddffc4114b7e03592075e56ca4810f66a0fa9eb4d

SHA512
bad88b9974d1a7cff50d38ba0caa222dc3e42efa32e88f6261be8f204a0957564e056f4aa0f8f1b1dbe5b637a927b878fdfc76b2f17bb1b3416df038063f47bf

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\Image\net_err.png
MD5
76470b2d82ffcf43942beb58764e73f6

SHA1
acbc7e7da55294646ec4badcca23ddbc76b92197

SHA256
b3dd19ce0378ec68085e13952c2efffb7d520d906dde3609cd97f4b56451ae58

SHA512
8f3593dd699315864cede5534c6802ad5904f6e62f6952059c1376bac5b4b5229d619e9b2aa4eb1f66836bd4e1f5c042c0bf51bba1d1a1ade462b250cc29b0b4

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\Image\point.png
MD5
d1a50b8e94c6a1e05e7f56f5f8536667

SHA1
5f2d15204b4e69fb450e7b6eb3ff56d885de5c12

SHA256
6fad8542ce67198cab418e56eb2523e2a9937852dd557afb7ce0c77656e892b3

SHA512
512eeb1b6538fa8501184bdd4d30b8668199e90b12403f8deca9592aedc4d1193f6a940548429002508f8e10914b14a249de0feebc3aa4cf8540c736187db01d

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\QMRealTimeSpeedupSkinCenter.zip
MD5
10e324f3650b35d8df841b5ec13018b0

SHA1
a1603383a45a8b0aaae803cc1f3161712124e186

SHA256
9dacf24bd588681415187d8bd173023cf5e2b8ec55ead1cb9ce74877bfeabb2e

SHA512
6a2169859fa6116b3aea67fdbcce4bfe9b226165d738f18bb2ff37f421566a0505271c66cb0dec64bf089e41e7823b2e00d5593d403dfef2d34e7cfd1feee495

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\BusinessInfo\res\business1_bkg.png
MD5
0b17268f47145b80380d887b00d60708

SHA1
d2e605dd314dd0c6076378b2a22a1fa53bca6f33

SHA256
a239f9bbafd79d24a65d5c38eb3d286ce6a3ab958f3210b36cd3ed0034360d9b

SHA512
8741f100d0b4b9fb4e41f323d4aa8247e7f8387b59f7b080e0d465019bf2c8be25a4d98d186d105296600562039f0f87c8c4f10be9a4304072abf3b1fe3938fe

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\BusinessInfo\res\business2_bkg.png
MD5
bf69d3ed4a10c1459c87e321a7b1954a

SHA1
7ec754a6585d4cfdddaa158b06577875001dd643

SHA256
f1ffee9b85a18eb32e672d6978c6b207b6fc2e4069a30c9260aa08d50f74af67

SHA512
e5b356cc5abcefb40a9cf1fea72ed556849ebcf42418b09ddba7eaa7b29f87b7284294d969e638fd1b73b2b3578c7261900cb0a6e1d70f7c99f2f3c47d98103d

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\BusinessInfo\res\business3_bkg.png
MD5
e985346b6202b2e47aebab7984704df5

SHA1
19a08f12412de93929701c630017159ecbbf0186

SHA256
e7d9811d5532c3cfeb631bf9c7fdecfb41ad1adcd92e91ad3177cfd581a102c0

SHA512
66f6a7810f857afc035a5341ef0243850975b2812720ebdacc9469ddcf810f02d60002b0fd0c8346bceab9230de00accbdb98a0735bc2f71071c73faab8d86a8

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\BusinessInfo\res\detail1_bkg.png
MD5
98883b3a4c465581e9e84b983af85a60

SHA1
442aa3aab390db8d5c1396827e0525e22931505d

SHA256
94f9c17cbd41e933c9336f91e064859ade1b0eb6710830046666e96a8446a9fc

SHA512
00f7bef97b9ff73c83c37b0d57f709746d76e7017e8b36e3f261f9e12099d46fbcccb6c797cd8ac6fd119681cc0031e27ed0c7edacce8165a2df05791b009271

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\BusinessInfo\res\detail2_bkg.png
MD5
c4f4f9e7b81664f82893219c7fe9b50e

SHA1
d4f348cb193d7aeb13a873b156d4a50ae2aae878

SHA256
9ffe00c24e05dc231b144697efd3d5305f3276742de6af046cd389e9cd12782e

SHA512
20b7610e61a2bdc1ddaea5883f831b403d1a3e9480c800f073fd9cf5a29f836bc69522bff0d93e31a8606132b6825b34cf667ed00aa243496893da9d986bd2df

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\BusinessInfo\res\detail3_bkg.png
MD5
e64e9d653455a42d218475da741d84d7

SHA1
22e1f65d6c1a37b5b13dbe85d15f0ff4261d4080

SHA256
6baeb29f7e88f17b265f93b11685cd397573abf0f38ea7da67365d08fb670e8d

SHA512
d612081c9a2ace92886f71423ebd6948ac10740048e26c830d730cf8332ae53f0ff45c379beff0529a45bffe1f392d30e27876a1a30614dd1cc35f88ee32552b

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\Logo\Anyun3killer.png
MD5
01c6fccd8173e4298bed38b168c74e79

SHA1
ef1ce6a0564c5f292cd1daf59df258ccd10a4a9b

SHA256
9a723d7b8d569764947c849643babd7051368697d881894d54437f46da088ecc

SHA512
5a15c3eff14052d745c0aadc5fcb104f033a852651bc020654dc3e3d90e933851666ab7f32c937995f1c7c705e3ad30d2f5a43f704028f1cfee3b0c9550ef67f

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\Logo\AppMarketPlugin.png
MD5
8d6e585aed5e0b9557901f2106fa6b55

SHA1
ed148aef3f5e8808dd33436f50a8fc131352217e

SHA256
35aee7196e14e414938fff76615882f3d8d2ddcaf3dc8a5ce7af83bd5b7b8137

SHA512
08b5a56766181f8802f54a45635dffa15762ce2719a8a53000bef1c4c126cc1c910e8f00d2e51369e6431e2b7a8ebf90f82fcb20e857d2a43e2685931bb4ee66

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\Logo\DeepSpeedup.png
MD5
115889be846e8470c9c8e83d543632a0

SHA1
74a783dd7b5c687804b970631d5fb3e33200a62a

SHA256
3d7e287598d2c94948925bc1fe9f0056ff5ad4695d73932c5a842e81e55ff3da

SHA512
1fbca4b3651cefffd3a6f82849d00eef3204a5c9f8264a503581c2c38cf644a41b1ce61de3e177d123e3bcd9545dbdd15c4a00dc1f1ae1302040965af007c24d

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\Logo\Default.png
MD5
33ba276c85ab8b60b5f3bfd4b2efb68a

SHA1
2dd91887547b6041b3ca6b1adc2732636dcafbfc

SHA256
974f079592b94c54e2797a51d0cb507bd79daf995d1688e8f977c9fc99488e64

SHA512
b4b4b5d0c0a70de2d153a15eacca8e43b1ed4701e16e64f3a3a5c28769ab923e356b5c81abc0cc2bdd67c50d9f9048edaf10b8a5e858f24b9bbc9957617f5dfb

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\Logo\DesktopMgrPlugin.png
MD5
7233a2685245b00a058a309e90f3d6f1

SHA1
8d764b3018a4de2cba5edec30c65b4c5255baffb

SHA256
7443b0a1fd6c2c08903e528f7ae37267b28be9f45fe34dbf474d05b31ad70df9

SHA512
dd14c42a78e5cf22f10cda9a122c73c614c56efc2fa65073597c700be1648d57bf56846798a53d7cfef1e26c06fdb212a704fc6162af55deef226de53e8314e2

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\Logo\DocManagerPlugin.png
MD5
4553295da6e2c8f48701a93772d5684b

SHA1
41104767ee12c8a3dde494d8830e5315fce2fe95

SHA256
5289fe95a8ac51d14c0f4df616f607ada6989bc2371a7ae425e14f8c0b090644

SHA512
0e5f4c43f4bcf8fee7e0714de808d0e9b30990e6e7f68d7daccb1a8dc1044554fe41561f51c624ab3304e15f218116a8e9cc91c911020ec7aad2d9249da1a704

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\Logo\DownloaderMgrUI.png
MD5
680e35bb0777f6035fa6f820dee94bf5

SHA1
49ac84a28c3ee1df2a9e20b5ee2156ef6f1a5f33

SHA256
83e13d5b278892a80fc249a777d0b680a26e1022698736543b2cb8cfb375fdfd

SHA512
9ba89c700eb5f550db7052358052fd33831e4ca1acc558fb318624f23a492f48ebfce552a22a3fb09f48420c439e6d8633e199e836a109a8e727aa0a3504a997

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\Logo\FileSmash.png
MD5
6726047aea1db423af7016de0a4d501d

SHA1
effc1edfc70932c92489459d22e8973e4722780f

SHA256
371c6f598ee98dd04e34d452641948349da8deeae6a8d053b1fc5a17cd706e98

SHA512
19663cf34dd5002ad244fcbf5cd67a89d414f64ebabcee687e4bb0b951b6d3685f2d58e1fd178c496753c85d39d7c9cb81475eaedc8f1fae1d2b67f43e2b43ae

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\Logo\FileUnlocker.png
MD5
01f0601b0903b434590def63d3bbc5c8

SHA1
34580495bc3a28343868f6d8d059faaac67c4fe6

SHA256
185c1da99559f930b23b2f7c71f82136584c05402ccff4c276eacf311a3fd1f2

SHA512
2fe2bb37e663623ab4f3f61e5d25ed2b25426b02ea3c9afd9b1b870f2aae71e6e9c3dbe589ad8af0298846cf2d88bb98703e105d0cfb3277876684fbc5763ba4

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\Logo\GameBoxPlugin.png
MD5
c041db206c5213ba992396b8aeff4a71

SHA1
bbaaeab2af3cdf8a06e91058069bb7b064600e77

SHA256
cb44459b6b3f118d9efa11c73d823d78e5a415a6350ad57cabae10e04e8a88d8

SHA512
ecbe874031aef7e12c047459483ca629e2bc0c937f6c68582ca807315b26a40ca303e50fbe42d2562315b41d0038e929fd6f12aadfed84c903a396c527c7fbd9

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\Logo\GameLobbyPlugin.png
MD5
5c38dfc27a0a30843f98906cb7a79eeb

SHA1
bc55429ade291dc157f6c079f3ecf56c1d257133

SHA256
ea81b1463d682d69388ec570a7b2d6225f4c47b68e8cd51d45cd3591e2f956db

SHA512
1f6efde1080ebfdec06bd1762fc810cc03973539005197df2e353383adc9153846103b983451113a0ef7a600f4c91c824c4da8e7645624615bf109ce052211fb

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\Logo\Ghost2Fix.png
MD5
8784363bd46f3ba4555c9d1f4ea27165

SHA1
79387184069333e17c9490eddae19891784675d8

SHA256
81b69ca392f2a00d2f7ead5564ba326b219bbc64c27ef2f9416518a0adfabeab

SHA512
932ab7dffb1f39b415470777bc9952cf4c0898a34bd90d397b64f2704d4e8af4592446e26d5d5107f17f9dc1ee31ef1550806bb2bcb49bb1983305dea52ea98a

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\Logo\HWPlugin.png
MD5
2a725dc96a8165124dca0b0c33738ad8

SHA1
e84183338458a19e888e0f38ca4b3713d60742ce

SHA256
b12028dd34cbe97d61215211b0a8dc4b367f9f3f1b3e9abe18cd12ff2c3af972

SHA512
b8476ae9414a3a2d81081250a8799eee38787e6a53bca99ad7ba7f6a019b1e49be941eede185dd46a3d010e9d6d2a678d05be8aad01f77641ee0aa13931c0b6d

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\Logo\IEStartPage.png
MD5
5165f30600eaffb6b3647a0b8b128e83

SHA1
9d2ad9bec172ab7ee39678e3ccc319e715f74eb1

SHA256
04288731b43616f4080180d6db2129a01a0afbf2f79caf6929e82c7b5ff56e9b

SHA512
217a013edc82d93299208f151cc43f6c9f9cfd72af9c524c551dffe718b0db9e52cb089436f9cbe3c39665c219b8ca9fbe0023aa4b73ce18c745cb0d3283024a

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\Logo\MenuManager.png
MD5
246fc4e9249d6030106d88eb0dcefa80

SHA1
321ce5a63b98f616cc685b6377e268b125d38a12

SHA256
7dfd36ba36007f122dee2d6cc95b30c5788ab6ed864d796ceeaee870390d2c5c

SHA512
5c59dba5a2ba49d3b829f43d9480d57f98ebbcf50589852cc361687910f5f8947d4e0b50245c7c3b0409a0ab8f37073ae655e0da6fd34f28ea294730244d664c

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\Logo\NetMon.png
MD5
436dd7c73a0646566ceb228943fdf7c4

SHA1
d23b20be23ac7f28c031169e0f741149d86908fd

SHA256
39202cea292e796a4479c41c8304fed75a5eb3d28520c3c327847234cbbcb6c0

SHA512
0d12817437f9f85c46e79a8430a078352e493376b592dd11b4a0075facf694d67d971f3a44fcda81ff70ae45bd8ae91e41e273dade0521c835338ca6093fd5b9

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\Logo\PCmgrFileRecovery.png
MD5
da0d2ffe0a36c254f5d5f8415c795355

SHA1
7f086f4d65635a055f61f7568bd7758990248996

SHA256
b1b24d83fc76f828fde5d7e71ce6af6aed110c688dce18f7c3b31c48ef00e4ee

SHA512
b8cb0e56aea004b1dc10d54db6f540820eeb2e2ea882921aecd783c6fcf4abefce6dce77d21ca7d5245162ad2698a9dccce890f31d006e76fabbce6e6e6d1cfd

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\apps\Logo\iToolsPlugin.png
MD5
4457eddb396ebd9c694c90f67a777536

SHA1
2d19e6bf912744a9e8753afbe2b0baa757545cd0

SHA256
dd722d2d43c76ba44379abc6caea378679ebd4d2d8c40f4e18351d9b0f51ae3b

SHA512
8e4327ba752619322e4c0686fbc96b48035002280bf3b12c0f6072a7425cd8239ec011da948524ea4b7f07a3cc3e9034fb6238c2af83d27d9870e9ca8203d3bd

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\gjddFlowAS
MD5
77c524427249e3428aa92b04df1dff36

SHA1
6a3e8c096d7fdb515a5ef13aa54d624526c181f7

SHA256
8c14d4eee6b31aef7d69f4b6f7d25ce5e806e4dff43fa625aa97031895cd92d2

SHA512
e59d11abc625c77ac2852a94b9ce38d445245910898e78ead627d024275990461a476d2fc7da7a82ad911845c7eb30d3f1cb15a0084c2efc7329c49a51a4b4ab

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\plugins\DeepSpeedup\DeepSpeedup.png
MD5
835724ecb0801f3bf31aea78714dfbc5

SHA1
592d9d5ff01bcfe5f90f54915d70bd1b2a6fa009

SHA256
b1ef4a867773f3ec8bc977c388eaf2e2fbdcc8989dcb71c643d64e1a60b8575c

SHA512
4112fd24e8359a67981fcdf2609be59f81ca69134c0f501ced60a5271a36fe6dc47919385cb11622e0fc0b23ff8448b4dafa561bed628d705bac45e6bd8d587f

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\plugins\DownloaderMgrUI\DownloaderMgrUI.png
MD5
471dd520a6651137366c2e743c9d9820

SHA1
d678ad5471d9b98396ce88854aedb4dac2c4e389

SHA256
75817f28fc05b328a9fb8b60af281e42d8da449d5f0078a9e3ac9b3411a05520

SHA512
782ea3ca032da42d195e3893bb6f933d382120eac4846a0ef8d25630a27b2ff382dcc60ad52d1e313e75a77dae252c1d731f3091c30d2d4b93473c668d75f84a

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\plugins\NewPlugin.png
MD5
bcd506e9f8084299abccd33cbb9e50e9

SHA1
a0bd2f0ccff362f67ef398b1972f2d755dd155d0

SHA256
214091f5080b3b20bdeaaae6bf684ddbf4775a4811358f5d67c166b62a4f143f

SHA512
569e81387434183efafe88499c6c24b03fd8b00c35c81124916c7a3efbabe687ad1918ac4b34621c2499d35d8521de15d1b0ae0f6596e592e39c438cf3a6a8a8

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\13.6.20672.243\plugins\adplugin\QMAdFilter(big).png
MD5
32a70a73d13b4bf5b367fbd9c5e763c6

SHA1
022972b58915ddc1073b2679e8aabd1a58e7f6af

SHA256
261a335d6513a99040892637a1dd7fed6a6b8a5cd79d241162425421c936a0db

SHA512
c75e01037e5bd41e3b4c726afbab119f04cadca99bce58a1ae6e06c1ed619bacb878f96bfb07fd0706ddf5fb5e10d867e3383f3e539d047f94d2e8bde19a57d8

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db
MD5
aaa5ecd8e5c04a0eff3225ddc907b7e1

SHA1
f389131b7e1614bde62825a3b41e25204f22ca84

SHA256
b3524a4231fddeeada48234c9d251867a423b9b67fbf9b7b44a8976d8cc01889

SHA512
2ec867c03083a5567299df9c1f3909c71b7aad0a5fa609b5f3298a0b10e8e74261ef56e074dfd524a1fdde81cad6b42f08dd308ccdb5a5f699ae4bd9056986e3

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\QQPCMgr\Download\QQPCMgr_Setup.exe
MD5
3efe337c046834114a5b907387541e79

SHA1
8d3e67228db1ab0cf77de409546cf056a6dfb97b

SHA256
cd6a75706684e2365fad82397bcb711f87e1f4b6899539fa4b6ee28e1dca150c

SHA512
c2ab461ffba1b4855b00ba56f82abd88970c6484df257e5f2eb3270afea19dc89b3ae7e233e84044e6cc04b24fe5ae7bf83749653819199264b5b124bdf7a4a4

Download Submit
C:\Users\Admin\AppData\Roaming\tencent\QQPCMgr\Download\QQPCMgr_Setup.exe
MD5
3efe337c046834114a5b907387541e79

SHA1
8d3e67228db1ab0cf77de409546cf056a6dfb97b

SHA256
cd6a75706684e2365fad82397bcb711f87e1f4b6899539fa4b6ee28e1dca150c

SHA512
c2ab461ffba1b4855b00ba56f82abd88970c6484df257e5f2eb3270afea19dc89b3ae7e233e84044e6cc04b24fe5ae7bf83749653819199264b5b124bdf7a4a4

Download Submit
\Users\Admin\AppData\Local\Temp\TencentDownload\~f73ef4c\QQPCDownload.dll
MD5
aa142942435b567595a71eb4eb402579

SHA1
790ed6f6e5016b8873ce1817bcc96024a0e768de

SHA256
73a934147b27437f91517ed9ed7eb20fb54e222a1bf2047f201ac668455c0f1e

SHA512
e8a9d760bfac910500a56aea8e3849bc3e73c3a0065557dc1da2495d785ba58c428a168a97faebfaa638aa3e285e7141f3937156dc1d26caad1792929dba8708

Download Submit
memory/352-207-0x0000000000000000-mapping.dmp

Download
memory/352-211-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/352-229-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/408-183-0x0000000000000000-mapping.dmp

Download
memory/652-278-0x0000000000000000-mapping.dmp

Download
memory/652-239-0x0000000000000000-mapping.dmp

Download
memory/748-193-0x0000000000000000-mapping.dmp

Download
memory/764-248-0x0000000000000000-mapping.dmp

Download
memory/764-250-0x000000006FFC0000-0x000000006FFD0000-memory.dmp

Filesize
64KB

Download
memory/764-251-0x000000006FFB0000-0x000000006FFC0000-memory.dmp

Filesize
64KB

Download
memory/1384-203-0x0000000000000000-mapping.dmp

Download
memory/1452-249-0x0000000000000000-mapping.dmp

Download
memory/1460-206-0x0000000000000000-mapping.dmp

Download
memory/1704-210-0x0000000000000000-mapping.dmp

Download
memory/1852-189-0x0000000000000000-mapping.dmp

Download
memory/1876-190-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1876-188-0x0000000000000000-mapping.dmp

Download
memory/1896-195-0x0000000000000000-mapping.dmp

Download
memory/1896-120-0x0000000000000000-mapping.dmp

Download
memory/1920-197-0x0000000000000000-mapping.dmp

Download
memory/1988-116-0x0000000000000000-mapping.dmp

Download
memory/2136-187-0x0000000000000000-mapping.dmp

Download
memory/2276-184-0x0000000000000000-mapping.dmp

Download
memory/2276-202-0x0000000000000000-mapping.dmp

Download
memory/2312-209-0x0000000000000000-mapping.dmp

Download
memory/2412-205-0x0000000000000000-mapping.dmp

Download
memory/2660-182-0x0000000000000000-mapping.dmp

Download
memory/2748-198-0x0000000000000000-mapping.dmp

Download
memory/2780-242-0x000000006FFE0000-0x000000006FFF0000-memory.dmp

Filesize
64KB

Download
memory/2780-243-0x000000006FFD0000-0x000000006FFE0000-memory.dmp

Filesize
64KB

Download
memory/2780-240-0x0000000000000000-mapping.dmp

Download
memory/2784-185-0x0000000000000000-mapping.dmp

Download
memory/2784-186-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3120-204-0x0000000000000000-mapping.dmp

Download
memory/3268-196-0x0000000000000000-mapping.dmp

Download
memory/3532-199-0x0000000000000000-mapping.dmp

Download
memory/3556-201-0x0000000000000000-mapping.dmp

Download
memory/3556-181-0x0000000000000000-mapping.dmp

Download
memory/3572-208-0x0000000000000000-mapping.dmp

Download
memory/3616-230-0x0000000000000000-mapping.dmp

Download
memory/3820-191-0x0000000000000000-mapping.dmp

Download
memory/3896-192-0x0000000000000000-mapping.dmp

Download
memory/4052-194-0x0000000000000000-mapping.dmp

Download
memory/4072-200-0x0000000000000000-mapping.dmp

Download
memory/4116-235-0x0000000000000000-mapping.dmp

Download
memory/4152-236-0x0000000000000000-mapping.dmp

Download
memory/4192-212-0x0000000000000000-mapping.dmp

Download
memory/4240-213-0x0000000000000000-mapping.dmp

Download
memory/4244-231-0x0000000000000000-mapping.dmp

Download
memory/4264-215-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4264-214-0x0000000000000000-mapping.dmp

Download
memory/4280-282-0x000000006FFC0000-0x000000006FFD0000-memory.dmp

Filesize
64KB

Download
memory/4296-234-0x0000000000000000-mapping.dmp

Download
memory/4308-244-0x0000000000000000-mapping.dmp

Download
memory/4368-216-0x0000000000000000-mapping.dmp

Download
memory/4392-217-0x0000000000000000-mapping.dmp

Download
memory/4440-252-0x0000000000000000-mapping.dmp

Download
memory/4580-226-0x000000006FFE0000-0x000000006FFF0000-memory.dmp

Filesize
64KB

Download
memory/4580-220-0x0000000000000000-mapping.dmp

Download
memory/4648-222-0x0000000000000000-mapping.dmp

Download
memory/4648-228-0x000000006FFE0000-0x000000006FFF0000-memory.dmp

Filesize
64KB

Download
memory/4664-223-0x0000000000000000-mapping.dmp

Download
memory/4696-224-0x0000000000000000-mapping.dmp

Download
memory/4800-238-0x0000000000000000-mapping.dmp

Download
memory/4960-237-0x0000000000000000-mapping.dmp

Download
memory/5324-260-0x0000000003480000-0x000000000350C000-memory.dmp

Filesize
560KB

Download
memory/5324-256-0x0000000000000000-mapping.dmp

Download
memory/5324-261-0x0000000004000000-0x00000000042EE000-memory.dmp

Filesize
2.9MB

Download
memory/5324-257-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/5324-259-0x000000006FFD0000-0x000000006FFE0000-memory.dmp

Filesize
64KB

Download
memory/5456-270-0x0000000000000000-mapping.dmp

Download
memory/5620-262-0x0000000000000000-mapping.dmp

Download
memory/5652-263-0x0000000000000000-mapping.dmp

Download
memory/5672-272-0x0000000000000000-mapping.dmp

Download
memory/5672-276-0x000000006FFD0000-0x000000006FFE0000-memory.dmp

Filesize
64KB

Download
memory/5812-277-0x0000000000000000-mapping.dmp

Download
memory/5812-266-0x0000000000000000-mapping.dmp

Download
memory/5868-279-0x0000000000000000-mapping.dmp

Download
memory/5888-286-0x0000000003750000-0x0000000003751000-memory.dmp

Filesize
4KB

Download
memory/5908-267-0x0000000000000000-mapping.dmp

Download
memory/5984-284-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/6036-268-0x0000000000000000-mapping.dmp

Download
memory/6080-283-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/6120-269-0x0000000000000000-mapping.dmp

Download
memory/6568-288-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

Filesize
4KB

Download
memory/7032-287-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download