794a83579d11639d51da839647145a1a4b5d9a3e893fe09c0f56f7b7c5d64c69

Analysis

max time kernel
100s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-11-2024 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QuarkPC_V1.9.0.151_pc_pf30002.msi
Size

216.3MB
MD5

4507d0b4b388162362dfcf53cc262ad9
SHA1

c559c7ec90968a896f99acdd64cd7e073152173d
SHA256

794a83579d11639d51da839647145a1a4b5d9a3e893fe09c0f56f7b7c5d64c69
SHA512

927bf11c12efc4dc53ee3486da87b1fec03f33fdfd151e4f2715955a749af87b904499a048676301cf0461d955f9f2f04293a4bb5d786739075b279f963b63fe
SSDEEP

6291456:0Ao/2PVmZrDQalQVdvLQtqF5BUgbE5MXtBUdbyv:0c2DQFdQ8F5PuMX/Uov

Score

9^/10

discovery evasion persistence privilege_escalation spyware stealer trojan

Malware Config

Signatures

Enumerates VirtualBox registry keys 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

quark.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	quark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	quark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	quark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	quark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	quark.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

quark.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	quark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	quark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	quark.exe

Identifies Xen via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

quark.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\xen	quark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\xen	quark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\xen	quark.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

quark.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	quark.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

quark.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	quark.exe

Looks for VMWare services registry key. 1 TTPs 3 IoCs

evasion

Virtualization/Sandbox Evasion

T1497

Processes:

quark.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VMMemCtl	quark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmmouse	quark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VMTools	quark.exe

Looks for Xen service registry key. 1 TTPs 5 IoCs

evasion

Virtualization/Sandbox Evasion

T1497

Processes:

quark.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\System\ControlSet001\Services\xennet6	quark.exe
Key opened	\REGISTRY\MACHINE\System\ControlSet001\Services\xensvc	quark.exe
Key opened	\REGISTRY\MACHINE\System\ControlSet001\Services\xenvdb	quark.exe
Key opened	\REGISTRY\MACHINE\System\ControlSet001\Services\xenevtchn	quark.exe
Key opened	\REGISTRY\MACHINE\System\ControlSet001\Services\xennet	quark.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

quark.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	quark.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

quark.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\SOFTWARE\Wine	quark.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wine	quark.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{C17DC9EA-7646-4ecd-82C1-B764846D4DD9}.exe{62C4845D-02D4-41a5-83D2-CAA034255C09}.exequark.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdata_Service = "C:\\programdata\\Mylnk\\down.lnk"	{C17DC9EA-7646-4ecd-82C1-B764846D4DD9}.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdeta_Service = "C:\\Users\\Admin\\FB72DBD7-7B4E-499D-8E14-000045DFCFB6\\down.exe"	{62C4845D-02D4-41a5-83D2-CAA034255C09}.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\quark = "\"C:\\Program Files\\Quark\\quark.exe\" --launch-from=loginitem"	quark.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

quark.exe

description	ioc	Process
File opened for modification	C:\Users\Public\Documents\desktop.ini	quark.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

colorcpl.exemsiexec.exemsiexec.exequark.exe

description	ioc	Process
File opened (read-only)	\??\E:	colorcpl.exe
File opened (read-only)	\??\Q:	colorcpl.exe
File opened (read-only)	\??\T:	colorcpl.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	colorcpl.exe
File opened (read-only)	\??\P:	colorcpl.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	colorcpl.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	colorcpl.exe
File opened (read-only)	\??\O:	colorcpl.exe
File opened (read-only)	\??\W:	colorcpl.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	colorcpl.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	colorcpl.exe
File opened (read-only)	\??\V:	colorcpl.exe
File opened (read-only)	\??\Y:	colorcpl.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	colorcpl.exe
File opened (read-only)	\??\S:	colorcpl.exe
File opened (read-only)	\??\Z:	colorcpl.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\f:	quark.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	colorcpl.exe
File opened (read-only)	\??\X:	colorcpl.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	colorcpl.exe
File opened (read-only)	\??\J:	colorcpl.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

quark.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	quark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	quark.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	quark.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\Count	quark.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

quark.exequark.exequark.exequark.exequark.exequark.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation	quark.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation	quark.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation	quark.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation	quark.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation	quark.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation	quark.exe

Drops file in System32 directory 15 IoCs

Processes:

updater.exeupdater.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	updater.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\utForpc\storage\ut_storage	updater.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	updater.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	updater.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	updater.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	updater.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	updater.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\utForpc\34385585\MzQzODU1ODU=\UTForPC.db	updater.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\utForpc\34385585\MzQzODU1ODU=\UTForPC.db-journal	updater.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\utForpc\storage\ut_storage	updater.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\utForpc\34385585\MzQzODU1ODU=\UTForPC.db-journal	updater.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\utForpc\storage\ut_storage	updater.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\utForpc\34385585\MzQzODU1ODU=\UTForPC.db	updater.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	updater.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	updater.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Suspicious use of SetThreadContext 1 IoCs

Processes:

down.exe

description	pid	Process	procid_target
PID 2052 set thread context of 784	2052	down.exe	40

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

Processes:

quark.exe

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	quark.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

quark.exequark.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	quark.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	quark.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	quark.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	quark.exe

Drops file in Program Files directory 64 IoCs

Processes:

QuarkPC_V1.9.0.151_pc_pf30002.tmpupdater.exeupdater.exeupdater.exeQuarkUpdaterSetup.exeupdater.exeupdater.exe

description	ioc	Process
File created	C:\Program Files\Quark\1.9.0.151\Resources\assets\flutter\data\flutter_assets\assets\images\video_player\is-TSPBG.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\msvcr120.dll	updater.exe
File created	C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\utdid.dll	updater.exe
File created	C:\Program Files\Quark\1.9.0.151\Resources\assets\flutter\data\flutter_assets\assets\images\audio_player\is-6T0TS.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\Quark\1.9.0.151\Resources\assets\flutter\data\flutter_assets\assets\images\video_player\is-BMOTA.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File opened for modification	C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\stdb\req\LOCK	updater.exe
File created	C:\Program Files\Quark\1.9.0.151\is-T1EJG.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\Quark\1.9.0.151\Resources\assets\flutter\data\flutter_assets\assets\images\video_player\is-6LM0I.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File opened for modification	C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\Crashpad\settings.dat	updater.exe
File opened for modification	C:\Program Files\QuarkUpdater\QuarkUpdater\updater.log	updater.exe
File created	C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\stdb\req\000005.log	updater.exe
File opened for modification	C:\Program Files\Quark\1.9.0.151\SecurityGuardSDK64.dll	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\Quark\1.9.0.151\Resources\assets\flutter\data\flutter_assets\packages\ump_video_plugin\assets\images\is-OUCDO.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\QuarkUpdater2044_1226175383\bin\alisafeproxy.dll	QuarkUpdaterSetup.exe
File created	C:\Program Files\Quark\1.9.0.151\Resources\assets\flutter\data\flutter_assets\assets\images\is-ISNKG.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\Crashpad\settings.dat	updater.exe
File created	C:\Program Files\Quark\1.9.0.151\is-HD0P8.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\Quark\1.9.0.151\Resources\app.asar.unpacked\node_modules\ffi-napi\build\Release\is-RO12O.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\Quark\1.9.0.151\Resources\assets\flutter\data\flutter_assets\packages\ump_video_plugin\assets\images\is-GNH1A.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\Quark\1.9.0.151\Resources\skin\QuarkWallpaper4\images\is-RRA5G.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File opened for modification	C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files\Quark\1.9.0.151\quark.dll	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\Quark\1.9.0.151\Resources\app.asar.unpacked\node_modules\electron-clipboard-ex\bin\win32-x64-103\is-002VC.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\Quark\1.9.0.151\Resources\assets\flutter\data\flutter_assets\assets\images\video_player\is-150R5.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\Quark\1.9.0.151\Resources\assets\flutter\data\flutter_assets\assets\images\video_player\is-ALBVV.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\Quark\1.9.0.151\Resources\skin\QuarkWallpaper6\images\is-NB4RU.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\QuarkUpdater2044_1226175383\bin\msvcr120.dll	QuarkUpdaterSetup.exe
File opened for modification	C:\Program Files\Quark\1.9.0.151\Resources\host_client\vcruntime140d.dll	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\Quark\1.9.0.151\Resources\assets\flutter\data\flutter_assets\assets\images\video_player\is-BCQGL.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\Quark\1.9.0.151\Resources\assets\flutter\data\flutter_assets\assets\images\video_player\is-20Q5D.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File opened for modification	C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\stdb\evt\LOCK	updater.exe
File opened for modification	C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\stdb\evt\000002.dbtmp	updater.exe
File created	C:\Program Files\Quark\1.9.0.151\is-9UJQI.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\Quark\1.9.0.151\is-SK8QO.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\Quark\1.9.0.151\Resources\assets\flutter\data\flutter_assets\assets\images\audio_player\is-HI4J4.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File opened for modification	C:\Program Files\Quark\1.9.0.151\unet.dll	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\Quark\1.9.0.151\Resources\assets\flutter\data\flutter_assets\is-IRPT4.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\Quark\1.9.0.151\Resources\skin\QuarkWallpaper5\images\is-2FN2E.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\stdb\evt\MANIFEST-000001	updater.exe
File created	C:\Program Files\Quark\1.9.0.151\is-CL5CH.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\Quark\1.9.0.151\Resources\assets\flutter\data\flutter_assets\packages\ump_video_plugin\assets\images\is-9LV44.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\Quark\1.9.0.151\is-BMDON.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\Quark\1.9.0.151\Resources\assets\flutter\is-LP129.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\Quark\1.9.0.151\WidevineCdm\is-IVQ2M.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File opened for modification	C:\Program Files\Quark\1.9.0.151\ulog.dll	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\Quark\1.9.0.151\Resources\assets\flutter\is-7AGNU.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File opened for modification	C:\Program Files\QuarkUpdater\QuarkUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files\Quark\1.9.0.151\utdid32.dll	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\Quark\1.9.0.151\Resources\host_client\is-7DI77.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\stdb\req\000002.dbtmp	updater.exe
File created	C:\Program Files\Quark\1.9.0.151\Resources\skin\QuarkWallpaper9\images\is-A7FLL.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\QuarkUpdater\QuarkUpdater\76cf22fc-aeaf-40cf-8732-20bcc6e5c4e0.tmp	updater.exe
File opened for modification	C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\stdb\evt\LOCK	updater.exe
File opened for modification	C:\Program Files\Quark\1.9.0.151\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\Quark\1.9.0.151\Resources\assets\flutter\data\flutter_assets\packages\ump_video_plugin\assets\images\is-KIAOS.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\Quark\1.9.0.151\Resources\skin\QuarkWallpaper1\images\is-57MQ9.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\Quark\1.9.0.151\Resources\assets\flutter\is-J2VT8.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\Quark\1.9.0.151\Resources\assets\flutter\data\flutter_assets\assets\images\video_player\is-PPA2O.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\Quark\1.9.0.151\Resources\assets\flutter\data\flutter_assets\assets\images\video_player\is-AH5J6.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\Quark\1.9.0.151\Resources\host_client\is-H8E2U.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\Quark\1.9.0.151\Resources\skin\QuarkWallpaper4\images\is-6SFOG.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\stdb\req\000001.dbtmp	updater.exe
File created	C:\Program Files\Quark\1.9.0.151\Locales\is-SOP4G.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp
File created	C:\Program Files\Quark\1.9.0.151\Resources\assets\flutter\data\flutter_assets\packages\window_manager\images\is-RA7NC.tmp	QuarkPC_V1.9.0.151_pc_pf30002.tmp

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exeDrvInst.exe

description	ioc	Process
File created	C:\Windows\Installer\f771a64.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f771a64.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B3E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2178.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f771a65.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f771a65.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1CA6.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe

Executes dropped EXE 26 IoCs

Processes:

down.exedown.exe{C17DC9EA-7646-4ecd-82C1-B764846D4DD9}.exe{62C4845D-02D4-41a5-83D2-CAA034255C09}.exeQuarkPC_V1.9.0.151_pc_pf30002.exeQuarkPC_V1.9.0.151_pc_pf30002.tmpQuarkUpdaterSetup.exequark.exequark.exeupdater.exeupdater.exequark.exequark.exequark.exeupdater.exeupdater.exequark.exequark.exequark.exequark.exequark.exeupdater.exeupdater.exequark.exequark.exequark.exe

pid	Process
2052	down.exe
2416	down.exe
1152	{C17DC9EA-7646-4ecd-82C1-B764846D4DD9}.exe
2156	{62C4845D-02D4-41a5-83D2-CAA034255C09}.exe
1636	QuarkPC_V1.9.0.151_pc_pf30002.exe
1032	QuarkPC_V1.9.0.151_pc_pf30002.tmp
2044	QuarkUpdaterSetup.exe
2364	quark.exe
2128	quark.exe
1036	updater.exe
3036	updater.exe
2880	quark.exe
2072	quark.exe
1544	quark.exe
2088	updater.exe
536	updater.exe
2080	quark.exe
1724	quark.exe
3056	quark.exe
1976	quark.exe
872	quark.exe
1748	updater.exe
3088	updater.exe
3680	quark.exe
3812	quark.exe
2928	quark.exe

Loads dropped DLL 64 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exedown.exedown.exeQuarkPC_V1.9.0.151_pc_pf30002.exeQuarkPC_V1.9.0.151_pc_pf30002.tmpquark.exequark.exeregsvr32.exeregsvr32.exeQuarkUpdaterSetup.exeupdater.exequark.exe

pid	Process
2268	MsiExec.exe
2268	MsiExec.exe
2268	MsiExec.exe
2268	MsiExec.exe
2268	MsiExec.exe
332	MsiExec.exe
264	MsiExec.exe
264	MsiExec.exe
264	MsiExec.exe
2052	down.exe
2052	down.exe
2052	down.exe
2052	down.exe
2052	down.exe
2416	down.exe
2416	down.exe
2416	down.exe
2416	down.exe
2416	down.exe
2268	MsiExec.exe
1636	QuarkPC_V1.9.0.151_pc_pf30002.exe
1032	QuarkPC_V1.9.0.151_pc_pf30002.tmp
1032	QuarkPC_V1.9.0.151_pc_pf30002.tmp
1032	QuarkPC_V1.9.0.151_pc_pf30002.tmp
1032	QuarkPC_V1.9.0.151_pc_pf30002.tmp
1032	QuarkPC_V1.9.0.151_pc_pf30002.tmp
1032	QuarkPC_V1.9.0.151_pc_pf30002.tmp
1032	QuarkPC_V1.9.0.151_pc_pf30002.tmp
1032	QuarkPC_V1.9.0.151_pc_pf30002.tmp
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
1208
1208
1208
1208
2128	quark.exe
2364	quark.exe
2364	quark.exe
1372	regsvr32.exe
1368	regsvr32.exe
2044	QuarkUpdaterSetup.exe
1036	updater.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
1036	updater.exe
1036	updater.exe
1036	updater.exe
1036	updater.exe
2880	quark.exe
1036	updater.exe
2880	quark.exe
2880	quark.exe
2880	quark.exe
2880	quark.exe
2880	quark.exe
2880	quark.exe
2880	quark.exe
2880	quark.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

updater.exeupdater.exeupdater.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

Processes:

msiexec.exe

pid	Process
2600	msiexec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

QuarkPC_V1.9.0.151_pc_pf30002.tmpcmd.exetaskkill.exeMsiExec.exe{C17DC9EA-7646-4ecd-82C1-B764846D4DD9}.exe{62C4845D-02D4-41a5-83D2-CAA034255C09}.exeQuarkPC_V1.9.0.151_pc_pf30002.execmd.execmd.exeMsiExec.exetaskkill.execmd.exetaskkill.exetaskkill.execmd.execmd.exetaskkill.exetaskkill.exeregsvr32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QuarkPC_V1.9.0.151_pc_pf30002.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C17DC9EA-7646-4ecd-82C1-B764846D4DD9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{62C4845D-02D4-41a5-83D2-CAA034255C09}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QuarkPC_V1.9.0.151_pc_pf30002.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks SCSI registry key(s) 3 TTPs 2 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

quark.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	quark.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	quark.exe

Checks processor information in registry 2 TTPs 17 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

updater.exequark.exeupdater.exequark.exeQuarkPC_V1.9.0.151_pc_pf30002.tmpupdater.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	updater.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	quark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	quark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	QuarkPC_V1.9.0.151_pc_pf30002.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	quark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	quark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	quark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	QuarkPC_V1.9.0.151_pc_pf30002.tmp
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	quark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	quark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	quark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	quark.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

quark.exequark.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	quark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	quark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	quark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	quark.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	quark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	quark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	quark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	quark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	quark.exe

Kills process with taskkill 6 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
3052	taskkill.exe
1668	taskkill.exe
1748	taskkill.exe
2828	taskkill.exe
2912	taskkill.exe
1724	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

DrvInst.exeupdater.exeupdater.exemsiexec.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	updater.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10 = "System Health Authentication"	updater.exe

Modifies registry class 64 IoCs

Processes:

updater.exeQuarkPC_V1.9.0.151_pc_pf30002.tmpquark.exeupdater.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{D6BA44C0-6ADD-4B9A-8413-42ABD79A3534}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{89A73DF0-4FED-43E3-AA9A-9A20963C5C05}\TypeLib\ = "{89A73DF0-4FED-43E3-AA9A-9A20963C5C05}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QuarkHTM.htm\shell\open\command\ = "\"C:\\Program Files\\Quark\\quark.exe\" \"%1\""	QuarkPC_V1.9.0.151_pc_pf30002.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QuarkHTM.xht\DefaultIcon	QuarkPC_V1.9.0.151_pc_pf30002.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\http\shell\open\command\ = "\"C:\\Program Files\\Quark\\quark.exe\" --single-argument %1"	quark.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{9ECE50D3-E77D-5A17-A406-CCD1818CCF01}\1.0\0	updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	QuarkPC_V1.9.0.151_pc_pf30002.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DCE29276-9472-5391-B4A7-176B4D7C62EA}\1.0\0\win32\ = "C:\\Program Files\\QuarkUpdater\\QuarkUpdater\\1.0.0.6\\updater.exe\\4"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4F91ED29-D3E7-48ED-BE24-B66F5558731B}\ = "IAppCommandWebSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D6BA44C0-6ADD-4B9A-8413-42ABD79A3534}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A536829E-776E-470E-B35B-C2D2F96A2A3B}\TypeLib\ = "{A536829E-776E-470E-B35B-C2D2F96A2A3B}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{9B74E9CB-2DFA-4DF4-A530-64B7623A51D3}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{443B967D-2717-4139-94B9-8674F86B5E9A}\ = "IAppWeb"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{041D0956-D895-4664-A362-C686CF2BB55E}\TypeLib	updater.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\qklink\shell	quark.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QuarkHTM.xhtml\shell\open\command	QuarkPC_V1.9.0.151_pc_pf30002.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.html\OpenWithProgIds\QuarkHTM.html	quark.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{13D7E092-A48D-5D68-B452-AE4CE8163D13}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{D1855982-71E6-4878-8756-E570AB3E76F8}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EDD9362A-5D20-4D1A-B426-B58BDDFC3D25}\ = "IAppVersionWeb"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4021C1FE-4B41-40EE-BD4E-86CA49A73DB3}\ServiceParameters = "--com-service"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{DCE29276-9472-5391-B4A7-176B4D7C62EA}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D6BA44C0-6ADD-4B9A-8413-42ABD79A3534}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{A536829E-776E-470E-B35B-C2D2F96A2A3B}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{08607B59-8559-5356-B6B5-706BDA5883C2}\1.0\ = "QuarkUpdater TypeLib for IUpdaterAppStatesCallbackSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9FE22FC7-EDCA-40D0-812E-4018183A60D5}\1.0\0\win64\ = "C:\\Program Files\\QuarkUpdater\\QuarkUpdater\\1.0.0.6\\updater.exe\\6"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{9B87590A-89CA-53C2-8F83-0F0F368AB035}\1.0\0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{08607B59-8559-5356-B6B5-706BDA5883C2}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5BA9BC49-1065-45B2-8CE2-191503AC310E}\1.0\ = "QuarkUpdater TypeLib for IProcessLauncher2"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{041D0956-D895-4664-A362-C686CF2BB55E}\1.0\ = "QuarkUpdater TypeLib for IPolicyStatusSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{24E58198-D9D4-44AB-B7D0-4691697620B7}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QuarkHTM.webp\shell\open\command\ = "\"C:\\Program Files\\Quark\\quark.exe\" \"%1\""	QuarkPC_V1.9.0.151_pc_pf30002.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B83783C-EAFB-4BD4-8137-66AD71DCD70A}\1.0\ = "QuarkUpdater TypeLib for IAppVersionWebSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0FBA345B-EFA8-4F4D-9B1F-25ED4A351AF0}\TypeLib\ = "{0FBA345B-EFA8-4F4D-9B1F-25ED4A351AF0}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4F91ED29-D3E7-48ED-BE24-B66F5558731B}\1.0\0\win32\ = "C:\\Program Files\\QuarkUpdater\\QuarkUpdater\\1.0.0.6\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QuarkHTM.xhtml\shell\open\Icon = "C:\\Program Files\\Quark\\quark.exe"	QuarkPC_V1.9.0.151_pc_pf30002.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5BA9BC49-1065-45B2-8CE2-191503AC310E}\1.0\0\win32\ = "C:\\Program Files\\QuarkUpdater\\QuarkUpdater\\1.0.0.6\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DC9E9B9F-F0D8-473F-9470-DAD572BAD68A}\TypeLib\ = "{DC9E9B9F-F0D8-473F-9470-DAD572BAD68A}"	updater.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.htm	quark.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{0B83783C-EAFB-4BD4-8137-66AD71DCD70A}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{0FBA345B-EFA8-4F4D-9B1F-25ED4A351AF0}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{929627B1-C0E5-4B2A-B3A0-5FC2662234DC}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QuarkHTM.htm\	QuarkPC_V1.9.0.151_pc_pf30002.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{94CFCECD-5E22-5550-A50D-FAA132BAC6B4}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QuarkHTM.xht\DefaultIcon\ = "C:\\Program Files\\Quark\\quark.exe,6"	QuarkPC_V1.9.0.151_pc_pf30002.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{D6BA44C0-6ADD-4B9A-8413-42ABD79A3534}\1.0\0\win32	updater.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\http	quark.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{24E58198-D9D4-44AB-B7D0-4691697620B7}\1.0\0\win32\ = "C:\\Program Files\\QuarkUpdater\\QuarkUpdater\\1.0.0.6\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1B2DF7AC-D5D3-4DBF-A9D8-FF0BF79926E9}\ = "IProcessLauncher"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{9B74E9CB-2DFA-4DF4-A530-64B7623A51D3}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QuarkHTM.svg	QuarkPC_V1.9.0.151_pc_pf30002.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QuarkHTM.htm\shell\open	QuarkPC_V1.9.0.151_pc_pf30002.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13D7E092-A48D-5D68-B452-AE4CE8163D13}\1.0\ = "QuarkUpdater TypeLib for IUpdaterCallbackSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4F91ED29-D3E7-48ED-BE24-B66F5558731B}\TypeLib\ = "{4F91ED29-D3E7-48ED-BE24-B66F5558731B}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\OpenWithProgids\QuarkHTM.pdf	quark.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{9ECE50D3-E77D-5A17-A406-CCD1818CCF01}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{4F91ED29-D3E7-48ED-BE24-B66F5558731B}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{D1855982-71E6-4878-8756-E570AB3E76F8}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D1855982-71E6-4878-8756-E570AB3E76F8}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{4F91ED29-D3E7-48ED-BE24-B66F5558731B}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.shtml	quark.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{9ECE50D3-E77D-5A17-A406-CCD1818CCF01}\1.0\0\win64	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{08607B59-8559-5356-B6B5-706BDA5883C2}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{0B83783C-EAFB-4BD4-8137-66AD71DCD70A}	updater.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

quark.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	quark.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	quark.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	quark.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	quark.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeMsiExec.execolorcpl.exeQuarkPC_V1.9.0.151_pc_pf30002.tmp

pid	Process
2016	msiexec.exe
2016	msiexec.exe
264	MsiExec.exe
264	MsiExec.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
784	colorcpl.exe
1032	QuarkPC_V1.9.0.151_pc_pf30002.tmp
1032	QuarkPC_V1.9.0.151_pc_pf30002.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	Process
Token: SeShutdownPrivilege	2600	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2600	msiexec.exe
Token: SeRestorePrivilege	2016	msiexec.exe
Token: SeTakeOwnershipPrivilege	2016	msiexec.exe
Token: SeSecurityPrivilege	2016	msiexec.exe
Token: SeCreateTokenPrivilege	2600	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2600	msiexec.exe
Token: SeLockMemoryPrivilege	2600	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2600	msiexec.exe
Token: SeMachineAccountPrivilege	2600	msiexec.exe
Token: SeTcbPrivilege	2600	msiexec.exe
Token: SeSecurityPrivilege	2600	msiexec.exe
Token: SeTakeOwnershipPrivilege	2600	msiexec.exe
Token: SeLoadDriverPrivilege	2600	msiexec.exe
Token: SeSystemProfilePrivilege	2600	msiexec.exe
Token: SeSystemtimePrivilege	2600	msiexec.exe
Token: SeProfSingleProcessPrivilege	2600	msiexec.exe
Token: SeIncBasePriorityPrivilege	2600	msiexec.exe
Token: SeCreatePagefilePrivilege	2600	msiexec.exe
Token: SeCreatePermanentPrivilege	2600	msiexec.exe
Token: SeBackupPrivilege	2600	msiexec.exe
Token: SeRestorePrivilege	2600	msiexec.exe
Token: SeShutdownPrivilege	2600	msiexec.exe
Token: SeDebugPrivilege	2600	msiexec.exe
Token: SeAuditPrivilege	2600	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2600	msiexec.exe
Token: SeChangeNotifyPrivilege	2600	msiexec.exe
Token: SeRemoteShutdownPrivilege	2600	msiexec.exe
Token: SeUndockPrivilege	2600	msiexec.exe
Token: SeSyncAgentPrivilege	2600	msiexec.exe
Token: SeEnableDelegationPrivilege	2600	msiexec.exe
Token: SeManageVolumePrivilege	2600	msiexec.exe
Token: SeImpersonatePrivilege	2600	msiexec.exe
Token: SeCreateGlobalPrivilege	2600	msiexec.exe
Token: SeCreateTokenPrivilege	2600	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2600	msiexec.exe
Token: SeLockMemoryPrivilege	2600	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2600	msiexec.exe
Token: SeMachineAccountPrivilege	2600	msiexec.exe
Token: SeTcbPrivilege	2600	msiexec.exe
Token: SeSecurityPrivilege	2600	msiexec.exe
Token: SeTakeOwnershipPrivilege	2600	msiexec.exe
Token: SeLoadDriverPrivilege	2600	msiexec.exe
Token: SeSystemProfilePrivilege	2600	msiexec.exe
Token: SeSystemtimePrivilege	2600	msiexec.exe
Token: SeProfSingleProcessPrivilege	2600	msiexec.exe
Token: SeIncBasePriorityPrivilege	2600	msiexec.exe
Token: SeCreatePagefilePrivilege	2600	msiexec.exe
Token: SeCreatePermanentPrivilege	2600	msiexec.exe
Token: SeBackupPrivilege	2600	msiexec.exe
Token: SeRestorePrivilege	2600	msiexec.exe
Token: SeShutdownPrivilege	2600	msiexec.exe
Token: SeDebugPrivilege	2600	msiexec.exe
Token: SeAuditPrivilege	2600	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2600	msiexec.exe
Token: SeChangeNotifyPrivilege	2600	msiexec.exe
Token: SeRemoteShutdownPrivilege	2600	msiexec.exe
Token: SeUndockPrivilege	2600	msiexec.exe
Token: SeSyncAgentPrivilege	2600	msiexec.exe
Token: SeEnableDelegationPrivilege	2600	msiexec.exe
Token: SeManageVolumePrivilege	2600	msiexec.exe
Token: SeImpersonatePrivilege	2600	msiexec.exe
Token: SeCreateGlobalPrivilege	2600	msiexec.exe
Token: SeCreateTokenPrivilege	2600	msiexec.exe

Suspicious use of FindShellTrayWindow 41 IoCs

Processes:

msiexec.exeQuarkPC_V1.9.0.151_pc_pf30002.tmpquark.exe

pid	Process
2600	msiexec.exe
2600	msiexec.exe
1032	QuarkPC_V1.9.0.151_pc_pf30002.tmp
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe

Suspicious use of SendNotifyMessage 35 IoCs

Processes:

quark.exe

pid	Process
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe
2364	quark.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

colorcpl.exe

pid	Process
784	colorcpl.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exeMsiExec.exedown.exeQuarkPC_V1.9.0.151_pc_pf30002.exeQuarkPC_V1.9.0.151_pc_pf30002.tmpcmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 2016 wrote to memory of 2268	2016	msiexec.exe	31
PID 2016 wrote to memory of 2268	2016	msiexec.exe	31
PID 2016 wrote to memory of 2268	2016	msiexec.exe	31
PID 2016 wrote to memory of 2268	2016	msiexec.exe	31
PID 2016 wrote to memory of 2268	2016	msiexec.exe	31
PID 2016 wrote to memory of 2268	2016	msiexec.exe	31
PID 2016 wrote to memory of 2268	2016	msiexec.exe	31
PID 2016 wrote to memory of 332	2016	msiexec.exe	36
PID 2016 wrote to memory of 332	2016	msiexec.exe	36
PID 2016 wrote to memory of 332	2016	msiexec.exe	36
PID 2016 wrote to memory of 332	2016	msiexec.exe	36
PID 2016 wrote to memory of 332	2016	msiexec.exe	36
PID 2016 wrote to memory of 332	2016	msiexec.exe	36
PID 2016 wrote to memory of 332	2016	msiexec.exe	36
PID 2016 wrote to memory of 264	2016	msiexec.exe	37
PID 2016 wrote to memory of 264	2016	msiexec.exe	37
PID 2016 wrote to memory of 264	2016	msiexec.exe	37
PID 2016 wrote to memory of 264	2016	msiexec.exe	37
PID 2016 wrote to memory of 264	2016	msiexec.exe	37
PID 264 wrote to memory of 2052	264	MsiExec.exe	38
PID 264 wrote to memory of 2052	264	MsiExec.exe	38
PID 264 wrote to memory of 2052	264	MsiExec.exe	38
PID 2052 wrote to memory of 2416	2052	down.exe	39
PID 2052 wrote to memory of 2416	2052	down.exe	39
PID 2052 wrote to memory of 2416	2052	down.exe	39
PID 2052 wrote to memory of 784	2052	down.exe	40
PID 2052 wrote to memory of 784	2052	down.exe	40
PID 2052 wrote to memory of 784	2052	down.exe	40
PID 2052 wrote to memory of 784	2052	down.exe	40
PID 1636 wrote to memory of 1032	1636	QuarkPC_V1.9.0.151_pc_pf30002.exe	44
PID 1636 wrote to memory of 1032	1636	QuarkPC_V1.9.0.151_pc_pf30002.exe	44
PID 1636 wrote to memory of 1032	1636	QuarkPC_V1.9.0.151_pc_pf30002.exe	44
PID 1636 wrote to memory of 1032	1636	QuarkPC_V1.9.0.151_pc_pf30002.exe	44
PID 1636 wrote to memory of 1032	1636	QuarkPC_V1.9.0.151_pc_pf30002.exe	44
PID 1636 wrote to memory of 1032	1636	QuarkPC_V1.9.0.151_pc_pf30002.exe	44
PID 1636 wrote to memory of 1032	1636	QuarkPC_V1.9.0.151_pc_pf30002.exe	44
PID 1032 wrote to memory of 2380	1032	QuarkPC_V1.9.0.151_pc_pf30002.tmp	45
PID 1032 wrote to memory of 2380	1032	QuarkPC_V1.9.0.151_pc_pf30002.tmp	45
PID 1032 wrote to memory of 2380	1032	QuarkPC_V1.9.0.151_pc_pf30002.tmp	45
PID 1032 wrote to memory of 2380	1032	QuarkPC_V1.9.0.151_pc_pf30002.tmp	45
PID 2380 wrote to memory of 3052	2380	cmd.exe	47
PID 2380 wrote to memory of 3052	2380	cmd.exe	47
PID 2380 wrote to memory of 3052	2380	cmd.exe	47
PID 2380 wrote to memory of 3052	2380	cmd.exe	47
PID 1032 wrote to memory of 1856	1032	QuarkPC_V1.9.0.151_pc_pf30002.tmp	49
PID 1032 wrote to memory of 1856	1032	QuarkPC_V1.9.0.151_pc_pf30002.tmp	49
PID 1032 wrote to memory of 1856	1032	QuarkPC_V1.9.0.151_pc_pf30002.tmp	49
PID 1032 wrote to memory of 1856	1032	QuarkPC_V1.9.0.151_pc_pf30002.tmp	49
PID 1856 wrote to memory of 1668	1856	cmd.exe	51
PID 1856 wrote to memory of 1668	1856	cmd.exe	51
PID 1856 wrote to memory of 1668	1856	cmd.exe	51
PID 1856 wrote to memory of 1668	1856	cmd.exe	51
PID 1032 wrote to memory of 2412	1032	QuarkPC_V1.9.0.151_pc_pf30002.tmp	52
PID 1032 wrote to memory of 2412	1032	QuarkPC_V1.9.0.151_pc_pf30002.tmp	52
PID 1032 wrote to memory of 2412	1032	QuarkPC_V1.9.0.151_pc_pf30002.tmp	52
PID 1032 wrote to memory of 2412	1032	QuarkPC_V1.9.0.151_pc_pf30002.tmp	52
PID 2412 wrote to memory of 1748	2412	cmd.exe	54
PID 2412 wrote to memory of 1748	2412	cmd.exe	54
PID 2412 wrote to memory of 1748	2412	cmd.exe	54
PID 2412 wrote to memory of 1748	2412	cmd.exe	54
PID 1032 wrote to memory of 1616	1032	QuarkPC_V1.9.0.151_pc_pf30002.tmp	55
PID 1032 wrote to memory of 1616	1032	QuarkPC_V1.9.0.151_pc_pf30002.tmp	55
PID 1032 wrote to memory of 1616	1032	QuarkPC_V1.9.0.151_pc_pf30002.tmp	55
PID 1032 wrote to memory of 1616	1032	QuarkPC_V1.9.0.151_pc_pf30002.tmp	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\QuarkPC_V1.9.0.151_pc_pf30002.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2600

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F32920A0D79FD0332ECF56DFD97671C1 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2268
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DBAD271542C0C7057181BB5161B32451
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:332
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding B6C0CEE9F4A259314981F4B2DCC95557
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:264
- - C:\Users\Admin\FB72DBD7-7B4E-499D-8E14-000045DFCFB6\down.exe
    C:\Users\Admin\FB72DBD7-7B4E-499D-8E14-000045DFCFB6\\down.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Users\Admin\FB72DBD7-7B4E-499D-8E14-000045DFCFB6\down.exe
      C:\Users\Admin\FB72DBD7-7B4E-499D-8E14-000045DFCFB6\down.exe /aut
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2416
  - - C:\Windows\system32\colorcpl.exe
      colorcpl.exe
      4⤵
      Enumerates connected drives
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:784

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2664

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D8" "00000000000004DC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1324

C:\Users\Admin\AppData\Local\Temp\{C17DC9EA-7646-4ecd-82C1-B764846D4DD9}.exe
"C:\Users\Admin\AppData\Local\Temp\{C17DC9EA-7646-4ecd-82C1-B764846D4DD9}.exe" /s "C:\Users\Admin\AppData\Local\Temp\{57ECF1ED-E564-46bf-9F3B-19BF94992EB7}"
1⤵
- Adds Run key to start application
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1152

C:\Users\Admin\AppData\Local\Temp\{62C4845D-02D4-41a5-83D2-CAA034255C09}.exe
"C:\Users\Admin\AppData\Local\Temp\{62C4845D-02D4-41a5-83D2-CAA034255C09}.exe" /s "C:\Users\Admin\AppData\Local\Temp\{E091C0A4-06FA-4643-B7EA-8DFBC556D563}"
1⤵
- Adds Run key to start application
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2156

C:\Program Files (x86)\QuarkPC_V1.9.0.151_pc_pf30002\QuarkPC_V1.9.0.151_pc_pf30002\QuarkPC_V1_9_0_151_pc_pf30002\QuarkPC_V1.9.0.151_pc_pf30002.exe
"C:\Program Files (x86)\QuarkPC_V1.9.0.151_pc_pf30002\QuarkPC_V1.9.0.151_pc_pf30002\QuarkPC_V1_9_0_151_pc_pf30002\QuarkPC_V1.9.0.151_pc_pf30002.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Local\Temp\is-VH52J.tmp\QuarkPC_V1.9.0.151_pc_pf30002.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-VH52J.tmp\QuarkPC_V1.9.0.151_pc_pf30002.tmp" /SL5="$70212,219803070,1206784,C:\Program Files (x86)\QuarkPC_V1.9.0.151_pc_pf30002\QuarkPC_V1.9.0.151_pc_pf30002\QuarkPC_V1_9_0_151_pc_pf30002\QuarkPC_V1.9.0.151_pc_pf30002.exe"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c taskkill /f /t /im quark_swap_util.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /t /im quark_swap_util.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c taskkill /f /t /im QuarkUpdaterSetup.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /t /im QuarkUpdaterSetup.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c taskkill /f /t /im quark_proxy.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /t /im quark_proxy.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c taskkill /f /t /im quark.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1616
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /t /im quark.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c taskkill /f /t /im quark_host_client.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2888
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /t /im quark_host_client.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2912
- - C:\Program Files\Quark\1.9.0.151\Installer\QuarkUpdaterSetup.exe
    "C:\Program Files\Quark\1.9.0.151\Installer\QuarkUpdaterSetup.exe" --install --silent --system
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2044
  - - C:\Program Files\QuarkUpdater2044_1226175383\bin\updater.exe
      "C:\Program Files\QuarkUpdater2044_1226175383\bin\updater.exe" --install --silent --system --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2,*/chrome/updater/quark/*=2
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Checks processor information in registry
      Modifies registry class
      PID:1036
    - - C:\Program Files\QuarkUpdater2044_1226175383\bin\updater.exe
        
        "C:\Program Files\QuarkUpdater2044_1226175383\bin\updater.exe" --crash-handler --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2,*/chrome/updater/quark/*=2 --system "--database=C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\Crashpad" --url=https://pan-api.quark.cn/monitor/crash/collect/ --annotation=_companyName=UC --annotation=_productName=QuarkPCUpdater --annotation=_version=1.0.0.6 --annotation=app=quark-updater --annotation=app_bid= --annotation=app_channel= --annotation=bizguid=ZztRqAAAACkDAIQCGHgadgbb --annotation=dcheck=off --annotation=guid=ZztRqAAAACkDAIQCGHgadgbb --annotation=official_build=true --annotation=platform=win32 --annotation=prod=QuarkUpdater --annotation=sver= --annotation=ucVersion=240822210044 --annotation=utdid=ZztRqAAAACkDAIQCGHgadgbb --annotation=ver=1.0.0.6 --annotation=version=1.0.0.6 --annotation=xtm=1731940817296 --annotation=xtoken=8a3e75 --initial-client-data=0x154,0x158,0x15c,0x130,0x160,0x13fa2aff8,0x13fa2b004,0x13fa2b010
        5⤵
        Drops file in Program Files directory
        Executes dropped EXE
        
        PID:3036
- - C:\Program Files\Quark\quark.exe
    "C:\Program Files\Quark\quark.exe" --quark-extension-install --install-from=quarkinstaller --quark-make-default-browser --launch-from=firstinstall --quark-pin-to-taskbar
    3⤵
    - Enumerates VirtualBox registry keys
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Identifies Xen via ACPI registry values (likely anti-VM)
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Looks for VMWare services registry key.
    - Looks for Xen service registry key.
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Checks computer location settings
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Checks system information in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies registry class
    - Modifies system certificate store
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2364
  - - C:\Program Files\Quark\quark.exe
      "C:\Program Files\Quark\quark.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Quark\User Data" /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Quark\User Data\Crashpad" --url=https://pan-api.quark.cn/monitor/crash/collect/ --annotation=_companyName=UC --annotation=_productName=QuarkPC --annotation=_version=1.9.0.151 --annotation=app=quark-windows --annotation=app_bid=999 --annotation=app_channel=pcquark@homepage_oficial --annotation=bizguid=ZztRqAAAACkDAIQCGHgadgbb --annotation=brand= "--annotation=cpu_model=Intel Core Processor (Broadwell)" --annotation=dcheck=off --annotation=guid=ZztRqAAAACkDAIQCGHgadgbb --annotation=official_build=true --annotation=plat=Win64 --annotation=platform=win32 --annotation=prod=Quark "--annotation=rom=Windows NT_6.1.7601 SP1" --annotation=sver=alpha --annotation=ucVersion=241031172851 --annotation=utdid=ZztRqAAAACkDAIQCGHgadgbb --annotation=ver=1.9.0.151 --annotation=ver_electron=24.1.3 --annotation=version=1.9.0.151 --annotation=wpk_auto_collect_flag=true --annotation=xtm=1731940815954 --annotation=xtoken=149e87 --initial-client-data=0x15c,0x160,0x164,0x138,0x170,0x7fef6376910,0x7fef6377138,0x7fef6377960
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2128
  - - C:\Program Files\Quark\quark.exe
      "C:\Program Files\Quark\quark.exe" --type=gpu-process --no-sandbox --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2452 --field-trial-handle=2464,i,11888443683974329363,8592766535848084719,131072 --enable-features=EnableTabMuting,WinrtGeolocationImplementation /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2880
  - - C:\Program Files\Quark\quark.exe
      "C:\Program Files\Quark\quark.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=zh-CN --service-sandbox-type=none --no-sandbox --standard-schemes=main,uccd --secure-schemes=main,uccd --bypasscsp-schemes --cors-schemes --fetch-schemes=main,uccd --service-worker-schemes --streaming-schemes --start-stack-profiler --mojo-platform-channel-handle=2928 --field-trial-handle=2464,i,11888443683974329363,8592766535848084719,131072 --enable-features=EnableTabMuting,WinrtGeolocationImplementation /prefetch:8
      4⤵
      Executes dropped EXE
      PID:2072
  - - C:\Program Files\Quark\quark.exe
      "C:\Program Files\Quark\quark.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=zh-CN --service-sandbox-type=service --no-sandbox --standard-schemes=main,uccd --secure-schemes=main,uccd --bypasscsp-schemes --cors-schemes --fetch-schemes=main,uccd --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2872 --field-trial-handle=2464,i,11888443683974329363,8592766535848084719,131072 --enable-features=EnableTabMuting,WinrtGeolocationImplementation /prefetch:8
      4⤵
      Executes dropped EXE
      PID:1544
  - - C:\Program Files\Quark\quark.exe
      "C:\Program Files\Quark\quark.exe" --type=renderer --first-renderer-process --no-sandbox --disable-gpu-compositing --lang=zh-CN --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3544 --field-trial-handle=2464,i,11888443683974329363,8592766535848084719,131072 --enable-features=EnableTabMuting,WinrtGeolocationImplementation /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:2080
  - - C:\Program Files\Quark\quark.exe
      "C:\Program Files\Quark\quark.exe" --type=renderer --no-sandbox --disable-gpu-compositing --lang=zh-CN --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3632 --field-trial-handle=2464,i,11888443683974329363,8592766535848084719,131072 --enable-features=EnableTabMuting,WinrtGeolocationImplementation /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:1724
  - - C:\Program Files\Quark\quark.exe
      "C:\Program Files\Quark\quark.exe" --type=renderer --extension-process --no-sandbox --disable-gpu-compositing --lang=zh-CN --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4476 --field-trial-handle=2464,i,11888443683974329363,8592766535848084719,131072 --enable-features=EnableTabMuting,WinrtGeolocationImplementation /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:3056
  - - C:\Program Files\Quark\quark.exe
      "C:\Program Files\Quark\quark.exe" --type=renderer --extension-process --no-sandbox --disable-gpu-compositing --lang=zh-CN --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4400 --field-trial-handle=2464,i,11888443683974329363,8592766535848084719,131072 --enable-features=EnableTabMuting,WinrtGeolocationImplementation /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:872
  - - C:\Program Files\Quark\quark.exe
      "C:\Program Files\Quark\quark.exe" --type=utility --utility-sub-type=uc.wpk.mojom.WpkService --lang=zh-CN --service-sandbox-type=none --no-sandbox --standard-schemes=main,uccd --secure-schemes=main,uccd --bypasscsp-schemes --cors-schemes --fetch-schemes=main,uccd --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=4600 --field-trial-handle=2464,i,11888443683974329363,8592766535848084719,131072 --enable-features=EnableTabMuting,WinrtGeolocationImplementation /prefetch:8
      4⤵
      Checks system information in the registry
      Executes dropped EXE
      Checks processor information in registry
      Enumerates system info in registry
      PID:1976
  - - C:\Program Files\Quark\quark.exe
      "C:\Program Files\Quark\quark.exe" --type=renderer --extension-process --standard-schemes=main,uccd --secure-schemes=main,uccd --bypasscsp-schemes --cors-schemes --fetch-schemes=main,uccd --service-worker-schemes --streaming-schemes --app-path="C:\Program Files\Quark\1.9.0.151\Resources\app.asar" --no-sandbox --no-zygote --node-integration-in-worker --no-sandbox --disable-gpu-compositing --lang=zh-CN --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4888 --field-trial-handle=2464,i,11888443683974329363,8592766535848084719,131072 --enable-features=EnableTabMuting,WinrtGeolocationImplementation /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:3680
  - - C:\Program Files\Quark\quark.exe
      "C:\Program Files\Quark\quark.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=zh-CN --service-sandbox-type=none --no-sandbox --standard-schemes=main,uccd --secure-schemes=main,uccd --bypasscsp-schemes --cors-schemes --fetch-schemes=main,uccd --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=5104 --field-trial-handle=2464,i,11888443683974329363,8592766535848084719,131072 --enable-features=EnableTabMuting,WinrtGeolocationImplementation /prefetch:8
      4⤵
      Executes dropped EXE
      PID:3812
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\reg.exe QUERY "HKCU\Software\Tencent\WeChat" /v FileSavePath"
      4⤵
      PID:2596
    - - C:\Windows\system32\chcp.com
        
        C:\Windows\system32\chcp.com 65001
        5⤵
        
        PID:784
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKCU\Software\Tencent\WeChat" /v FileSavePath
        5⤵
        
        PID:3480
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\reg.exe QUERY "HKLM\Software\Tencent\WeChat" /v FileSavePath"
      4⤵
      PID:1700
    - - C:\Windows\system32\chcp.com
        
        C:\Windows\system32\chcp.com 65001
        5⤵
        
        PID:3620
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\Software\Tencent\WeChat" /v FileSavePath
        5⤵
        
        PID:3628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\reg.exe QUERY "HKCU\Software\Tencent\WeChat" /v FileSavePath"
      4⤵
      PID:1588
    - - C:\Windows\system32\chcp.com
        
        C:\Windows\system32\chcp.com 65001
        5⤵
        
        PID:3640
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKCU\Software\Tencent\WeChat" /v FileSavePath
        5⤵
        
        PID:3652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\reg.exe QUERY "HKLM\Software\Tencent\WeChat" /v FileSavePath"
      4⤵
      PID:3776
    - - C:\Windows\system32\chcp.com
        
        C:\Windows\system32\chcp.com 65001
        5⤵
        
        PID:3848
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\Software\Tencent\WeChat" /v FileSavePath
        5⤵
        
        PID:3876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\reg.exe QUERY "HKCU\Software\Tencent\WeChat" /v FileSavePath"
      4⤵
      PID:3992
    - - C:\Windows\system32\chcp.com
        
        C:\Windows\system32\chcp.com 65001
        5⤵
        
        PID:4044
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKCU\Software\Tencent\WeChat" /v FileSavePath
        5⤵
        
        PID:3948
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\reg.exe QUERY "HKLM\Software\Tencent\WeChat" /v FileSavePath"
      4⤵
      PID:3996
    - - C:\Windows\system32\chcp.com
        
        C:\Windows\system32\chcp.com 65001
        5⤵
        
        PID:3940
    - - C:\Windows\system32\reg.exe
        
        C:\Windows\system32\reg.exe QUERY "HKLM\Software\Tencent\WeChat" /v FileSavePath
        5⤵
        
        PID:3156
  - - C:\Program Files\Quark\quark.exe
      "C:\Program Files\Quark\quark.exe" "C:\Program Files\Quark\1.9.0.151\Resources\app.asar\dist\server\index.js" --type=electron-node /prefetch:8
      4⤵
      Executes dropped EXE
      PID:2928
  - - C:\Program Files\Quark\quark.exe
      "C:\Program Files\Quark\quark.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=zh-CN --service-sandbox-type=none --no-sandbox --standard-schemes=main,uccd --secure-schemes=main,uccd --bypasscsp-schemes --cors-schemes --fetch-schemes=main,uccd --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=5116 --field-trial-handle=2464,i,11888443683974329363,8592766535848084719,131072 --enable-features=EnableTabMuting,WinrtGeolocationImplementation /prefetch:8
      4⤵
      PID:3932
  - - C:\Program Files\Quark\quark.exe
      "C:\Program Files\Quark\quark.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=zh-CN --service-sandbox-type=none --no-sandbox --standard-schemes=main,uccd --secure-schemes=main,uccd --bypasscsp-schemes --cors-schemes --fetch-schemes=main,uccd --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=5104 --field-trial-handle=2464,i,11888443683974329363,8592766535848084719,131072 --enable-features=EnableTabMuting,WinrtGeolocationImplementation /prefetch:8
      4⤵
      PID:3952
  - - C:\Program Files\Quark\quark.exe
      "C:\Program Files\Quark\quark.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=zh-CN --service-sandbox-type=none --no-sandbox --standard-schemes=main,uccd --secure-schemes=main,uccd --bypasscsp-schemes --cors-schemes --fetch-schemes=main,uccd --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=5104 --field-trial-handle=2464,i,11888443683974329363,8592766535848084719,131072 --enable-features=EnableTabMuting,WinrtGeolocationImplementation /prefetch:8
      4⤵
      PID:3636
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /i:"--reg-to-hklm" /s "C:\Users\Admin\AppData\Local\Programs\Common\Quark\quarkshellext_20241031183131.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1372
  - - C:\Windows\system32\regsvr32.exe
      /i:"--reg-to-hklm" /s "C:\Users\Admin\AppData\Local\Programs\Common\Quark\quarkshellext_20241031183131.dll"
      4⤵
      Loads dropped DLL
      PID:1368
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c taskkill /f /t /im quark_host_client.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:672
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /t /im quark_host_client.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:1724

C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\updater.exe
"C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\updater.exe" --system --windows-service --service=update-internal --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2,*/chrome/updater/quark/*=2
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Checks whether UAC is enabled
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
PID:2088
- C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\updater.exe
  "C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\updater.exe" --crash-handler --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2,*/chrome/updater/quark/*=2 --system "--database=C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\Crashpad" --url=https://pan-api.quark.cn/monitor/crash/collect/ --annotation=_companyName=UC --annotation=_productName=QuarkPCUpdater --annotation=_version=1.0.0.6 --annotation=app=quark-updater --annotation=app_bid= --annotation=app_channel= --annotation=bizguid=ZztR0wAAACkDAIQCGHigv2/V --annotation=dcheck=off --annotation=guid=ZztR0wAAACkDAIQCGHigv2/V --annotation=official_build=true --annotation=platform=win32 --annotation=prod=QuarkUpdater --annotation=sver= --annotation=ucVersion=240822210044 --annotation=utdid=ZztR0wAAACkDAIQCGHigv2/V --annotation=ver=1.0.0.6 --annotation=version=1.0.0.6 --annotation=xtm=1731940819620 --annotation=xtoken=752720 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x13fa7aff8,0x13fa7b004,0x13fa7b010
  2⤵
  - Executes dropped EXE
  PID:536

C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\updater.exe
"C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\updater.exe" --system --windows-service --service=update --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2,*/chrome/updater/quark/*=2
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Checks whether UAC is enabled
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:1748
- C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\updater.exe
  "C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\updater.exe" --crash-handler --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2,*/chrome/updater/quark/*=2 --system "--database=C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\Crashpad" --url=https://pan-api.quark.cn/monitor/crash/collect/ --annotation=_companyName=UC --annotation=_productName=QuarkPCUpdater --annotation=_version=1.0.0.6 --annotation=app=quark-updater --annotation=app_bid= --annotation=app_channel= --annotation=bizguid=ZztR0wAAACkDAIQCGHigv2/V --annotation=dcheck=off --annotation=guid=ZztR0wAAACkDAIQCGHigv2/V --annotation=official_build=true --annotation=platform=win32 --annotation=prod=QuarkUpdater --annotation=sver= --annotation=ucVersion=240822210044 --annotation=utdid=ZztR0wAAACkDAIQCGHigv2/V --annotation=ver=1.0.0.6 --annotation=version=1.0.0.6 --annotation=xtm=1731940822633 --annotation=xtoken=fe20cf --initial-client-data=0x15c,0x160,0x164,0x138,0x168,0x13fa7aff8,0x13fa7b004,0x13fa7b010
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  PID:3088

C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\updater.exe
"C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\updater.exe" --system --windows-service --service=update --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2,*/chrome/updater/quark/*=2
1⤵
PID:3364
- C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\updater.exe
  "C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\updater.exe" --crash-handler --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2,*/chrome/updater/quark/*=2 --system "--database=C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\Crashpad" --url=https://pan-api.quark.cn/monitor/crash/collect/ --annotation=_companyName=UC --annotation=_productName=QuarkPCUpdater --annotation=_version=1.0.0.6 --annotation=app=quark-updater --annotation=app_bid= --annotation=app_channel= --annotation=bizguid=ZztR0wAAACkDAIQCGHigv2/V --annotation=dcheck=off --annotation=guid=ZztR0wAAACkDAIQCGHigv2/V --annotation=official_build=true --annotation=platform=win32 --annotation=prod=QuarkUpdater --annotation=sver= --annotation=ucVersion=240822210044 --annotation=utdid=ZztR0wAAACkDAIQCGHigv2/V --annotation=ver=1.0.0.6 --annotation=version=1.0.0.6 --annotation=xtm=1731940849402 --annotation=xtoken=48c376 --initial-client-data=0x15c,0x160,0x164,0x138,0x168,0x13fa7aff8,0x13fa7b004,0x13fa7b010
  2⤵
  PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f771a66.rbs

Filesize
27KB

MD5
77c45f1f63ad49d7e602bf9a92bb93eb

SHA1
33aba3b2425e9cf32b0f665f95162f6a1f9a0a99

SHA256
7d22d97438c2e86988f52ec10596d5550ac17565a68b4a6818f771a71221cd57

SHA512
1e97826100e3e75a37a5d2a4f48b62f8405e1a211c044cf29810486eb09e0cb8e8e1bc9cad76a79d4ec05eadd9ede8f18d71953228ea3be24315965273fbb5b8

Download Submit
C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\Crashpad\settings.dat

Filesize
40B

MD5
d23638b812b27208238e9673ff8d994b

SHA1
dd85125de115bb9e4e5d32df8721a4771107e367

SHA256
f05fab431893c6c3853e55e032327c78868887e5ee2b35ae8258ccf6ae2ff6c9

SHA512
3fe47d1692efb9880bd513a753a461fb25ad491cb56fae526a7b01808847bb6d6ef08c92fd31b97b3b14fc0e5d5e3350b028bd8e5b00d5f38237c89819ab5f8c

Download Submit
C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\stdb\evt\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\stdb\evt\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Program Files\QuarkUpdater\QuarkUpdater\1.0.0.6\stdb\req\CURRENT~RFf78148a.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Program Files\Quark\1.9.0.151\Installer\QuarkUpdaterSetup.exe

Filesize
13.9MB

MD5
56dde3c70854d14d2cd66af0f4de1b3e

SHA1
74a1f753a7d4916b070f5c4dd198334d90af4714

SHA256
4d1a0171e7f4b18c864282c5a9ea8077777f1a46330df9511f3922ea83de0c96

SHA512
c78f23cd1b316635fe5e6dbd7120a2fb91966ccc6e6cb97bea4e7f8745e32947b6ba95ae4f635fd1aff7d82e15aa9678910b7b1da9a18293af79cd869034fa8f

Download Submit
C:\Users\Admin\AppData\Local\Programs\Common\Quark\quarkshellext_20241031183131.dll

Filesize
588KB

MD5
8cabdbed684fd3a173ab5f49836742a5

SHA1
3c488e132fe1585023264cb966d8bdf09d3cbfcf

SHA256
6edc358490c5d4ea6e2213e6b079d18fe8f8be32db1843ca17feb6373f017313

SHA512
dee12456054f9659e2cc2a0ef83e421ed5bab142331ccfacb7ee2d326d249a69de7bd19200470a29c9bbd03696a9802970e0b498d574437095a0336d248939a0

Download Submit
C:\Users\Admin\AppData\Local\Programs\Common\xdrive.node

Filesize
2.3MB

MD5
ebbfe9365f58738bfc21f49d21ceba63

SHA1
f976fa0657d0c21f6c82c264d44e7bc94c804853

SHA256
229ebec17a4fe928c1fdf29c5e6d63d7c47a8645f24df9c593009387cb11beb1

SHA512
19870a3bb6dde7c0e09bb44df146da3389e8b1dd61aeb12ff5750ab8133b680e829bbd4d4f4655b595cfaa0884cdf5a5088e492e80865da8c0ad71f3aed8899d

Download Submit
C:\Users\Admin\AppData\Local\Quark\User Data\Default\Cache\Cache_Data\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Quark\User Data\Default\Cache\Cache_Data\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Quark\User Data\Default\Cache\Cache_Data\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Quark\User Data\Default\Code Cache\webui_js\index-dir\the-real-index

Filesize
48B

MD5
93e459aec93a7ce40d2645e153857df5

SHA1
425602339c21b2c2f6473be484b77d012bca1408

SHA256
5b7a3899f2d2bc081e7bb12cd6fab5afff37f1688685aa807363e24570bf78a9

SHA512
90e14dd47f7d5ff8fb9fb5da05e5f489a825a22aac15e92788f20259fc8ee44e22ad54db2b24ece6139fb408eea8f489f22298b2dc447b2d997ee63a41b0ffae

Download Submit
C:\Users\Admin\AppData\Local\Quark\User Data\Default\Preferences

Filesize
5KB

MD5
d2755b4fd6a962f2931d7a96899b2f58

SHA1
383ffd92bc89fa0fbcfeca3b1224e5494393321c

SHA256
ceb90fe5fc3da3e3b918843ba1e820ec0b48f16efb6d64885688aeb481358211

SHA512
bb9ec2e2cbcf861efc1fb457239bd2a775457f9fe9ab52e4c4d32fc8fd897e8405d3c1e96ee94ef6c7730eba6515104e7d6a9c0813a358a7bd7f709dcb3de560

Download Submit
C:\Users\Admin\AppData\Local\Quark\User Data\Default\Quark Profile.ico~RFf7818fd.TMP

Filesize
187KB

MD5
c20fa6784b1b6c1395e6e5329da6e663

SHA1
47de380e798d1e34bab14ecfe47363c7a7c4e7a8

SHA256
ff7b0837a9fff093d7be023e3ae2207660a27bf9d2ccc403342cdfd2504baaf4

SHA512
acaac91ba574a7635c90cb423c574999c7da28b80444e7ebc66eb40f0796a97a34ceed690929ff9b3ce8600e091644070f6e5f91b0bac1203feb5360df0bf62f

Download Submit
C:\Users\Admin\AppData\Local\Quark\User Data\Default\Site Characteristics Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Quark\User Data\EfsReports\.e80ffe33\.95c2fa37\.61863cb7\1976\.1`pctrace`1731940825173200000`none`1

Filesize
110KB

MD5
0d825550fdb551e4447e91709694de1c

SHA1
641dc7e57ff6080512ffaa9356500d2a896d8ed8

SHA256
8ab221cfcc71cf51c8d92c23b2b62be6cdbc53e57c23766716c80a9c96486a4f

SHA512
c927b3f6d6f66c2ee3785e2673c729817c4e1b12b998d6cd38a7c0e94d0fc53048449435fefb6360e5844d37923e86e6e062a93d32cf688c86a212a2208c3f91

Download Submit
C:\Users\Admin\AppData\Local\Quark\User Data\Local State

Filesize
4KB

MD5
73a0243f44459a561cb8f22678fa5cfd

SHA1
a473858711b699144d6582f061cde70af4ee4666

SHA256
9d310dbb8f7107d3b90f0c53101ed91aaad30109fd6713f1328cafd77588fca0

SHA512
8949d6cb9e3c058aaffc506015c374aea5cebf90f22ddb76f7561538249201357d218a27029b5d8511c3d8e3c0dc83a1741960440742bd8faa075d2681f2ed04

Download Submit
C:\Users\Admin\AppData\Local\Quark\User Data\Local State

Filesize
4KB

MD5
f88466852841a24db0a074bd6a79ae4f

SHA1
5b87bc5c1627f43e0514645c0f9c9c6f93c1a257

SHA256
9acc66e4d0f24761189ebf51d806f30e667402f03a6256d8de97165e30a774d7

SHA512
d0e0f48a0579bff375ddf058368ab88d82a8eac8d75efe4d2ed6044eb685bae12aef4f90fd8f249cbc71b8bfbe9f96a4bfe9192142265ddc1e694689913e2625

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab11FD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBDF2.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini

Filesize
2KB

MD5
ff0c7c2667dff4f3ed588f40d047c642

SHA1
1162c83bd0bb0d81b7ab7f616cb012b790aa4adf

SHA256
02af5cb061fd8075e9475c45ab20e86cf2bb4ca9511ddad348645ed5183b9fc7

SHA512
539b1d443232758b6c60a287f2a40200e6e3ba7353f11f18e29ba265c9569a4610e4a80910f79660368a916576ab9c486efa248bf3257e522ef5bfb3d42ef3c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar123E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-39DOD.tmp\background_welcome.png

Filesize
87KB

MD5
67ad03a5210049b0642c7a8bc0187a8c

SHA1
2c53b3894eb817249783fe88c12b8a30682eef38

SHA256
56346ca9f09f5601a05c7630e98538cece3ba2938c2fee3d1d033f5464cb7066

SHA512
aa02546d96b97224a3e0feca07855f60c4b229ff41748dca17ebef102945246ec1ace5234c13457c84c860ef452f7bf899eaf94a855833f9a5d26bca5c439955

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-39DOD.tmp\button_close.png

Filesize
304B

MD5
b7f933ca07ab9728c1e7fdadba09b2db

SHA1
3f30a7f8d248d9ab633593d36cbaea039453c3ef

SHA256
5c9bf11674e9516ddc981bc4f8b17c73d644d14de6f25c2508ada90f144ae7d9

SHA512
fd8e62cd7066b314731fd59196d9eb09e58e461cce99297735d425943dcf3cdcc9b5c61668334ae49514239ca1fd05812f693a51d0a9f93ec3beb9d8fefd1048

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-39DOD.tmp\button_install.png

Filesize
5KB

MD5
74657912da7a28747e355a5b5cbe92a5

SHA1
e54a98e339155b251e78a07110975a780c80bb47

SHA256
c7bce090573671491e5069e08c16eec9a7c5172352fbef56daf3267a84326f78

SHA512
1c02d5911947fd62d86e2691032530b357b78a52a5608b5a19257b75bce0af6265067cfc363c289c7b6cdfb70475ca57dbb13fee368e1847e6fde6910a4af15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-39DOD.tmp\button_minimize.png

Filesize
155B

MD5
260f371a446b8ea2b11ee9ffc77ddde7

SHA1
8cf052827edfdfd1f98e69081e4bc29911ed709b

SHA256
9b01beef87d2f7775002a8142e8dd6fd8a1170f1b123c664529415d3b14f0d82

SHA512
59ee54c985392f997a0874e92ae22794f3dc82334f3b2a22ea3ca85aa011995d9b6bdf397934933aeaff4ea4fb31769136c8541265035c11ad005372e6db4c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-39DOD.tmp\checkbox.png

Filesize
4KB

MD5
5221a515f97fd72c19f3dbe875f27f50

SHA1
ff9c11e80998f9b81402d607ddd2b7ed202bf635

SHA256
1f5c1a6e78ae2faf6cf2ebef272b16bed000f8f3874acc713d8a84304cd52fd2

SHA512
e20f19265dd367d27eb93a1ac74f2541e316ecd53e92058bf12f94f83a760734601418de7592d6c43322d8e541957caaccfa83a679ecd592a6c4cb8b3489d53a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-39DOD.tmp\file_icon.png

Filesize
1KB

MD5
3340397e2d044c7de75b5db4c2a38bd4

SHA1
f7e6d708881f92dd0665561372fb0562b70a89dc

SHA256
80bc383f3fe7aa3b8ef75cdeaf7e67d0b46b599d2ca6197b516800c3e8e9fefa

SHA512
4db729e8ede6bb0fce12dacdcb1e43fa73d53c529d4f2321e44da6b6a47cf2313742b113aea21110f1f1a4082d125f8583eeb8542d3204504806660676115bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-39DOD.tmp\progressbar_background.png

Filesize
114B

MD5
9b00d43b506441e0e36b73b59232b70c

SHA1
60f4df0614ef3412069d9071c5602b50ae88ac91

SHA256
c319b74526493047af9540579cbbf23d492e42ccb9b2f617149d0f43f11fcf27

SHA512
d202979e24168efc1d76707dff91a9ca802cd686f78556969c13423da61807b4288adafc2fca6280d08de7e7a4ede2efb0b21aecd341a52c740dce2ca6a2a721

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-39DOD.tmp\progressbar_foreground.png

Filesize
141B

MD5
e8fbfc95f374d35614e6f53b04c80a10

SHA1
1982e89c69e68cdae4074fd976c5df8845d6e485

SHA256
2aab71d17d1d2d10b76ca08ca80269366915a71241bf95fb87f1c4a4d4fc969d

SHA512
fe2b36754eba5b4dbe0f0071f3ba7c2d7d6754baa3e88a83adf07bea4cf7794c44393f9ff0af1487314de37adda4f6e63c4425b29c837dd6a817881f3eeb71bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-39DOD.tmp\slide_pic1.png

Filesize
85KB

MD5
9ad365fbcc11a1ae42802ff37ab836ff

SHA1
ce8baf713eb4d4314f33eeba9f82864ac07bd099

SHA256
c223efa252363b5d1ed4256b46c77b0216beb424ed226f20decece3069d76e3a

SHA512
a1eb96f2c12bbecdd75a91488a2380e79c5fd378436cbd651440933bdaa1aef0fbb4bdaa1eaf75675f69c2a70933e6ec87656641bd8064ac3fea87863f80e93a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-39DOD.tmp\slide_pic2.png

Filesize
111KB

MD5
25e77dbaaab50721efcdde81187d7eae

SHA1
a0702c1adfce48eef1c8c6e76e68f8d43f4630cd

SHA256
d615fcdcb820c770fdff5980d2cc9998caf4f665a15c2e03e38fb5a6c75e63f7

SHA512
ecaaabee854ad21694ace09a69d9e2220df6e932b9d27e81057335238d30b2540685c8cae57120c827b6ba8c1eb13e0f67d0c2373bc13cc65cfce5225ea80fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-39DOD.tmp\slide_pic3.png

Filesize
88KB

MD5
e758224f31ffb7663030814547f4f809

SHA1
95d1c901348154f072cdb8b7cd610a4eb1528ad4

SHA256
a40645e8846fbdae981eaa55ca7d8a5680c36832dc87ba33c986608e897b3021

SHA512
28eacefbcc8e77b16c1f547b2ce8a2f6227c29f6201fe4036987f6895b24bf256e51c5561b0e57ff76f4efb1d1835b8f7f708908a8f12cd353f1a31b7ab70a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-39DOD.tmp\slide_pic4.png

Filesize
128KB

MD5
9cffe028cc27113e168dec08a21fdafc

SHA1
2d18b4eeb007e7a445bbdb89d8d88d5146028ecf

SHA256
443680c7f48421c42018b6bb234bc841856ef90d3c565eed9a4490f68d33eb9e

SHA512
c06cf482f1574e35eacd831681fff0f71692c92505456d846b0c561d817356faa5e3a325819aba9e67b8e886c2e3e034f7f2b7417bf68cb3e4c91693d11526fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{57ECF1ED-E564-46bf-9F3B-19BF94992EB7}

Filesize
164B

MD5
81a71f6feec26723958f2364a4f1aefe

SHA1
3d4605cfd771aedb8ba51389074a60e5a38775ad

SHA256
f244b12a1e911c84dcfea45a49885cf48307d2ddc4c1ac7c1aa21bc310bebd80

SHA512
84f9f20e3a381f1c3cafce07bdfeffd77e19bf0007245e95a80a97fa71e16d877e12ec8d57e8a9e60d008e08b38c9fd670f5374a058980f019590ed1dafd59c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C17DC9EA-7646-4ecd-82C1-B764846D4DD9}.exe

Filesize
1.0MB

MD5
217dc98e219a340cb09915244c992a52

SHA1
a04f101ca7180955d62e4a1aaeccdcca489209da

SHA256
27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c

SHA512
dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E091C0A4-06FA-4643-B7EA-8DFBC556D563}

Filesize
196B

MD5
ab26731b252deef6b604003e2151d881

SHA1
b22acbe07d76599010b6f8eaefe7ee25fb818ec1

SHA256
cbca8a0769e0443b24378590d67902c60dc6cb82a1bba3a20d5b89acb508ab7b

SHA512
dd695e0c650c66956ecf0376108f2190d444eaea7ff53ddbca14e3e758ef52ff0cb66e414eac403d53b4b65fb1c8caf704a392ff9774a7227968a0958f1e462b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\夸克.lnk

Filesize
1KB

MD5
22ad4610389f6b3bc548ac162579f6da

SHA1
91f3f71d17c3cfc5f6330b708a4d656bed220ac5

SHA256
6ecaa126e7e885860b898ff9fd5d89d15f8f395e208d369fa8e0760347e53893

SHA512
855fbd3aec9f0e586255b57667eee26a621ac51e8057c1ab731ff2c85481ab33c67ec6690e1cdbad0c7ae78a6734bb630c6586cd8f57dd323d76031f0e530dfd

Download Submit
C:\Users\Admin\FB72DBD7-7B4E-499D-8E14-000045DFCFB6\MSVCP140.dll

Filesize
613KB

MD5
c1b066f9e3e2f3a6785161a8c7e0346a

SHA1
8b3b943e79c40bc81fdac1e038a276d034bbe812

SHA256
99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd

SHA512
36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

Download Submit
C:\Users\Admin\FB72DBD7-7B4E-499D-8E14-000045DFCFB6\VCRUNTIME140.dll

Filesize
116KB

MD5
e9b690fbe5c4b96871214379659dd928

SHA1
c199a4beac341abc218257080b741ada0fadecaf

SHA256
a06c9ea4f815dac75d2c99684d433fbfc782010fae887837a03f085a29a217e8

SHA512
00cf9b22af6ebbc20d1b9c22fc4261394b7d98ccad4823abc5ca6fdac537b43a00db5b3829c304a85738be5107927c0761c8276d6cb7f80e90f0a2c991dbcd8c

Download Submit
C:\Users\Admin\FB72DBD7-7B4E-499D-8E14-000045DFCFB6\aut.png

Filesize
1.2MB

MD5
0b846c766cf68e97186768f90a6f1dc3

SHA1
4eb4d6e71010a6271b0069b987810af309cc435c

SHA256
938612173627510e1de7307f0b43aab14a68db2431cd20a5146ddab5f51fe162

SHA512
211dfdd38f4dca38bafde4de0b0f6ddd2a059f9227ee0e383b732be053cf7f463c472bd6a73ced6515478d45c504b47efc590fb49aade24d4020542c21e08957

Download Submit
C:\Users\Admin\FB72DBD7-7B4E-499D-8E14-000045DFCFB6\view.png

Filesize
656KB

MD5
c7fcb87d72e42e2afea521eefc18c307

SHA1
aebf2826d9eb14bf7321292b11771f5b6d00f46f

SHA256
4f6df300a860f9b40099817f1390d9bd777e63ff6cbf17199d0dd58f871c4bea

SHA512
713eb6069dc2e805c66106112554b39751ca7ec3f8344cfa7cc1e681fe15a0de6ecbd5d78a391c1e12e796eb9f2e135aa9c024b96d12a17bb918de83390c47c4

Download Submit
C:\Windows\Installer\MSI2178.tmp

Filesize
25KB

MD5
81902d13c01fd8a187f3a7f2b72d5dd0

SHA1
0ac01518c5588eb2788730c78f0c581f79cf2ed4

SHA256
eef31e9195cfacde7b4e7eb7384c8178d8811063b375fd4a28ae897cc180c6a6

SHA512
04d6e2e937328477803084e0ef9da2c3636cdc9d34af74e2d1871d7190be21cbb2771ae835175e104e24eccba52add1ba6f58407bfd522ef82b81d76e977f24c

Download Submit
C:\Windows\Temp\Cab30E2.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar318D.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\users\public\documents\all.zip

Filesize
2.6MB

MD5
be34bdeb6982a01cdfe6df3d6e206be6

SHA1
07e98b85ff05ceec5ef4b857da5b8e3e23780d75

SHA256
76ec04644cbad0eeb343ac7bed749654c8709b6491bf157a39a1230b922d68ea

SHA512
daee0be5417f7ee2f7a57781a9422432b6a775b103dbc6d64b8314c02b042ba84a5b64f329829fd2d3714c99315e611c314ee49dcea7142cbcaa9d87108a855a

Download Submit
\Program Files\Quark\1.9.0.151\quark_elf.dll

Filesize
2.1MB

MD5
50e1cc38762d502decede80c35ebf5c0

SHA1
5a39045e8549dbb718a57e9fc9c8c7bcd786b24d

SHA256
0a601fc23a329de771ed22c81006fd60d90193b430d91d5a8b67d6074116d38a

SHA512
391c30fcd389dee627edf0f8b0efde47926451868d07929fff3538e494ec371bc5c4a7b8ee4b6e38f41b2975f29bc4b8f94669c2c11b9a4043fad1c975d76011

Download Submit
\Program Files\Quark\quark.exe

Filesize
6.1MB

MD5
596161d315f0d702c9a978f3d55b27eb

SHA1
7d4ae091643af968656438d578777fe974509ead

SHA256
3fe472c2dcd795ca4b96927e7a93280f646f0fcecd67e6f3c8baaa166272d287

SHA512
aab235af3dd4bf426f5ca43790b050d7f56ddc20365539a9dffa0421b97f79eb80959b1ee270548e62b30a98aec39cdc9a860d8ba4acf3169389c265c497a586

Download Submit
\Users\Admin\AppData\Local\Temp\is-39DOD.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
\Users\Admin\AppData\Local\Temp\is-39DOD.tmp\quark_installer.dll

Filesize
5.3MB

MD5
b31bea725314c3ec2f2ff23e118f5b0a

SHA1
97cd231ab71d677c52a7f6f5a75bfe26c557d2b1

SHA256
e28a8444cb8c0db045826c970ca3923777bb1cc4c1ce726d517c211b4d895f51

SHA512
3f25f24faed1e9ed10f837d735ad238e01aeac9e6bf88536ef1fb93535fa97f7711e2804e6f89d91842361c3fe2dd740b8cc9932c465f034d8ea2019d9a4362d

Download Submit
\Users\Admin\AppData\Local\Temp\is-39DOD.tmp\quark_tag_helper.dll

Filesize
892KB

MD5
bd37130928db4f8245d6d604434eae4d

SHA1
c3ab37d4d0051d538f022ccc06b22f0d151e3382

SHA256
5ae84c087fdafabb6ddcb6475b7c0d67e7d370311acad3eb9421b883e9156223

SHA512
9d4148c15375a804db8a5c6e2710854243c60278f45e10e9f7a98fe094d86515b129342ed677fde041f4589f7a890e6bc26fb0ab368cd3df8d3dba7cc6b3cc56

Download Submit
\Users\Admin\AppData\Local\Temp\is-39DOD.tmp\utdid32.dll

Filesize
2.7MB

MD5
fd44a952cb004915655747725b356f6a

SHA1
a74b55f947f67a908e9af3b61633a91cf0640e3f

SHA256
6c5683782d834e852807fc7a543c93ab4266af7b88bbf63dff78a69fbd4a748b

SHA512
57dfb261fdd19158eb8d417ff8f14fe70a5eec91f5eb588e751d18712451c584090efff4739646267fd481b63ad6fff02abb578577ace06855bbf531ff800b35

Download Submit
\Users\Admin\AppData\Local\Temp\is-VH52J.tmp\QuarkPC_V1.9.0.151_pc_pf30002.tmp

Filesize
3.4MB

MD5
fbfd322c7e5cb761804964de560c0a2a

SHA1
fabfa92c011b2414feb3b6e3834675918821d29a

SHA256
d4014646153b10b3142be99366e4aa0c7097304dc9daffb505ffae7580d1efa0

SHA512
562424295999d52358f42590158545f51799f91dd323a2201a25e7d03ab7003efe398d07f7ba831d4ff7ac44ce091b1acc410ba02626e1881b7f7b8a3293ece0

Download Submit
\Users\Admin\FB72DBD7-7B4E-499D-8E14-000045DFCFB6\down.exe

Filesize
2.1MB

MD5
f336e647ce054d13fd1e42cc21863964

SHA1
25add856849dbf8fd97184a4419a9e4b4da8cf99

SHA256
cf9cf2b8584c3b38d345f4aa681f3a381d017f2f54690813937a9a7b77388080

SHA512
24b8597ba42eea158452dd6b8873ed585dd5a168d40fb3a7380a34af81534ba70aeb1b728e0fda971f8654c8ca0416655d3f8a2299d74fb57e79430d59f7a47b

Download Submit
\Users\Admin\FB72DBD7-7B4E-499D-8E14-000045DFCFB6\vcruntime140_1.dll

Filesize
48KB

MD5
eb49c1d33b41eb49dfed58aafa9b9a8f

SHA1
61786eb9f3f996d85a5f5eea4c555093dd0daab6

SHA256
6d3a6cde6fc4d3c79aabf785c04d2736a3e2fd9b0366c9b741f054a13ecd939e

SHA512
d15905a3d7203b00181609f47ce6e4b9591a629f2bf26ff33bf964f320371e06d535912fda13987610b76a85c65c659adac62f6b3176dbca91a01374178cd5c6

Download Submit
memory/264-49-0x0000000002580000-0x0000000003580000-memory.dmp

Filesize
16.0MB

Download
memory/784-235-0x00000000000F0000-0x000000000016B000-memory.dmp

Filesize
492KB

Download
memory/784-73-0x00000000000F0000-0x000000000016B000-memory.dmp

Filesize
492KB

Download
memory/784-79-0x00000000000F0000-0x000000000016B000-memory.dmp

Filesize
492KB

Download
memory/784-234-0x00000000000F0000-0x000000000016B000-memory.dmp

Filesize
492KB

Download
memory/784-419-0x00000000000F0000-0x000000000016B000-memory.dmp

Filesize
492KB

Download
memory/1032-1117-0x0000000005D40000-0x0000000005D4F000-memory.dmp

Filesize
60KB

Download
memory/1032-469-0x00000000037A0000-0x00000000038E0000-memory.dmp

Filesize
1.2MB

Download
memory/1032-1116-0x0000000000400000-0x0000000000766000-memory.dmp

Filesize
3.4MB

Download
memory/1032-625-0x0000000000400000-0x0000000000766000-memory.dmp

Filesize
3.4MB

Download
memory/1032-532-0x0000000000400000-0x0000000000766000-memory.dmp

Filesize
3.4MB

Download
memory/1032-533-0x0000000005D40000-0x0000000005D4F000-memory.dmp

Filesize
60KB

Download
memory/1032-529-0x0000000001FA0000-0x00000000020E0000-memory.dmp

Filesize
1.2MB

Download
memory/1032-530-0x00000000037A0000-0x00000000038E0000-memory.dmp

Filesize
1.2MB

Download
memory/1032-504-0x00000000037A0000-0x00000000038E0000-memory.dmp

Filesize
1.2MB

Download
memory/1032-499-0x00000000037A0000-0x00000000038E0000-memory.dmp

Filesize
1.2MB

Download
memory/1032-494-0x00000000037A0000-0x00000000038E0000-memory.dmp

Filesize
1.2MB

Download
memory/1032-423-0x0000000000400000-0x0000000000766000-memory.dmp

Filesize
3.4MB

Download
memory/1032-474-0x00000000037A0000-0x00000000038E0000-memory.dmp

Filesize
1.2MB

Download
memory/1032-479-0x00000000037A0000-0x00000000038E0000-memory.dmp

Filesize
1.2MB

Download
memory/1032-484-0x00000000037A0000-0x00000000038E0000-memory.dmp

Filesize
1.2MB

Download
memory/1032-489-0x00000000037A0000-0x00000000038E0000-memory.dmp

Filesize
1.2MB

Download
memory/1032-428-0x0000000000400000-0x0000000000766000-memory.dmp

Filesize
3.4MB

Download
memory/1032-459-0x0000000005D40000-0x0000000005D4F000-memory.dmp

Filesize
60KB

Download
memory/1636-1118-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1636-418-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1636-392-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2268-390-0x00000000002B0000-0x00000000002B2000-memory.dmp

Filesize
8KB

Download
memory/2364-1289-0x000000000BEF0000-0x000000000BF02000-memory.dmp

Filesize
72KB

Download
memory/2416-91-0x0000000001CE0000-0x0000000001CF0000-memory.dmp

Filesize
64KB

Download