6785a415c6fd541e86043ac3f3a0ea73f006e0eec6ab1df125eeca4578678c8e

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a6a8bcf2861af81a6a553d1be91c639_JaffaCakes118.exe
Size

49.6MB
MD5

6a6a8bcf2861af81a6a553d1be91c639
SHA1

4fefc2d3b49f7ec83b58c857aec2c3d02e7b347d
SHA256

6785a415c6fd541e86043ac3f3a0ea73f006e0eec6ab1df125eeca4578678c8e
SHA512

b47cd0ce79b026c8747612787551b2b5f13969d906c7835c68a6603830d84136a440aeb8fd5756077b734ea9005e9f21ab1e9378cd991d63ac70ac835611435d
SSDEEP

1572864:tC/Q7oNmOMyJ0bp19NhNHrIcnlb0w9pwbwc+fAVgAZ:tC/QnOvKrHIk5F9pwb3+fML

Score

9^/10

bootkit discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

QQPCMgr_Setup.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ QQPCMgr_Setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	QQPCMgr_Setup.exe

Drops file in Drivers directory 8 IoCs

Processes:

QQPCTray.exeQQPCRealTimeSpeedup.exeQMSuperScan.exeQQPCMgr_Setup.exe

description	ioc	process
File opened for modification	C:\Windows\system32\Drivers\TAOKernel64.sys	QQPCTray.exe
File opened for modification	C:\Windows\system32\Drivers\TAOAccelerator64.sys	QQPCRealTimeSpeedup.exe
File created	C:\Windows\system32\drivers\TSSKX64.sys	QMSuperScan.exe
File opened for modification	C:\Windows\system32\drivers\TSSKX64.sys	QMSuperScan.exe
File created	C:\Windows\system32\Drivers\TFsFltX64.sys	QQPCMgr_Setup.exe
File created	C:\Windows\system32\Drivers\TAOAccelerator64.sys	QQPCTray.exe
File opened for modification	C:\Windows\system32\Drivers\TAOAccelerator64.sys	QQPCTray.exe
File created	C:\Windows\system32\Drivers\TAOKernel64.sys	QQPCTray.exe

Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

2304 netsh.exe
2084 netsh.exe

pid	process
2304	netsh.exe
2084	netsh.exe

Sets service image path in registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

QQPCRtp.exeQQPCMgr_Setup.exeQQPCTray.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TSDefenseBt\ImagePath = "\\??\\C:\\Program Files (x86)\\Tencent\\QQPCMgr\\11.3.17201.218\\TSDefenseBT64.sys"	QQPCRtp.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QQPCRTP\ImagePath = "\"C:\\Program Files (x86)\\Tencent\\QQPCMgr\\11.3.17201.218\\QQPCRTP.exe\" -r"	QQPCRtp.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QQPCRTP\ImagePath = "\"C:\\Program Files (x86)\\Tencent\\QQPCMgr\\11.3.17201.218\\QQPCRtp.exe\" -r"	QQPCMgr_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TSDefenseBt\ImagePath = "\\??\\C:\\Program Files (x86)\\Tencent\\QQPCMgr\\11.3.17201.218\\TSDefenseBT64.sys"	QQPCTray.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QQPCRTP\ImagePath = "\"C:\\Program Files (x86)\\Tencent\\QQPCMgr\\11.3.17201.218\\QQPCRTP.exe\" -r"	QQPCTray.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QMUdisk\ImagePath = "\\??\\C:\\Program Files (x86)\\Tencent\\QQPCMgr\\11.3.17201.218\\QMUdisk64.sys"	QQPCTray.exe

Executes dropped EXE 32 IoCs

Processes:

QQPCMgr_Setup.exeTestMSVCR.exeTestMSVCR_64.exeInstAsm.exePluginInstaller.exeRemNPX.exeQQPCRTP.exeTencentdl.exetencentdl.exeQMSuperScan.exeQMCheckNetwork.exeQMCheckNetwork.exeTestMSVCR.exeQQPCTray.exeQQPCRTP.exeQQPCRTP.exeQQPCRtp.exeQQPCTray.exeUpdateTrayIcon.exeQMDeskTopGC.exeQQRepair.exetencentdl.exeQQPCNetFlow.exeQQPCTray.exeQQPCRealTimeSpeedup.exeQQPCTray.exeQQPCRealTimeSpeedup.exeQQRepair.exeQQPCPatch.exeQQPCTray.exeQQPCPatch.exeQQPCSoftTrayTips.exe

pid	process
2036	QQPCMgr_Setup.exe
2232	TestMSVCR.exe
2720	TestMSVCR_64.exe
2924	InstAsm.exe
2944	PluginInstaller.exe
2060	RemNPX.exe
384	QQPCRTP.exe
2372	Tencentdl.exe
2340	tencentdl.exe
2812	QMSuperScan.exe
1264	QMCheckNetwork.exe
2592	QMCheckNetwork.exe
2968	TestMSVCR.exe
2712	QQPCTray.exe
824	QQPCRTP.exe
2740	QQPCRTP.exe
2944	QQPCRtp.exe
1336	QQPCTray.exe
904	UpdateTrayIcon.exe
1008	QMDeskTopGC.exe
2148	QQRepair.exe
2576	tencentdl.exe
1520	QQPCNetFlow.exe
2256	QQPCTray.exe
1788	QQPCRealTimeSpeedup.exe
1832	QQPCTray.exe
3136	QQPCRealTimeSpeedup.exe
2536	QQRepair.exe
4292	QQPCPatch.exe
4456	QQPCTray.exe
4576	QQPCPatch.exe
3468	QQPCSoftTrayTips.exe

Loads dropped DLL 64 IoCs

Processes:

6a6a8bcf2861af81a6a553d1be91c639_JaffaCakes118.exeQQPCMgr_Setup.exeregsvr32.exeregsvr32.exeExplorer.EXEPluginInstaller.exeQQPCRTP.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeTencentdl.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeQMSuperScan.exeQMCheckNetwork.exetencentdl.exeQMCheckNetwork.exe

pid	process
1040	6a6a8bcf2861af81a6a553d1be91c639_JaffaCakes118.exe
2036	QQPCMgr_Setup.exe
2036	QQPCMgr_Setup.exe
2036	QQPCMgr_Setup.exe
2036	QQPCMgr_Setup.exe
2036	QQPCMgr_Setup.exe
824	regsvr32.exe
3032	regsvr32.exe
2036	QQPCMgr_Setup.exe
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
2944	PluginInstaller.exe
2944	PluginInstaller.exe
2944	PluginInstaller.exe
2036	QQPCMgr_Setup.exe
2944	PluginInstaller.exe
2036	QQPCMgr_Setup.exe
2036	QQPCMgr_Setup.exe
2036	QQPCMgr_Setup.exe
2036	QQPCMgr_Setup.exe
2036	QQPCMgr_Setup.exe
2036	QQPCMgr_Setup.exe
384	QQPCRTP.exe
384	QQPCRTP.exe
384	QQPCRTP.exe
2036	QQPCMgr_Setup.exe
1780	regsvr32.exe
1992	regsvr32.exe
2276	regsvr32.exe
1500	regsvr32.exe
2372	Tencentdl.exe
2372	Tencentdl.exe
340	regsvr32.exe
1124	regsvr32.exe
2372	Tencentdl.exe
2372	Tencentdl.exe
1344	regsvr32.exe
548	regsvr32.exe
384	QQPCRTP.exe
384	QQPCRTP.exe
2372	Tencentdl.exe
384	QQPCRTP.exe
2036	QQPCMgr_Setup.exe
2036	QQPCMgr_Setup.exe
2812	QMSuperScan.exe
2812	QMSuperScan.exe
2812	QMSuperScan.exe
2812	QMSuperScan.exe
1264	QMCheckNetwork.exe
1264	QMCheckNetwork.exe
2340	tencentdl.exe
2340	tencentdl.exe
2592	QMCheckNetwork.exe
2592	QMCheckNetwork.exe
2592	QMCheckNetwork.exe
1264	QMCheckNetwork.exe
1264	QMCheckNetwork.exe
2812	QMSuperScan.exe
2340	tencentdl.exe
2340	tencentdl.exe
2812	QMSuperScan.exe
2812	QMSuperScan.exe
2812	QMSuperScan.exe

Modifies system executable filetype association 2 TTPs 7 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

regsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextUninstall\ = "{CBDECEF7-7A29-4cbf-A009-2673D82C7BF9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextScan	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextScan\ = "{63332668-8CE1-445D-A5EE-25929176714E}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextScan	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextScan	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextScan\ = "{63332668-8CE1-445D-A5EE-25929176714E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\QMContextUninstall	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

regsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B7667919-3765-4815-A66D-98A09BE662D6}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4801E96-E7A1-45F6-B124-7A36DFB40B81}\InProcServer32\ = "C:\\Program Files (x86)\\Tencent\\QQPCMgr\\11.3.17201.218\\QMContextUninstall64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBDECEF7-7A29-4cbf-A009-2673D82C7BF9}\InprocServer32\ = "C:\\Program Files (x86)\\Tencent\\QQPCMgr\\11.3.17201.218\\QMContextUninstall64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBDECEF7-7A29-4cbf-A009-2673D82C7BF9}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4801E96-E7A1-45F6-B124-7A36DFB40B81}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E52EB753-1F56-4DF7-BE53-2C314AC5F8A1}\InProcServer32\ = "C:\\Program Files (x86)\\Tencent\\QQPCMgr\\11.3.17201.218\\QMContextScan64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B7667919-3765-4815-A66D-98A09BE662D6}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B7667919-3765-4815-A66D-98A09BE662D6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E52EB753-1F56-4DF7-BE53-2C314AC5F8A1}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{63332668-8CE1-445D-A5EE-25929176714E}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E52EB753-1F56-4DF7-BE53-2C314AC5F8A1}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBDECEF7-7A29-4cbf-A009-2673D82C7BF9}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4801E96-E7A1-45F6-B124-7A36DFB40B81}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B7667919-3765-4815-A66D-98A09BE662D6}\InprocServer32\ = "C:\\Program Files (x86)\\Tencent\\QQPCMgr\\11.3.17201.218\\QMGCShellExt64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{63332668-8CE1-445D-A5EE-25929176714E}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{63332668-8CE1-445D-A5EE-25929176714E}\InprocServer32\ = "C:\\Program Files (x86)\\Tencent\\QQPCMgr\\11.3.17201.218\\QMContextScan64.dll"	regsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

QQPCMgr_Setup.exeQQPCRtp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ QQPCTray = "\"C:\\Program Files (x86)\\Tencent\\QQPCMgr\\11.3.17201.218\\QQPCTray.exe\" /regrun"	QQPCMgr_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ QQPCTray = "\"C:\\Program Files (x86)\\Tencent\\QQPCMgr\\11.3.17201.218\\QQPCTray.exe\" /regrun"	QQPCRtp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

QQPCRealTimeSpeedup.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA QQPCRealTimeSpeedup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QQPCRealTimeSpeedup.exe

Drops Chrome extension 1 IoCs

Processes:

QQPCTray.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ooebklgpfnbcnpokahmdidgbmlcdepkm\2.8_0\manifest.json	QQPCTray.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

QQPCTray.exe

description ioc process

File opened (read-only) \??\F: QQPCTray.exe

description	ioc	process
File opened (read-only)	\??\F:	QQPCTray.exe

Writes to the Master Boot Record (MBR) 1 TTPs 7 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

QQPCMgr_Setup.exeTencentdl.exeQMSuperScan.exetencentdl.exeQQPCRtp.exeQQPCTray.exetencentdl.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	QQPCMgr_Setup.exe
File opened for modification	\??\PhysicalDrive0	Tencentdl.exe
File opened for modification	\??\PhysicalDrive0	QMSuperScan.exe
File opened for modification	\??\PhysicalDrive0	tencentdl.exe
File opened for modification	\??\PhysicalDrive0	QQPCRtp.exe
File opened for modification	\??\PhysicalDrive0	QQPCTray.exe
File opened for modification	\??\PhysicalDrive0	tencentdl.exe

Drops file in System32 directory 2 IoCs

Processes:

QQPCRtp.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db	QQPCRtp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db	QQPCRtp.exe

Drops file in Program Files directory 64 IoCs

Processes:

QQPCMgr_Setup.exeTencentdl.exeQQPCRtp.exeQMCheckNetwork.exeQQPCTray.exe

description	ioc	process
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\ClinicData\script\pb_1070.dat	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\TSSysKit.sys	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\malware\logo\plugin_10492.png	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\ClinicData\script\pb_1403.dat	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMTrayPlugin\QMTPKTrayPlugin\QMTpkTrayPlugin.rdb	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\RtpPage\RtpPage.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\tsskx64.sys	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Common Files\Tencent\QQDownload\130\tinyxml.dll	Tencentdl.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\ClinicData\script\pb_1302.dat	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\Image\point.png	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\Images\logodef.ico	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\tpk\1.0.0.1\def\virscr05.def	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\ClinicData\script\pb_1409.dat	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\SoftMgr\data\support.etf	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\malware\MalWare.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMForbiddenWinKey.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\sysmalwarejmp\malware.png	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\FileSmash\libjpegturbo.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMLoader\QQPCDetector.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMTrayPlugin\QMSysOptimizeAssist\denoiser_info.ini	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\extract.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\TAOClient.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\SceneRes\SccCfg\Scc4.dat	QQPCRtp.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\TSWebShieldX64.dat	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMChExt.exe	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\MobileSoftMgr.dll	QQPCMgr_Setup.exe
File opened for modification	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMNetworkMgr.ini	QMCheckNetwork.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\QMTrojanScan\QMinfo.xml	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\malware\logo\plugin_1346.png	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\ClassicLogo\qqpcupgradejump.png	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\adfilterlib\tsadlibpower.xml	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\ClinicData\script\pb_1400.dat	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\FileSmash\jgImage.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\FileSmash\xImage.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\malware\logo\plugin_1302.png	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\QuickOpenLogo\QQPCB2AndroidJmp_QO.png	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\ClinicData\script\pb_1073.dat	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\ClinicData\script\pb_1087.dat	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\qmaplocal.dat	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\TAO\CODConfig.etf	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\CubeSwitch.etf	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\FileOpen.etf	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\adplugin\QMAdFilter(big).png	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\SoftAAL.sys	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\qmspeedupplugin\speeduprocket\SpeedupRocket.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMEmMat.dat	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMTrayPlugin\QMQQLoginPlugin\QMQQLoginPlugin.rdb	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMAccountProtection.exe	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\arkGraphic.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\TSClinicWebFix.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\xImage.dll	QQPCMgr_Setup.exe
File opened for modification	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\SoftUninstall\RbDel.ini	QQPCTray.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\tpk\1.0.0.1\def\virswf01.def	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\malware\logo\plugin_133.png	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\ClassicLogo\Win10Tips.png	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\IEStartPage\browserlist.dat	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMLspPing.exe	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQRepairEx.exe	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMClinicCore.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMContextScan64.dll	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\malware\logo\plugin_1025.png	QQPCMgr_Setup.exe
File opened for modification	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\StartupLog_2.log	QQPCTray.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\ClinicData\script\pb_1107.dat	QQPCMgr_Setup.exe
File created	C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\ClinicData\script\pb_1225.dat	QQPCMgr_Setup.exe

Drops file in Windows directory 1 IoCs

Processes:

QQPCMgr_Setup.exe

description ioc process

File created C:\Windows\Fonts\FZLTCXHJW.TTF QQPCMgr_Setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Fonts\FZLTCXHJW.TTF	QQPCMgr_Setup.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

Processes:

QQPCMgr_Setup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16EE6530-8649-4F42-A9E4-F6A3295AF975}\AppName = "QQPCClinic.exe"	QQPCMgr_Setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16EE6530-8649-4F42-A9E4-F6A3295AF975}\Policy = "3"	QQPCMgr_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute	QQPCMgr_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\PCMgrRepairIEExtensions	QQPCMgr_Setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\PCMgrRepairIEExtensions\WarnOnOpen = "0"	QQPCMgr_Setup.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16EE6530-8649-4F42-A9E4-F6A3295AF975}	QQPCMgr_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16EE6530-8649-4F42-A9E4-F6A3295AF975}\AppPath = "C:\\Program Files (x86)\\Tencent\\QQPCMgr\\11.3.17201.218\\"	QQPCMgr_Setup.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

Processes:

QQPCTray.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.duba.com/?un_449343_3342"	QQPCTray.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.duba.com/?un_449343_3342"	QQPCTray.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

QQPCMgr_Setup.exeQQPCTray.exeQQPCNetFlow.exeQQPCRealTimeSpeedup.exeQMDeskTopGC.exeQQPCRtp.exeQMSuperScan.exeQQPCTray.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_25 = 3874d037c712e067e6058b9e8affc77671170de3329229563fc3ed22822e0c175fdd7dcab54d567beeac3844da6f	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_31 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e16177add6ecaa94d4f7bf3ac2344cf6f8f05	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\QMAdBlockExposeBtnSwitch = 7b74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\ConfigBackup = 03e807fed01cf00785410f2ddaed0b7fbeac49125f0aab58db2e2ffa67dd05c5b23346f35572000ee813fe1c12f7e4d622826a7fe9e7127691a2067e87d9fb70f6ce732b5e618dab0ce3c42c2d	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\NotFirstUseFileOpen = 7b74ea37	QQPCNetFlow.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\OptimizeNotifyEventCode = 7b74ea37	QQPCRealTimeSpeedup.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_37 = 3874d037c712e267fc05809e9cffdb765a172ee31b9238562ac3f722952e351776dd2bcaf44d	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_43 = 3874d037c712e567e705819e9fffc6764c1730e367920d563ac3e822842e23173bdd30cabe4d057bacac7e44f66fbf052b8cb103fa5e917a4beb61b7ed0058ab80ea5fb90928	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_45 = 3874d037c712e567e705819e9fffc6764c1730e303922a5627c3e522bd2e1d1772dd7bcab44d527be9ac3844cc6f8805188c8b03fe5e907a41eb2eb7dc0042abb0ea6eb91f2832bc40669627478210fb6a85c195	QQPCMgr_Setup.exe
Key created	\REGISTRY\USER\SPEEDUPCFG\QQPCMgr	QQPCRealTimeSpeedup.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\SystemStartupMaxExpCount = 7e74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defGameUpgradeRefreshDate88 = 2374ea377315b06782057396	QQPCTray.exe
Key created	\REGISTRY\USER\WIFISAFECFG\QQPCMgr\WifiSafe	QQPCTray.exe
Key created	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg	QMDeskTopGC.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\BackGroundLowPriorStatus = 7a74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\NetMonSPTipsLeft = 7874ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\NETFLOWCFG\QQPCMgr\Netflow\Config\NormalConfigOldConverted_4_7b = 7a74ea37	QQPCNetFlow.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\TAVServerConfig = 3d21b57bf27fdc13d36c82fbab96ce1310246cd772a5796e63c9c277be6339795db474af9524471ea79e5d02ff30b36b27e98973fb319f1e63822dd296333bedb9b56ed60e4933e9400a954642c40d976ab881a5b8c633ce60257483c978230148d6e9e56d784224bff89b84e11dee4b9fb6a5b02b319106fb9632273de718515cb0766adcee556aeadea5fabf0e3ac6bf279e09b651ce08c67d097463792003dbc5de4db5d8a9c0e0710a383446d904b5e1bff22ecb771a45ababeb31e7f12a9d710f70a02edc7040a76add21740639660837245e0a3a26ace0445b7ba0da5d4d935c43f9865ad8d3af56a8b11a2a5bcad82b477c01a7e62a72b51145fced8870a1dd1cf4b50e2289ff3d2bed7bbe068079524acc6359563baaea1a559b9a7de6debaf9a13cc57cfe1dbb02a83cb694c163b2aec6e7c61c9e653b5cdb1f9f47f461da7d3b902fbfffa535dbf9418c3586b353667a6289687a87cb65d02c1999035cea357d39030d031e6913677343d4b49af51a330f9303dec0d428a47828a9386ae022396198bf53c7d1fef3894415204cf9eaae870bd6d8563f9098bb9e42cd079981c4f2f1a4d6dfc52cdb745b1a407aa483aad321e9114bf31af64b39d92762855cfd63d6c619e15d4477edd282bb45ec7bbbe9fbc86fe05576a909fa4bf08a565adda46257c137561e7a67d58010ce8bbc4ad0ab1794a2b600b08cd38322cf8f1d9525d2f4a93975106055bda45daf178729dd1590dc39f4e32a7996b471fcd91760c53187dadd4b756b32c550a1be306cc926d0bc7d87c25f79852d60b81ba9b25fe4e6be832f695e74516e4be1aba8f1d3e3745b0d3dd99b933d3c0d77980bf0c08a3075493d8f1ebccb05c8d1c7c888d6a644f2f519cadebd2407f064d1e71d7f10a1ce68ce961b4299bba558d0b4e599618d3825617d293449f8d955c702154a09355211b414ace8c6fbf0d16ba0570c6d5eac041d188e631702a7368058c97193fc19f8d4d61bacde4af5a91e042a96f8ec6c0ebfb6a5598429a83667bc9cad144a37990e65da8a9a5655124b606fb1da77453379fbe76811a8c4a52b40581eb3235ee2791492db66772945bc681f92761590fbd02a07148238a4d6134b1ce60ac4efe6a54072fdbaf6e1019b30303602bb1fb5085fac97a0b54951c11d94e6c7a486bc92ce53cb92fc26d7308cf128da5c71cd59ca16ca8136a94f7935c59ad10ccfdc966be20ddf609579d13002cec291d610f7e58e6083d9b24fddb33417702bb0ff605ce0e8f9f58bd822cfdfc73214b6fcb822dc4ed117d65e3ffb1cc133f2	QQPCRtp.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defGameUpgradeRefreshDate17 = 6a74ea377315b06782057396	QQPCTray.exe
Key created	\REGISTRY\USER\WifiSafeCfg	QQPCTray.exe
Key created	\REGISTRY\USER\WIFISAFECFG\QQPCMgr	QQPCTray.exe
Key created	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg	QMSuperScan.exe
Key created	\REGISTRY\USER\QMConfig	QMSuperScan.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_26 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7	QMSuperScan.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_46 = 3874d037c712e067e6058b9e8affc77671170de3329229563fc3ed22822e0c175fdd77caa54d487bf7ac3244c46f8805378c	QMSuperScan.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_55 = 3874d037c712e067e6058b9e8affc77671170de3329229563fc3ed22822e0c174ddd71caa24d587bf5ac2444	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\NetMonShowMinibar = 7a74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_59 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fb0052b8cbf03f65e927a79eb0cb7c20052ab9eea55b9092830bc56668e277a8233fb6685dc95eccc1a9b487077effa19054751b7fcd832725871a2ad9ee8fc7ce41b	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\QMTaskHistoryLen = 7a74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_0 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e14177edd6bcaad4d497bf5ac2744	QMSuperScan.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_21 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7f7007cab85ea59b9082830bc43669527408210fb5385e595e1cc1b9b5b706befd119344778b7dad83972697190ad87e8ef7cfe1bbfffb8d6	QMSuperScan.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_8 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7f7007cab85ea59b9082830bc43669527408210fb5385e595e1cc1b9b5b706befd119344778b7dcd83972677185ad85e8fa7c	QQPCMgr_Setup.exe
Key created	\REGISTRY\USER\NetflowCfg	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\ExitOnClose = 7b74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_29 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7f7007cab85ea59b9082830bc43669527408210fb5385e595e1cc1b9b5b706befd119344778b7ddd82872657192ad9fe8ae7cc71bbfffa5d63177a167ccab712d14b2201c47de441fc2b84706c3bbcbcac1480e998b4e866c9621d267	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defGameUpgradeRefreshDate25 = 6274ea377315b06782057396	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\FileMonInstallPerfCount = 7b74ea37	QQPCRtp.exe
Key created	\REGISTRY\USER\QMCONFIG\QQDoctor\DrRtp	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSoftMgrIPRegionInfo = 6b74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\QMCfgRPTCNT = 7b7cea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\BlackURLPercent = 9377ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defCmcTencentMiniNewsWndProperty = 0a749b37b512d067ed058b9ed0ff9776041709e31f920c5626c3ed22a72e3f176edd76caa24d5c7beeac3e44c56f92056c8cff03be5e80fb8a6010c85c8f51e4a498	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_30 = 3874d037c712e567e705819e9fffc6764c1730e303922a5627c3e522bd2e1d1772dd7bcab44d527be9ac3844cc6f8805188c8b03fe5e907a41eb2eb7dc0042abb0ea69b90e283ebc42668e27068229fb6a85dc95fdcc299b6f7076efc919204756b7efd831727771bcadb8e8fa7ceb1ba8ffbfd631778d67	QMSuperScan.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\TodayNodisturbRuntime = 7b74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\NetMonMinibarExpanded = 7b74ea37	QQPCNetFlow.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_27 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7f7007cab85ea59b9082830bc43669527408210fb5385e595e1cc1b9b5b706befd119344778b7ded82e726d718ead9fe8eb7cf81bfaff98d62c779267eeab772d18b2321c41de561f	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_38 = 3874d037c712e567e705819e9fffc6764c1730e367920d563ac3e822842e23173bdd30cabe4d057bacac7e44	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\ProcessCubeDriverMD5 = 1a748937af12d167f405d79ecfffd57648173ee37092725637c3e222842e61172cdd7acaff4d0e7babac6444926fcd05758ceb03f35ec97a16eb79b7ca0008abecea	QQPCRealTimeSpeedup.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defGameUpgradeRefreshDate43 = 5074ea377315b06782057396	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\QMCfgQMNRetires = 7874	QQPCTray.exe
Key created	\REGISTRY\USER\QMConfig\QQDoctor\QQDoctor\ComCfg	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_23 = 3874d037c712e567e705819e9fffc6764c1730e303922a5627c3e522bd2e1d1772dd7bcab44d527be9ac3844cc6f8805188c8b03fe5e907a41eb2eb7dc0042abb0ea69b90e283ebc42668e27068229fb6a85dc95fdcc299b6f7076efc919204756b7efd831727771	QMSuperScan.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_44 = 3874d037c712e567e705819e9fffc6764c1730e367920d563ac3e822842e23173bdd30cabe4d057bacac7e44f66fbf052b8cb103fa5e917a4beb61b7ed0058ab80ea5fb90928	QMSuperScan.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_2 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7f7007cab85ea59b9082830bc43669527408210fb5385e595e1cc1b9b5b706befd119344778b7ddd82872657192ad9fe8ae7cc71bbfffa5d63177a167ccab712d14b2201c47de441fc2b84706	QQPCMgr_Setup.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_25 = 3874d037c712e067e6058b9e8affc77671170de3329229563fc3ed22822e0c175fdd7dcab54d567beeac3844da6f	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\ScanFinishAutoShutDown = 7b74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_29 = 3874d037c712e067e6058b9e8affc77671171ce3239226563ac3ea22bd2e11176bdd68ca824d5c7beeac3644f66fae052b8cbd03fa5e977a4beb26b7f7007cab85ea59b9082830bc43669527408210fb5385e595e1cc1b9b5b706befd119344778b7ddd82872657192ad9fe8ae7cc71bbfffa5d63177a167ccab712d14b2201c47de441fc2b84706c3bbcbcac1480e998b4e866c9621d267	QMSuperScan.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\NetMonSPTipsLeft = 7874ea37	QQPCNetFlow.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_55 = 3874d037c712e067e6058b9e8affc77671170de3329229563fc3ed22822e0c174ddd71caa24d587bf5ac2444	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_35 = 3874d037c712e567e705819e9fffc6764c1730e303922a5627c3e522	QMSuperScan.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_38 = 3874d037c712e567e705819e9fffc6764c1730e367920d563ac3e822842e23173bdd30cabe4d057bacac7e44	QMSuperScan.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\HideGhostData = 7a74ea37	QQPCTray.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\NetMonHideTrayIcon = 7b74ea37	QQPCNetFlow.exe
Set value (data)	\REGISTRY\USER\QMCONFIG\QQDoctor\QQDoctor\ComCfg\defSpecialFolderPath_Cache_24 = 3874d037c712e567e705819e9fffc6764c1730e303922a5627c3e522bd2e1d1772dd7bcab44d527be9ac3844cc6f8805188c8b03fe5e907a41eb2eb7dc0042abb0ea69b90e283ebc42668e27068229fb6a85dc95fdcc299b6f7076efc919204756b7efd831727771bcadb8e8fa7ceb1ba8ffbfd631778d67	QQPCTray.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exetencentdl.exeQQPCMgr_Setup.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMContextScan.QMContextScanMenu	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E52EB753-1F56-4DF7-BE53-2C314AC5F8A1}\ProxyStubClsid32\ = "{E52EB753-1F56-4DF7-BE53-2C314AC5F8A1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0	tencentdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qmbfile\shell\command\ = "C:\\Program Files (x86)\\Tencent\\QQPCMgr\\11.3.17201.218\\QQPCInstAssist.exe \"%1\""	QQPCMgr_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PCMgrRepairIEExtensions\ = "URL: 电脑管家-修复IE插件"	QQPCMgr_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E52EB753-1F56-4DF7-BE53-2C314AC5F8A1}\ProxyStubClsid32\ = "{E52EB753-1F56-4DF7-BE53-2C314AC5F8A1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMContextScan.QMContextScanMenu\CLSID\ = "{63332668-8CE1-445D-A5EE-25929176714E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBDECEF7-7A29-4cbf-A009-2673D82C7BF9}\AppID = "{1E9BD312-7C8C-4422-906D-897F6D7714F2}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D4801E96-E7A1-45F6-B124-7A36DFB40B81}\TypeLib\ = "{445E3964-15B0-472A-95F4-6242DD2EA066}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29B6CFD5-0064-411A-8C42-9890C83F9921}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{7A30415C-ABEE-4674-B64B-4CA145EEB0CA}\ = "QMContextScan"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\QMContextUninstall.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4801E96-E7A1-45F6-B124-7A36DFB40B81}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D4801E96-E7A1-45F6-B124-7A36DFB40B81}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\npQMExtensionsIE.Basic.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1E9BD312-7C8C-4422-906D-897F6D7714F2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMContextUninstall.QMContextUninstallMenu.1\CLSID\ = "{CBDECEF7-7A29-4cbf-A009-2673D82C7BF9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qpakfile\shell\command\ = "C:\\Program Files (x86)\\Tencent\\QQPCMgr\\11.3.17201.218\\QQPCAddWidget.exe /inst \"%1\""	QQPCMgr_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQPCMgr.qbox\ = "QQ保险柜文件(.qbox)"	QQPCMgr_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4801E96-E7A1-45F6-B124-7A36DFB40B81}\ProxyStubClsid32\ = "{D4801E96-E7A1-45F6-B124-7A36DFB40B81}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29B6CFD5-0064-411A-8C42-9890C83F9921}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B7667919-3765-4815-A66D-98A09BE662D6}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qmbfile\DefaultIcon	QQPCMgr_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\QMContextScan\ = "{63332668-8CE1-445D-A5EE-25929176714E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{593BE60A-1C6A-44F9-946D-A5EAB2D53511}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\QMContextScan\ = "{63332668-8CE1-445D-A5EE-25929176714E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader.1	tencentdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\shell\openas\command	QQPCMgr_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.qbox\ = "QQPCMgr.qbox"	QQPCMgr_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E52EB753-1F56-4DF7-BE53-2C314AC5F8A1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E52EB753-1F56-4DF7-BE53-2C314AC5F8A1}\ = "IQMContextScanMenu"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E52EB753-1F56-4DF7-BE53-2C314AC5F8A1}\TypeLib\ = "{593BE60A-1C6A-44F9-946D-A5EAB2D53511}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E52EB753-1F56-4DF7-BE53-2C314AC5F8A1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E52EB753-1F56-4DF7-BE53-2C314AC5F8A1}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E52EB753-1F56-4DF7-BE53-2C314AC5F8A1}\NumMethods\ = "3"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\npQMExtensionsIE.Basic\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70DE12EA-79F4-46bc-9812-86DB50A2FD64}\LocalServer32	tencentdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qmgcfiles\Shell\open\Command	QQPCMgr_Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQPCMgr.qbox\shell\open\ = "打开文件保险柜"	QQPCMgr_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PCMgrRepairIEExtensions\Shell\Open\Command	QQPCMgr_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CBDECEF7-7A29-4cbf-A009-2673D82C7BF9}\InprocServer32\ = "C:\\Program Files (x86)\\Tencent\\QQPCMgr\\11.3.17201.218\\QMContextUninstall64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C049F583-D724-4BAB-8F47-F13BCA41B808}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DownloadProxy.Downloader\CurVer\ = "DownloadProxy.Downloader.1"	tencentdl.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B7667919-3765-4815-A66D-98A09BE662D6}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4801E96-E7A1-45F6-B124-7A36DFB40B81}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib	tencentdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\QMContextUninstall\ = "{CBDECEF7-7A29-4cbf-A009-2673D82C7BF9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29B6CFD5-0064-411A-8C42-9890C83F9921}\VersionIndependentProgID\ = "npQMExtensionsIE.Basic"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70DE12EA-79F4-46bc-9812-86DB50A2FD64}\LocalServer32\ = "\"C:\\program files (x86)\\common files\\tencent\\qqdownload\\130\\tencentdl.exe\""	tencentdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib	tencentdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMContextScan.QMContextScanMenu.1\ = "QMContextScanMenu Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{593BE60A-1C6A-44F9-946D-A5EAB2D53511}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E52EB753-1F56-4DF7-BE53-2C314AC5F8A1}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\QMContextScan\ = "{63332668-8CE1-445D-A5EE-25929176714E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{445E3964-15B0-472A-95F4-6242DD2EA066}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9FDA3675-DD0B-43EF-A5EE-2A7188E5D00F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQPCMgr.qbox\DefaultIcon	QQPCMgr_Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4801E96-E7A1-45F6-B124-7A36DFB40B81}\ProxyStubClsid32	regsvr32.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

QQPCNetFlow.exeQQPCTray.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	QQPCNetFlow.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	QQPCNetFlow.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	QQPCNetFlow.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	QQPCNetFlow.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	QQPCTray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	QQPCTray.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

QQPCMgr_Setup.exeQMCheckNetwork.exeQQPCRtp.exeQQPCTray.exeUpdateTrayIcon.exeQQPCRealTimeSpeedup.exe

pid	process
2036	QQPCMgr_Setup.exe
2036	QQPCMgr_Setup.exe
2036	QQPCMgr_Setup.exe
2036	QQPCMgr_Setup.exe
2036	QQPCMgr_Setup.exe
2036	QQPCMgr_Setup.exe
1264	QMCheckNetwork.exe
2944	QQPCRtp.exe
2944	QQPCRtp.exe
1336	QQPCTray.exe
1336	QQPCTray.exe
1336	QQPCTray.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
1336	QQPCTray.exe
1336	QQPCTray.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
1336	QQPCTray.exe
1336	QQPCTray.exe
2944	QQPCRtp.exe
1788	QQPCRealTimeSpeedup.exe
1788	QQPCRealTimeSpeedup.exe
2944	QQPCRtp.exe
2944	QQPCRtp.exe
2944	QQPCRtp.exe
2944	QQPCRtp.exe
2944	QQPCRtp.exe
2944	QQPCRtp.exe
2944	QQPCRtp.exe
2944	QQPCRtp.exe
2944	QQPCRtp.exe
1788	QQPCRealTimeSpeedup.exe
1788	QQPCRealTimeSpeedup.exe
2944	QQPCRtp.exe
2944	QQPCRtp.exe
2944	QQPCRtp.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
2944	QQPCRtp.exe
2944	QQPCRtp.exe
2944	QQPCRtp.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
1264	QMCheckNetwork.exe
1264	QMCheckNetwork.exe
1264	QMCheckNetwork.exe
1264	QMCheckNetwork.exe
1264	QMCheckNetwork.exe
1264	QMCheckNetwork.exe
1336	QQPCTray.exe
1336	QQPCTray.exe
1336	QQPCTray.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
1336	QQPCTray.exe
1336	QQPCTray.exe
1336	QQPCTray.exe
1336	QQPCTray.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

QQPCRealTimeSpeedup.exeQQPCTray.exe

pid process

1788 QQPCRealTimeSpeedup.exe
1336 QQPCTray.exe

pid	process
1788	QQPCRealTimeSpeedup.exe
1336	QQPCTray.exe

Suspicious behavior: LoadsDriver 64 IoCs

Processes:

QQPCTray.exeQQPCRtp.exe

pid	process
480
480
480
480
480
480
480
1336	QQPCTray.exe
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
2944	QQPCRtp.exe
480
480
480
480
480
480
480
480
480
2944	QQPCRtp.exe
480
480
480
480
480
480
480
480
480
2944	QQPCRtp.exe
480
480
480
480
480
480
2944	QQPCRtp.exe
480
480
480
480

Suspicious use of AdjustPrivilegeToken 59 IoCs

Processes:

QQPCMgr_Setup.exeQQPCRTP.exeQQPCTray.exeQQPCTray.exeQMDeskTopGC.exeQQPCNetFlow.exeQQPCTray.exeQQPCRealTimeSpeedup.exeQQPCRtp.exeQQPCTray.exeQQPCRealTimeSpeedup.exetencentdl.exeQQPCTray.exeQMSuperScan.exeQQPCSoftTrayTips.exe

description	pid	process
Token: SeDebugPrivilege	2036	QQPCMgr_Setup.exe
Token: SeBackupPrivilege	384	QQPCRTP.exe
Token: SeRestorePrivilege	384	QQPCRTP.exe
Token: 33	2712	QQPCTray.exe
Token: SeIncBasePriorityPrivilege	2712	QQPCTray.exe
Token: 33	1336	QQPCTray.exe
Token: SeIncBasePriorityPrivilege	1336	QQPCTray.exe
Token: SeDebugPrivilege	1336	QQPCTray.exe
Token: SeDebugPrivilege	1008	QMDeskTopGC.exe
Token: SeDebugPrivilege	1336	QQPCTray.exe
Token: SeLoadDriverPrivilege	1336	QQPCTray.exe
Token: SeDebugPrivilege	1336	QQPCTray.exe
Token: SeBackupPrivilege	1336	QQPCTray.exe
Token: SeRestorePrivilege	1336	QQPCTray.exe
Token: SeDebugPrivilege	1520	QQPCNetFlow.exe
Token: SeBackupPrivilege	1520	QQPCNetFlow.exe
Token: SeRestorePrivilege	1520	QQPCNetFlow.exe
Token: 33	2256	QQPCTray.exe
Token: SeIncBasePriorityPrivilege	2256	QQPCTray.exe
Token: 33	1520	QQPCNetFlow.exe
Token: SeIncBasePriorityPrivilege	1520	QQPCNetFlow.exe
Token: SeBackupPrivilege	1788	QQPCRealTimeSpeedup.exe
Token: SeRestorePrivilege	1788	QQPCRealTimeSpeedup.exe
Token: SeDebugPrivilege	2944	QQPCRtp.exe
Token: SeLoadDriverPrivilege	2944	QQPCRtp.exe
Token: SeDebugPrivilege	2944	QQPCRtp.exe
Token: SeDebugPrivilege	1788	QQPCRealTimeSpeedup.exe
Token: SeDebugPrivilege	1788	QQPCRealTimeSpeedup.exe
Token: SeLoadDriverPrivilege	2944	QQPCRtp.exe
Token: SeDebugPrivilege	2944	QQPCRtp.exe
Token: 33	1832	QQPCTray.exe
Token: SeIncBasePriorityPrivilege	1832	QQPCTray.exe
Token: SeDebugPrivilege	2944	QQPCRtp.exe
Token: SeLoadDriverPrivilege	2944	QQPCRtp.exe
Token: SeDebugPrivilege	2944	QQPCRtp.exe
Token: SeLoadDriverPrivilege	2944	QQPCRtp.exe
Token: SeBackupPrivilege	1336	QQPCTray.exe
Token: SeRestorePrivilege	1336	QQPCTray.exe
Token: SeBackupPrivilege	1336	QQPCTray.exe
Token: SeRestorePrivilege	1336	QQPCTray.exe
Token: SeDebugPrivilege	3136	QQPCRealTimeSpeedup.exe
Token: SeBackupPrivilege	2944	QQPCRtp.exe
Token: SeRestorePrivilege	2944	QQPCRtp.exe
Token: SeLoadDriverPrivilege	1336	QQPCTray.exe
Token: SeDebugPrivilege	1336	QQPCTray.exe
Token: SeManageVolumePrivilege	2576	tencentdl.exe
Token: SeManageVolumePrivilege	2576	tencentdl.exe
Token: SeManageVolumePrivilege	2576	tencentdl.exe
Token: 33	4456	QQPCTray.exe
Token: SeIncBasePriorityPrivilege	4456	QQPCTray.exe
Token: SeDebugPrivilege	2812	QMSuperScan.exe
Token: SeBackupPrivilege	1336	QQPCTray.exe
Token: SeRestorePrivilege	1336	QQPCTray.exe
Token: 33	1520	QQPCNetFlow.exe
Token: SeIncBasePriorityPrivilege	1520	QQPCNetFlow.exe
Token: SeLoadDriverPrivilege	1336	QQPCTray.exe
Token: SeDebugPrivilege	3468	QQPCSoftTrayTips.exe
Token: 33	1520	QQPCNetFlow.exe
Token: SeIncBasePriorityPrivilege	1520	QQPCNetFlow.exe

Suspicious use of FindShellTrayWindow 37 IoCs

Processes:

UpdateTrayIcon.exeQQPCTray.exetencentdl.exe

pid	process
904	UpdateTrayIcon.exe
1336	QQPCTray.exe
1336	QQPCTray.exe
1336	QQPCTray.exe
1336	QQPCTray.exe
904	UpdateTrayIcon.exe
2576	tencentdl.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
1336	QQPCTray.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe
904	UpdateTrayIcon.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

QQPCTray.exe

pid process

1336 QQPCTray.exe
1336 QQPCTray.exe
1336 QQPCTray.exe
1336 QQPCTray.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

QQPCTray.exe

pid process

1336 QQPCTray.exe

pid	process
1336	QQPCTray.exe
1336	QQPCTray.exe
1336	QQPCTray.exe
1336	QQPCTray.exe

pid	process
1336	QQPCTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6a6a8bcf2861af81a6a553d1be91c639_JaffaCakes118.exeQQPCMgr_Setup.exeregsvr32.exe

description	pid	process	target process
PID 1040 wrote to memory of 2036	1040	6a6a8bcf2861af81a6a553d1be91c639_JaffaCakes118.exe	QQPCMgr_Setup.exe
PID 1040 wrote to memory of 2036	1040	6a6a8bcf2861af81a6a553d1be91c639_JaffaCakes118.exe	QQPCMgr_Setup.exe
PID 1040 wrote to memory of 2036	1040	6a6a8bcf2861af81a6a553d1be91c639_JaffaCakes118.exe	QQPCMgr_Setup.exe
PID 1040 wrote to memory of 2036	1040	6a6a8bcf2861af81a6a553d1be91c639_JaffaCakes118.exe	QQPCMgr_Setup.exe
PID 1040 wrote to memory of 2036	1040	6a6a8bcf2861af81a6a553d1be91c639_JaffaCakes118.exe	QQPCMgr_Setup.exe
PID 1040 wrote to memory of 2036	1040	6a6a8bcf2861af81a6a553d1be91c639_JaffaCakes118.exe	QQPCMgr_Setup.exe
PID 1040 wrote to memory of 2036	1040	6a6a8bcf2861af81a6a553d1be91c639_JaffaCakes118.exe	QQPCMgr_Setup.exe
PID 2036 wrote to memory of 2232	2036	QQPCMgr_Setup.exe	TestMSVCR.exe
PID 2036 wrote to memory of 2232	2036	QQPCMgr_Setup.exe	TestMSVCR.exe
PID 2036 wrote to memory of 2232	2036	QQPCMgr_Setup.exe	TestMSVCR.exe
PID 2036 wrote to memory of 2232	2036	QQPCMgr_Setup.exe	TestMSVCR.exe
PID 2036 wrote to memory of 2924	2036	QQPCMgr_Setup.exe	InstAsm.exe
PID 2036 wrote to memory of 2924	2036	QQPCMgr_Setup.exe	InstAsm.exe
PID 2036 wrote to memory of 2924	2036	QQPCMgr_Setup.exe	InstAsm.exe
PID 2036 wrote to memory of 2924	2036	QQPCMgr_Setup.exe	InstAsm.exe
PID 2036 wrote to memory of 2800	2036	QQPCMgr_Setup.exe	cacls.exe
PID 2036 wrote to memory of 2800	2036	QQPCMgr_Setup.exe	cacls.exe
PID 2036 wrote to memory of 2800	2036	QQPCMgr_Setup.exe	cacls.exe
PID 2036 wrote to memory of 2800	2036	QQPCMgr_Setup.exe	cacls.exe
PID 2036 wrote to memory of 824	2036	QQPCMgr_Setup.exe	QQPCRTP.exe
PID 2036 wrote to memory of 824	2036	QQPCMgr_Setup.exe	QQPCRTP.exe
PID 2036 wrote to memory of 824	2036	QQPCMgr_Setup.exe	QQPCRTP.exe
PID 2036 wrote to memory of 824	2036	QQPCMgr_Setup.exe	QQPCRTP.exe
PID 2036 wrote to memory of 824	2036	QQPCMgr_Setup.exe	QQPCRTP.exe
PID 2036 wrote to memory of 824	2036	QQPCMgr_Setup.exe	QQPCRTP.exe
PID 2036 wrote to memory of 824	2036	QQPCMgr_Setup.exe	QQPCRTP.exe
PID 824 wrote to memory of 3032	824	regsvr32.exe	regsvr32.exe
PID 824 wrote to memory of 3032	824	regsvr32.exe	regsvr32.exe
PID 824 wrote to memory of 3032	824	regsvr32.exe	regsvr32.exe
PID 824 wrote to memory of 3032	824	regsvr32.exe	regsvr32.exe
PID 824 wrote to memory of 3032	824	regsvr32.exe	regsvr32.exe
PID 824 wrote to memory of 3032	824	regsvr32.exe	regsvr32.exe
PID 824 wrote to memory of 3032	824	regsvr32.exe	regsvr32.exe
PID 2036 wrote to memory of 2944	2036	QQPCMgr_Setup.exe	QQPCRtp.exe
PID 2036 wrote to memory of 2944	2036	QQPCMgr_Setup.exe	QQPCRtp.exe
PID 2036 wrote to memory of 2944	2036	QQPCMgr_Setup.exe	QQPCRtp.exe
PID 2036 wrote to memory of 2944	2036	QQPCMgr_Setup.exe	QQPCRtp.exe
PID 2036 wrote to memory of 2944	2036	QQPCMgr_Setup.exe	QQPCRtp.exe
PID 2036 wrote to memory of 2944	2036	QQPCMgr_Setup.exe	QQPCRtp.exe
PID 2036 wrote to memory of 2944	2036	QQPCMgr_Setup.exe	QQPCRtp.exe
PID 2036 wrote to memory of 1588	2036	QQPCMgr_Setup.exe	Netsh.exe
PID 2036 wrote to memory of 1588	2036	QQPCMgr_Setup.exe	Netsh.exe
PID 2036 wrote to memory of 1588	2036	QQPCMgr_Setup.exe	Netsh.exe
PID 2036 wrote to memory of 1588	2036	QQPCMgr_Setup.exe	Netsh.exe
PID 2036 wrote to memory of 2060	2036	QQPCMgr_Setup.exe	RemNPX.exe
PID 2036 wrote to memory of 2060	2036	QQPCMgr_Setup.exe	RemNPX.exe
PID 2036 wrote to memory of 2060	2036	QQPCMgr_Setup.exe	RemNPX.exe
PID 2036 wrote to memory of 2060	2036	QQPCMgr_Setup.exe	RemNPX.exe
PID 2036 wrote to memory of 384	2036	QQPCMgr_Setup.exe	QQPCRTP.exe
PID 2036 wrote to memory of 384	2036	QQPCMgr_Setup.exe	QQPCRTP.exe
PID 2036 wrote to memory of 384	2036	QQPCMgr_Setup.exe	QQPCRTP.exe
PID 2036 wrote to memory of 384	2036	QQPCMgr_Setup.exe	QQPCRTP.exe
PID 2036 wrote to memory of 548	2036	QQPCMgr_Setup.exe	regsvr32.exe
PID 2036 wrote to memory of 548	2036	QQPCMgr_Setup.exe	regsvr32.exe
PID 2036 wrote to memory of 548	2036	QQPCMgr_Setup.exe	regsvr32.exe
PID 2036 wrote to memory of 548	2036	QQPCMgr_Setup.exe	regsvr32.exe
PID 2036 wrote to memory of 548	2036	QQPCMgr_Setup.exe	regsvr32.exe
PID 2036 wrote to memory of 548	2036	QQPCMgr_Setup.exe	regsvr32.exe
PID 2036 wrote to memory of 548	2036	QQPCMgr_Setup.exe	regsvr32.exe
PID 2036 wrote to memory of 1780	2036	QQPCMgr_Setup.exe	regsvr32.exe
PID 2036 wrote to memory of 1780	2036	QQPCMgr_Setup.exe	regsvr32.exe
PID 2036 wrote to memory of 1780	2036	QQPCMgr_Setup.exe	regsvr32.exe
PID 2036 wrote to memory of 1780	2036	QQPCMgr_Setup.exe	regsvr32.exe
PID 2036 wrote to memory of 1780	2036	QQPCMgr_Setup.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

QQPCTray.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	QQPCTray.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "255"	QQPCTray.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
PID:1220

C:\Users\Admin\AppData\Local\Temp\6a6a8bcf2861af81a6a553d1be91c639_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6a6a8bcf2861af81a6a553d1be91c639_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Local\Temp\QQPCMgr_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\QQPCMgr_Setup.exe" /S ##supply=45137&qqpcmgr=0&recommand=3&DefaultIE="http://www.duba.com/?un_449343_3342"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~f7611ad\TestMSVCR.exe
"C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~f7611ad\TestMSVCR.exe" (null)
4⤵
- Executes dropped EXE
PID:2232

C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~f7611ad\TestMSVCR_64.exe
"C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~f7611ad\TestMSVCR_64.exe" (null)
4⤵
- Executes dropped EXE
PID:2720

C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~f7611ad\InstAsm.exe
"C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~f7611ad\InstAsm.exe" "C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~f7611ad" "C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~f7611ad\TestMSVCR.exe"
4⤵
- Executes dropped EXE
PID:2924

C:\Windows\SysWOW64\cacls.exe
"cacls" "C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218" /t /e /c /g SYSTEM:f
4⤵
PID:2800

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s /i "C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\\QMGCShellExt64.dll"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\system32\regsvr32.exe
/s /i "C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\\QMGCShellExt64.dll"
5⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:3032

C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\PluginInstaller.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\PluginInstaller.exe" /install
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2944

C:\Windows\SysWOW64\Netsh.exe
"C:\Windows\system32\Netsh.exe" exec "C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~f7611ad\firewallLog.txt"
4⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~f7611ad\RemNPX.exe
"C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~f7611ad\RemNPX.exe"
4⤵
- Executes dropped EXE
PID:2060

C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCRTP.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCRTP.exe" -i
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:384

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\npQMExtensionsIE.dll"
4⤵
- Loads dropped DLL
- Modifies registry class
PID:548

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}\iexplore\AllowedDomains\qq.com" /f
5⤵
PID:956

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}\iexplore" /v Flags /t reg_dword /d 4 /f
5⤵
PID:2236

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}\iexplore\AllowedDomains\baidu.com" /f
5⤵
PID:2216

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}\iexplore\AllowedDomains\xunlei.com" /f
5⤵
PID:3056

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}\iexplore\AllowedDomains\sogou.com" /f
5⤵
PID:1296

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}\iexplore\AllowedDomains\kugou.com" /f
5⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}\iexplore\AllowedDomains\*" /f
5⤵
PID:896

C:\Windows\SysWOW64\reg.exe
reg delete "hkcr\CLSID\{29B6CFD5-0064-411A-8C42-9890C83F9922}" /f
5⤵
PID:2148

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\TSWebMon64.dat"
4⤵
- Loads dropped DLL
PID:1780

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\TSWebMon64.dat"
5⤵
- Loads dropped DLL
PID:1124

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMContextScan64.dll"
4⤵
- Loads dropped DLL
PID:2276

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMContextScan64.dll"
5⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Registers COM server for autorun
- Modifies registry class
PID:340

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMContextScan.dll"
4⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Modifies registry class
PID:1992

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMContextUninstall64.dll"
4⤵
- Loads dropped DLL
PID:1500

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMContextUninstall64.dll"
5⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Registers COM server for autorun
- Modifies registry class
PID:1344

C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\Tencentdl.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\Tencentdl.exe" /install
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
PID:2372

C:\program files (x86)\common files\tencent\qqdownload\130\tencentdl.exe
"C:\program files (x86)\common files\tencent\qqdownload\130\tencentdl.exe" /RegServer
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies registry class
PID:2340

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="腾讯产品下载组件" dir=in program="C:\program files (x86)\common files\tencent\qqdownload\130\tencentdl.exe" description="C:\program files (x86)\common files\tencent\qqdownload\130\tencentdl.exe" action=allow
6⤵
- Modifies Windows Firewall
PID:2084

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="腾讯产品下载组件Crash上报" dir=in program="C:\program files (x86)\common files\tencent\qqdownload\130\bugreport_xf.exe" description="C:\program files (x86)\common files\tencent\qqdownload\130\bugreport_xf.exe" action=allow
6⤵
- Modifies Windows Firewall
PID:2304

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\program files (x86)\common files\tencent\qqdownload\130\DownloadProxyPS.dll"
6⤵
PID:2356

C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMSuperScan.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\\QMSuperScan.exe"
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMCheckNetwork.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMCheckNetwork.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1264

C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMCheckNetwork.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMCheckNetwork.exe" /AllChain
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2592

C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\TestMSVCR.exe
"C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\TestMSVCR.exe" (null)
4⤵
- Executes dropped EXE
PID:2968

C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCTray.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCTray.exe" /loadexit /superfetch:1
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCRTP.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCRTP.exe" -e
4⤵
- Executes dropped EXE
PID:824

C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCRTP.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCRTP.exe" -s
4⤵
- Executes dropped EXE
PID:2740

C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~f7611ad\UpdateTrayIcon.exe
"C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~f7611ad\UpdateTrayIcon.exe" -t QQPCTray.exe -c 1 -p 1 -d "C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:904

C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCRtp.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCRtp.exe" -r
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCTray.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCTray.exe" /elevated /regrun
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Drops Chrome extension
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies Internet Explorer start page
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1336

C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMDeskTopGC.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMDeskTopGC.exe" /ShowUEFromInstall
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe "C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\TSWebMon64.dat" /s
3⤵
PID:1684

C:\Windows\system32\regsvr32.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\TSWebMon64.dat" /s
4⤵
PID:1584

C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQRepair.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQRepair.exe" /lock
3⤵
- Executes dropped EXE
PID:2148

C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\QMNetMon\QQPCNetFlow.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\QMNetMon\QQPCNetFlow.exe" /regrun /elevated
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCTray.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCTray.exe" /showtrayonly
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCRealTimeSpeedup.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCRealTimeSpeedup.exe"
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCTray.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCTray.exe" /showtrayonly
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCRealTimeSpeedup.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCRealTimeSpeedup.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQRepair.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQRepair.exe" /lock
3⤵
- Executes dropped EXE
PID:2536

C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCPatch.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCPatch.exe"
3⤵
- Executes dropped EXE
PID:4292

C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCTray.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCTray.exe" /showtrayonly
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCSoftTrayTips.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCSoftTrayTips.exe" /scan_soft_analyze
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCPatch.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCPatch.exe"
2⤵
- Executes dropped EXE
PID:4576

C:\program files (x86)\common files\tencent\qqdownload\130\tencentdl.exe
"C:\program files (x86)\common files\tencent\qqdownload\130\tencentdl.exe" -Embedding
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\ClinicData\pic\Both_Disconnected.png
Filesize
31KB

MD5
00ef699da2be626beb8957d69783cf45

SHA1
a381db99b4c39b6af39e39820adab2d38cb5ac18

SHA256
1efc1cdd056be89f2f37253f3845c99708fb6e60ab243179390996915c4be02b

SHA512
8ce2d3be5e9a00b5372c2640ebe3fc8dba492437964a5961b904cb978cea1284a9684d0ac2868e2052d677051023093332a09c9a675b0916b3468ee78929048d

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\ClinicData\pic\Check_Router.png
Filesize
6KB

MD5
aa19bfbfedc591a531e1e6bd775f296b

SHA1
a93012d5ed23695c0c2701a4e7ceb430b55f741b

SHA256
fecd26a1fd8bca2f88a758c0df90bf8cb6d9476b61a89806ffb06399037eb502

SHA512
2223a33209c040fd96b13f7bce314116b410864dfa9f9a119271f01de4460c4f18935c6e6ae0cba78bf4399b7b926b8636796b52630122513244c73420bc0497

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\ClinicData\pic\Check_Wireless.png
Filesize
9KB

MD5
752f6ed337ee1f8e8c944400757fa52f

SHA1
9237b59a2d0c9dc2ed06bb61e444ff5dae1027ba

SHA256
433c2f423344f967de20e933cc9134ad7b2fa3e669d144b620500946960b3ec1

SHA512
2945980632b15e3dbcc49b5c7342f81397f97e9862a841e21fb027d297c448ae70b7c36475fecc8de9ff6f698071d006cdcad98d5f6cd9de01d84f236641af02

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\GFCustom.dll
Filesize
550KB

MD5
0481a136599f5367909e0eeaa1301435

SHA1
7caec2f0b0cbb7c74fc2c67e194dc01dcbf563e5

SHA256
e1e9d5fc2e393776744f15da70cd755215f84cb9c589cf5d756f9feadae0ca69

SHA512
816734524182ea14bf0c66cd78ac8a9c431bc92fc9a9941b6b2b5de00a185c414a302616d12fb17d77f0032b5ae644aa7899477d5bda2a7c36721298596b2f19

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\GameSpeedupAppPlugins\QMHardwareDetectPlugin\Config\GameLogo\defaultlogo.png
Filesize
1KB

MD5
92c94435540af76b9f12390398aa5953

SHA1
af824afb3914b3e9cecafadabc244e2ac21f3cef

SHA256
13cf618aed9fea804841025558f79adde633f6d9a2f367df4f41a79e30499330

SHA512
4f28167484420add4c4150aefb652d44cbc271ef1b742bb074c2c89492a47f6d6271ee0242ad5dca134300dd9c0594fd5bdca78ad38d3bea6be6bfb03725a72e

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\Image\net_err.jpg
Filesize
14KB

MD5
d916dd725680e4071ce10651f512ed6b

SHA1
4226398478a0e221b8d880feef9264c796729af8

SHA256
64000b4e116faddba565537ba741088ecce2133d0ea1130b6be200ceb96ae0db

SHA512
19bebb6ee83508ec58fad6446556df22663a92588092dbef200d699472513fb707a4dd45261b7699269172280149c1553b6cb2adf6d0b9a4b4b06025b78692a6

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\Plugins\PluginPackage\InstallCfg.xml
Filesize
156B

MD5
0bcc9711e6388a89e2a2ce7469b7d6d3

SHA1
240bcb9556f5d2a800e25d798f43255caab25b81

SHA256
f22aa3d48af3742d7cd0299817e8da35eea97bcb98be96afe5e7acda9ba2a53a

SHA512
898e5158d16851aeaf935946e51a6d0d4830560c365af29cd28b96ea492fe07ee005ce97e7f463c523b83e112207e0ee919d5f8e259ec6494f95b21adfd5f2b9

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\Plugins\pluginctrl.xml
Filesize
30KB

MD5
a742a6ad5697b6229a3406de019be27e

SHA1
1740d2e33f1c8693bfba7a4bdc6107e0f9aa64e5

SHA256
6b6a3a6448cfb2e6b5104abbaace592f1da275901626bf93b111afd45cfec395

SHA512
5ce472eb7ada36cda8a822a1fccf0f9855c1b9d63c48c3c08cdcef43103cb44cbe7700e53cae688f900c9b7b4103ef612f32d6f35280b7f09e8884c2584f8b11

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMContextUninstall64.dll
Filesize
62KB

MD5
c4d1ca420754a0c6b57d9259cb18ca21

SHA1
e6b165b11a70a1ba650424f414253f8bc3f8c787

SHA256
ba2e2aae246d423fd0aaa61e70321562e43f892aa0baf76d93ad835c7835632d

SHA512
db59dcaa26c13c0ac317f104485ddaf065df2e88e8ff5682ef0bf148bda28ed04406b7676eb52ddae8b493df41c52a64ae2ad4210a99668ecc39ab6c41fbb923

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMNetworkMgr.ini
Filesize
66B

MD5
41eb17baad605779b76011ead23c8bfa

SHA1
d5ad3e1d7b4c90ec49e369252f2e5ffc148bf779

SHA256
b64f2c165c2c9b80dbe8de35a411f460afeb420256f03c2252dc6f733117cd8e

SHA512
e32f9d501ae12494959f77c04a5a320a577fd98fa8a0a6de0de44758940b039258a1d78602376fda2057213f61f1b5518a9de2e57215ec06baeaee51f2cbf55a

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMRealTimeSpeedupSkinCenter.zip
Filesize
84KB

MD5
e291240e396630d91d8c7929df800c5d

SHA1
5178690279e506116ea74af7158520f5b49027f5

SHA256
97c71b118eb9e00c8737cc33ad4bcf5abc396cc1c40ca3a6c2b819dacda89a22

SHA512
d544531e0ece2e978f6e6723aef3ebe1168188abcd65669ee794569a7b2b4cad10752771f13bba41b241f24b836ed625b4516dbb4d4cbbf5941781db738419c4

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMSuperScan.EXE
Filesize
146KB

MD5
24685b02ca4af03189beee35a4f62f8a

SHA1
06d45e96cd7b4d721fffd593406266699ed64430

SHA256
76d70d566dc5f28e4137368fa50604d9501e26b885fd5a93307fb42cada78ffa

SHA512
fd6b7f07ebd09a154a83c93a24fc6afa4eb8aeb341488c115d3112870bfae8b66804a8140687998a26f7449ad8d39f11cf4610a651519b8e5337b3e41cc581d1

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMUpdate\QQPCUpdate.exe
Filesize
546KB

MD5
f303b5eaa6c944095a4c0cd7881a4145

SHA1
527c13dc80f32fdd768ba7142ddff0bc1f1e3f47

SHA256
b57b9a8b40a55c899f92824393d46fc8be97c7a287ea5732a6365a30aa83a608

SHA512
c923dad6fe03a91dc59d046d39c180da2f1ac3ee384d15fc9eb9a19d09035d916012af42a814786e484af7ce148bfa573227e265e1dd364d6925f44a76388dc8

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMUpdate\bugreport.exe
Filesize
714KB

MD5
f9e9b340f036551e7f1968c0501d3364

SHA1
e3471fef3deb049366da2714769f46ac17bfe2b8

SHA256
3efcd25b38b640fc43633ab6e40342718a8c757dc2382537b58a719300432817

SHA512
e96bb429c48efe3baff1dac0fe72aeb683f0a4eb066217aed976c9d8c1a8d4275212798ac2cc770f52482d85356ab8c1ff7272e5e41c27feb0ec432c993befa7

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMUpdate\tinyxml.dll
Filesize
98KB

MD5
989f284c2c9c9e0eecc2486fd35cac69

SHA1
708cfabb8f2eafe20ac7b92a0e44395fe7ee2b70

SHA256
33e5c8b4769434f25c0bcbc900aa8bf67dd31fb1c91beefe2fb5b30e9493b1f3

SHA512
39b31ed295cdb82d7f4ec2c63e35d6eaf36afe38bfad42a12fd13a2eb984b44526d6e1eb3de0e40c163284bbc584b2aacb133452da13d6ef8110fcff7f09d55e

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMUpdate\xGraphic32.dll
Filesize
90KB

MD5
8ccb026c3939c1e003df4dab099b7169

SHA1
fc30e8d5ebb4c36e1e5ec00b3ff7e1c6f0bf3890

SHA256
a0ddc1d5a04ce902b3f51da9a776a852a8bf1493afbb8363da85eb5f9a633208

SHA512
13a87b34eafb1237c3e3b76a2dcb6f02b79a15ce625a3fe4e1a881eefc3697d149258208c044b15d0936ca0750802105a2da64a0a177459f3f7161fff13c811c

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMUpdate\xImage.dll
Filesize
190KB

MD5
80f265806d0e0e89d6e4d32f8d612ea5

SHA1
d1ebf930391713a88527114e57c551724a370886

SHA256
3336b50f83930cd4b35a53358f0460678fd25e416d91ca5d885ff8de150198cd

SHA512
1fa5cd21e468085da65bd1867c87bc46f8666aa819e2bf8b594979fecacca7b3248abaa5030ea576dcef4897c17169989dbe71470d7f244508c534ec1edd9514

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMUpdate\zlib.dll
Filesize
86KB

MD5
bd6c48ba68daeb86833aa6b850541f2c

SHA1
092aef7aadce020ed99523f043436c9b4e1f088a

SHA256
7edcb2f6e382e9f38e061be8fe3d6e60e9a750c3baf29791adf900b5d396d363

SHA512
6eee47c41b670637e33a82cad3baef197e462561d6b1d94467875199683e24a9b7cbbef72c06b37b9a8b04fda03025b3f15bb296b1fb6be0dc6159124fd9f76e

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QOLogo\DefaultMgr.png
Filesize
5KB

MD5
89b8ebf9f0b18cd279af4094ef678a2e

SHA1
48203217ffe2cbcf4d8e6d6ad36234e114ed5813

SHA256
64b69e74945ed8007ba8af6ec8ebebe8c3a3f8af7dcf1728a004dad077fb0464

SHA512
fe05cfc73b072ecc5e4f0512cfa61de222ebda23bfbdf4c54bf147f69d4bfba3bf5b929c74616cd945e8448bf79f740c5a6b7d2578ffcedbebdc2887df58f042

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCCommonMgr.rdb
Filesize
2.1MB

MD5
87b27864228a7a266c96cb43490c0824

SHA1
7d7fab21b649ec4e7679b60733f1c3234704716c

SHA256
85aed0f9b0ea5c41126e2acbe28bfc8530baba2ccf6d33d2f0e30188b9452a72

SHA512
0e09c74f8375943156ca706cdf1144e28a32225056624b835c88c942221623d36010c5e5525f64fe3c6726b2727149c6708e1f356a07eec5aa4cee27379158dd

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCRTP.exe
Filesize
294KB

MD5
e7e070cc27030fb54a370c4ba2386fd6

SHA1
cbb4c91a380756268eaa23546c5f636b74fdccb4

SHA256
97d545fa31bd3f620f4ed1b6ecb5f2095a68b06c8f4f4372ee47f3bd345b383c

SHA512
df15399e66b097729de34c6b42f26710e12ed69df462df24a688bd9889095dc0ba1d981f1a5735d30fe1c0e0203f97d9987e79afcaaec627f79ada984196f3d5

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCTray.exe
Filesize
346KB

MD5
f14424c5f462f9560a87a6aa4df2089e

SHA1
6af6238b7f7e48dfc99091479fcf33af5feecc24

SHA256
d9b0eaad0bdd52fc644857b63067fe84c8c0f243d4fe6e9bdef6573697a4789e

SHA512
4c510ca6d7da7068339639a8df570e192ed2ae204386092e59f908712a4d66bfd6dfd3260c87497a890bb93852b7803c50e970de92b35c0485b218d7c489a720

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\Tencentdl.exe
Filesize
1.0MB

MD5
16e27465fc02e6974704fd2187e92144

SHA1
010a8f7ddb6d6b3263cb710d9f80e481db54be51

SHA256
7d33f460ff3c391a35402c3eb850f07996b1d94019b3d4505444ffab26bccda2

SHA512
b70e96aa3c185fbbdad56ffdd9bf9b6d5fdb1fa34bcde197085940adc453b9c4d7784dd37e9e1b137caf9d93dbdf8e379c20d3624aa961838f58ff8f1838ce1d

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\dlcore.dll
Filesize
2.1MB

MD5
1123cc85ff12a2a9c44395e5362220cf

SHA1
6e886d10ee0ffaf118e13065283ddb7408099407

SHA256
544b58015ab218dfe4fbf1cbbea7fe9173f023edb254d4a9932a0656237e2a56

SHA512
8693d4fd1f2a83322f262af5a094c6bca57df734514106ddf1c2613f772c2aa2de16ca90a4aa275723cd336163634abecd85742883652c5f3f94d8bb58211d86

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\dr.dll
Filesize
414KB

MD5
960dcb06db8bf6f9fc998e5c05d96b8a

SHA1
fab7a426cdcd9c70aeecfc85a3264725d9a88a5a

SHA256
3e673b18a7ad23cc51170564ff60365fcf035b8db0f42b001b1988d4be2777dd

SHA512
e7ded63b58ae2f0ff3361bf7b0ef68904fad213dedc82570303bb8940f84f8a3982837e517039e6b16cb93bc1b9904fecc922345f4421a314ef00ab901a969e2

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\extract.dll
Filesize
361KB

MD5
e28497e0e9266ce04271815fac080f12

SHA1
9757f0b40b89201e16aae09339530d75d6f51cef

SHA256
81f92b3e0b9687b2258f521eb2ab25d65516494ae7cb08b4bc5bc290f2a2e0cc

SHA512
d46f60f2bbc3b811cd0bf2de199dca6f5a14a742614f093938ec6ffd7adbac5b3997d4e6e1062485842142a2f614dc4ada7170bbda84706a07fb86786d30c529

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\npQMExtensionsIE.dll
Filesize
86KB

MD5
6f6f5b854af0a6728e51120d5853aa80

SHA1
22e90b36584e2526182f34b8734a155ade580fba

SHA256
cd8aeafa3d4ebf06fd1366b9179d30da9e85efd2d1e65b5b327110b9084aa306

SHA512
3b1c63a19abaa1d2601aadba354ee24cec90ce2ea62030f5916f8368e41ac86b9b4f408dce4de1b36c491abe56d8d4202d20945b463ae89eb5b03ada76310a9d

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\ClassicLogo\AddMore.png
Filesize
172B

MD5
020e693e12d5857dab9522c9822f9ac8

SHA1
25f02fe9626ca6064fba8f53471c8eeb685ed64d

SHA256
2a1d08aa13d300f9bc40c0e2de79a6f474700c3223a7dacc05fe051810fec665

SHA512
aa9c9892b2a73481d6162868a39b307b592a0d10cb683527ff25a08cd69b1f2e592879f536c4f893647fed69e6454ad6aa1389b4a11986cd9d505b341f8ffc53

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\ClassicLogo\AppMarketPlugin.png
Filesize
1KB

MD5
f6a6f22f5f5328887f6f0c91c8b9896c

SHA1
c1cb75597fc72a4970a5a6e5198646b615605518

SHA256
10fa93e981dcaee45f4f689f9984a91996d606488882965f5d33d08986950c4f

SHA512
91b5ec0e31720b69522e5613c51b6a91da05c859f9ac9b069e81c26028f4952ffc7f651b45de46c726bad74e116cca512386ea02eb4aa378e70418e44b36ba5f

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\ClassicLogo\DownloaderMgrUI.png
Filesize
537B

MD5
71b7eca7aadc0a7a85040d6b14a74784

SHA1
423152c2b01c8bf7aaef426af09eb5175254585f

SHA256
58c2e8a5009b04e213e0537861108bce13772acd0917bf8c70cc33660343c7d5

SHA512
8eb1b47bd98787274cafef4dec5bd3cba9c9fd9e4a9d6a0d3e77db36d7c7771e345aaa01ff9d0946b21b58513de689d89c36200a6a2bc4ed7583b148b4a4f0bf

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\DownloaderMgrUI\DownloaderMgrUI.png
Filesize
1KB

MD5
471dd520a6651137366c2e743c9d9820

SHA1
d678ad5471d9b98396ce88854aedb4dac2c4e389

SHA256
75817f28fc05b328a9fb8b60af281e42d8da449d5f0078a9e3ac9b3411a05520

SHA512
782ea3ca032da42d195e3893bb6f933d382120eac4846a0ef8d25630a27b2ff382dcc60ad52d1e313e75a77dae252c1d731f3091c30d2d4b93473c668d75f84a

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\PluginInstaller.exe
Filesize
158KB

MD5
5d8604f4980f677e4b16e5f4ab14e6db

SHA1
bc32bd7b12135129d02dabf9ffd5a4ff95607d79

SHA256
24f4ef8ca38c35d483c81a5b0d1341f82253925b7f53a7f086d894781aa5fd74

SHA512
943a2aa166bab0df410af15a4ec3eae8d2c014f6cb23745f810a53f408aa45a8016256b4892fcd0a7f2418965b6b418f8d6e7a9ef7655254e42e5d4f81eab314

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\QQPCWifiSafe\Common.dll
Filesize
1.8MB

MD5
9f97986db2dc0b1984c5b86d6e6cb277

SHA1
d842f83b3f6c92bdff10d19307f165dae1034c03

SHA256
44536e1001edbf1b6060bcf76c0e1b7f52868396efcf41f61b3bb346c605f121

SHA512
4af63af15ac67e807d297c45adf65ae198e4a033e89fc6f35c0e4c43abcf57334a4266fa1aa13f4f6605dd2058a74f56e757369079ea11ce8cbca0800c8a313e

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\QQPCWifiSafe\GF.dll
Filesize
2.1MB

MD5
98537ed2b637ee9fe613d356d6a2315b

SHA1
0567a032d2824dec33ee306cd57ba88f55f06dd2

SHA256
52b303f8cd7cf5f958b4a726d6c15f19d26e15a067ec8fdd8924ce930f386bba

SHA512
cb14eb2aa509fa74857c5c8431b1333c92b2ad9c5a87edf747e281066c2073e09ba139e02d8596ab0f7114a58aa6a9bf12c40c0e018423f8c80d739d2f122c73

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\QQPCWifiSafe\arkGraphic.dll
Filesize
334KB

MD5
6e67cc17373df5c4f0d4c911b8abd190

SHA1
cec68c7f6ff3830654e7adc7e168729e325a12be

SHA256
a0877adadf0609814676c01c0073687edc9fbb9a2dbef77599e8cf33cd3becca

SHA512
8d4da081e92aeeb39c0bdae5172eb0360ff14952670632d2226bab9cc1faeb60ce89c3326d5c2eac24fbcc5600c1b5a772850d16963898b219636e99da5965e9

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\QQPCWifiSafe\jgIOStub.dll
Filesize
13KB

MD5
81078ce3a928d63f9611a132e9deb6bd

SHA1
0181fb1340833cbe4f9a268b01239b28e01f80fb

SHA256
e5b9766a0ce2183d16120247ea40734c6e35d8c6a31dad3f00b541e9078d74b0

SHA512
8b5415adcb28bf7e19305cbe11aee65612abf78677f1d8166b7d605abcf842c9ed11b9ed3d81893c3c92f57e7986c30eedcdf32bc6fd4c3926627f164f499c3f

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\QQPCWifiSafe\jgImage.dll
Filesize
44KB

MD5
46e22ea434f8181894233d29201c51f8

SHA1
2bdd24ec7d638363f522463b52f6ac8c17353ee1

SHA256
5552936556414a2210ca41a274518ec80fa4ec7b8940d5dcf26cc76a0708b146

SHA512
c37b145ef7d6c58e373706c76e097922f7092c48eb801a0e537868108157e28cf4472ac548a3fdb1f7485830b48acc4f8194d6622a4533889c3f5553350367da

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\QQPCWifiSafe\libexpatw.dll
Filesize
134KB

MD5
015c6f01b16a55cb24bebcc3c8d94f1a

SHA1
de2df059b878bafece411e98c63fd4c02125ffd4

SHA256
bce56a73d43e5d83e618bdc45ac7be450d7d11f86672928213edcd48e25a13db

SHA512
40bdee40e517e81ae1e996863f4606e07c2838b3a74240da27693b2dca18866dd8ba12599c3c250bffbaf193156bf1052c1eccc6d182318c666fabf4987535e9

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\QQPCWifiSafe\libjpegturbo.dll
Filesize
278KB

MD5
d4a6b70e64e19884a80b8f0b205c1045

SHA1
14f821acb93ff13b9d6bcaa40316f9605d958589

SHA256
7cfb2c8456ebc2c0dceffca96a7f63ed2c293b99d4a115bb01590b87761c2b37

SHA512
42575802b48f16baa5024fe186c5b7c1f348888896dfcc8c88425b4cfad8428a354c10c782cd8498558a1084fc0800968aaf50da0c90dc2d276da6ccd8378f49

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\QQPCWifiSafe\libpng.dll
Filesize
154KB

MD5
772bc1ecc5f7e5655145dd61e6ece349

SHA1
14553cb511d3cbd2056ddea7a1e019abad5f9b25

SHA256
092d9313e4456c0d36385dc1d76975e4c574e4806e01e7de340b6f6c651c0173

SHA512
be7a54c5f79ba0334ce16193a9c8744cc8f24438af5515677f30b3b2056913a962d4a6d1893000a92cef325f9c07ea6d1f3e51a9af520dbddf05b35557b8ecf9

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\SysHomePage\GarbageSoftIcon.zip
Filesize
273KB

MD5
e78e85abcca969929a00664a14c80673

SHA1
8344090a69b49cdd239ce74013b58ec06be687e5

SHA256
969596e211d736e02b8b3b99d4fcfcfa3de50989c21a1cbe35d69e69c9900cbc

SHA512
0fae92d233926497d7395a9781d07beed481cbcd3585337a665f851167ca53a44a7b913885f3ad011fb6b8a5510bd90859b1b95ba53c9b7a25e0acd59e466a9e

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\plugins\SysHomePage\HomePageRecommendItemsRes.zip
Filesize
8KB

MD5
0787a1e15edfb0f87625f770bb3fae2d

SHA1
56838b6a1afad2bd846a3ea85da3241c56a59026

SHA256
3d09f8c0ea2c0e379bca115cb00af7517bd93dc04d683d7bfe34aa42078a9fbb

SHA512
5949bfae26497be21cde7d325c719edece1f7a9da785a127ef20da4accb999d221519aae332379b9e677078c06b0a9b972af670f603ae27dc026cae98b4f0df2

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\qmsoftmgrupdate\updatedate.txt
Filesize
20B

MD5
cc2242e27245804799b5168f23a84245

SHA1
4f34df176c664a74b3dda7beed3e6533126fe243

SHA256
ffdeb079535cfa7c1a9d8829a9b04cf3dd58fbb79e8e12190fbbdbaf08e04aed

SHA512
d237e314131a050335fa0670e850f7c0200d4e35d9236a4622222fba43e77b249a3075e253fd3c009adb6addfdfda63a20edb264c5284130acd54203b48b534a

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\sqlite.dll
Filesize
470KB

MD5
856767957cde3156d05265c175468973

SHA1
798192e8883181638679abd66ae970aaf949317f

SHA256
7da90541af73e460ec815dfc2d20c9457d4ec6de6daf00bbc27274fed608ce72

SHA512
e50b79eb5b28fcac6ec144fa4e74ca60a5af950f7d6aad02b8136b2a72692b1c2b4e3425c3bcee1a8d0f9a00bb47807c3375a5b59cd81350142b17bf7cc4df50

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\tpk\Data\tpk33CD.tmp
Filesize
85B

MD5
079bea95c9b6da800a9f7157d1d2e608

SHA1
49b2e5ec742d7a64c5305b66021970d8ae9f4643

SHA256
861b42028dccb37b8ab589e0d4e5a43d2914864d0241f04defe1d8787ba4c185

SHA512
9518033205122f2f69ebea8aa84d25b42ec4d6ab996d28076f91b178bc91fe5c9c73c03f3a873f2b38fe074c6e550eb4b5ade1790a325a4cab55a964ad04fccc

Download Submit
C:\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\tpk\tav.ini
Filesize
816B

MD5
c64340a37ff69e8ce6ddf862833aae23

SHA1
9bc6c13fc3122b88ddabdca39eb8d5e33b048d69

SHA256
7dc5541cb03d41c6aeaecac7058c98bb1ae6e31e0140a356b6c68d4998706b6e

SHA512
7f2b548eb2a9f6f0d13fbb37fd7dbb5832a39c6a4d32a9ec7a77e46796e430a1e1101df70502ac0bc73161ca7e0f61adcbf2a053c868d53de6113e8c220b09ef

Download Submit
C:\ProgramData\Tencent\QQPCMgr\AdFilter\AdFilterRuleItemStatus.xml
Filesize
252B

MD5
8904bccd20ee2e9912ae6b0877b8418e

SHA1
4d26f7d448e650c7639c0249673ef9ed5dff19ef

SHA256
ef564d1c349cea8728967b798e0742f4023b5fd76cfda57c8dfad3d2d36f32c3

SHA512
dff532ec54c903fdb216af22a83c72ded0440f0fafdab7f9de7b588c1fe40fd4471ecc11fd5bc2c96d533d505a3431f9c80b56e671effb83db523392352eb3a9

Download Submit
C:\ProgramData\Tencent\QQPCMgr\GameUpHistory_5.xml
Filesize
49B

MD5
2fa16be87404b457a22c0658b5781bd9

SHA1
06948545a6204eb4a91aa5f961942f5e739bfc9a

SHA256
81d6f1def67d6ccbb07f8d485dce1e3df460847c72fc8fb941a2b831454a11f6

SHA512
26651c2e0fc1e57212d76d8814b4e8d74a7ff3bfb110c11c710dfdc050ecd38820d86edba6cd2a1e01d39a4fa3f162653ead7f211866afd7c959d7200c83ac14

Download Submit
C:\ProgramData\Tencent\QQPCMgr\QQPCMgrInstall_20240523090012.Log
Filesize
5KB

MD5
6d4f569fbdfcacadb49aa8492f363575

SHA1
3e04f50d0e346b8dbd365a4b1eab99fb3f77cc7d

SHA256
757cc2ee94739c6ac0f570a4040a1fa103e7bf00d24af79d3f9d53b731b278e3

SHA512
81edb1c16bdafcf87675753d9c2c2cc6529c2de72d1634eff44d2eac71715eb147235d2bc560792ca19dfa8d0e1392cf9018e7e73d7998b219433c0751b2b58d

Download Submit
C:\ProgramData\Tencent\QQPCMgr\Quarantine\QMCommon.dll
Filesize
698KB

MD5
697e5c4bc7b338810abce015d7fda972

SHA1
7cececcff25b58c8f275ddc60b8482a8cc1b2ea8

SHA256
9b0de00b4b8578660d7d3a42ec8366245a01151cd0b97da537bc7508a375b9b5

SHA512
47116f52c620a3eaeb6d02039d0b4c2be7ba882e0296fdfdedca9b66c59a1e4549ef1bca0de81e1fa77e14db8536d89e3b7e83e22f614297f01e90dea6fe3f8c

Download Submit
C:\ProgramData\Tencent\QQPCMgr\qmvext.db
Filesize
3KB

MD5
802c883473536602fcd602f6b73f789f

SHA1
d5f0280437e820e37c61c194a3e02db9a32391f1

SHA256
57f3f423ff93dff538024fb4234f9d43b355c812a76fb7cc58f55c180cde3ad9

SHA512
514fc93a94a14bc7de882425552e109290668bd5f7e009d0d16b13ed7bc3cc83fb5331f69382ccfdf546f352388c4641a504755291902a4d5a4587bc3efc9d75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab31CA.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar324E.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~f7611ad\InstAsm.exe
Filesize
100KB

MD5
2cf3201553b4eabb62a35143a808381f

SHA1
e70a8f68ae3b8761a2ae75ace72f97bde0b3aa81

SHA256
3de1b79a41e5deb6366ba9f13ff65e47697fddbf7f355995fdd45f50c3668249

SHA512
2665d0fc15620c2125e65d27664ed80936e8b281293f0726fb7c3ca4590462bc13c7c607d85e74f67c91bbd61868a1f30710b0469db3657d5aee99983751b059

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~f7611ad\RemNPX.exe
Filesize
39KB

MD5
fcb991d99796bfeac2378fb787b23d03

SHA1
7a3c85c6d7e64b98bf029158a5fa2b40f194749a

SHA256
f842e1ebeb8787c72ab9edf4dfe5d365ad865798a5f7e2d07d48c1f12771925a

SHA512
462e121192ab674b3a7e2411b0a28ca85046dcc8e757cd9fe387809e4520c97abbee62a61a0f2164f429794d46c321e6d32d93ab74445f7ad2f9be6f7d052870

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~f7611ad\TestMSVCR_64.exe
Filesize
16KB

MD5
03d4d6e095bd4883ffdb1d2efdb113f5

SHA1
617a1eb4455389d29b4c4aa225d9ed36685d79a3

SHA256
b5c01124d80d96ceff8829f3623044151bb14e4111a8d241abe00dfbfd173601

SHA512
c4047c355da3cdfa6a359c7e4c0e170ab75ff53f6ea3dfd754b215991b9de158b8fc0c41b79a38a9591801ce4062a6af44ce8104e647c6a492fff75c4c4f0643

Download Submit
C:\Users\Admin\AppData\Local\Temp\sec647D.tmp
Filesize
470B

MD5
1e23b5d98efadef56e01865bcd8c28a4

SHA1
e5222286d6ddeda80f53c719cbaa5a499b10bf99

SHA256
7f7dd58953213755d1779aeeca030e1c8c378a1949859434437fdc619f7c50df

SHA512
0dfbd1fac93eb84ed6621340e58dc87623a1820876ea6f6950f221840135639e9b64f634e8fdd7755958c1af5924793a41022ac44cdfca5e71cbd68c49fae256

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\强力卸载电脑上的软件 .lnk
Filesize
1KB

MD5
d16c0d34eb506bfb851dc687bf389224

SHA1
374ead267a0fd46a59c9d2d17d868bde073440b0

SHA256
a05c667f3cd7a44b0aa5a9934573cdcdd0026e2f9b31f654a94372778b4d1d27

SHA512
9e41495b7db9e769da4ed58698ff5e9667b114f1ada864147cdb8464b66460031ce172b42fddbe9bd526d12c9ae70cb46a0ae4135988291ca9280fc8011f5a5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\电脑管家.lnk
Filesize
1KB

MD5
1e391423565afc18a4e7db6fef4fbc2a

SHA1
441a126564a7a25298729e79206c685ebeee184a

SHA256
e488240b9a587e513b444c53826fd4899724e211c453a5194cc0d4bb958fe5a8

SHA512
c9dd870e91fb04ee88c28f81a6f7200a8abfd76eb4ae177cb38faaae0bdcb6caaa73cd3f4cbb7f7f16ce2fa07c6e9eeae5568c668730688f2bcbcb40e42f2d74

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\Tencentdl\dlcore.tlg
Filesize
25KB

MD5
b8d2f85b15d03b07741d8745e79f8031

SHA1
0340db3c3345ecb90cc1b21c6e01ba705e8c7fe0

SHA256
0d37f4a68893fea8cab078ecd0f9dc778710ed3378d16820de183653d08473df

SHA512
b93ba9b5ff765c68145fa142c2c5d9fb36f88d77f617c754bb3152c932bf9a11ce4eca39c02b7782d045e844068ee8586af1342c976d09f2b0eb1f3c032f5733

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db
Filesize
190B

MD5
3ac62bc4ac3562a8527722961a432eb6

SHA1
05c27feb7c0dbcc2b21d544388552d1febc770eb

SHA256
a3cc7869684f82c27b2762066ff6c3fcbefc51abc601240f5ed9b999e1a27768

SHA512
a86464cf7ce3b7fc20e6b7820213919f8034fc4a86bcc39b91f596987d46bf2f76e7919c5f3390644ebb2aedc5e77470285d424751c558f8a4d783e461d3ab5a

Download Submit
C:\Windows\System32\drivers\TAOAccelerator64.sys
Filesize
87KB

MD5
ac4da97aec79dfe17b93138117d738a9

SHA1
95266b0f2d14aeebc76337e721cb92de357e1d83

SHA256
c6f0cf93317024b993885356ae5469b7f649cdb0e92ea7250e33e6a0f2bb5f33

SHA512
f8949281fb4427665b01dcc43fba595d5421bf70c7fd5e7c5cf5772a84a84253cff9147b30ef09f6c457c86b9c57a7ab32b7137b6c9525f5093f00b2b2bb0a44

Download Submit
C:\Windows\System32\drivers\TAOKernel64.sys
Filesize
128KB

MD5
96ad46a4f7ed4cae92634117212448e6

SHA1
0933fde9433fd4405abfde712ebd97f99f3e43ba

SHA256
df64dbf5f628a2080d08cc53ef2e67fe928573400f53c109330340a48944e8e2

SHA512
ac3075348e7343671fe50a1ea057380066be2c4874ae77d2e41f2f2878bd9163b3d0f8451ee8ff95678743e844c27bbad004ce538d95c4cbaecbccc40fe384bd

Download Submit
\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMContextScan.dll
Filesize
86KB

MD5
e457acfa44aa3a67ebc7334efa87844c

SHA1
b1220b6ed3df44f40f089b9035d165e61ff4b87e

SHA256
a451a2fb0c8def31edf7637ec3f5b37b59a00dd0da214d9cdec14d0e1403d4a8

SHA512
3bb8172f2ed1dda9bdce8dabe59495b4bc7e2a127b692c85f2df2ba4c23f13d5301b664158a3aab61d3581b63b0a40e9cca73fcf7c36c203998c1b641570717d

Download Submit
\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMContextScan64.dll
Filesize
91KB

MD5
d164d26fa13713977339b5d3f8226a27

SHA1
56388ab7183fdf5f5a7c8106141e680fe17c67b2

SHA256
0f74f1167a1a00f0328aa3a3d177d210508a1c297ea4241e2b19e3d6a93de406

SHA512
65c8aa90bd2f9de7d259e57e060fed45204de36de935f4a9343f4e8c3e423d9f2411b81a5f0d0d7b4a8f1635a5225d88068584a56a5df3a89c04faf13a513d0f

Download Submit
\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMGCShellExt64.dll
Filesize
453KB

MD5
fcca31b983709d96860785127cc6c1a3

SHA1
4b03cbed86cd3d46e7280e3b4e2a5f16006a1b56

SHA256
4079eb7950f86d529ef8e2fcdc59674515a48f21f2ede924529ddcc03a79d68b

SHA512
3d2c4cfde43d80bfe58545fac8bf30c9ebcb759e5c9e77392c442276509d8e237a6a98cd2c1237e5824732d3b6177287f02f33b99af5b9191fb54bbb2f30d123

Download Submit
\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QMIESafeDll64.dll
Filesize
360KB

MD5
c2762389af8cf967a428bfb45a3513b9

SHA1
273ba7c9c688412f8a9c8c0592d5bedb6b59f181

SHA256
d103d39939f1a1820632dc6543745a66cfb41323d48c5b965aeffd263c664a1f

SHA512
ba43751fa42ac88dc712f884948c56061249e78d37f74a58b0f2ecfef875c4446b2bf1ef8297010448780d7247902d3645c99ba6f88f30bce289889780d0f9b1

Download Submit
\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\QQPCSoftMgr.exe
Filesize
1.6MB

MD5
0c4b8d51933a22009282b47e38df745b

SHA1
d364d5cda17ec811793da889114f780ebeb711fc

SHA256
3ba4892ceaa422559c1b03e29e5712b84083b22cdad4c1164fb929c6b4a62a3b

SHA512
751d0cdb6de86ac3118119ec5faf7a63e5926c6dd426917a20c8ea74a942a9e1d6ccb3c5f19567c09f83c02dcef1784ea25f914d01a64f8948178cc3f36c1a7c

Download Submit
\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\RefuseInject.dll
Filesize
170KB

MD5
ba8286f6f6b7c9112aa0a495ad08fe85

SHA1
e04b4606bd6a8ec0096659177ea597fc212e71f0

SHA256
4250dc0cc5eef19f5db5e3cd503c650b4bd5ec77ef76dbf23e8dbf06aeb6a54b

SHA512
caa1a24260a1dab5afb047cf223667c887384a58f16906a3b88ce7d40b67e989b7714a5144ab83d38ffebfe2ac8e8332a892690e1a19e8842bd54129032ded8e

Download Submit
\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\TSWebMon64.dat
Filesize
405KB

MD5
3283c4d3bd7d36d3ed8d7bf113c3352b

SHA1
32139fd86d67a1d8a4d9e681146841386affcb9f

SHA256
6874c78579b577fbedcd297afc9f3dcedce6f2133f227fa6f1c9ff5cfb0231e0

SHA512
d668fcd76f2cb03708f001295dc1af57b2c4dcc5e5bb109caf33744054fc39d6b59f5b67c4351fe8e3b9ad1cb570570d823f4c51e2d4fcae409f446aac68522f

Download Submit
\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\Uninst.exe
Filesize
1.5MB

MD5
087b6546a0a7f67dc235df6a83021063

SHA1
bb9cec97b8fa10957a8e6ad74a383781dfeac866

SHA256
f3e7409e6b16d55b9eb48073c69901f6ddc4c5587f0eef8b74832f14328de998

SHA512
3a30ac1b0883f20401d69a4cacfbaa913143c03394433b027654e955ae85dc3ae4cc8f13291da5a2fdce7ff706eb83f7d50e8008f35b713ef817c701fde1055e

Download Submit
\Program Files (x86)\Tencent\QQPCMgr\11.3.17201.218\exnscan64.dll
Filesize
530KB

MD5
de168bc051a65700c3e5ffae84c4af0a

SHA1
b7923ccc60240b57475318a9f8b5611db2eebdeb

SHA256
2569f46126275e34495641996dfdb8eb838283bd450ba2c8cd5a7c71b357de17

SHA512
f4f139862bcfb7ad80242a9efc89ac33a3fccdd05940d1014f48ecc4783e6f979f59496c0b7e2d4d21bc77065322e178a29a0b33be16d1dc9d14758811c48762

Download Submit
\Users\Admin\AppData\Local\Temp\QQPCMgr_Setup.exe
Filesize
49.2MB

MD5
d9bd2c2ea09075d1647f0541385c5b65

SHA1
79e6e2f4e368db11e0b2371c907737cb618a6f73

SHA256
45eddf57fd9b7a4bad7758991fb19b01ec68dc3d4f003104b055688b8d84d669

SHA512
c2c3223eabdf28a9abcfccd72dd4465569c9345ac2899ebd4177bb1d87ea051943c8dc3f2e7a3a8eaf4a5ba8d26044ab061907d1c07611d14687e9d5d65a0f7f

Download Submit
\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~f7611ad\PackageConf.dll
Filesize
286KB

MD5
cbe8afe380fff9c520ac6c1721dc47fc

SHA1
9e1cf0b7fa0f3fd65bcc9f838d3c23cc57ba3043

SHA256
672495fce05dd1864e2040f7f3ae6c1c942b7e583bb10552067fc2db9ec51c32

SHA512
b913d2e9e4dff8748c388743523c04814ad1e89e6972642a1b00034a840edb82225a9801acd0869ae41143b1aaac77d3d890466509b31fbe3aadf8291a75d114

Download Submit
\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~f7611ad\TestMSVCR.exe
Filesize
16KB

MD5
4b847825788ec131032f106500638b92

SHA1
b5948921e9d3331eda2906cb664d32ab05564434

SHA256
3313c7606698e6721f65a8ec84e7e1f95859b39a7e2ca40463164788ab00565d

SHA512
e1390df49d8c101aa946ec01600ea7a55953ca950011e64c6343d672179ffbe5e1eff98fadc1b38464702e20c7c1e830eb928a1886dbd4ed4c95a57abbd29146

Download Submit
\Users\Admin\AppData\Local\Temp\Tencent\QQPCMgr\~f7611ad\dr.dll
Filesize
427KB

MD5
68a34245c650829c613e9068bdc6f79d

SHA1
f877ad637c2097915ba894fdccb1a596a52a726e

SHA256
c72cc19b9ee4546378d22483d5cbe612805be585658df9d28677174b19c2b3bf

SHA512
1c9181c1693f3fb4c3044f57f9113f1858cb709c56ea7beec1d41026c4a64070e221dcb61669fbdab63fc0669df24f4a126ea517a157a738b9a35d784cef9afe

Download Submit
memory/384-2512-0x000000006FFE0000-0x000000006FFF0000-memory.dmp

Filesize
64KB

Download
memory/384-2518-0x0000000075ED0000-0x0000000075F6D000-memory.dmp

Filesize
628KB

Download
memory/384-2506-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/384-2519-0x0000000076AA0000-0x0000000076BFC000-memory.dmp

Filesize
1.4MB

Download
memory/824-2557-0x0000000076AA0000-0x0000000076BFC000-memory.dmp

Filesize
1.4MB

Download
memory/824-2556-0x0000000075ED0000-0x0000000075F6D000-memory.dmp

Filesize
628KB

Download
memory/824-2552-0x000000006FFE0000-0x000000006FFF0000-memory.dmp

Filesize
64KB

Download
memory/824-2551-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/824-2553-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1220-2615-0x0000000002530000-0x0000000002535000-memory.dmp

Filesize
20KB

Download
memory/1220-2614-0x0000000002530000-0x0000000002535000-memory.dmp

Filesize
20KB

Download
memory/1220-2612-0x0000000002530000-0x0000000002535000-memory.dmp

Filesize
20KB

Download
memory/1264-2530-0x000000006EA80000-0x000000006EA90000-memory.dmp

Filesize
64KB

Download
memory/1336-2751-0x000000006FFB0000-0x000000006FFC0000-memory.dmp

Filesize
64KB

Download
memory/1336-2626-0x000000006FFC0000-0x000000006FFD0000-memory.dmp

Filesize
64KB

Download
memory/1336-2623-0x000000006FFC0000-0x000000006FFD0000-memory.dmp

Filesize
64KB

Download
memory/1336-2622-0x000000006FFC0000-0x000000006FFD0000-memory.dmp

Filesize
64KB

Download
memory/1336-2589-0x000000006FFD0000-0x000000006FFE0000-memory.dmp

Filesize
64KB

Download
memory/1336-2602-0x0000000005FA0000-0x0000000006015000-memory.dmp

Filesize
468KB

Download
memory/1336-2749-0x000000006FFB0000-0x000000006FFC0000-memory.dmp

Filesize
64KB

Download
memory/2036-2554-0x0000000006D80000-0x0000000006D86000-memory.dmp

Filesize
24KB

Download
memory/2036-39-0x0000000006CB0000-0x0000000006CF8000-memory.dmp

Filesize
288KB

Download
memory/2036-46-0x0000000006580000-0x0000000006586000-memory.dmp

Filesize
24KB

Download
memory/2148-2870-0x000000006FFE0000-0x000000006FFF0000-memory.dmp

Filesize
64KB

Download
memory/2148-2652-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2148-2653-0x000000006FFE0000-0x000000006FFF0000-memory.dmp

Filesize
64KB

Download
memory/2148-2874-0x0000000076AA0000-0x0000000076BFC000-memory.dmp

Filesize
1.4MB

Download
memory/2148-2873-0x0000000075ED0000-0x0000000075F6D000-memory.dmp

Filesize
628KB

Download
memory/2148-2872-0x00000000765F0000-0x0000000076625000-memory.dmp

Filesize
212KB

Download
memory/2232-49-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2232-50-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2256-2781-0x0000000076AA0000-0x0000000076BFC000-memory.dmp

Filesize
1.4MB

Download
memory/2256-2770-0x000000006FFD0000-0x000000006FFE0000-memory.dmp

Filesize
64KB

Download
memory/2256-2774-0x00000000765F0000-0x0000000076625000-memory.dmp

Filesize
212KB

Download
memory/2256-2773-0x0000000075ED0000-0x0000000075F6D000-memory.dmp

Filesize
628KB

Download
memory/2740-2564-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2740-2581-0x0000000076AA0000-0x0000000076BFC000-memory.dmp

Filesize
1.4MB

Download
memory/2740-2580-0x0000000075ED0000-0x0000000075F6D000-memory.dmp

Filesize
628KB

Download
memory/2812-2531-0x00000000002E0000-0x0000000000355000-memory.dmp

Filesize
468KB

Download
memory/2968-2542-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download