98b6f22370f59fd9482bf2f6c622c2afc92a441917328b2337d4b4780ab7201a

Resubmissions

28-03-2022 02:35

220328-c3bd6acaaj 10

Analysis

max time kernel
305s
max time network
313s
platform
windows10_x64
resource
win10-20220223-en
submitted
28-03-2022 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94fe30df66ffa19efb5d4d95f11212273c008788410c6e59e251589ce1cea5ff.exe
Size

4.2MB
MD5

be67e31b7773601efa2095b71471aa7a
SHA1

9d4dcc899df653e48e6becb3b4001bf6d91f44be
SHA256

94fe30df66ffa19efb5d4d95f11212273c008788410c6e59e251589ce1cea5ff
SHA512

2e125ba0b54b2745e4288b1fb2e4040b2228ad022d9d661400781ca837bd864f5a1eee4c360f2e3fd2dcd35f91d0009ca5d8da7275b9e60aa054ad86432fdb33

Score

10^/10

adware bootkit discovery evasion persistence stealer trojan

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 7 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

regsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextScan\ = "{63332668-8CE1-445D-A5EE-25929176714E}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextScan	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextScan	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextScan\ = "{63332668-8CE1-445D-A5EE-25929176714E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextUninstall	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextUninstall\ = "{CBDECEF7-7A29-4cbf-A009-2673D82C7BF9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextScan	regsvr32.exe

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file

Drops file in Drivers directory 6 IoCs

Processes:

QQPCTray.exeQQPCRealTimeSpeedup.exePCMgr_Setup.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\TAOKernelEx64_ev.sys	QQPCTray.exe
File opened for modification	C:\Windows\system32\Drivers\TAOKernelEx64_ev.sys	QQPCTray.exe
File created	C:\Windows\system32\Drivers\TAOAcceleratorEx64_ev.sys	QQPCRealTimeSpeedup.exe
File opened for modification	C:\Windows\system32\Drivers\TAOAcceleratorEx64_ev.sys	QQPCRealTimeSpeedup.exe
File opened for modification	C:\Windows\system32\Drivers\TAOAcceleratorEx64_ev.sys	QQPCTray.exe
File created	C:\Windows\system32\Drivers\TFsFltX64_ev.sys	PCMgr_Setup.exe

Executes dropped EXE 50 IoCs

Processes:

小马激活Oem7F7.exe7z.exeMiniTPFw.exeMiniThunderPlatform.exekuwo_jm951.execurl.exeQQPCMgr_1100122422.exePCMgr_Setup.exeKwMusic.execurl.exeKwService.exeKwWebKit.exeWriteMbox.exeQMBluerayInsHlp.exeQMBluerayInsHlpx64.exeQQPCSoftCmd.exeQQPCRTP.exeQMProxyHelper64.exeQMSuperScan.exeQMCheckNetwork.exeQMCheckNetwork.exeGameAssist_Setup.exeQQPCTray.exeQQPCRTP.exeQQPCRTP.exeQQPCRtp.exeQQPCTray.exeQQPCTray.exeUpdateTrayIcon.exeInstallUninstallCube.exeQQRepair.exeQMProxyHelper64.exeQQRepair.EXEVolSnapshotX64.exeQQRepair.EXEQQPCPatch.exeKWUpdate.exeKwConfig.exeQQPCPatch.exeKwUACSet.exeqmdl.exeQQPCRealTimeSpeedup.exeQMBlueScreenFixSetup_13.10.21935.215__1619169878035.exeQMRealTimeSpeedupSetup_13.10.21935.215__1619169878035.exeVolSnapshotX64.exeVolSnapshotX64.exeQMCheckNetwork.exeQMCheckNetwork.exeTSVulFixInc64.exeQQPCSoftTrayTips.exe

pid	process
2704	小马激活Oem7F7.exe
3104	7z.exe
3836	MiniTPFw.exe
3780	MiniThunderPlatform.exe
540	kuwo_jm951.exe
372	curl.exe
1904	QQPCMgr_1100122422.exe
3664	PCMgr_Setup.exe
4036	KwMusic.exe
3980	curl.exe
3196	KwService.exe
3032	KwWebKit.exe
3644	WriteMbox.exe
1576	QMBluerayInsHlp.exe
672	QMBluerayInsHlpx64.exe
3932	QQPCSoftCmd.exe
984	QQPCRTP.exe
1160	QMProxyHelper64.exe
3656	QMSuperScan.exe
3392	QMCheckNetwork.exe
928	QMCheckNetwork.exe
1636	GameAssist_Setup.exe
4168	QQPCTray.exe
4212	QQPCRTP.exe
4348	QQPCRTP.exe
4404	QQPCRtp.exe
4544	QQPCTray.exe
4580	QQPCTray.exe
4644	UpdateTrayIcon.exe
4664	InstallUninstallCube.exe
4112	QQRepair.exe
4732	QMProxyHelper64.exe
4832	QQRepair.EXE
4136	VolSnapshotX64.exe
4692	QQRepair.EXE
4916	QQPCPatch.exe
4172	KWUpdate.exe
3552	KwConfig.exe
4784	QQPCPatch.exe
3484	KwUACSet.exe
1844	qmdl.exe
220	QQPCRealTimeSpeedup.exe
5276	QMBlueScreenFixSetup_13.10.21935.215__1619169878035.exe
5316	QMRealTimeSpeedupSetup_13.10.21935.215__1619169878035.exe
5828	VolSnapshotX64.exe
5872	VolSnapshotX64.exe
5968	QMCheckNetwork.exe
5980	QMCheckNetwork.exe
6060	TSVulFixInc64.exe
3520	QQPCSoftTrayTips.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

小马激活Oem7F7.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 小马激活Oem7F7.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	小马激活Oem7F7.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

UpdateTrayIcon.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000\Control Panel\International\Geo\Nation	UpdateTrayIcon.exe

Loads dropped DLL 64 IoCs

Processes:

7z.exe94fe30df66ffa19efb5d4d95f11212273c008788410c6e59e251589ce1cea5ff.exeMiniThunderPlatform.exekuwo_jm951.exeQQPCMgr_1100122422.exeKwMusic.exe

pid	process
3104	7z.exe
3952	94fe30df66ffa19efb5d4d95f11212273c008788410c6e59e251589ce1cea5ff.exe
3780	MiniThunderPlatform.exe
3780	MiniThunderPlatform.exe
3780	MiniThunderPlatform.exe
3780	MiniThunderPlatform.exe
3780	MiniThunderPlatform.exe
3780	MiniThunderPlatform.exe
3780	MiniThunderPlatform.exe
3780	MiniThunderPlatform.exe
3780	MiniThunderPlatform.exe
3780	MiniThunderPlatform.exe
540	kuwo_jm951.exe
540	kuwo_jm951.exe
540	kuwo_jm951.exe
540	kuwo_jm951.exe
540	kuwo_jm951.exe
540	kuwo_jm951.exe
540	kuwo_jm951.exe
540	kuwo_jm951.exe
540	kuwo_jm951.exe
1904	QQPCMgr_1100122422.exe
540	kuwo_jm951.exe
540	kuwo_jm951.exe
540	kuwo_jm951.exe
540	kuwo_jm951.exe
540	kuwo_jm951.exe
540	kuwo_jm951.exe
540	kuwo_jm951.exe
540	kuwo_jm951.exe
4036	KwMusic.exe
4036	KwMusic.exe
4036	KwMusic.exe
4036	KwMusic.exe
4036	KwMusic.exe
4036	KwMusic.exe
4036	KwMusic.exe
4036	KwMusic.exe
4036	KwMusic.exe
4036	KwMusic.exe
4036	KwMusic.exe
4036	KwMusic.exe
4036	KwMusic.exe
4036	KwMusic.exe
4036	KwMusic.exe
4036	KwMusic.exe
4036	KwMusic.exe
4036	KwMusic.exe
4036	KwMusic.exe
4036	KwMusic.exe
4036	KwMusic.exe
4036	KwMusic.exe
4036	KwMusic.exe
4036	KwMusic.exe
4036	KwMusic.exe
4036	KwMusic.exe
4036	KwMusic.exe
540	kuwo_jm951.exe
540	kuwo_jm951.exe
540	kuwo_jm951.exe
540	kuwo_jm951.exe
4036	KwMusic.exe
4036	KwMusic.exe
4036	KwMusic.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4728 icacls.exe

pid	process
4728	icacls.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PCMgr_Setup.exeQQPCRtp.exeQQRepair.exeQQRepair.EXEkuwo_jm951.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ QQPCTray = "\"C:\\Program Files (x86)\\Tencent\\QQPCMgr\\13.10.21935.215\\QQPCTray.exe\" /regrun"	PCMgr_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ QQPCTray = "\"C:\\Program Files (x86)\\Tencent\\QQPCMgr\\13.10.21935.215\\QQPCTray.exe\" /regrun"	QQPCRtp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ QQPCTray = "\"C:\\Program Files (x86)\\Tencent\\QQPCMgr\\13.10.21935.215\\QQPCTRAY.EXE\" /regrun /qqrepair"	QQRepair.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ QQPCTray = "\"C:\\Program Files (x86)\\Tencent\\QQPCMgr\\13.10.21935.215\\QQPCTRAY.EXE\" /regrun /qqrepair"	QQRepair.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	kuwo_jm951.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kwmusic = "\"C:\\Program Files (x86)\\kuwo\\kuwomusic\\9.1.1.6_P2T1\\Kwmusic.exe\" /autorun"	kuwo_jm951.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	PCMgr_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QQDisabled	PCMgr_Setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

KwMusic.exeQQRepair.exeQQRepair.EXEQQPCTray.exeQQPCRealTimeSpeedup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	KwMusic.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QQRepair.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QQRepair.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QQPCTray.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QQPCRealTimeSpeedup.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Writes to the Master Boot Record (MBR) 1 TTPs 9 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

QQPCMgr_1100122422.exePCMgr_Setup.exeQMCheckNetwork.exeGameAssist_Setup.exeMiniThunderPlatform.exeKwMusic.exeQMSuperScan.exeQQPCRtp.exeQQPCTray.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	QQPCMgr_1100122422.exe
File opened for modification	\??\PhysicalDrive0	PCMgr_Setup.exe
File opened for modification	\??\PhysicalDrive0	QMCheckNetwork.exe
File opened for modification	\??\PhysicalDrive0	GameAssist_Setup.exe
File opened for modification	\??\PhysicalDrive0	MiniThunderPlatform.exe
File opened for modification	\??\PhysicalDrive0	KwMusic.exe
File opened for modification	\??\PhysicalDrive0	QMSuperScan.exe
File opened for modification	\??\PhysicalDrive0	QQPCRtp.exe
File opened for modification	\??\PhysicalDrive0	QQPCTray.exe

Drops file in System32 directory 64 IoCs

Processes:

PCMgr_Setup.exeGameAssist_Setup.exeVolSnapshotX64.exeQQPCRtp.exeVolSnapshotX64.exeVolSnapshotX64.exe

description	ioc	process
File created	C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll	PCMgr_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll	PCMgr_Setup.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\api-ms-win-core-processthreads-l1-1-1.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\api-ms-win-crt-filesystem-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\QMLogEx\log.ini	VolSnapshotX64.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll	PCMgr_Setup.exe
File opened for modification	C:\Windows\system32\api-ms-win-crt-locale-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\SysWOW64\concrt140.dll	PCMgr_Setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\QMLogEx\log.ini	QQPCRtp.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-synch-l1-2-0.dll	PCMgr_Setup.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-crt-convert-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\api-ms-win-crt-conio-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.dll	PCMgr_Setup.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\QMLogEx\log.ini	VolSnapshotX64.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	QQPCRtp.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\api-ms-win-crt-process-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll	PCMgr_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll	PCMgr_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-math-l1-1-0.dll	PCMgr_Setup.exe
File opened for modification	C:\Windows\system32\vcomp140.dll	PCMgr_Setup.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-crt-math-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\SysWOW64\concrt140.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\vcomp140.dll	GameAssist_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll	PCMgr_Setup.exe
File opened for modification	C:\Windows\system32\api-ms-win-crt-convert-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\vcruntime140.dll	PCMgr_Setup.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\SysWOW64\vcruntime140.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	QQPCRtp.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-time-l1-1-0.dll	PCMgr_Setup.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\api-ms-win-core-localization-l1-2-0.dll	GameAssist_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-0.dll	PCMgr_Setup.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-crt-multibyte-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db	QQPCRtp.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll	GameAssist_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll	PCMgr_Setup.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	PCMgr_Setup.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-timezone-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7	QQPCRtp.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll	PCMgr_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-heap-l1-1-0.dll	PCMgr_Setup.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-1.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-synch-l1-2-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll	GameAssist_Setup.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\QMLogEx\log.ini	VolSnapshotX64.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll	PCMgr_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-timezone-l1-1-0.dll	PCMgr_Setup.exe
File created	C:\Windows\SysWOW64\api-ms-win-crt-locale-l1-1-0.dll	PCMgr_Setup.exe
File opened for modification	C:\Windows\SysWOW64\vcruntime140.dll	PCMgr_Setup.exe

Drops file in Program Files directory 64 IoCs

Processes:

KwUACSet.exekuwo_jm951.exePCMgr_Setup.exeKwMusic.exeGameAssist_Setup.exeQQPCRtp.exeQQPCPatch.exe

description	ioc	process
File created	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\html\webdata\netsong.tmp\netsong\img\earth_iconhover.png	KwUACSet.exe
File created	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\html\webdata\netsong.tmp\netsong\img\toTop\to_top_hover.png	KwUACSet.exe
File created	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\KwMiniSite.exe	kuwo_jm951.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QMTrayPlugin\qmavtrayplugin\QMShield64.png	PCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\apps\AppCtrlInfo\SysOptimizeCtrl.xml	PCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\ClinicData\script\pb_1231.dat	PCMgr_Setup.exe
File created	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\html\webdata\netsong\content_artist.html	kuwo_jm951.exe
File created	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\html\webdata\netsong\feedback.html	kuwo_jm951.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\api-ms-win-crt-environment-l1-1-0.dll	PCMgr_Setup.exe
File opened for modification	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\skin\serverskin\5002\svrconf.ini	KwMusic.exe
File created	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\Skin\base\logindlgex.xml	kuwo_jm951.exe
File created	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\html\webdata\netsong\static\iconfont.svg	kuwo_jm951.exe
File created	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\html\webdata\netsong\static\iconfont.woff	kuwo_jm951.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\plugins\SysHomePage\HomePageRecommendItems.xml	PCMgr_Setup.exe
File created	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\html\webdata\netsong.tmp\netsong\img\cdpack\download.png	KwUACSet.exe
File created	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\html\webdata\netsong\img\earth_tipsleft.png	kuwo_jm951.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\apps\Logo\GameLobbyPlugin.png	PCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\api-ms-win-core-rtlsupport-l1-1-0.dll	PCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\plugins\QMNetMon\msvcp140.dll	PCMgr_Setup.exe
File created	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\html\webdata\netsong.tmp\netsong\static\userInfo.js	KwUACSet.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\adfilterlib\tsadlibexceptac.xml	PCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QMProtect.dll	PCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\api-ms-win-crt-string-l1-1-0.dll	PCMgr_Setup.exe
File created	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\html\webdata\netsong.tmp\netsong\originalcontentpage.html	KwUACSet.exe
File opened for modification	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\skin\serverskin\10087	KwMusic.exe
File created	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\period_radio.conf	kuwo_jm951.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\plugins\IEStartPage\TPBrowser.dat	PCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QMUpdate\api-ms-win-crt-heap-l1-1-0.dll	PCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.8265.138\GameRouterFileList\rl383.etf	GameAssist_Setup.exe
File created	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\html\webdata\netsong\myradio.html	kuwo_jm951.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\apps\Logo\qqpcuninstalljump.png	PCMgr_Setup.exe
File created	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\Skin\base\KwVipOpenPage.xml	kuwo_jm951.exe
File created	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\html\webdata\netsong\font\iconfont.svg	kuwo_jm951.exe
File created	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\html\webdata\netsong\img\earth_tipsup.png	kuwo_jm951.exe
File created	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\html\webdata\netsong\img\radio_stop.png	kuwo_jm951.exe
File created	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\WriteMbox.exe	kuwo_jm951.exe
File created	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\html\webdata\netsong\channel_mv.html	kuwo_jm951.exe
File created	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\html\webdata\netsong\img\nodata\no-network-white.png	kuwo_jm951.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\apps\AppCtrlInfo\DeepSpeedupSrcCtrl.xml	PCMgr_Setup.exe
File created	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\html\webdata\netsong\img\comment\face\emoji_28.png	kuwo_jm951.exe
File created	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\html\webdata\netsong.tmp\netsong\img\close.png	KwUACSet.exe
File created	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\html\webdata\netsong\content_rankList.html	kuwo_jm951.exe
File created	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\html\webdata\netsong\myFavor.html	kuwo_jm951.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\plugins\QMNetMon\api-ms-win-core-heap-l1-1-0.dll	PCMgr_Setup.exe
File opened for modification	C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\WSFDatabase.db	QQPCRtp.exe
File created	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\html\webdata\netsong\img\comment\face\emoji_100.png	kuwo_jm951.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.8265.138\libeay32.dll	GameAssist_Setup.exe
File opened for modification	C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QMTrayPlugin\QMAutoTaskPlugin\SubPlugins\GameSpeedupTipsMgr.dll.src_11343	QQPCPatch.exe
File created	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\html\webdata\netsong\static\common.js	kuwo_jm951.exe
File opened for modification	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\skin\servertheme\10101\svrconf.ini	KwMusic.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QMUpdate\api-ms-win-crt-stdio-l1-1-0.dll	PCMgr_Setup.exe
File created	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\html\webdata\netsong.tmp\netsong\img\original\next.png	KwUACSet.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\qmspeedupplugin\speeduprocket\TrayRocket.rdb	PCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\plugins\QMNetMon\api-ms-win-core-processthreads-l1-1-0.dll	PCMgr_Setup.exe
File created	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\html\webdata\netsong.tmp\netsong\js\originalcontent.js	KwUACSet.exe
File opened for modification	C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\FileGroupUpdate\DownloadCache\TVL00003.tvl.zip	QQPCPatch.exe
File created	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\Skin\base\hifi_gif.gif	kuwo_jm951.exe
File opened for modification	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\Skin\localskin\1\bk.jpg	kuwo_jm951.exe
File created	C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\html\webdata\netsong\img\m_hd.png	kuwo_jm951.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\WndFilterCfg.dat	PCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QMUpdate\QQPCUpdate.rdb	PCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\api-ms-win-crt-conio-l1-1-0.dll	PCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\plugins\QMNetMon\api-ms-win-crt-process-l1-1-0.dll	PCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.8265.138\qbclient\qb.pak	GameAssist_Setup.exe

Drops file in Windows directory 1 IoCs

Processes:

kuwo_jm951.exe

description ioc process

File created C:\Windows\KwYlx.dat kuwo_jm951.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\KwYlx.dat	kuwo_jm951.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

QQPCTray.exeKwMusic.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	QQPCTray.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	QQPCTray.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	KwMusic.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	KwMusic.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	KwMusic.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	KwMusic.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	KwMusic.exe

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

Processes:

PCMgr_Setup.exekuwo_jm951.exeQQPCTray.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\PCMgrRepairIEExtensions	PCMgr_Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000\Software\Microsoft\Internet Explorer\Styles	kuwo_jm951.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000\Software\Microsoft\Internet Explorer\Styles\MaxScriptStatements = "4294967295"	kuwo_jm951.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16EE6530-8649-4F42-A9E4-F6A3295AF975}	PCMgr_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16EE6530-8649-4F42-A9E4-F6A3295AF975}\AppPath = "C:\\Program Files (x86)\\Tencent\\QQPCMgr\\13.10.21935.215\\"	PCMgr_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16EE6530-8649-4F42-A9E4-F6A3295AF975}\AppName = "QQPCClinic.exe"	PCMgr_Setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16EE6530-8649-4F42-A9E4-F6A3295AF975}\Policy = "3"	PCMgr_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute	PCMgr_Setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\PCMgrRepairIEExtensions\WarnOnOpen = "0"	PCMgr_Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000\Software\Microsoft\Internet Explorer\MINIE\ShowStatusBar = "1"	QQPCTray.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000\Software\Microsoft\Internet Explorer\Main\StatusBarWeb = "1"	QQPCTray.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

Processes:

QQPCTray.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.chn112.com"	QQPCTray.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.chn112.com"	QQPCTray.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

QQPCRtp.exeQQPCTray.exePCMgr_Setup.exeQMSuperScan.exeQQPCSoftCmd.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defDocProVolSnapSwitch = 7a	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\TJWhiteListIsDeleteAll = 7b74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\NewUrlFwWaitResultTime = 7b74ea37	QQPCTray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	QQPCRtp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_11 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7f7007cab85ea59b9082830bc43669527408210fb5385e595e1cc1b9b5b706befd119344778b7ddd82872657192ad9fe8ae7cc71bbfffa5d63177	PCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_5 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e141774dd7bcab34d507bffac3944de6f8f05	QQPCTray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\Area2_SaveGarbage = 7b74ea379b12b567	QQPCTray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\FMFileMonEngineComb = 7674ea37	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\QMClientConfigItem_31004 = 4a74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\FMEnableSandbox = 7b74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defEcommerceCfgHeartbeatValue = 7074ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defOpenUrlbyQBQuery88CSInterval = 0374ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_30 = 3874d037c712e567e705819e9fffc6764c1730e303922a5627c3e522bd2e1d1772dd7bcab44d527be9ac3844cc6f8805188c8b03fe5e907a41eb2eb7dc0042abb0ea69b90e283ebc42668e27068229fb6a85dc95fdcc299b6f7076efc919204756b7efd831727771bcadb8e8fa7ceb1ba8ffbfd631778d67	QMSuperScan.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\guid = 1e17df55a92a8006f03dddab9ccc83474e746dda26a32e6332f2b410831d3127	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defQMWebInfoCfgVersion = 4974da37aa128267bb05df9ec9ff9a761d176be36992785665c3b122d42e64172add	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defstrQbEtwCtrlReport = 4a74da37ab129667a705de9ec8ff84761d177ee374927d5663c3b422	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defDocProVolSnapLocalSwitch = 7a74ea37	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\SaveUploadFile	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defConsentPromptBehaviorAdmin = 7e74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_29 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7f7007cab85ea59b9082830bc43669527408210fb5385e595e1cc1b9b5b706befd119344778b7ddd82872657192ad9fe8ae7cc71bbfffa5d63177a167ccab712d14b2201c47de441fc2b84706c3bbcbcac1480e998b4e866c9621d267	QQPCTray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Tencent\QQ	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\NetMonNeverAsk = 7b74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_37 = 3874d037c712e267fc05809e9cffdb765a172ee31b9238562ac3f722952e351776dd2bcaf44d	QQPCTray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_36 = 3874d037c712e267fc05809e9cffdb765a172ee3	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\TJEnableKillProcess = 7a74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\TJWhiteListInvalidInterval = 7b6ea537	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\VulFilterCtrlFalg = 7b74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_34 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fb0052b8cbf03f65e927a79eb0cb7c20052ab9eea55b9092830bc56668e277a8233fb6685dc95eccc1a9b487077effa190f474db7fdd828726b7192ad92e8	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\QMClientConfigItemSize_31004 = 7f74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\TJHeartbeatFlag = 7274ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\QmwscLibCfgLastTimeStamp = 4974da37a9128567a505d69ec9ff83761c176ce373927e5660c3b422e12e	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_43 = 3874d037c712e567e705819e9fffc6764c1730e367920d563ac3e822842e23173bdd30cabe4d057bacac7e44f66fbf052b8cb103fa5e917a4beb61b7ed0058ab80ea5fb90928	PCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defTipsBehaviourLocal = 7a74ea37	QQPCSoftCmd.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_35 = 3874d037c712e567e705819e9fffc6764c1730e303922a5627c3e522	QMSuperScan.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\TJDisableAvira = 7a74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defNewsDefaultPopTypeBootOrIdle = 7a74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\NetMonMinibarPos = 848b15c864ed4a98	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\StickKeySetting = 8575ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_29 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7f7007cab85ea59b9082830bc43669527408210fb5385e595e1cc1b9b5b706befd119344778b7ddd82872657192ad9fe8ae7cc71bbfffa5d63177a167ccab712d14b2201c47de441fc2b84706c3bbcbcac1480e998b4e866c9621d267	QMSuperScan.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defVulNetCfg_bVulPopTipDisable = 7b74ea37	QQPCTray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\IEHomepageV1 = 6339f5f9e46fe68448a416e0fb771eed1777e3dea3bb120dc653d964848aaf77ea9e61c72823a8d78b3d3ab154ccf9d3441984e793024d87	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\ExitOnClose = 7b74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defQMWebInfoCfgNewVersion = 4a74c437ab129b67a405c09ecdffb476	QQPCTray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\LRTLastLaunchDate = 7bb468f3ad506d66	QQPCTray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\LRTCloseTipCnt = 7b74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\OppBrowserInjectControl = 6875ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_21 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7f7007cab85ea59b9082830bc43669527408210fb5385e595e1cc1b9b5b706befd119344778b7dad83972697190ad87e8ef7cfe1bbfffb8d6	QMSuperScan.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\LOCALTRUSTCLOUD = 0074df37aa128567a605df9ecbfff1761f1770e37e92735665c3b022cc2e64172add2dca854d107ba2ac1244986fb905698c9903a55ebc7a61eb04b7ef0003abd4ea0eb942286bbc046687271b824efb7385c995b9cc179b0c7034ef9219014760b7b6d81e724171d0adc6e8b77cce1be2ff89d66977c967adab462d49b26a1c0dde601f9db87106b2bbddca8d485b99cd4eb66cd621e1679f197c10340b2f6b9cb1d377a7f7f0a1f1011d5d5b34fd6795888c9735a6256903ceedc56d96e749c51c1313f547dc1210c977bb79185766396d6c52664c5f79a28510667b92fe6d4da3297a80bf5fe1f6cc719de52a2c3dbcbc5d766464ac853413f12934ba88d714d18173a3d16e67f79118449917f261fc48610ca93c4f267ac5bf7e3eebc818e3e3a5c9e97fb53be556a941e953f3f0b10ae7cbd78e8e79e20c62359c229875f353d7453ca062b581e35884c02f9657d8d628022707e30b2ee9c0559c6f19de7115b759296a266c5c572a67310174b5eca7802f145bea55df9fc665a5146adc1f2fbb45600fcfec71a8e59b8cbb472c2275f3dfd8b178dcf11754d5fef08b019468dde5fd9cedcd88baa64f84060e274142a3baaae72dd80579c94e871d4c865714c12eac2688a1408f08173982e1e7b774984ac9dfe7fa1cd3227cbc48980e9cde133f81c01739e75e097b680488f208f3878f33e2f520d690fd30dfd8d5d50290a84daa60c993b2577543703ab3c11b9e10b05fea67a1d60b84e9520a92c2208e95513eb503c28dbc6f19230fcd5ad6ff4724cd79aad42df3931654f30a0cfc7fd7dc1e81d7c8a7436d6603656f7b95a1afb0d2ab03040b4fc5e2e753296c6ff109b9c3fe3a07515ccd23eafb4dc2f781f3d7f9d40481b04dffb5cd4a599534a5992c3744cd981b91f65643f592d011839484c231cb510c13395d0c74f6d3318661503842531145db55c88fa5ad9ec519f83847046cd57f2a27da11413af84af666bb79c0f178f284cb72b4ac6e81b5234620b0b9d32932eb95ee76e733c65615e5f3ef7d0e4e94365d99fcdd391650253606e68f3721630db3ae3665fdb6e34a1c650182546ee37310c7c6361f6a74c86c71b2144df5f5e1174173dd58e1d4660e5fc6699e8ac9c01013a5d4f9d675ac3f007a32ca59d3573be9e7d5f60472b917e1bafad28cd7c7d703ccd1bb52a851d9a273a00a4cc869c525d0b53e91484d0f86e5967e9b98fd198e2ebe4fd327a37476c5f3a29e4999b0fd3ae285ed46b4e351aa6e671ab05017d0e8f38dea8645b3b0906d73c680d773b805a342eb5a0cf92cc003d59eadbf6be6ac047e31ebc3506d19916b62683d006c6b7f0d74383d177094756856ac2aaa1b8fd3c56bba2166b6325b1032d406363287d9b0c8656ad6c7dbcf21fb495afdb45fd0545031e1571fad21e4205f4aa677769385acf6e63feba666dadaaf53877e25541e39617d1af17364a6f0960ffaa0af8ae72c9e1cc639a67a90eaa501539251e3ed01522ad08e03c5c7dc30df569a1437c5a3f60bb5cb05412f81f3bd78e31435ab24483dd4de10fb8fb2be76c0f7faf57f223f4e4bbed5981dade5ff6a413fd9fecbae24c4e290c723821d287172221559c3e7fc78a5063c7755aabdb8c3ef96260ce6288116e9b481174e9c8af94105a979ba8d3aead16b344fd2d92857da1a2fe16c1d26ab2d83719c06f30dafb407268b9ca9f82830e38d81d68360333c6c8e66a715332254f2004fcdeaba3ab3303c2470dac1123f8ebecce0e9f87b9dd38311fd5b1be5a97a6ffb7c64275f44fb3767833f52b18e8d9a51c320aa17a95a6425c1ce6720ae3c6f354226356eaed135baa1ee01d6eb3d0133de4466a5781b674da69aa706d2113c10a84a1ab67b85eb4e94ce42ae6d2fed501051185af5e9d6300ad9719ff5483d816665ffdb1e9d16e8b58c0b151e777a37a906eaf47b9901306ec423b359ae751aee1734916ec2b78e88e88cc6fafc74543a664d35625433194d1bacbe12d8128db5cefdac0bea9257427162210877a2b242ccd37b2afa88965c13fa5ebe27801761c9116f826109ac222b867ebd714f5ba3451f6d77d70847931b578f45b755dfa0dc2e1b5a0ef2f72db6d1e34b564b582fbf9f76f3830696157e878aaf369c5010dadf5da259c206a6f1575ca408b64b36d515a2e812d03dfecf10e058ba66fb8679e826857b5d2e8e2db7a68da1c15174b74661b9bf7f9f2e522283515bedebf9e429156f6f65acdf427cd8171fc8b086041503f806683d4fc44393de586d7c7e2dfbd1d1a746c3ea676a2e9c845d36ae904d3eefc46a7e0c55e9da3426d20a5a1ea08e95f44ec6351f89398a449ada91f17d3fd73bf4589bd991c86ec031ab3f17cac29277de1b3889c30c4dcf0f685145be9c2b542668e687441564b58d21ae8b627ba2f45129aaf1ae14f7d0b1ef412b85915596609ccc5d51bdce4022634cf41bb0250471d4224acac2e22e033a1de450619512087a2c37dd68b1e01098cae631316ce21a85d22fd7345c8ad00bdd2d70b5ad9606c099a29a58d19333f9f32e6b09248f05e02e5a80b82dd20d6da2df41f7980c7e5480903caad8227660bef43cc9643fd2a7984f7cec433be8aa6c27d7ee5bed99eaed019988aca1d386e220b1b5f55e42f58131ddf031ed6778507e73a9d0929e8022d8bfaeeece46a10542fecfd043a0dbda90d0401d2120454e39196172c667d428e83d90f0651acf5ad08c15293fc49899beaa2a4dd64c39910ae14adfb68d7aebf3661ec9e03d85e1797a15ec5f92ac6427d1b09f7a8dac050d10da7c12446c0e13b391eb97c581762541bb51f9d202b1cd63d41e010f25817e07defa44fa0e48a4a8ece1ce6b3d6e76efbded41f93ce94a7c230dd7433f7203e332ebf41c122f250f4cd7c668f15678b72c8b047b23a9c852ec5f6932ff0b8e354f8de69bc0d69115044b98e4c891657c344882012e3859c01d398074f5277c72624b539fde53db4bce16411be669cf715eaf8a36daeef4c3a715d54d59986436f41d2f3b57e59b5447272557b13c3af5e549ebda2fc9bce97801f37543b4ddd27e5e3b1eeff56e3a060d7c8885f4443d182e19636fe5d3a0b75ead7710a94600abced372e9c0b5f2a51361c26beaae414117c7cc1013d6fc2644a33d60bc304c34f0fcd4052093a39a291b3c0ee4032f366713b02c6ab6b4aa52068c7e2b2e5129fa75581809004cf0f6623176ca5f35d2d68ce7495a26fcc52114b51c1df935893c55057b82d1963bb41e474592b76c91700ec0a9a9f1f5bd7b6d8f55cf9ff96b45a34a0e79c94f2775f3d8f19bdeebf04b9dba31885b76987179fe715d4f36d3eff4f72c8e0a65095dd955d22276adcbf5fb55bf6f193619613abc3bd72f055b0983f959ae36ec9d9f9ead57f0cbcd5b159776e531ae8def4a271ac550f31eddbf36b0999dcba9e9c86039b402f2f10807f28809432ee02a7cd0987865687390871cd7d2c6e989d7cc81ebed47c5238088b81994875212186a5c2a2332f84404786af3928310e8fc770d37a54d3c41dcdb610a42e93bcba2cb71b2d9eb3c04df5743d47af900e37db0692c86c7abe62fadf91191b09b039e1a1ca6a62e44d4cd2abb2e050bb7998ae1645794413a895f40136cecd5690256a662dad52f20ca60696451194760778b191aa5cef16213f6e550bbe1ef50a9a74cf5c1ccd0f1638d255e95647f5fe5e896699695fda5e3d78101970984862761e3bd93b9c33b0ac6f65c77c29de0c11b8a79e1b2d28eac60532f812700ec9afc7cd9e741525dee15698f468d92c2d265fd03aab11ffe3c9c8334572f5cf8236df496baa195c92d0bedefe89b424b56ba34d15c97e15fef9ae1a08505ed5eb62da06e60a06bcc89b733c7ff0ff8f2ece6e10eb571431075dd5e403dd742c298626c41b53023c7e6fa313df1c4232a5bed4294f0335b251721c8333ea7d1f75df55616e684c5d39db2af255a3625a61b20a91f92082caf96fc78f5291847b58810dbc530877002c6287c57ea6a6a55f615735d4d51169311d835a9dbe9c66b7e14dbb8ff3b211cfff0d57f95c5d3cc10fcfd54d5702bf4e08b414958713b27b26d4ed131ef7c71db04f6cdb9a7c57bd976984b75a3db070c3cb685c16e78922ec761ebf35f1715e2518a2444603294c2be9d61ef687d8df8e4456eccbb84f55b3fe5ad7bf0b9d855717268c9c02cef7a8a238d19d0905f3e828dc591a21faea816bfd188eb6f0c6c211766db9734ac7c07b3c5c2fa4cb556894d15011d231f65af7a5be91bfcb16e6dced983dfea1444b08925ca432c2270a8f77c5f907c9e2fdce8ec528a1f447e40f4aefd8e453000c0ee0f15769391f626bcc5d8878204169566d4e2738aa6c0ceb07d168d783b5c39034376e50dc95dbf7543b26b927fb92065ed7a4312b723684acebf380af9292ac4864e8b4cd656e135130b523c563f60a7bfd432252124b8ef1f66a7409eaafe050309ae462e0b138181e1e3987dbd28879459d5bc66ab62efcd41ae36fdc01125c29185c00c61a49e669065a5dcd9c3539d4365413d53130a78280e3ab16a52224fb6cecbe8c475312683b30cb7e5d056ca7fff594653aa1894edc44a98bd5854bd3b44a7fc1a5f06a3f616cd81483da75ca89a270f0fbb00547e8d9fa07deec5ef9c0d633ada7712e20507a0bb0e41d6afd64dc78e255cfc373e3e2274337c072b485ab2b357195440947146eae7efba6254148692cccec412f1d0fe553393ec6c60e4811b8d9b7839afa31ac4cb49e04c1f507685ddbef134f8d81d003f9e19f2a1f44a4c27b47a0a2f131747f90edf68999e8f175d62160148f802efcbdd69a3762f0ce37ee8a6243448028e913182adf7a00c7c7cc5786ee80765e96e1e52af935d8c29b1241f8b6644b6fea9d4cd4aaeea07637eda0284edaadbf43b6278aac15504c96e9e8761278ed7f73ffc1afe2a9f2c1a421397f705f84dce948dfb3d7a23325cff603696b82514f45183e44097a94c56ed390d440b5aa1722f3d786f61bad846fb6ab8c8c745307f34fdc04eafbc02b1f815f3a6d2700bbc2038c56186c96013719b18c546c4ad2973beac2dbabcee8d6b6763d2099976923d70b78f04e002f3817940a0aef751aab49c0879f9ba0ce513a9a4f3de3f9f9afab4d6bcb98590d57eadeaef2ff8c67f6f417cde936c7e20665dc598dab2dda73bc4ba9781fd66f8fb4c6313f8028405da2182ef87e33445a8898f45b09b099538b42b4f26cd842c096d195756d9fecc4c07ff3f0296d1ffc8da2a3ed098898a262cbde0d30c574550f1187a5213c6b80f30b6f4e9d1a72a51297e6853551ff1b67202b654d723c72910010fa16eeffafa254631a559eb1a783564072d4aeab00f4c0904af30459063eec07bb9da6ebde3ea51873cc605bdef54801a14b7a0a2b191e4a9e00b91a75ccf7661447d63f70e9adc744c1bedcc7f9992e3407a77261b21c41cf2ae96bec2eaa6e72c2f4a1deb06df37e3db1663116c33fe3673bd4ee07b5c070acbb990da3da64c6bca17e96aa765056be38a37ba307f156f8a1cbe0d180ea92847a06dc6c9bd5754a8d3187b2cb849f62b6c00dcbe48723ef81b2871a55ce7bf3264784d9163bb29b93d522d2a631df7eef4594eb69615edeeafbe2aef166ceff56e74528fbdbb734298080a6db56b838dee67c54f6193024f7f3fc329389528444c7c96e7a19e355aaf71d304cd5d44c19352b64ae93e1823afee3ab50580235a7176322c4ee89cea30b0471dc9a9648f8882685dbb9df8f28904ea3e17cad8ecce012d6fea3b894f2e5ae81c91f50a1159a0b80658582e8e3099ca82dd6ed7e80ab1ccdd9bb2a07acca582a3ba5f46f570ea6a36c4c6e0c8b063ac5b6287c727f1e1af746685a48174125955fcde169d020d8cde17d08e16937498067ef771fcd6fbaf405112a88db9b1b3456d8ae2239ac59101eed7568f1bb107b69ce4b8a1deff20517a52456032e73389143d7d96b5dcf711f2093330ae2d377bd2fe1b2d55971d43a04053941e75602f4f68fca55f6ea5a23370fa9e71bb1c57bdc75c78041c4fd647f20ea5a6fa42a81e900b5fe9de6c0b7c9cbcd46a9e640067600f066f43fa2764be9e4fe38bf92e6670f9c5321fd738e6085aeda6f76675ecf7b103e3ba1d822556f44ae5da6cb47c35764c	QMSuperScan.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defLastReportCloseBusinessTips = 6774	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\HideGhostData = 7a74ea37	QQPCTray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defHeartbeatSccUrlCfgLastValue = 7074ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_8 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7f7007cab85ea59b9082830bc43669527408210fb5385e595e1cc1b9b5b706befd119344778b7dcd83972677185ad85e8fa7c	PCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_59 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fb0052b8cbf03f65e927a79eb0cb7c20052ab9eea55b9092830bc56668e277a8233fb6685dc95eccc1a9b487077effa19054751b7fcd832725871a2ad9ee8fc7ce41b	PCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg\FMEnableWriteInhibit = 7a74ea37	QQPCTray.exe

Modifies registry class 64 IoCs

Processes:

kuwo_jm951.exePCMgr_Setup.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\kwfile_MP1\shell\openkw\command\ = "\"C:\\Program Files (x86)\\kuwo\\kuwomusic\\9.1.1.6_P2T1\\bin\\KwMusic.exe\" \"%1\""	kuwo_jm951.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\kwfile_FLAC\shell\playlist\ = "加入酷我音乐播放列表"	kuwo_jm951.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQPCMgr.qbox\shell\open	PCMgr_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE	kuwo_jm951.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kwfile_DSF\\shell\\open\\command	kuwo_jm951.exe
Key created	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\kwfile_MP2\shell	kuwo_jm951.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B7667919-3765-4815-A66D-98A09BE662D6}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PCMgrRepairIEExtensions\Shell\Open\Command	PCMgr_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C049F583-D724-4BAB-8F47-F13BCA41B808}\1.0\ = "npQMExtensionsIE 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMContextScan.QMContextScanMenu.1\CLSID\ = "{63332668-8CE1-445D-A5EE-25929176714E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMContextUninstall.QMContextUninstallMenu\ = "QMContextUninstallMenu Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B7667919-3765-4815-A66D-98A09BE662D6}\InprocServer32\ = "C:\\Program Files (x86)\\Tencent\\QQPCMgr\\13.10.21935.215\\QMGCShellExt64.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\kwfile_WV\\shell\\openkw	kuwo_jm951.exe
Key created	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\kwfile_ape\shell\openkw\command	kuwo_jm951.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\kwfile_MP2\shell\openkw\ = "用酷我音乐播放"	kuwo_jm951.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kuwo\DefaultIcon\ = "C:\\Program Files (x86)\\kuwo\\kuwomusic\\9.1.1.6_P2T1\\bin\\KwMusic.exe,0"	kuwo_jm951.exe
Key created	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\kwfile_AAC\\shell\\openkw\\command	kuwo_jm951.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kwfile_dks\shell\open\command\ = "\"C:\\Program Files (x86)\\kuwo\\kuwomusic\\9.1.1.6_P2T1\\bin\\KwMusic.exe\" \"%1\""	kuwo_jm951.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\.dks\ = "kwfile_dks"	kuwo_jm951.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3303E77E-EAF6-4840-8208-5D950B2B61E7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\kwfile_CDA\\shell\\openkw	kuwo_jm951.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dks	kuwo_jm951.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PCMgrRepairIEExtensions\ = "URL: 电脑管家-修复IE插件"	PCMgr_Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\kwfile_wma\shell\playlist	kuwo_jm951.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kwfile_CUE\shell	kuwo_jm951.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B7667919-3765-4815-A66D-98A09BE662D6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kwfile_DSF\shell	kuwo_jm951.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kwfile_WV\shell\open\command	kuwo_jm951.exe
Key created	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\kwfile_WV\shell\openkw	kuwo_jm951.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\.CDA\kwbak	kuwo_jm951.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\QMRealTimeSpeedupShellContextMenuExtension	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBDECEF7-7A29-4cbf-A009-2673D82C7BF9}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ac3\ = "kwfile_AC3"	kuwo_jm951.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\kwfile_AAC\shell\playlist\ = "加入酷我音乐播放列表"	kuwo_jm951.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{29B6CFD5-0064-411A-8C42-9890C83F9921}\AppID = "{D611A85B-A248-4A35-9A6F-BEC94DD62480}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{63332668-8CE1-445D-A5EE-25929176714E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4801E96-E7A1-45F6-B124-7A36DFB40B81}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B7667919-3765-4815-A66D-98A09BE662D6}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kwfile_MP1\\shell\\open\\command	kuwo_jm951.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kwfile_WAV\shell	kuwo_jm951.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\kwfile_wma\shell\openkw\command\ = "\"C:\\Program Files (x86)\\kuwo\\kuwomusic\\9.1.1.6_P2T1\\bin\\KwMusic.exe\" \"%1\""	kuwo_jm951.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ac3\kwbak = "VLC.ac3"	kuwo_jm951.exe
Key created	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\kwfile_CDA\\shell\\playlist\\command	kuwo_jm951.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kwfile_FLAC\DefaultIcon	kuwo_jm951.exe
Key created	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\kwfile_M4A\shell\playlist\command	kuwo_jm951.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lrcx	kuwo_jm951.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3303E77E-EAF6-4840-8208-5D950B2B61E7}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\kwfile_wma\shell\openkw\ = "用酷我音乐播放"	kuwo_jm951.exe
Key created	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\kwfile_wma\\shell\\openkw	kuwo_jm951.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\kwfile_M4A\shell\openkw\ = "用酷我音乐播放"	kuwo_jm951.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shellex\ContextMenuHandlers\QMRealTimeSpeedupShellContextMenuExtension\ = "{C5617F6A-39BB-436D-91CF-61C1B45DD688}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMContextUninstall.QMContextUninstallMenu\CurVer\ = "QMContextUninstall.QMContextUninstallMenu.1"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\kwfile_CDA\shell	kuwo_jm951.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9FDA3675-DD0B-43EF-A5EE-2A7188E5D00F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMContextScan.QMContextScanMenu.1\ = "QMContextScanMenu Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{63332668-8CE1-445D-A5EE-25929176714E}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\kwfile_MP1\\shell\\openkw\\command	kuwo_jm951.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kwfile_MP3	kuwo_jm951.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kwfile_ape\\shell\\open\\command	kuwo_jm951.exe
Key created	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\kwfile_CUE\\shell\\openkw\\command	kuwo_jm951.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMContextScan.QMContextScanMenu.1\ = "QMContextScanMenu Class"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\kwfile_DFF\shell\playlist\command\ = "\"C:\\Program Files (x86)\\kuwo\\kuwomusic\\9.1.1.6_P2T1\\bin\\KwMusic.exe\" \\list \"%1\""	kuwo_jm951.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

QQPCRtp.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	QQPCRtp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	QQPCRtp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	QQPCRtp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

kuwo_jm951.exeQQPCMgr_1100122422.exePCMgr_Setup.exeKwMusic.exeKwService.exeKwWebKit.exeQMCheckNetwork.exe

pid	process
540	kuwo_jm951.exe
540	kuwo_jm951.exe
1904	QQPCMgr_1100122422.exe
1904	QQPCMgr_1100122422.exe
1904	QQPCMgr_1100122422.exe
1904	QQPCMgr_1100122422.exe
1904	QQPCMgr_1100122422.exe
1904	QQPCMgr_1100122422.exe
1904	QQPCMgr_1100122422.exe
1904	QQPCMgr_1100122422.exe
1904	QQPCMgr_1100122422.exe
1904	QQPCMgr_1100122422.exe
1904	QQPCMgr_1100122422.exe
1904	QQPCMgr_1100122422.exe
1904	QQPCMgr_1100122422.exe
1904	QQPCMgr_1100122422.exe
1904	QQPCMgr_1100122422.exe
1904	QQPCMgr_1100122422.exe
3664	PCMgr_Setup.exe
3664	PCMgr_Setup.exe
3664	PCMgr_Setup.exe
3664	PCMgr_Setup.exe
3664	PCMgr_Setup.exe
3664	PCMgr_Setup.exe
3664	PCMgr_Setup.exe
3664	PCMgr_Setup.exe
3664	PCMgr_Setup.exe
3664	PCMgr_Setup.exe
3664	PCMgr_Setup.exe
3664	PCMgr_Setup.exe
3664	PCMgr_Setup.exe
3664	PCMgr_Setup.exe
540	kuwo_jm951.exe
540	kuwo_jm951.exe
540	kuwo_jm951.exe
540	kuwo_jm951.exe
540	kuwo_jm951.exe
540	kuwo_jm951.exe
3664	PCMgr_Setup.exe
3664	PCMgr_Setup.exe
3664	PCMgr_Setup.exe
3664	PCMgr_Setup.exe
3664	PCMgr_Setup.exe
3664	PCMgr_Setup.exe
4036	KwMusic.exe
4036	KwMusic.exe
4036	KwMusic.exe
4036	KwMusic.exe
3196	KwService.exe
3196	KwService.exe
3196	KwService.exe
3196	KwService.exe
3032	KwWebKit.exe
3032	KwWebKit.exe
3196	KwService.exe
3196	KwService.exe
3196	KwService.exe
3196	KwService.exe
3664	PCMgr_Setup.exe
3664	PCMgr_Setup.exe
3664	PCMgr_Setup.exe
3664	PCMgr_Setup.exe
3392	QMCheckNetwork.exe
3392	QMCheckNetwork.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

QQPCRealTimeSpeedup.exeQQPCTray.exe

pid process

220 QQPCRealTimeSpeedup.exe
4544 QQPCTray.exe

pid	process
220	QQPCRealTimeSpeedup.exe
4544	QQPCTray.exe

Suspicious behavior: LoadsDriver 64 IoCs

Processes:

QQPCRtp.exeQQPCTray.exe

pid	process
652
652
652
652
652
652
652
4404	QQPCRtp.exe
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
4544	QQPCTray.exe
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652

Suspicious use of AdjustPrivilegeToken 61 IoCs

Processes:

MiniThunderPlatform.exeKwService.exePCMgr_Setup.exeQQPCTray.exeGameAssist_Setup.exeQQPCTray.exeQQPCTray.exeInstallUninstallCube.exeQQPCRtp.exeQQRepair.exeQMSuperScan.exevssvc.exeQQRepair.EXEqmdl.exeQQPCRealTimeSpeedup.exe

description	pid	process
Token: SeManageVolumePrivilege	3780	MiniThunderPlatform.exe
Token: SeManageVolumePrivilege	3780	MiniThunderPlatform.exe
Token: SeBackupPrivilege	3196	KwService.exe
Token: SeSecurityPrivilege	3196	KwService.exe
Token: SeSecurityPrivilege	3196	KwService.exe
Token: SeBackupPrivilege	3664	PCMgr_Setup.exe
Token: SeRestorePrivilege	3664	PCMgr_Setup.exe
Token: SeBackupPrivilege	3664	PCMgr_Setup.exe
Token: SeRestorePrivilege	3664	PCMgr_Setup.exe
Token: SeDebugPrivilege	3664	PCMgr_Setup.exe
Token: 33	4168	QQPCTray.exe
Token: SeIncBasePriorityPrivilege	4168	QQPCTray.exe
Token: SeDebugPrivilege	1636	GameAssist_Setup.exe
Token: 33	4544	QQPCTray.exe
Token: SeIncBasePriorityPrivilege	4544	QQPCTray.exe
Token: 33	4580	QQPCTray.exe
Token: SeIncBasePriorityPrivilege	4580	QQPCTray.exe
Token: SeDebugPrivilege	4664	InstallUninstallCube.exe
Token: SeDebugPrivilege	4404	QQPCRtp.exe
Token: SeLoadDriverPrivilege	4404	QQPCRtp.exe
Token: SeDebugPrivilege	4404	QQPCRtp.exe
Token: SeLoadDriverPrivilege	4544	QQPCTray.exe
Token: SeLoadDriverPrivilege	4112	QQRepair.exe
Token: SeDebugPrivilege	4544	QQPCTray.exe
Token: SeShutdownPrivilege	4544	QQPCTray.exe
Token: SeCreatePagefilePrivilege	4544	QQPCTray.exe
Token: SeDebugPrivilege	4544	QQPCTray.exe
Token: SeLoadDriverPrivilege	4544	QQPCTray.exe
Token: SeSystemProfilePrivilege	4544	QQPCTray.exe
Token: SeDebugPrivilege	3656	QMSuperScan.exe
Token: SeLoadDriverPrivilege	4404	QQPCRtp.exe
Token: SeDebugPrivilege	4404	QQPCRtp.exe
Token: SeDebugPrivilege	4404	QQPCRtp.exe
Token: SeLoadDriverPrivilege	4404	QQPCRtp.exe
Token: SeDebugPrivilege	4404	QQPCRtp.exe
Token: SeLoadDriverPrivilege	4404	QQPCRtp.exe
Token: SeBackupPrivilege	4532	vssvc.exe
Token: SeRestorePrivilege	4532	vssvc.exe
Token: SeAuditPrivilege	4532	vssvc.exe
Token: SeBackupPrivilege	4404	QQPCRtp.exe
Token: SeRestorePrivilege	4404	QQPCRtp.exe
Token: 33	3196	KwService.exe
Token: SeIncBasePriorityPrivilege	3196	KwService.exe
Token: SeLoadDriverPrivilege	4832	QQRepair.EXE
Token: SeManageVolumePrivilege	1844	qmdl.exe
Token: SeDebugPrivilege	4544	QQPCTray.exe
Token: SeDebugPrivilege	220	QQPCRealTimeSpeedup.exe
Token: SeBackupPrivilege	4544	QQPCTray.exe
Token: SeRestorePrivilege	4544	QQPCTray.exe
Token: SeDebugPrivilege	220	QQPCRealTimeSpeedup.exe
Token: SeDebugPrivilege	4544	QQPCTray.exe
Token: 33	3196	KwService.exe
Token: SeIncBasePriorityPrivilege	3196	KwService.exe
Token: SeDebugPrivilege	4544	QQPCTray.exe
Token: SeDebugPrivilege	4544	QQPCTray.exe
Token: SeDebugPrivilege	4544	QQPCTray.exe
Token: SeDebugPrivilege	4544	QQPCTray.exe
Token: 33	3196	KwService.exe
Token: SeIncBasePriorityPrivilege	3196	KwService.exe
Token: 33	3196	KwService.exe
Token: SeIncBasePriorityPrivilege	3196	KwService.exe

Suspicious use of FindShellTrayWindow 21 IoCs

Processes:

KwMusic.exeUpdateTrayIcon.exeQQPCTray.exe

pid	process
4036	KwMusic.exe
4036	KwMusic.exe
4036	KwMusic.exe
4644	UpdateTrayIcon.exe
4644	UpdateTrayIcon.exe
4644	UpdateTrayIcon.exe
4644	UpdateTrayIcon.exe
4644	UpdateTrayIcon.exe
4644	UpdateTrayIcon.exe
4644	UpdateTrayIcon.exe
4644	UpdateTrayIcon.exe
4644	UpdateTrayIcon.exe
4644	UpdateTrayIcon.exe
4544	QQPCTray.exe
4544	QQPCTray.exe
4544	QQPCTray.exe
4544	QQPCTray.exe
4644	UpdateTrayIcon.exe
4644	UpdateTrayIcon.exe
4544	QQPCTray.exe
4544	QQPCTray.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

KwMusic.exeQQPCTray.exe

pid process

4036 KwMusic.exe
4036 KwMusic.exe
4544 QQPCTray.exe
4544 QQPCTray.exe
4544 QQPCTray.exe
4544 QQPCTray.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

QQPCMgr_1100122422.exe

pid process

1904 QQPCMgr_1100122422.exe

pid	process
1904	QQPCMgr_1100122422.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

94fe30df66ffa19efb5d4d95f11212273c008788410c6e59e251589ce1cea5ff.execmd.exekuwo_jm951.exeQQPCMgr_1100122422.exeKwMusic.exePCMgr_Setup.exeQMBluerayInsHlp.exeregsvr32.exe

description	pid	process	target process
PID 3952 wrote to memory of 2704	3952	94fe30df66ffa19efb5d4d95f11212273c008788410c6e59e251589ce1cea5ff.exe	小马激活Oem7F7.exe
PID 3952 wrote to memory of 2704	3952	94fe30df66ffa19efb5d4d95f11212273c008788410c6e59e251589ce1cea5ff.exe	小马激活Oem7F7.exe
PID 3952 wrote to memory of 2704	3952	94fe30df66ffa19efb5d4d95f11212273c008788410c6e59e251589ce1cea5ff.exe	小马激活Oem7F7.exe
PID 3952 wrote to memory of 3668	3952	94fe30df66ffa19efb5d4d95f11212273c008788410c6e59e251589ce1cea5ff.exe	cmd.exe
PID 3952 wrote to memory of 3668	3952	94fe30df66ffa19efb5d4d95f11212273c008788410c6e59e251589ce1cea5ff.exe	cmd.exe
PID 3952 wrote to memory of 3668	3952	94fe30df66ffa19efb5d4d95f11212273c008788410c6e59e251589ce1cea5ff.exe	cmd.exe
PID 3668 wrote to memory of 3104	3668	cmd.exe	7z.exe
PID 3668 wrote to memory of 3104	3668	cmd.exe	7z.exe
PID 3668 wrote to memory of 3104	3668	cmd.exe	7z.exe
PID 3952 wrote to memory of 3836	3952	94fe30df66ffa19efb5d4d95f11212273c008788410c6e59e251589ce1cea5ff.exe	MiniTPFw.exe
PID 3952 wrote to memory of 3836	3952	94fe30df66ffa19efb5d4d95f11212273c008788410c6e59e251589ce1cea5ff.exe	MiniTPFw.exe
PID 3952 wrote to memory of 3836	3952	94fe30df66ffa19efb5d4d95f11212273c008788410c6e59e251589ce1cea5ff.exe	MiniTPFw.exe
PID 3952 wrote to memory of 3780	3952	94fe30df66ffa19efb5d4d95f11212273c008788410c6e59e251589ce1cea5ff.exe	MiniThunderPlatform.exe
PID 3952 wrote to memory of 3780	3952	94fe30df66ffa19efb5d4d95f11212273c008788410c6e59e251589ce1cea5ff.exe	MiniThunderPlatform.exe
PID 3952 wrote to memory of 3780	3952	94fe30df66ffa19efb5d4d95f11212273c008788410c6e59e251589ce1cea5ff.exe	MiniThunderPlatform.exe
PID 3952 wrote to memory of 540	3952	94fe30df66ffa19efb5d4d95f11212273c008788410c6e59e251589ce1cea5ff.exe	kuwo_jm951.exe
PID 3952 wrote to memory of 540	3952	94fe30df66ffa19efb5d4d95f11212273c008788410c6e59e251589ce1cea5ff.exe	kuwo_jm951.exe
PID 3952 wrote to memory of 540	3952	94fe30df66ffa19efb5d4d95f11212273c008788410c6e59e251589ce1cea5ff.exe	kuwo_jm951.exe
PID 540 wrote to memory of 372	540	kuwo_jm951.exe	curl.exe
PID 540 wrote to memory of 372	540	kuwo_jm951.exe	curl.exe
PID 540 wrote to memory of 372	540	kuwo_jm951.exe	curl.exe
PID 3952 wrote to memory of 1904	3952	94fe30df66ffa19efb5d4d95f11212273c008788410c6e59e251589ce1cea5ff.exe	QQPCMgr_1100122422.exe
PID 3952 wrote to memory of 1904	3952	94fe30df66ffa19efb5d4d95f11212273c008788410c6e59e251589ce1cea5ff.exe	QQPCMgr_1100122422.exe
PID 3952 wrote to memory of 1904	3952	94fe30df66ffa19efb5d4d95f11212273c008788410c6e59e251589ce1cea5ff.exe	QQPCMgr_1100122422.exe
PID 1904 wrote to memory of 3664	1904	QQPCMgr_1100122422.exe	PCMgr_Setup.exe
PID 1904 wrote to memory of 3664	1904	QQPCMgr_1100122422.exe	PCMgr_Setup.exe
PID 1904 wrote to memory of 3664	1904	QQPCMgr_1100122422.exe	PCMgr_Setup.exe
PID 540 wrote to memory of 1848	540	kuwo_jm951.exe	netsh.exe
PID 540 wrote to memory of 1848	540	kuwo_jm951.exe	netsh.exe
PID 540 wrote to memory of 1848	540	kuwo_jm951.exe	netsh.exe
PID 540 wrote to memory of 1820	540	kuwo_jm951.exe	netsh.exe
PID 540 wrote to memory of 1820	540	kuwo_jm951.exe	netsh.exe
PID 540 wrote to memory of 1820	540	kuwo_jm951.exe	netsh.exe
PID 540 wrote to memory of 4036	540	kuwo_jm951.exe	KwMusic.exe
PID 540 wrote to memory of 4036	540	kuwo_jm951.exe	KwMusic.exe
PID 540 wrote to memory of 4036	540	kuwo_jm951.exe	KwMusic.exe
PID 540 wrote to memory of 3980	540	kuwo_jm951.exe	curl.exe
PID 540 wrote to memory of 3980	540	kuwo_jm951.exe	curl.exe
PID 540 wrote to memory of 3980	540	kuwo_jm951.exe	curl.exe
PID 4036 wrote to memory of 3196	4036	KwMusic.exe	KwService.exe
PID 4036 wrote to memory of 3196	4036	KwMusic.exe	KwService.exe
PID 4036 wrote to memory of 3196	4036	KwMusic.exe	KwService.exe
PID 4036 wrote to memory of 3032	4036	KwMusic.exe	KwWebKit.exe
PID 4036 wrote to memory of 3032	4036	KwMusic.exe	KwWebKit.exe
PID 4036 wrote to memory of 3032	4036	KwMusic.exe	KwWebKit.exe
PID 4036 wrote to memory of 3644	4036	KwMusic.exe	WriteMbox.exe
PID 4036 wrote to memory of 3644	4036	KwMusic.exe	WriteMbox.exe
PID 4036 wrote to memory of 3644	4036	KwMusic.exe	WriteMbox.exe
PID 3664 wrote to memory of 524	3664	PCMgr_Setup.exe	cacls.exe
PID 3664 wrote to memory of 524	3664	PCMgr_Setup.exe	cacls.exe
PID 3664 wrote to memory of 524	3664	PCMgr_Setup.exe	cacls.exe
PID 3664 wrote to memory of 1576	3664	PCMgr_Setup.exe	QMBluerayInsHlp.exe
PID 3664 wrote to memory of 1576	3664	PCMgr_Setup.exe	QMBluerayInsHlp.exe
PID 3664 wrote to memory of 1576	3664	PCMgr_Setup.exe	QMBluerayInsHlp.exe
PID 1576 wrote to memory of 672	1576	QMBluerayInsHlp.exe	QMBluerayInsHlpx64.exe
PID 1576 wrote to memory of 672	1576	QMBluerayInsHlp.exe	QMBluerayInsHlpx64.exe
PID 3664 wrote to memory of 540	3664	PCMgr_Setup.exe	regsvr32.exe
PID 3664 wrote to memory of 540	3664	PCMgr_Setup.exe	regsvr32.exe
PID 3664 wrote to memory of 540	3664	PCMgr_Setup.exe	regsvr32.exe
PID 540 wrote to memory of 1428	540	regsvr32.exe	regsvr32.exe
PID 540 wrote to memory of 1428	540	regsvr32.exe	regsvr32.exe
PID 3664 wrote to memory of 3932	3664	PCMgr_Setup.exe	QQPCSoftCmd.exe
PID 3664 wrote to memory of 3932	3664	PCMgr_Setup.exe	QQPCSoftCmd.exe
PID 3664 wrote to memory of 3932	3664	PCMgr_Setup.exe	QQPCSoftCmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

QQPCTray.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	QQPCTray.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "255"	QQPCTray.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2328

C:\Users\Admin\AppData\Local\Temp\94fe30df66ffa19efb5d4d95f11212273c008788410c6e59e251589ce1cea5ff.exe
"C:\Users\Admin\AppData\Local\Temp\94fe30df66ffa19efb5d4d95f11212273c008788410c6e59e251589ce1cea5ff.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3952

C:\Users\Admin\AppData\Local\Temp\小马激活Oem7F7.exe
"C:\Users\Admin\AppData\Local\Temp\小马激活Oem7F7.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
PID:2704

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\7z.exe x C:\Users\Admin\AppData\Local\Temp\XMDownload -y -oC:\Users\Admin\AppData\Local\Temp\
3⤵
- Suspicious use of WriteProcessMemory
PID:3668

C:\Users\Admin\AppData\Local\Temp\7z.exe
C:\Users\Admin\AppData\Local\Temp\7z.exe x C:\Users\Admin\AppData\Local\Temp\XMDownload -y -oC:\Users\Admin\AppData\Local\Temp\
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3104

C:\Users\Admin\AppData\Local\Temp\Download\download\MiniTPFw.exe
C:\Users\Admin\AppData\Local\Temp\Download\download\MiniTPFw.exe
3⤵
- Executes dropped EXE
PID:3836

C:\Users\Admin\AppData\Local\Temp\Download\download\MiniThunderPlatform.exe
"C:\Users\Admin\AppData\Local\Temp\Download\download\MiniThunderPlatform.exe" -StartTP
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Users\Admin\AppData\Local\Temp\kuwo_jm951.exe
"C:\Users\Admin\AppData\Local\Temp\kuwo_jm951.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:540

C:\Users\Admin\AppData\Local\Temp\curl.exe
"C:\Users\Admin\AppData\Local\Temp\curl.exe" -d MiUwOTxTUkM6TVVTSUNfOS4xLjEuNl9QMlQxfEFDVDpJTlNUQUxMX0lORk98VFlQRTpTdGFydFNldHVwfFRDb3VudDozMDI0MTgxMnx7a3V3b19qbTk1MS5leGV9fFU6fE1BQzo1MkM1RTU4RENDMTQ+ http://log.kuwo.cn/music.yl -o C:\Users\Admin\AppData\Local\Temp\kuwomsglog.txt
4⤵
- Executes dropped EXE
PID:372

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\KwMusic.exe" 酷我音乐 ENABLE
4⤵
PID:1848

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\KwService.exe" 酷我核心服务 ENABLE
4⤵
PID:1820

C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\KwMusic.exe
"C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\KwMusic.exe" /autorun /nologauto
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4036

C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\KwService.exe
"C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\KwService.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3196

C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\KwWebKit.exe
"C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\KwWebKit.exe" --type=renderer --disable-gpu-compositing --no-sandbox --enable-begin-frame-scheduling --disable-direct-write --lang=en-US --lang=en-US --log-file="C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\debug.log" --log-severity=disable --enable-system-flash --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-gpu-compositing --channel="4036.0.426665358\687056398" /prefetch:1
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3032

C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\WriteMbox.exe
"C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\WriteMbox.exe"
5⤵
- Executes dropped EXE
PID:3644

C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\KWUpdate.exe
"C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\KWUpdate.exe" /kwsid=63440682 /kwver=MUSIC_9.1.1.6_P2T1
5⤵
- Executes dropped EXE
PID:4172

C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\KwConfig.exe
"C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\KwConfig.exe"
5⤵
- Executes dropped EXE
PID:3552

C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\KwUACSet.exe
--unzipnetsong
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3484

C:\Users\Admin\AppData\Local\Temp\curl.exe
"C:\Users\Admin\AppData\Local\Temp\curl.exe" -d MiUwOTxTUkM6TVVTSUNfOS4xLjEuNl9QMlQxfEFDVDpJTlNUQUxMX0lORk98U3VjOjF8RGlzcGxheUNvbXBsZXRlUGFnZTowfEhhc1Nob3dDaGVjazowfEhhc1VuQ2hlY2s6MHxIYXNTdGFydE11c2ljQm94OjB8RXhjcHRpb25BYm9ydDowLjJ8U0tJUFRZUEU6MHxBdXRvUnVuOjF8U3RhZ2U6OTN8SW5zdGFsbFRpY2s6MzAyNjU0MjF8RXhpdFR5cGU6MXxVVUlEOnxUQ291bnQ6MzAyNjg1Nzh8e2t1d29fam05NTEuZXhlfXxVOnxNQUM6NTJDNUU1OERDQzE0Pg== http://log.kuwo.cn/music.yl -o C:\Users\Admin\AppData\Local\Temp\kuwomsglog.txt
4⤵
- Executes dropped EXE
PID:3980

C:\Users\Admin\AppData\Local\Temp\QQPCMgr_1100122422.exe
"C:\Users\Admin\AppData\Local\Temp\QQPCMgr_1100122422.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1904

C:\Users\Admin\AppData\Local\Temp\TencentDownload\~1cd9f3b\PCMgr_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\TencentDownload\~1cd9f3b\PCMgr_Setup.exe" /S ##silence=1&handle=262722&update=1&supply=1100122422&forceinstall=1&qqpcmgr=0&DefaultIE=http://www.chn112.com&DownloadSetupInOne=2
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\SysWOW64\cacls.exe
"cacls" "C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215" /t /e /c /g SYSTEM:f
5⤵
PID:524

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QMBluerayInsHlp.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QMBluerayInsHlp.exe" /install
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QMBluerayInsHlpx64.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QMBluerayInsHlpx64.exe" /install
6⤵
- Executes dropped EXE
PID:672

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s /i "C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\\QMGCShellExt64.dll"
5⤵
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\system32\regsvr32.exe
/s /i "C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\\QMGCShellExt64.dll"
6⤵
- Modifies registry class
PID:1428

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QQPCSoftCmd.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QQPCSoftCmd.exe" /command=SetSimpleVersionConfig /SimpleVersion=2 /From=Installer
5⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3932

C:\Windows\SysWOW64\Netsh.exe
"C:\Windows\system32\Netsh.exe" exec "C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~1cdb9e7\firewallLog.txt"
5⤵
PID:3496

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QQPCRTP.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QQPCRTP.exe" -i
5⤵
- Executes dropped EXE
PID:984

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\npQMExtensionsIE.dll"
5⤵
- Modifies registry class
PID:3888

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}\iexplore\AllowedDomains\qq.com" /f
6⤵
PID:1392

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}\iexplore\AllowedDomains\baidu.com" /f
6⤵
PID:2900

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}\iexplore\AllowedDomains\xunlei.com" /f
6⤵
PID:3696

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}\iexplore\AllowedDomains\sogou.com" /f
6⤵
PID:1860

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}\iexplore" /v Flags /t reg_dword /d 4 /f
6⤵
PID:876

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}\iexplore\AllowedDomains\*" /f
6⤵
PID:988

C:\Windows\SysWOW64\reg.exe
reg delete "hkcr\CLSID\{29B6CFD5-0064-411A-8C42-9890C83F9922}" /f
6⤵
PID:1008

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}\iexplore\AllowedDomains\kugou.com" /f
6⤵
PID:3620

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\TSWebMon64.dat"
5⤵
PID:2204

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\TSWebMon64.dat"
6⤵
- Modifies registry class
PID:1624

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QMContextScan64.dll"
5⤵
PID:2316

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QMContextScan64.dll"
6⤵
- Modifies system executable filetype association
- Modifies registry class
PID:1640

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QMContextScan.dll"
5⤵
- Modifies system executable filetype association
- Modifies registry class
PID:3848

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QMContextUninstall64.dll"
5⤵
PID:1496

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QMContextUninstall64.dll"
6⤵
- Modifies system executable filetype association
- Modifies registry class
PID:224

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QMProxyHelper64.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QMProxyHelper64.exe" /Uninstall
5⤵
- Executes dropped EXE
PID:1160

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QMSuperScan.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\\QMSuperScan.exe"
5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\GameAssist_Setup.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\GameAssist_Setup.exe" /S ##silence=1&supplyid=3500
5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\SysWOW64\cacls.exe
"cacls" "C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.8265.138" /t /e /c /g SYSTEM:f
6⤵
PID:4372

C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.8265.138\QMProxyHelper64.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\Plugins\GameAssist\3.0.8265.138\QMProxyHelper64.exe" /Uninstall
6⤵
- Executes dropped EXE
PID:4732

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QQPCRTP.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QQPCRTP.exe" -e
5⤵
- Executes dropped EXE
PID:4212

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QQPCTray.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QQPCTray.exe" /loadexit /superfetch:1
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QQPCRTP.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QQPCRTP.exe" -s
5⤵
- Executes dropped EXE
PID:4348

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QQPCTray.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QQPCTray.exe" /regrun
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\InstallUninstallCube.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\\InstallUninstallCube.exe" "/verb=EndInstall" /sync=0000028c /pid=3664 "/temp=C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~1cdb9e7\" "/version=13.10.21935.215" /silence=1 /result=1
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~1cdb9e7\UpdateTrayIcon.exe
"C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~1cdb9e7\UpdateTrayIcon.exe" -t QQPCTray.exe -c 1 -p 1 -d "C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
PID:4644

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QQRepair.EXE
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QQRepair.EXE" /ext=5 /sid=-2147221500
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start QQPCRtp
5⤵
PID:4252

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start QQPCRtp
5⤵
PID:4248

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start QQPCRtp
5⤵
PID:4068

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start QQPCRtp
5⤵
PID:672

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start QQPCRtp
5⤵
PID:4920

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QQPCPatch.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QQPCPatch.exe"
5⤵
- Executes dropped EXE
PID:4784

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QQRepair.EXE
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QQRepair.EXE" /ext=5 /sid=-2147221502
4⤵
- Executes dropped EXE
PID:4692

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QMCheckNetwork.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QMCheckNetwork.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3392

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QMCheckNetwork.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QMCheckNetwork.exe" /AllChain
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:928

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QQPCRtp.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QQPCRtp.exe" -r
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QQPCTray.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QQPCTray.exe" /elevated /regrun
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies data under HKEY_USERS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- System policy modification
PID:4544

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QQRepair.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QQRepair.exe" /master
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:4112

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start QQPCRtp
4⤵
PID:4728

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start QQPCRtp
4⤵
PID:1640

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start QQPCRtp
4⤵
PID:3672

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start QQPCRtp
4⤵
PID:4684

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc.exe" start QQPCRtp
4⤵
PID:4868

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QQPCPatch.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QQPCPatch.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4916

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\qmdl.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\qmdl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" C:\Users\Admin\AppData\Roaming\Tencent\Config\ /t /setintegritylevel low
4⤵
- Modifies file permissions
PID:4728

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe "C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\TSWebMon64.dat" /s
3⤵
PID:1336

C:\Windows\system32\regsvr32.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\TSWebMon64.dat" /s
4⤵
- Modifies registry class
PID:3884

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QQPCRealTimeSpeedup.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QQPCRealTimeSpeedup.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\Plugin\QMBlueScreenFixSetup_13.10.21935.215__1619169878035.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\Plugin\QMBlueScreenFixSetup_13.10.21935.215__1619169878035.exe" /S
3⤵
- Executes dropped EXE
PID:5276

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\Plugin\QMRealTimeSpeedupSetup_13.10.21935.215__1619169878035.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\Plugin\QMRealTimeSpeedupSetup_13.10.21935.215__1619169878035.exe" /S
3⤵
- Executes dropped EXE
PID:5316

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QMGCShellExt64.dll"
3⤵
PID:5524

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QMGCShellExt64.dll"
4⤵
- Modifies registry class
PID:5540

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QMCheckNetwork.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QMCheckNetwork.exe"
3⤵
- Executes dropped EXE
PID:5968

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QMCheckNetwork.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QMCheckNetwork.exe" /AllChain
4⤵
- Executes dropped EXE
PID:5980

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\TSVulFixInc64.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\TSVulFixInc64.exe" /start=3
3⤵
- Executes dropped EXE
PID:6060

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QQPCSoftTrayTips.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\QQPCSoftTrayTips.exe" /scan_soft_analyze
3⤵
- Executes dropped EXE
PID:3520

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\VolSnapshotX64.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\VolSnapshotX64.exe" 00000003000000010501010000000000000205010000000000000003050150000000
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4136

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\VolSnapshotX64.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\VolSnapshotX64.exe" 00000003000000010501010000000000000205010000000000000003050150000000
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5828

C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\VolSnapshotX64.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\13.10.21935.215\VolSnapshotX64.exe" 00000003000000010501010000000000000205010000000000000003050150000000
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5872

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Browser Extensions

T1176

Change Default File Association

T1042

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\DuiLib.dll
Filesize
1018KB

MD5
f4aa39bd6c7845b6e1c3a5922e2f06a9

SHA1
48c16bf2c1b07d7626038cbf3d54ae949e971b7f

SHA256
11f01e321831fa5417568711bcc77609b6d809efe25afad116f43a5adc6f8a55

SHA512
055100f158c8d98c6c3b8c700e933baeaf59b4afea0c1874b09dc48bdb03792c7f95d11a45b50943dde5041d930bb5f39c84edacd0a6df6f0bc19895d0d94b6d

Download Submit
C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\KwMusic.exe
Filesize
633KB

MD5
9d8f56976f4bee9c113114c762f4e92d

SHA1
b7cf53fd88f60acdf46b17b36ef73b2adcb5af83

SHA256
6b1bd3bdb325c2b1b3f4b3e8e14c8db3967a9d4ce76cfe78b5d490f4233b7af1

SHA512
4213abd658a2954a62eb12a7db7b13d677733fe5b143ec9c787246089bfe50cd5aaa013c8ec65545a7d7be7c0d097a943b4ee94d093827ff98b001ef6a4cab41

Download Submit
C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\KwService.exe
Filesize
56KB

MD5
2f8711ee7c7c6c2aaca5a1cc68644d49

SHA1
ebc656daac09839455a67776e78fa5979007ebd3

SHA256
86deac76786e2bd4ac4534e6c051c06657a10ecf0651e490f423046a6a543be1

SHA512
0c7c41d0dbb02c1b50c63a395f2348a2c104194c37894077e1522867cbc6caf724f5b3aebf0edb9f086744180fe031cfef052a8dc9cf8a0361162128dd5f26e8

Download Submit
C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\MSVCP120.dll
Filesize
451KB

MD5
a34aed811909aae9262de05400a8f2a4

SHA1
43e91f7fedb04ef94b7d8b571408ea240ca5fd62

SHA256
4b0c0671495a3ea7ededb43ea4330b4b3e932be01eda42e58c20b1b6bf26e5e9

SHA512
590bd85cf61c682ebfcc52c598afb2c8d1050cfa9a2b912ece3acd6f2760b7799f26837aede88190b10cd9127c68af08a1c481edd8770845404aaa128422b9c9

Download Submit
C:\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\kwmusic.exe
Filesize
633KB

MD5
9d8f56976f4bee9c113114c762f4e92d

SHA1
b7cf53fd88f60acdf46b17b36ef73b2adcb5af83

SHA256
6b1bd3bdb325c2b1b3f4b3e8e14c8db3967a9d4ce76cfe78b5d490f4233b7af1

SHA512
4213abd658a2954a62eb12a7db7b13d677733fe5b143ec9c787246089bfe50cd5aaa013c8ec65545a7d7be7c0d097a943b4ee94d093827ff98b001ef6a4cab41

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll
Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe
Filesize
160KB

MD5
a51d90f2f9394f5ea0a3acae3bd2b219

SHA1
20fea1314dbed552d5fedee096e2050369172ee1

SHA256
ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f

SHA512
c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe
Filesize
160KB

MD5
a51d90f2f9394f5ea0a3acae3bd2b219

SHA1
20fea1314dbed552d5fedee096e2050369172ee1

SHA256
ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f

SHA512
c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Download\download\ATL71.DLL
Filesize
87KB

MD5
79cb6457c81ada9eb7f2087ce799aaa7

SHA1
322ddde439d9254182f5945be8d97e9d897561ae

SHA256
a68e1297fae2bcf854b47ffa444f490353028de1fa2ca713b6cf6cc5aa22b88a

SHA512
eca4b91109d105b2ce8c40710b8e3309c4cc944194843b7930e06daf3d1df6ae85c1b7063036c7e5cd10276e5e5535b33e49930adbad88166228316283d011b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Download\download\MSVCP71.dll
Filesize
492KB

MD5
a94dc60a90efd7a35c36d971e3ee7470

SHA1
f936f612bc779e4ba067f77514b68c329180a380

SHA256
6c483cbe349863c7dcf6f8cb7334e7d28c299e7d5aa063297ea2f62352f6bdd9

SHA512
ff6c41d56337cac074582002d60cbc57263a31480c67ee8999bc02fc473b331eefed93ee938718d297877cf48471c7512741b4aebc0636afc78991cdf6eddfab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Download\download\MSVCR71.dll
Filesize
340KB

MD5
ca2f560921b7b8be1cf555a5a18d54c3

SHA1
432dbcf54b6f1142058b413a9d52668a2bde011d

SHA256
c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb

SHA512
23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Download\download\MiniTPFw.exe
Filesize
58KB

MD5
58bb62e88687791ad2ea5d8d6e3fe18b

SHA1
0ffb029064741d10c9cf3f629202aa97167883de

SHA256
f02fa7ddab2593492b9b68e3f485e59eb755380a9235f6269705f6d219dff100

SHA512
cd36b28f87be9cf718f0c44bf7c500d53186edc08889bcfa5222041ff31c5cbee509b186004480efbd99c36b2233182ae0969447f4051510e1771a73ed209da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Download\download\MiniTPFw.exe
Filesize
58KB

MD5
58bb62e88687791ad2ea5d8d6e3fe18b

SHA1
0ffb029064741d10c9cf3f629202aa97167883de

SHA256
f02fa7ddab2593492b9b68e3f485e59eb755380a9235f6269705f6d219dff100

SHA512
cd36b28f87be9cf718f0c44bf7c500d53186edc08889bcfa5222041ff31c5cbee509b186004480efbd99c36b2233182ae0969447f4051510e1771a73ed209da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Download\download\MiniThunderPlatform.exe
Filesize
262KB

MD5
9f1d3dfac55080c712c0281fb2eeeb47

SHA1
9109f9457f811d8d0e887469ffc9c2af793e8090

SHA256
a5622e2bf46cc2ec90c4dca70372f051bfb5bf55da3788b5dfca9429529d285b

SHA512
7e2df7f2aff2d95ca1dbe0dfb7c8c9388c7e8c023c8b9af9b6997140cefcca63fe5980a438b70da03ab6672c94033fb4e50d407c54530b5ce0b9169c39c50879

Download Submit
C:\Users\Admin\AppData\Local\Temp\Download\download\MiniThunderPlatform.exe
Filesize
262KB

MD5
9f1d3dfac55080c712c0281fb2eeeb47

SHA1
9109f9457f811d8d0e887469ffc9c2af793e8090

SHA256
a5622e2bf46cc2ec90c4dca70372f051bfb5bf55da3788b5dfca9429529d285b

SHA512
7e2df7f2aff2d95ca1dbe0dfb7c8c9388c7e8c023c8b9af9b6997140cefcca63fe5980a438b70da03ab6672c94033fb4e50d407c54530b5ce0b9169c39c50879

Download Submit
C:\Users\Admin\AppData\Local\Temp\Download\download\XLBugHandler.dll
Filesize
98KB

MD5
92154e720998acb6fa0f7bad63309470

SHA1
385817793b9f894ca3dd3bac20b269652df6cbc6

SHA256
1845df41da539bca264f59365bf7453b686b9098cc94cd0e2b9a20c74a561096

SHA512
37ba81f338af7de7ef2ac6bcf67b3aec96f9b748830ee3c0b152029871f7701e917b94a6b51acd7be6f8f02aea2b25f3b14ced1a218bf4868af04f5207bb5fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Download\download\XLBugReport.exe
Filesize
242KB

MD5
67c767470d0893c4a2e46be84c9afcbb

SHA1
00291089b13a93f82ee49a11156521f13ea605cd

SHA256
64f8d68cc1cfc5b9cc182df3becf704af93d0f1cc93ee59dbf682c75b6d4ffc0

SHA512
d5d3a96dec616b0ab0cd0586fa0cc5a10ba662e0d5e4de4d849ac62ca5d60ec133f54d109d1d130b5f99ae73e7abfb284ec7d5ba55dca1a4f354c6af73c00e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Download\download\dl_peer_id.dll
Filesize
89KB

MD5
dba9a19752b52943a0850a7e19ac600a

SHA1
3485ac30cd7340eccb0457bca37cf4a6dfda583d

SHA256
69a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26

SHA512
a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Download\download\download_engine.dll
Filesize
3.3MB

MD5
e164d5cc3d566708caf1aa2c0e842347

SHA1
52346ebc204cedee1f1f45e36da46267fc081ac7

SHA256
3245995a4d7417a8dffff27f416f8c2f8ae15eb9d8a57a6cd371f366f2c9b808

SHA512
08a65b118b791f537ae0d445a484889e57a6ae955917de92de79feef3ba01c52147824b5cc3d298d3413cb2ff140535e51182a63c1e4bef97dde3c0025634e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Download\download\id.dat
Filesize
40B

MD5
d0aee12037dae8b448b5b5df98ed21c5

SHA1
14bf7765e5df943991b04b44764dfd6288c4876c

SHA256
4e74a22c6a0e43fc4afe7414e63145e8b37e3ebde2dad3ec46ee9f085e4a306f

SHA512
06c8f20fac11f9d39a0d8e5f1fe21237433f8fb7ef7e12fb563d57d42171d41a0ddf4c5c3ce9866f177c5c3118530028d75383eb21c67a1d7c323b3ae38c57a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Download\download\zlib1.dll
Filesize
58KB

MD5
89f6488524eaa3e5a66c5f34f3b92405

SHA1
330f9f6da03ae96dfa77dd92aae9a294ead9c7f7

SHA256
bd29d2b1f930e4b660adf71606d1b9634188b7160a704a8d140cadafb46e1e56

SHA512
cfe72872c89c055d59d4de07a3a14cd84a7e0a12f166e018748b9674045b694793b6a08863e791be4f9095a34471fd6abe76828dc8c653be8c66923a5802b31e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Download\xldl.dll
Filesize
282KB

MD5
69fa23f05b7200185eba28f8ee5c5d89

SHA1
247bc859c90175d94d397f96af896168516af861

SHA256
62a7dacc4f1614995c2121e308de94418768571b80b8cdf1f80a2b0050df2567

SHA512
a5b6c8852c0a06d84bde38e4b460df3a8df6c59ad00f0e5926af511af15e12b72e8c2de2695de32b630203ded7ae503c60ae5f567780f58d77dc8e0c16e2ec04

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQPCMgr_1100122422.exe
Filesize
93.9MB

MD5
b15528bb954cd7f407e29450faf773d9

SHA1
af0195611b6850238c67dd390bd485e23e53b90b

SHA256
5bf4bec9b7fb39b07841061db20d28165b4e9671ff4cc89e49238c0d39bc0253

SHA512
686d6d2523ffd6d4c3790eb21f8d8aa2b0c6804ee5b662b63935376fb495c3419e8318d73dafe8431f49eff8aa858c60b56d1c1896a7f817c481ee32a7096997

Download Submit
C:\Users\Admin\AppData\Local\Temp\TencentDownload\~1cd9f3b\PCMgr_Setup.exe
Filesize
92.7MB

MD5
e36629a1f68ec3690102245d743f6572

SHA1
1c0475d3f29d74a9a437b5fca2afbc1083b865d5

SHA256
b2bb3c22390eaedc3dd93d3aa180c86396cd33aecb976bccf3105fb083cd2967

SHA512
2e66be481d34ac517b1ad47194d477423ab296397ec5b3ae8221e0568331eb7f44a507cb6e4b623026cb16045e4ccc20c4e3471bc8feb2513c4413c45d35aed8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TencentDownload\~1cd9f3b\PCMgr_Setup.exe
Filesize
92.7MB

MD5
e36629a1f68ec3690102245d743f6572

SHA1
1c0475d3f29d74a9a437b5fca2afbc1083b865d5

SHA256
b2bb3c22390eaedc3dd93d3aa180c86396cd33aecb976bccf3105fb083cd2967

SHA512
2e66be481d34ac517b1ad47194d477423ab296397ec5b3ae8221e0568331eb7f44a507cb6e4b623026cb16045e4ccc20c4e3471bc8feb2513c4413c45d35aed8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XMDownload
Filesize
2.1MB

MD5
0eda2c01efb500d88c92c3be306e0910

SHA1
b9933537a1b314842bf3b56412d32be2ce48fbb6

SHA256
861cfede51bb8bb3e39bb428bbe88ff87245ef7a46aa0546b65410bc36f4653e

SHA512
00e7eed1d665984515926e3f5036ed6ca040a55bdeef271ef8841b2dd55ba0af23469fcfe56854e67a96ae466cc93a0550c8bd2ceac0e8f8909497c42cf1be64

Download Submit
C:\Users\Admin\AppData\Local\Temp\curl.exe
Filesize
659KB

MD5
6b535f795bf0325178a4df17ce4ad09c

SHA1
66b9bcd039653ca654d779ebf40109ae4cd1d818

SHA256
264d69e8a7ca1afcdf4179429d74a9098187c3f8a5e06080d2758682313a42b4

SHA512
e3b0323570ef1faf4284e8199f0b0f9f2de8d49bcca63bc15890254221e0dccfc327d9ebb754b4c98d5e51771c732589f5ad43c7d09b11d8e8848317c2793f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\curl.exe
Filesize
659KB

MD5
6b535f795bf0325178a4df17ce4ad09c

SHA1
66b9bcd039653ca654d779ebf40109ae4cd1d818

SHA256
264d69e8a7ca1afcdf4179429d74a9098187c3f8a5e06080d2758682313a42b4

SHA512
e3b0323570ef1faf4284e8199f0b0f9f2de8d49bcca63bc15890254221e0dccfc327d9ebb754b4c98d5e51771c732589f5ad43c7d09b11d8e8848317c2793f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kuwo_jm951.exe
Filesize
44.8MB

MD5
9c4d344d15d89b0e158a6246a78e7eaa

SHA1
42014ee3a40327d26d8b4d5db174f33ae4940d9f

SHA256
72bd768856271b2532beeaa340578e35fb0d8ce0b9366b61fe55414d1e0b0bb7

SHA512
368ebce770b29521d92ea3394a30e6665264e7b974f7ba83ecdb3fcdc94fa1275e034a59388228720d6224a9f8107d3d31405e596251e42b341c390f90c63ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\小马激活Oem7F7.exe
Filesize
881KB

MD5
2b13b58ccbb7f3ce02c9bf957f7f529e

SHA1
ee82d4425ce1f6d5193822139a5f0abc8883cf38

SHA256
ef1edc756d5635b96d1700223a31c71bf3b1020222de4ee184161b44b16221ec

SHA512
b5e620e3ad4efe93359996e31240a90fb78968c0c27d14301427d6cdf93f22aa2c33e59f4b88e23803f2dd62d5801772bde0247675005b1649ef64edb6eff6be

Download Submit
C:\Users\Admin\AppData\Local\Temp\小马激活Oem7F7.exe
Filesize
881KB

MD5
2b13b58ccbb7f3ce02c9bf957f7f529e

SHA1
ee82d4425ce1f6d5193822139a5f0abc8883cf38

SHA256
ef1edc756d5635b96d1700223a31c71bf3b1020222de4ee184161b44b16221ec

SHA512
b5e620e3ad4efe93359996e31240a90fb78968c0c27d14301427d6cdf93f22aa2c33e59f4b88e23803f2dd62d5801772bde0247675005b1649ef64edb6eff6be

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db
Filesize
190B

MD5
fcd8e070efeb7fb2c2d612c6313ae52e

SHA1
1020e76825cef5fe805c22770e8f36a5794ff75a

SHA256
9d37d49a8b720a275c177655aa141f6dbc037035a2c51ce58547b251cfcc8cfd

SHA512
bdb1ad0659ad2fafbbd0a27a4e18cb1729e700b076fff05d02d8817846cea4ebf2c8ceec3cba2a701cb857c80a3213a389ec16fd4fb429a57760912fa8d1d494

Download Submit
\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\DuiLib.dll
Filesize
1018KB

MD5
f4aa39bd6c7845b6e1c3a5922e2f06a9

SHA1
48c16bf2c1b07d7626038cbf3d54ae949e971b7f

SHA256
11f01e321831fa5417568711bcc77609b6d809efe25afad116f43a5adc6f8a55

SHA512
055100f158c8d98c6c3b8c700e933baeaf59b4afea0c1874b09dc48bdb03792c7f95d11a45b50943dde5041d930bb5f39c84edacd0a6df6f0bc19895d0d94b6d

Download Submit
\Program Files (x86)\kuwo\kuwomusic\9.1.1.6_P2T1\bin\msvcp120.dll
Filesize
451KB

MD5
a34aed811909aae9262de05400a8f2a4

SHA1
43e91f7fedb04ef94b7d8b571408ea240ca5fd62

SHA256
4b0c0671495a3ea7ededb43ea4330b4b3e932be01eda42e58c20b1b6bf26e5e9

SHA512
590bd85cf61c682ebfcc52c598afb2c8d1050cfa9a2b912ece3acd6f2760b7799f26837aede88190b10cd9127c68af08a1c481edd8770845404aaa128422b9c9

Download Submit
\Users\Admin\AppData\Local\Temp\7z.dll
Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
\Users\Admin\AppData\Local\Temp\Download\download\XLBugHandler.dll
Filesize
98KB

MD5
92154e720998acb6fa0f7bad63309470

SHA1
385817793b9f894ca3dd3bac20b269652df6cbc6

SHA256
1845df41da539bca264f59365bf7453b686b9098cc94cd0e2b9a20c74a561096

SHA512
37ba81f338af7de7ef2ac6bcf67b3aec96f9b748830ee3c0b152029871f7701e917b94a6b51acd7be6f8f02aea2b25f3b14ced1a218bf4868af04f5207bb5fff

Download Submit
\Users\Admin\AppData\Local\Temp\Download\download\atl71.dll
Filesize
87KB

MD5
79cb6457c81ada9eb7f2087ce799aaa7

SHA1
322ddde439d9254182f5945be8d97e9d897561ae

SHA256
a68e1297fae2bcf854b47ffa444f490353028de1fa2ca713b6cf6cc5aa22b88a

SHA512
eca4b91109d105b2ce8c40710b8e3309c4cc944194843b7930e06daf3d1df6ae85c1b7063036c7e5cd10276e5e5535b33e49930adbad88166228316283d011b8

Download Submit
\Users\Admin\AppData\Local\Temp\Download\download\dl_peer_id.dll
Filesize
89KB

MD5
dba9a19752b52943a0850a7e19ac600a

SHA1
3485ac30cd7340eccb0457bca37cf4a6dfda583d

SHA256
69a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26

SHA512
a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3

Download Submit
\Users\Admin\AppData\Local\Temp\Download\download\dl_peer_id.dll
Filesize
89KB

MD5
dba9a19752b52943a0850a7e19ac600a

SHA1
3485ac30cd7340eccb0457bca37cf4a6dfda583d

SHA256
69a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26

SHA512
a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3

Download Submit
\Users\Admin\AppData\Local\Temp\Download\download\download_engine.dll
Filesize
3.3MB

MD5
e164d5cc3d566708caf1aa2c0e842347

SHA1
52346ebc204cedee1f1f45e36da46267fc081ac7

SHA256
3245995a4d7417a8dffff27f416f8c2f8ae15eb9d8a57a6cd371f366f2c9b808

SHA512
08a65b118b791f537ae0d445a484889e57a6ae955917de92de79feef3ba01c52147824b5cc3d298d3413cb2ff140535e51182a63c1e4bef97dde3c0025634e54

Download Submit
\Users\Admin\AppData\Local\Temp\Download\download\download_engine.dll
Filesize
3.3MB

MD5
e164d5cc3d566708caf1aa2c0e842347

SHA1
52346ebc204cedee1f1f45e36da46267fc081ac7

SHA256
3245995a4d7417a8dffff27f416f8c2f8ae15eb9d8a57a6cd371f366f2c9b808

SHA512
08a65b118b791f537ae0d445a484889e57a6ae955917de92de79feef3ba01c52147824b5cc3d298d3413cb2ff140535e51182a63c1e4bef97dde3c0025634e54

Download Submit
\Users\Admin\AppData\Local\Temp\Download\download\msvcp71.dll
Filesize
492KB

MD5
a94dc60a90efd7a35c36d971e3ee7470

SHA1
f936f612bc779e4ba067f77514b68c329180a380

SHA256
6c483cbe349863c7dcf6f8cb7334e7d28c299e7d5aa063297ea2f62352f6bdd9

SHA512
ff6c41d56337cac074582002d60cbc57263a31480c67ee8999bc02fc473b331eefed93ee938718d297877cf48471c7512741b4aebc0636afc78991cdf6eddfab

Download Submit
\Users\Admin\AppData\Local\Temp\Download\download\msvcr71.dll
Filesize
340KB

MD5
ca2f560921b7b8be1cf555a5a18d54c3

SHA1
432dbcf54b6f1142058b413a9d52668a2bde011d

SHA256
c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb

SHA512
23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

Download Submit
\Users\Admin\AppData\Local\Temp\Download\download\msvcr71.dll
Filesize
340KB

MD5
ca2f560921b7b8be1cf555a5a18d54c3

SHA1
432dbcf54b6f1142058b413a9d52668a2bde011d

SHA256
c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb

SHA512
23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

Download Submit
\Users\Admin\AppData\Local\Temp\Download\download\zlib1.dll
Filesize
58KB

MD5
89f6488524eaa3e5a66c5f34f3b92405

SHA1
330f9f6da03ae96dfa77dd92aae9a294ead9c7f7

SHA256
bd29d2b1f930e4b660adf71606d1b9634188b7160a704a8d140cadafb46e1e56

SHA512
cfe72872c89c055d59d4de07a3a14cd84a7e0a12f166e018748b9674045b694793b6a08863e791be4f9095a34471fd6abe76828dc8c653be8c66923a5802b31e

Download Submit
\Users\Admin\AppData\Local\Temp\Download\xldl.dll
Filesize
282KB

MD5
69fa23f05b7200185eba28f8ee5c5d89

SHA1
247bc859c90175d94d397f96af896168516af861

SHA256
62a7dacc4f1614995c2121e308de94418768571b80b8cdf1f80a2b0050df2567

SHA512
a5b6c8852c0a06d84bde38e4b460df3a8df6c59ad00f0e5926af511af15e12b72e8c2de2695de32b630203ded7ae503c60ae5f567780f58d77dc8e0c16e2ec04

Download Submit
\Users\Admin\AppData\Local\Temp\TencentDownload\~1cd9f3b\QQPCDownload.dll
Filesize
1.1MB

MD5
2f10670810f8260d8046f84a6c021ded

SHA1
5d9b2cd70cdf49ba129f86028fd3984875b7a643

SHA256
86ed0a152f943ea22e7785703180c3f32cb70aba4d89418682c689efbc8642da

SHA512
f079c76b43bec422bcbefc24e8130e9bcaf2b1f651111efefe3418edb96bd57fe6940a66a1e6cca1ebf12bbc1460f099e4e4f52d0a878bc36d5301f82f9e3c13

Download Submit
\Users\Admin\AppData\Local\Temp\nst6F05.tmp\InstLancher.dll
Filesize
1.7MB

MD5
34939bd7a20c7c6800ad7977a1f0b1da

SHA1
eda1d13f48d1828ba7c46496f2056fac633d01a7

SHA256
7d43f7ea7111a109e5193f9670b11a73d3a8819a5753ae9ef4ce3205af908c98

SHA512
46c77ae746c6fd2e4283681d1af3dda58dbe04f854760ee8fe4cbb9d2890278951d229d9ee90373d120ae6fc7ad0f96bd0bc3f9c2489128bf887e40bbb5d8d3f

Download Submit
\Users\Admin\AppData\Local\Temp\nst6F05.tmp\KuWoNsis_new.dll
Filesize
298KB

MD5
82f572276aff5f06f55240323ad8d267

SHA1
0eeef4b8aa4787a3912522187855c8c0743bbca5

SHA256
5f901e526effe89e783eb4acfdec0f485a465a98b9069d0b13ffd5e2ed73adfe

SHA512
b29a1faa150dbe70b2cffccb233d25548c812a2f773e031b76d9de314bc33ad4dad69b821f315535dc0afdcf0e6e5749d6487ff9eecac927999b93906ec15c0b

Download Submit
\Users\Admin\AppData\Local\Temp\nst6F05.tmp\KuWoNsis_new.dll
Filesize
298KB

MD5
82f572276aff5f06f55240323ad8d267

SHA1
0eeef4b8aa4787a3912522187855c8c0743bbca5

SHA256
5f901e526effe89e783eb4acfdec0f485a465a98b9069d0b13ffd5e2ed73adfe

SHA512
b29a1faa150dbe70b2cffccb233d25548c812a2f773e031b76d9de314bc33ad4dad69b821f315535dc0afdcf0e6e5749d6487ff9eecac927999b93906ec15c0b

Download Submit
\Users\Admin\AppData\Local\Temp\nst6F05.tmp\KuWoNsis_new.dll
Filesize
298KB

MD5
82f572276aff5f06f55240323ad8d267

SHA1
0eeef4b8aa4787a3912522187855c8c0743bbca5

SHA256
5f901e526effe89e783eb4acfdec0f485a465a98b9069d0b13ffd5e2ed73adfe

SHA512
b29a1faa150dbe70b2cffccb233d25548c812a2f773e031b76d9de314bc33ad4dad69b821f315535dc0afdcf0e6e5749d6487ff9eecac927999b93906ec15c0b

Download Submit
\Users\Admin\AppData\Local\Temp\nst6F05.tmp\KuWoNsis_new.dll
Filesize
298KB

MD5
82f572276aff5f06f55240323ad8d267

SHA1
0eeef4b8aa4787a3912522187855c8c0743bbca5

SHA256
5f901e526effe89e783eb4acfdec0f485a465a98b9069d0b13ffd5e2ed73adfe

SHA512
b29a1faa150dbe70b2cffccb233d25548c812a2f773e031b76d9de314bc33ad4dad69b821f315535dc0afdcf0e6e5749d6487ff9eecac927999b93906ec15c0b

Download Submit
\Users\Admin\AppData\Local\Temp\nst6F05.tmp\KuWoNsis_new.dll
Filesize
298KB

MD5
82f572276aff5f06f55240323ad8d267

SHA1
0eeef4b8aa4787a3912522187855c8c0743bbca5

SHA256
5f901e526effe89e783eb4acfdec0f485a465a98b9069d0b13ffd5e2ed73adfe

SHA512
b29a1faa150dbe70b2cffccb233d25548c812a2f773e031b76d9de314bc33ad4dad69b821f315535dc0afdcf0e6e5749d6487ff9eecac927999b93906ec15c0b

Download Submit
\Users\Admin\AppData\Local\Temp\nst6F05.tmp\KuWoNsis_new.dll
Filesize
298KB

MD5
82f572276aff5f06f55240323ad8d267

SHA1
0eeef4b8aa4787a3912522187855c8c0743bbca5

SHA256
5f901e526effe89e783eb4acfdec0f485a465a98b9069d0b13ffd5e2ed73adfe

SHA512
b29a1faa150dbe70b2cffccb233d25548c812a2f773e031b76d9de314bc33ad4dad69b821f315535dc0afdcf0e6e5749d6487ff9eecac927999b93906ec15c0b

Download Submit
\Users\Admin\AppData\Local\Temp\nst6F05.tmp\KuWoNsis_new.dll
Filesize
298KB

MD5
82f572276aff5f06f55240323ad8d267

SHA1
0eeef4b8aa4787a3912522187855c8c0743bbca5

SHA256
5f901e526effe89e783eb4acfdec0f485a465a98b9069d0b13ffd5e2ed73adfe

SHA512
b29a1faa150dbe70b2cffccb233d25548c812a2f773e031b76d9de314bc33ad4dad69b821f315535dc0afdcf0e6e5749d6487ff9eecac927999b93906ec15c0b

Download Submit
\Users\Admin\AppData\Local\Temp\nst6F05.tmp\KuWoNsis_new.dll
Filesize
298KB

MD5
82f572276aff5f06f55240323ad8d267

SHA1
0eeef4b8aa4787a3912522187855c8c0743bbca5

SHA256
5f901e526effe89e783eb4acfdec0f485a465a98b9069d0b13ffd5e2ed73adfe

SHA512
b29a1faa150dbe70b2cffccb233d25548c812a2f773e031b76d9de314bc33ad4dad69b821f315535dc0afdcf0e6e5749d6487ff9eecac927999b93906ec15c0b

Download Submit
\Users\Admin\AppData\Local\Temp\nst6F05.tmp\KuWoNsis_new.dll
Filesize
298KB

MD5
82f572276aff5f06f55240323ad8d267

SHA1
0eeef4b8aa4787a3912522187855c8c0743bbca5

SHA256
5f901e526effe89e783eb4acfdec0f485a465a98b9069d0b13ffd5e2ed73adfe

SHA512
b29a1faa150dbe70b2cffccb233d25548c812a2f773e031b76d9de314bc33ad4dad69b821f315535dc0afdcf0e6e5749d6487ff9eecac927999b93906ec15c0b

Download Submit
\Users\Admin\AppData\Local\Temp\nst6F05.tmp\KuWoNsis_new.dll
Filesize
298KB

MD5
82f572276aff5f06f55240323ad8d267

SHA1
0eeef4b8aa4787a3912522187855c8c0743bbca5

SHA256
5f901e526effe89e783eb4acfdec0f485a465a98b9069d0b13ffd5e2ed73adfe

SHA512
b29a1faa150dbe70b2cffccb233d25548c812a2f773e031b76d9de314bc33ad4dad69b821f315535dc0afdcf0e6e5749d6487ff9eecac927999b93906ec15c0b

Download Submit
\Users\Admin\AppData\Local\Temp\nst6F05.tmp\KuWoNsis_new.dll
Filesize
298KB

MD5
82f572276aff5f06f55240323ad8d267

SHA1
0eeef4b8aa4787a3912522187855c8c0743bbca5

SHA256
5f901e526effe89e783eb4acfdec0f485a465a98b9069d0b13ffd5e2ed73adfe

SHA512
b29a1faa150dbe70b2cffccb233d25548c812a2f773e031b76d9de314bc33ad4dad69b821f315535dc0afdcf0e6e5749d6487ff9eecac927999b93906ec15c0b

Download Submit
\Users\Admin\AppData\Local\Temp\nst6F05.tmp\KuWoNsis_new.dll
Filesize
298KB

MD5
82f572276aff5f06f55240323ad8d267

SHA1
0eeef4b8aa4787a3912522187855c8c0743bbca5

SHA256
5f901e526effe89e783eb4acfdec0f485a465a98b9069d0b13ffd5e2ed73adfe

SHA512
b29a1faa150dbe70b2cffccb233d25548c812a2f773e031b76d9de314bc33ad4dad69b821f315535dc0afdcf0e6e5749d6487ff9eecac927999b93906ec15c0b

Download Submit
\Users\Admin\AppData\Local\Temp\nst6F05.tmp\KwMusicNsis.dll
Filesize
419KB

MD5
06029e624f1d222e59ac641b2ce426b6

SHA1
6ba2875bee2eae79c0e1eaa8aa236038c8db6044

SHA256
09fb37e917faea5c966bc3418d1d7e46e3d0b9912cadd56486ba5bb5ac0f7b10

SHA512
516c04cfc31204879a0c938961208416ddd4ca7204606d630abe860c81422aa1316e45e29669ba01a7506af3f05284395c7c46524f2e73f36d3b4274203de70b

Download Submit
\Users\Admin\AppData\Local\Temp\nst6F05.tmp\KwUnzip.dll
Filesize
157KB

MD5
a807ee958f2ef0f5aed5c97c7df56f90

SHA1
61c69bf8f0481ed2fea0506533a84584ee8053dc

SHA256
8643d35c7023f766fffaf472d6407610fa541fef9af6936051274e764bd835d4

SHA512
4d103a6eaba17ac974f8150e84fa5ffcdd8559ba82916f8df779394ef2357f7185fa9291a3ec607c0bb963ab848d2d29d0ee9fa2ffa41908047ee9fc7d6ed8ba

Download Submit
\Users\Admin\AppData\Local\Temp\nst6F05.tmp\System.dll
Filesize
11KB

MD5
7df8fb4196186f28cb308f9952d7ef64

SHA1
f20a7259ad233ac3795b6e6537de658209a8fd40

SHA256
72253837028abed272e5d50a3a6771933e9dd1aad73e90b8db4538aa9c786cbf

SHA512
3f373d69664ce015ceab16c12ba4c806c3489b89ae9db282551ec2452acd2ced1d70ddd4de0ef8c56d62a715624c9d2ceddc968adf07e905f2e4c81c2850ae4b

Download Submit
\Users\Admin\AppData\Local\Temp\nst6F05.tmp\inetc.dll
Filesize
61KB

MD5
8bde726084a37cacd13a7e03259f953f

SHA1
25400124fe8b399d659d5853f45e388a5a53b61a

SHA256
19a8e8aaa8a8d6c6e49ffd054b1c62f562eda5909aa6e7863c65c5f858f5fd18

SHA512
2f4932fade786312ba72c0f12d51bb1e561fd939597983dceccc0f0d7a53f18862f362473620c0788be039bb4977f0e23b541c61d67ab0ba9a043be963694b23

Download Submit
memory/224-358-0x0000000000000000-mapping.dmp

Download
memory/372-165-0x0000000000000000-mapping.dmp

Download
memory/524-271-0x0000000000000000-mapping.dmp

Download
memory/540-274-0x0000000000000000-mapping.dmp

Download
memory/540-154-0x0000000000000000-mapping.dmp

Download
memory/540-159-0x00000000068B0000-0x00000000068FC000-memory.dmp

Filesize
304KB

Download
memory/540-170-0x0000000007110000-0x000000000715C000-memory.dmp

Filesize
304KB

Download
memory/672-273-0x0000000000000000-mapping.dmp

Download
memory/876-352-0x0000000000000000-mapping.dmp

Download
memory/928-364-0x0000000000000000-mapping.dmp

Download
memory/984-343-0x0000000000000000-mapping.dmp

Download
memory/988-361-0x0000000000000000-mapping.dmp

Download
memory/1008-362-0x0000000000000000-mapping.dmp

Download
memory/1160-353-0x0000000000000000-mapping.dmp

Download
memory/1392-351-0x0000000000000000-mapping.dmp

Download
memory/1428-275-0x0000000000000000-mapping.dmp

Download
memory/1496-350-0x0000000000000000-mapping.dmp

Download
memory/1576-272-0x0000000000000000-mapping.dmp

Download
memory/1624-349-0x0000000000000000-mapping.dmp

Download
memory/1636-365-0x0000000000000000-mapping.dmp

Download
memory/1640-528-0x0000000000000000-mapping.dmp

Download
memory/1640-354-0x0000000000000000-mapping.dmp

Download
memory/1820-182-0x0000000000000000-mapping.dmp

Download
memory/1848-180-0x0000000000000000-mapping.dmp

Download
memory/1860-357-0x0000000000000000-mapping.dmp

Download
memory/1904-174-0x0000000000000000-mapping.dmp

Download
memory/2204-346-0x0000000000000000-mapping.dmp

Download
memory/2316-347-0x0000000000000000-mapping.dmp

Download
memory/2704-114-0x0000000000000000-mapping.dmp

Download
memory/2900-355-0x0000000000000000-mapping.dmp

Download
memory/3032-251-0x0000000000000000-mapping.dmp

Download
memory/3032-258-0x000000003F000000-0x000000003F001000-memory.dmp

Filesize
4KB

Download
memory/3032-254-0x0000000036330000-0x0000000036340000-memory.dmp

Filesize
64KB

Download
memory/3104-118-0x0000000000000000-mapping.dmp

Download
memory/3196-240-0x0000000000BD0000-0x0000000000BFA000-memory.dmp

Filesize
168KB

Download
memory/3196-225-0x0000000000000000-mapping.dmp

Download
memory/3196-237-0x0000000000B50000-0x0000000000B5D000-memory.dmp

Filesize
52KB

Download
memory/3196-236-0x0000000000B20000-0x0000000000B46000-memory.dmp

Filesize
152KB

Download
memory/3196-238-0x0000000000B70000-0x0000000000B81000-memory.dmp

Filesize
68KB

Download
memory/3196-227-0x0000000000580000-0x00000000005F5000-memory.dmp

Filesize
468KB

Download
memory/3196-228-0x00000000001D0000-0x00000000001E9000-memory.dmp

Filesize
100KB

Download
memory/3196-267-0x0000000003BC0000-0x0000000003BD5000-memory.dmp

Filesize
84KB

Download
memory/3196-245-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/3196-265-0x0000000003840000-0x0000000003868000-memory.dmp

Filesize
160KB

Download
memory/3196-263-0x0000000003800000-0x000000000382D000-memory.dmp

Filesize
180KB

Download
memory/3196-233-0x00000000009B0000-0x00000000009CA000-memory.dmp

Filesize
104KB

Download
memory/3196-262-0x00000000037C0000-0x00000000037DE000-memory.dmp

Filesize
120KB

Download
memory/3196-232-0x0000000000980000-0x00000000009AF000-memory.dmp

Filesize
188KB

Download
memory/3196-255-0x0000000002F10000-0x0000000002F3D000-memory.dmp

Filesize
180KB

Download
memory/3196-231-0x0000000000900000-0x0000000000973000-memory.dmp

Filesize
460KB

Download
memory/3196-260-0x00000000034B0000-0x00000000034C5000-memory.dmp

Filesize
84KB

Download
memory/3196-261-0x00000000034F0000-0x00000000034FF000-memory.dmp

Filesize
60KB

Download
memory/3392-363-0x0000000000000000-mapping.dmp

Download
memory/3496-342-0x0000000000000000-mapping.dmp

Download
memory/3620-359-0x0000000000000000-mapping.dmp

Download
memory/3644-268-0x0000000000000000-mapping.dmp

Download
memory/3656-360-0x0000000000000000-mapping.dmp

Download
memory/3664-177-0x0000000000000000-mapping.dmp

Download
memory/3668-117-0x0000000000000000-mapping.dmp

Download
memory/3672-529-0x0000000000000000-mapping.dmp

Download
memory/3696-356-0x0000000000000000-mapping.dmp

Download
memory/3780-147-0x00000000026D0000-0x0000000002A2C000-memory.dmp

Filesize
3.4MB

Download
memory/3780-130-0x0000000000000000-mapping.dmp

Download
memory/3780-142-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3780-146-0x00000000026D1000-0x0000000002943000-memory.dmp

Filesize
2.4MB

Download
memory/3836-124-0x0000000000000000-mapping.dmp

Download
memory/3848-348-0x0000000000000000-mapping.dmp

Download
memory/3888-344-0x0000000000000000-mapping.dmp

Download
memory/3932-276-0x0000000000000000-mapping.dmp

Download
memory/3980-222-0x0000000000000000-mapping.dmp

Download
memory/4036-212-0x0000000008110000-0x0000000008160000-memory.dmp

Filesize
320KB

Download
memory/4036-252-0x0000000019F00000-0x0000000019F27000-memory.dmp

Filesize
156KB

Download
memory/4036-213-0x0000000008170000-0x000000000817D000-memory.dmp

Filesize
52KB

Download
memory/4036-219-0x0000000015190000-0x00000000151A0000-memory.dmp

Filesize
64KB

Download
memory/4036-226-0x00000000181D0000-0x0000000018246000-memory.dmp

Filesize
472KB

Download
memory/4036-214-0x00000000082D0000-0x00000000082FA000-memory.dmp

Filesize
168KB

Download
memory/4036-211-0x00000000080E0000-0x00000000080FA000-memory.dmp

Filesize
104KB

Download
memory/4036-269-0x0000000019420000-0x0000000019451000-memory.dmp

Filesize
196KB

Download
memory/4036-208-0x0000000008053000-0x000000000806E000-memory.dmp

Filesize
108KB

Download
memory/4036-215-0x0000000015140000-0x000000001516F000-memory.dmp

Filesize
188KB

Download
memory/4036-250-0x00000000195E0000-0x00000000195F4000-memory.dmp

Filesize
80KB

Download
memory/4036-248-0x00000000184B0000-0x0000000018578000-memory.dmp

Filesize
800KB

Download
memory/4036-246-0x0000000018420000-0x000000001849E000-memory.dmp

Filesize
504KB

Download
memory/4036-244-0x00000000183F0000-0x0000000018407000-memory.dmp

Filesize
92KB

Download
memory/4036-209-0x00000000080B0000-0x00000000080C1000-memory.dmp

Filesize
68KB

Download
memory/4036-241-0x00000000183A0000-0x00000000183DC000-memory.dmp

Filesize
240KB

Download
memory/4036-198-0x0000000000000000-mapping.dmp

Download
memory/4036-205-0x0000000014B90000-0x0000000015132000-memory.dmp

Filesize
5.6MB

Download
memory/4036-207-0x0000000008080000-0x00000000080A6000-memory.dmp

Filesize
152KB

Download
memory/4112-520-0x0000000000000000-mapping.dmp

Download
memory/4136-530-0x0000000000000000-mapping.dmp

Download
memory/4168-367-0x0000000000000000-mapping.dmp

Download
memory/4212-368-0x0000000000000000-mapping.dmp

Download
memory/4348-370-0x0000000000000000-mapping.dmp

Download
memory/4372-371-0x0000000000000000-mapping.dmp

Download
memory/4544-374-0x0000000000000000-mapping.dmp

Download
memory/4580-375-0x0000000000000000-mapping.dmp

Download
memory/4644-377-0x0000000000000000-mapping.dmp

Download
memory/4664-378-0x0000000000000000-mapping.dmp

Download
memory/4684-531-0x0000000000000000-mapping.dmp

Download
memory/4692-533-0x0000000000000000-mapping.dmp

Download
memory/4728-527-0x0000000000000000-mapping.dmp

Download
memory/4732-523-0x0000000000000000-mapping.dmp

Download
memory/4832-524-0x0000000000000000-mapping.dmp

Download
memory/4868-532-0x0000000000000000-mapping.dmp

Download
memory/4916-534-0x0000000000000000-mapping.dmp

Download