download:

/invc/xfspeed/qqpcmgr/download/QQPCDownload_home_310056.exe

Full analysis: https://app.any.run/tasks/d79af44b-8cef-45ab-bbcd-b24fcd38705e
Verdict: Malicious activity
Threats:

Cobalt Strike is a legitimate penetration testing toolkit developed by Fortra, but its cracked versions are widely adopted by bad actors, who use it as their C2 system of choice for targeted attacks.

Analysis date: November 10, 2024, 23:32:10
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
xor-url
generic
gcleaner
dcrat
cobaltstrike
susp-powershell
wmi-base64
cve-2022-30190
exploit
vmprotect
pyinstaller
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: 5A62673F15F4071C8AD5172BB8A608D7
SHA1: 568C19C3564EDCBCBB5E1E726A6E6C22661F4A55
SHA256: 22DD982448FD14109631DE9CDF7B255442EDA61B384C9CF638981826DC4CFE37
SSDEEP: 98304:+yfAY2verYf46nwRLkbDaZfGIfuMgs+qLH7+PZrx4QGbFMvz0DM6bO6fXYPZXRuQ:GnWRE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as-is for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • QQPCMgr_Setup.exe (PID: 4080)
      • QQPCRTP.exe (PID: 3928)
    • Registers / Runs the DLL via REGSVR32.EXE

      • QQPCMgr_Setup.exe (PID: 4080)
      • QMFileSmashProSetup_17.3.26212.301__1729671312556.exe (PID: 10708)
    • Actions look like stealing of personal data

      • QQPCRTP.exe (PID: 3928)
    • Runs injected code in another process

      • TrayRocketInjectHelper64.exe (PID: 7252)
    • Application was injected by another process

      • explorer.exe (PID: 4616)
    • DCRAT has been detected (YARA)

      • QQPCRTP.exe (PID: 3928)
    • XORed URL has been found (YARA)

      • QQPCRTP.exe (PID: 3928)
    • GCLEANER has been detected (YARA)

      • QQPCRTP.exe (PID: 3928)
    • COBALTSTRIKE has been detected (YARA)

      • QQPCRTP.exe (PID: 3928)
    • CVE-2022-30190 detected

      • QQPCRTP.exe (PID: 3928)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • QQPCDownload_home_310056.exe (PID: 6240)
      • QQPCMgr_Setup.exe (PID: 4080)
      • QQPCTray.exe (PID: 6948)
      • qmbinsx64.exe (PID: 4012)
      • QQPCRTP.exe (PID: 3928)
      • TpkUpdate.exe (PID: 10136)
      • QMDL.exe (PID: 8424)
      • QMDynamicPackageSetup_17.3.26212.301__1729671312556.exe (PID: 10684)
      • QQPCExternal.exe (PID: 9300)
      • QMFileSmashProSetup_17.3.26212.301__1729671312556.exe (PID: 10708)
      • QQPCExternal.exe (PID: 6772)
      • 15541.exe (PID: 7116)
      • svchost.exe (PID: 628)
    • Process requests binary or script from the Internet

      • QQPCDownload_home_310056.exe (PID: 6240)
    • Potential Corporate Privacy Violation

      • QQPCDownload_home_310056.exe (PID: 6240)
    • The process verifies whether the antivirus software is installed

      • QQPCDownload_home_310056.exe (PID: 6240)
      • cacls.exe (PID: 6196)
      • QQPCSoftCmd.exe (PID: 2088)
      • 15541.exe (PID: 7140)
      • 15541.exe (PID: 7116)
      • QQPCRTP.exe (PID: 1880)
      • regsvr32.exe (PID: 3020)
      • regsvr32.exe (PID: 1500)
      • explorer.exe (PID: 4616)
      • QQPCRTP.exe (PID: 2692)
      • QQPCRTP.exe (PID: 6832)
      • QQPCMgr_Setup.exe (PID: 4080)
      • QQPCTray.exe (PID: 3524)
      • UpdateTrayIcon.exe (PID: 860)
      • QQPCRTP.exe (PID: 3928)
      • QQPCTray.exe (PID: 6948)
      • QQPCExternal.exe (PID: 5944)
      • QMHwDrX64.exe (PID: 2652)
      • QQPCExternal.exe (PID: 7192)
      • qmbinsx64.exe (PID: 4012)
      • TrayRocketInjectHelper64.exe (PID: 7252)
      • QMAIService.exe (PID: 7088)
      • qmbsrv.exe (PID: 7276)
    • Uses ICACLS.EXE to modify access control lists

      • QQPCMgr_Setup.exe (PID: 4080)
      • cmd.exe (PID: 616)
      • cmd.exe (PID: 6816)
      • cmd.exe (PID: 6400)
      • QMDL.exe (PID: 8424)
    • The process drops C-runtime libraries

      • QQPCMgr_Setup.exe (PID: 4080)
      • QMFileSmashProSetup_17.3.26212.301__1729671312556.exe (PID: 10708)
    • Searches for installed software

      • QQPCMgr_Setup.exe (PID: 4080)
      • svchost.exe (PID: 628)
      • QQPCRTP.exe (PID: 3928)
    • Starts CMD.EXE for command execution

      • QQPCMgr_Setup.exe (PID: 4080)
    • Process drops legitimate windows executable

      • QQPCMgr_Setup.exe (PID: 4080)
      • QQPCTray.exe (PID: 6948)
      • QQPCRTP.exe (PID: 3928)
      • QMDynamicPackageSetup_17.3.26212.301__1729671312556.exe (PID: 10684)
      • QMFileSmashProSetup_17.3.26212.301__1729671312556.exe (PID: 10708)
    • Creates a software uninstall entry

      • QQPCMgr_Setup.exe (PID: 4080)
    • Creates or modifies Windows services

      • QQPCMgr_Setup.exe (PID: 4080)
      • QQPCRTP.exe (PID: 3928)
      • QQPCTray.exe (PID: 6948)
    • Creates files in the driver directory

      • QQPCMgr_Setup.exe (PID: 4080)
      • QQPCTray.exe (PID: 6948)
      • qmbinsx64.exe (PID: 4012)
    • Drops 7-zip archiver for unpacking

      • QQPCMgr_Setup.exe (PID: 4080)
    • The process creates files with name similar to system file names

      • QQPCMgr_Setup.exe (PID: 4080)
    • Starts application with an unusual extension

      • cmd.exe (PID: 608)
    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 608)
    • Executes as Windows Service

      • 15541.exe (PID: 7116)
      • QQPCRTP.exe (PID: 3928)
      • qmbsrv.exe (PID: 7276)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 1500)
      • regsvr32.exe (PID: 3020)
    • Checks Windows Trust Settings

      • QQPCMgr_Setup.exe (PID: 4080)
      • QQPCTray.exe (PID: 6948)
      • QQPCRTP.exe (PID: 3928)
    • Reads security settings of Internet Explorer

      • QQPCMgr_Setup.exe (PID: 4080)
      • QQPCTray.exe (PID: 6948)
    • Drops a system driver (possible attempt to evade defenses)

      • QQPCMgr_Setup.exe (PID: 4080)
      • QQPCTray.exe (PID: 6948)
      • qmbinsx64.exe (PID: 4012)
    • Reads Microsoft Outlook installation path

      • QQPCTray.exe (PID: 6948)
    • Detected use of alternative data streams (AltDS)

      • svchost.exe (PID: 628)
    • Application launched itself

      • QQPCExternal.exe (PID: 5944)
      • QQPCExternal.exe (PID: 7192)
      • QQPCMgrUpdate.exe (PID: 7568)
      • QMCheckNetwork.exe (PID: 10000)
    • Connects to unusual port

      • QQPCRTP.exe (PID: 3928)
      • 15541.exe (PID: 7116)
      • QQPCTray.exe (PID: 6948)
    • There is functionality for communication over UDP network (YARA)

      • QQPCRTP.exe (PID: 3928)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • QMDynamicPackageSetup_17.3.26212.301__1729671312556.exe (PID: 10684)
      • QMFileSmashProSetup_17.3.26212.301__1729671312556.exe (PID: 10708)
  • INFO

    • Creates files or folders in the user directory

      • QQPCDownload_home_310056.exe (PID: 6240)
      • QQPCMgr_Setup.exe (PID: 4080)
      • 15541.exe (PID: 7140)
      • explorer.exe (PID: 4616)
      • QQPCTray.exe (PID: 6948)
    • Creates files in a temporary directory

      • QQPCDownload_home_310056.exe (PID: 6240)
      • QQPCMgr_Setup.exe (PID: 4080)
      • UpdateTrayIcon.exe (PID: 860)
      • UpdateTrayIcon64.exe (PID: 5100)
      • QQPCRTP.exe (PID: 3928)
    • Checks supported languages

      • QQPCDownload_home_310056.exe (PID: 6240)
      • QQPCMgr_Setup.exe (PID: 4080)
      • QQPCSoftCmd.exe (PID: 2088)
      • QQPCRTP.exe (PID: 1880)
      • chcp.com (PID: 5940)
      • 15541.exe (PID: 7140)
      • 15541.exe (PID: 7116)
      • QQPCRTP.exe (PID: 2692)
      • QQPCRTP.exe (PID: 6832)
      • QQPCRTP.exe (PID: 3928)
      • QQPCTray.exe (PID: 6948)
      • QQPCTray.exe (PID: 3524)
      • UpdateTrayIcon.exe (PID: 860)
      • UpdateTrayIcon64.exe (PID: 5100)
      • QQPCExternal.exe (PID: 5944)
      • QMAIService.exe (PID: 7088)
      • QMHwDrX64.exe (PID: 2652)
      • QQPCExternal.exe (PID: 7192)
      • qmbinsx64.exe (PID: 4012)
      • TrayRocketInjectHelper64.exe (PID: 7252)
      • qmbsrv.exe (PID: 7276)
    • Creates files in the program directory

      • QQPCDownload_home_310056.exe (PID: 6240)
      • QQPCMgr_Setup.exe (PID: 4080)
      • QQPCSoftCmd.exe (PID: 2088)
      • 15541.exe (PID: 7116)
      • QQPCRTP.exe (PID: 3928)
      • QQPCTray.exe (PID: 6948)
    • Reads the computer name

      • QQPCDownload_home_310056.exe (PID: 6240)
      • QQPCMgr_Setup.exe (PID: 4080)
      • QQPCSoftCmd.exe (PID: 2088)
      • QQPCRTP.exe (PID: 1880)
      • 15541.exe (PID: 7140)
      • 15541.exe (PID: 7116)
      • QQPCRTP.exe (PID: 2692)
      • QQPCRTP.exe (PID: 6832)
      • QQPCRTP.exe (PID: 3928)
      • QQPCTray.exe (PID: 6948)
      • UpdateTrayIcon64.exe (PID: 5100)
      • QQPCTray.exe (PID: 3524)
      • QQPCExternal.exe (PID: 5944)
      • QMHwDrX64.exe (PID: 2652)
      • QMAIService.exe (PID: 7088)
      • QQPCExternal.exe (PID: 7192)
      • qmbinsx64.exe (PID: 4012)
      • TrayRocketInjectHelper64.exe (PID: 7252)
    • Reads security settings of Internet Explorer

      • backgroundTaskHost.exe (PID: 5740)
    • Reads the machine GUID from the registry

      • QQPCDownload_home_310056.exe (PID: 6240)
      • QQPCMgr_Setup.exe (PID: 4080)
      • 15541.exe (PID: 7140)
      • 15541.exe (PID: 7116)
      • QQPCTray.exe (PID: 6948)
      • QQPCRTP.exe (PID: 3928)
    • Reads the software policy settings

      • backgroundTaskHost.exe (PID: 5740)
      • QQPCMgr_Setup.exe (PID: 4080)
      • QQPCRTP.exe (PID: 3928)
    • Checks proxy server information

      • backgroundTaskHost.exe (PID: 5740)
      • QQPCMgr_Setup.exe (PID: 4080)
    • Sends debugging messages

      • QQPCMgr_Setup.exe (PID: 4080)
      • QQPCSoftCmd.exe (PID: 2088)
      • qmbinsx64.exe (PID: 4012)
      • explorer.exe (PID: 4616)
    • Changes the display of characters in the console

      • cmd.exe (PID: 608)
    • Process checks whether UAC notifications are on

      • QQPCTray.exe (PID: 6948)
    • Found Base64 encoded access to Marshal class via PowerShell (YARA)

      • QQPCRTP.exe (PID: 3928)
    • UPX packer has been detected

      • QQPCRTP.exe (PID: 3928)
    • Found Base64 encoded reference to WMI classes (YARA)

      • QQPCRTP.exe (PID: 3928)
    • PyInstaller has been detected (YARA)

      • QQPCRTP.exe (PID: 3928)
    • Found Base64 encoded text manipulation via PowerShell (YARA)

      • QQPCRTP.exe (PID: 3928)
    • VMProtect protector has been detected

      • QQPCRTP.exe (PID: 3928)
    • Found Base64 encoded network access via PowerShell (YARA)

      • QQPCRTP.exe (PID: 3928)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1970:01:06 19:56:48+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 393216
InitializedDataSize: 106496
UninitializedDataSize: -
EntryPoint: 0x13cb8
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.0.6.27
ProductVersionNumber: 2.0.6.27
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileDescription: 腾讯电脑管家在线安装程序
FileVersion: 2.0.6.27
LegalCopyright: Copyright (C) 1998 - 2018 Tencent. All Rights Reserved.
ProductName: 腾讯电脑管家
ProductVersion: 2.0.6.27
No data.
All screenshots are available in the full report
Total processes: 225
Monitored processes: 91
Malicious processes: 25
Suspicious processes: 1

Behavior graph

start qqpcdownload_home_310056.exe qqpcmgr_setup.exe cmd.exe no specs conhost.exe no specs icacls.exe no specs cmd.exe no specs conhost.exe no specs icacls.exe no specs cmd.exe no specs conhost.exe no specs icacls.exe no specs cacls.exe no specs conhost.exe no specs qqpcsoftcmd.exe qqpcrtp.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs netsh.exe no specs 15541.exe 15541.exe regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs qqpcrtp.exe no specs qqpcrtp.exe no specs #XOR-URL qqpcrtp.exe qqpctray.exe qqpctray.exe no specs updatetrayicon.exe no specs updatetrayicon64.exe no specs qqpcexternal.exe no specs qmaiservice.exe no specs qmhwdrx64.exe no specs qmbinsx64.exe conhost.exe no specs qqpcexternal.exe no specs trayrocketinjecthelper64.exe no specs qmbsrv.exe no specs svchost.exe backgroundtaskhost.exe conhost.exe no specs svchost.exe qqpcmgrupdate.exe no specs qqpcexternal.exe no specs qqpcexternal.exe no specs qqpcexternal.exe no specs qqpcexternal.exe no specs qqpcexternal.exe no specs qqpcexternal.exe no specs qqpcexternal.exe no specs qqpcexternal.exe no specs qqpcexternal.exe no specs qqpcexternal.exe no specs qqpcexternal.exe no specs qqpcmgrupdate.exe no specs qqpcmgrupdate.exe no specs qqpcmgr.exe no specs qqpctray.exe no specs qqpcupdateavlib.exe no specs qmchecknetwork.exe no specs tsvulfixinc64.exe no specs qmchecknetwork.exe no specs tpkupdate.exe qmdl.exe icacls.exe no specs conhost.exe no specs qmtoolwidget.exe no specs qmaiservice.exe no specs qmaiservice.exe no specs qmgarbageautoclean.exe no specs qmdynamicpackagesetup_17.3.26212.301__1729671312556.exe qmlogcenter.exe no specs qqpcexternal.exe no specs qqpcexternal.exe no specs qqpcexternal.exe no specs qmlspping.exe no specs qmsignscan.exe no specs qmfilesmashprosetup_17.3.26212.301__1729671312556.exe regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs filesmashpro.exe no specs qqpcexternal.exe compattelrunner.exe no specs conhost.exe no specs 
qqpcexternal.exe qqpcexternal.exe no specs qqpcexternal.exe no specs explorer.exe qqpcdownload_home_310056.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 608
CMD: "C:\WINDOWS\system32\cmd.exe" "/c "chcp 65001 && C:\WINDOWS\system32\netsh.exe -f C:\Users\admin\AppData\Local\Temp\Tencent\QQPCMgr\~9ce6f\firewallLog.txt"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: QQPCMgr_Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 616
CMD: cmd.exe /C icacls C:\Windows\System32\vcruntime140.dll /grant Administrator:F
Path: C:\Windows\System32\cmd.exe
Parent process: QQPCMgr_Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 628
CMD: C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\aepic.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
PID: 860
CMD: "C:\Users\admin\AppData\Local\Temp\Tencent\QQPCMgr\~9ce6f\UpdateTrayIcon.exe" -t QQPCTray.exe -c 1 -p 1 -v 0 -h "" -d "C:\Program Files (x86)\Tencent\QQPCMgr\17.3.26212.301\"
Path: C:\Users\admin\AppData\Local\Temp\Tencent\QQPCMgr\~9ce6f\UpdateTrayIcon.exe
Parent process: QQPCMgr_Setup.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\tencent\qqpcmgr\~9ce6f\updatetrayicon.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1332
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cacls.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1428
CMD: "C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files (x86)\Tencent\QQPCMgr\17.3.26212.301\QMContextScan64.dll"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: QQPCMgr_Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
5
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 1500
CMD: "C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files (x86)\Tencent\QQPCMgr\17.3.26212.301\QMContextScan.dll"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: QQPCMgr_Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
5
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 1588
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: CompatTelRunner.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 1880
CMD: "C:\Program Files (x86)\Tencent\QQPCMgr\17.3.26212.301\QQPCRTP.exe" -i
Path: C:\Program Files (x86)\Tencent\QQPCMgr\17.3.26212.301\QQPCRTP.exe
Parent process: QQPCMgr_Setup.exe
User:
admin
Company:
Tencent
Integrity Level:
HIGH
Description:
腾讯电脑管家-实时防护服务
Exit code:
0
Version:
17,3,26212,301
Modules
Images
c:\program files (x86)\tencent\qqpcmgr\17.3.26212.301\qqpcrtp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
PID: 2000
CMD: "C:\Windows\System32\icacls.exe" C:\Users\admin\AppData\Roaming\Tencent\Config\ /t /setintegritylevel low
Path: C:\Windows\SysWOW64\icacls.exe
Parent process: QMDL.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Total events: 33 266
Read events: 30 119
Write events: 3 080
Delete events: 67

Modification events

(PID) Process: (628) svchost.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store
Operation: write
Name: C:\Users\admin\Desktop\QQPCDownload_home_310056.exe
Value:
534143500100000000000000070000002800000010461F006A2420000100000000000000000001060001000050BB64EDDDACD5010000000000000000

(PID) Process: (628) svchost.exe
Key: \REGISTRY\A\{29be79a5-57a6-0465-820f-232e8531f509}\Root\InventoryApplicationFile
Operation: write
Name: WritePermissionsCheck
Value:
1

(PID) Process: (628) svchost.exe
Key: \REGISTRY\A\{29be79a5-57a6-0465-820f-232e8531f509}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation: delete key
Name: (default)
Value:

(PID) Process: (628) svchost.exe
Key: \REGISTRY\A\{29be79a5-57a6-0465-820f-232e8531f509}\Root\InventoryApplicationFile\qqpcdownload_hom|c2b21a1ebc8c3fe1
Operation: write
Name: ProgramId
Value:
0006d7d2f9be3e62adbf6015f62a3b945ca100000408

(PID) Process: (628) svchost.exe
Key: \REGISTRY\A\{29be79a5-57a6-0465-820f-232e8531f509}\Root\InventoryApplicationFile\qqpcdownload_hom|c2b21a1ebc8c3fe1
Operation: write
Name: FileId
Value:
0000568c19c3564edcbcbb5e1e726a6e6c22661f4a55

(PID) Process: (628) svchost.exe
Key: \REGISTRY\A\{29be79a5-57a6-0465-820f-232e8531f509}\Root\InventoryApplicationFile\qqpcdownload_hom|c2b21a1ebc8c3fe1
Operation: write
Name: LowerCaseLongPath
Value:
c:\users\admin\desktop\qqpcdownload_home_310056.exe

(PID) Process: (628) svchost.exe
Key: \REGISTRY\A\{29be79a5-57a6-0465-820f-232e8531f509}\Root\InventoryApplicationFile\qqpcdownload_hom|c2b21a1ebc8c3fe1
Operation: write
Name: LongPathHash
Value:
qqpcdownload_hom|c2b21a1ebc8c3fe1

(PID) Process: (628) svchost.exe
Key: \REGISTRY\A\{29be79a5-57a6-0465-820f-232e8531f509}\Root\InventoryApplicationFile\qqpcdownload_hom|c2b21a1ebc8c3fe1
Operation: write
Name: Name
Value:
QQPCDownload_home_310056.exe

(PID) Process: (628) svchost.exe
Key: \REGISTRY\A\{29be79a5-57a6-0465-820f-232e8531f509}\Root\InventoryApplicationFile\qqpcdownload_hom|c2b21a1ebc8c3fe1
Operation: write
Name: OriginalFileName
Value:

(PID) Process: (628) svchost.exe
Key: \REGISTRY\A\{29be79a5-57a6-0465-820f-232e8531f509}\Root\InventoryApplicationFile\qqpcdownload_hom|c2b21a1ebc8c3fe1
Operation: write
Name: Publisher
Value:
Executable files: 964
Suspicious files: 820
Text files: 278
Unknown types: 11

Dropped files

PID
Process
Filename
Type
PID: 6240
Process: QQPCDownload_home_310056.exe
Filename: C:\Users\admin\AppData\Roaming\Tencent\QQPCMgr\Download\QQPCMgr_Setup.exe
MD5:
SHA256:

PID: 6240
Process: QQPCDownload_home_310056.exe
Filename: C:\Users\admin\AppData\Local\Temp\TencentDownload\~8b87b\beacon_sdk.dll
Type: executable
MD5: 3FF08933E37878F67C49A3F80E3E0E87
SHA256: FBA261918A232743C0DF837F299536A8459489B17F295C3EB3A3A880E938BD9B

PID: 6240
Process: QQPCDownload_home_310056.exe
Filename: C:\Users\admin\AppData\Local\Temp\TencentDownload\~8b87b\setup.xml
Type: xml
MD5: 2C9F16ADE01EA007674602C1C12EA4F9
SHA256: E43B23732553D22C582E6F584B24DEA3EBA2D28053F42797AAC481B9AA6B3310

PID: 6240
Process: QQPCDownload_home_310056.exe
Filename: C:\Users\admin\AppData\Local\Temp\TencentDownload\~8b87b\QQPCDownload.dll
Type: executable
MD5: F657A4B694C03741A3B72C92FF0968AF
SHA256: B38DB6805FBFFD9C13E20A1E32177CA261AB1295DE10C2397651DA449758EE98

PID: 6240
Process: QQPCDownload_home_310056.exe
Filename: C:\ProgramData\Tencent\DeskUpdate\GuidList.db
Type: text
MD5: 0579887C09ACE8C1589A310202D01376
SHA256: 0BC1E9E326ABF28C2B7587DD8DDAFB77364B9B06A7EEFFDED6D3033767496FC5

PID: 6240
Process: QQPCDownload_home_310056.exe
Filename: C:\ProgramData\Tencent\DeskUpdate\GlobalMgr.db
Type: text
MD5: E89B633DA624C519C9D054220B2EBF1C
SHA256: 503CCD64AC2D466F744DA04B94B5F0ECE1E28E0411F5542BDB2CF976EA708DD7

PID: 6240
Process: QQPCDownload_home_310056.exe
Filename: C:\Users\admin\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db
Type: text
MD5: 6EC9B69DD0120A89D4E8D5C9B74DD059
SHA256: D041801C2358FE7E017B5A938727E07E5B2A1815FFD77D7592BFC409E656345C

PID: 6240
Process: QQPCDownload_home_310056.exe
Filename: C:\ProgramData\Tencent\DeskUpdate\GuidReport.dat
Type: text
MD5: 6A84643077F08F59EA457F53F653388A
SHA256: B63B5B11E3827ED7D8E6172A6863238ACA1B60C0B1AD829E5EB3E5532A247A8B

PID: 6240
Process: QQPCDownload_home_310056.exe
Filename: C:\ProgramData\Tencent\DeskUpdate\Guid.db
Type: text
MD5: 5155FE24A1938EDAF5FFEBE522EBDAC4
SHA256: 53915EA87C0F011A7F57D0700B086A162B0A36BADE3729A5DE429628338A3B97

PID: 5740
Process: backgroundTaskHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
Type: text
MD5: F49655F856ACB8884CC0ACE29216F511
SHA256: 7852FCE59C67DDF1D6B8B997EAA1ADFAC004A9F3A91C37295DE9223674011FBA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 94
TCP/UDP connections: 479
DNS requests: 99
Threats: 53

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6240
QQPCDownload_home_310056.exe
GET
200
43.135.106.184:80
http://c.gj.qq.com/packconfig?serviceid=2230&clientver=1000&gjguid=19a2e31294b94e3cb84ac7bae503eeb4&check=27282021&livetime=0
unknown
whitelisted
4080
QQPCMgr_Setup.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEA3a8v5R87LpTLtpWkpRdPw%3D
unknown
whitelisted
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6240
QQPCDownload_home_310056.exe
GET
200
43.135.106.184:80
http://c.gj.qq.com/fcgi-bin/downurlquery?id=310056&guid=QN2U1b7Dzh61TUFFiYH809nK9TdyILMM4Fe7geHYyp1owJoz9X45Et2816bZXRB1&ver=15.10.10395.201
unknown
whitelisted
2776
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6240
QQPCDownload_home_310056.exe
GET
119.188.150.28:80
http://dlied6.qq.com/invc/xfspeed/qqpcmgr/versetup/portal/portal/PCMgr_Setup_17_3_26212_301_806853.exe
unknown
whitelisted
6240
QQPCDownload_home_310056.exe
GET
206
119.188.150.28:80
http://dlied6.qq.com/invc/xfspeed/qqpcmgr/versetup/portal/portal/PCMgr_Setup_17_3_26212_301_806853.exe
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6944
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1588
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5488
MoUsoCoreWorker.exe
2.16.164.49:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
5488
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4360
SearchApp.exe
2.23.209.182:443
www.bing.com
Akamai International B.V.
GB
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4020
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.9
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
www.bing.com
  • 2.23.209.182
  • 2.23.209.130
  • 2.23.209.187
  • 2.23.209.133
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
google.com
  • 142.250.185.142
whitelisted
master.etl.desktop.qq.com
  • 157.255.4.39
whitelisted
c.gj.qq.com
  • 43.135.106.184
  • 43.135.106.117
whitelisted
login.live.com
  • 40.126.32.76
  • 40.126.32.72
  • 20.190.160.22
  • 40.126.32.138
  • 40.126.32.133
  • 20.190.160.20
  • 40.126.32.68
  • 40.126.32.74
whitelisted
th.bing.com
  • 2.23.209.133
  • 2.23.209.130
  • 2.23.209.187
  • 184.86.251.22
  • 184.86.251.19
  • 184.86.251.27
whitelisted

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Generic Protocol Command Decode
SURICATA HTTP Request line incomplete
Potentially Bad Traffic
SUSPICIOUS [ANY.RUN] Invalid HTTP Method
Generic Protocol Command Decode
SURICATA HTTP Request line incomplete
Generic Protocol Command Decode
SURICATA HTTP Request line incomplete
Generic Protocol Command Decode
SURICATA HTTP Request line incomplete
Generic Protocol Command Decode
SURICATA HTTP Request line incomplete
Potentially Bad Traffic
SUSPICIOUS [ANY.RUN] Invalid HTTP Method
Potentially Bad Traffic
SUSPICIOUS [ANY.RUN] Invalid HTTP Method
Potentially Bad Traffic
SUSPICIOUS [ANY.RUN] Invalid HTTP Method
Process
Message
QQPCMgr_Setup.exe
"cacls" "C:\Program Files (x86)\Tencent\QQPCMgr\17.3.26212.301" /t /e /c /g SYSTEM:f
QQPCSoftCmd.exe
=========== mem dump after here is valid ========
QQPCMgr_Setup.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\17.3.26212.301\QQPCRTP.exe" -e
QQPCMgr_Setup.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\17.3.26212.301\QQPCRTP.exe" -s
QQPCMgr_Setup.exe
"C:\Program Files (x86)\Tencent\QQPCMgr\17.3.26212.301\QQPCTray.exe" /regrun
QQPCMgr_Setup.exe
"C:\Users\admin\AppData\Local\Temp\Tencent\QQPCMgr\~9ce6f\UpdateTrayIcon.exe" -t QQPCTray.exe -c 1 -p 1 -v 0 -h "" -d "C:\Program Files (x86)\Tencent\QQPCMgr\17.3.26212.301\"
qmbinsx64.exe
GetOutputLog open SOFTWARE\Tencent\QQPCMgr\LogCfg fail getlasterror=0
qmbinsx64.exe
InitLog Output type is 0