URL:

https://guanjia.qq.com/sem/497/index.html?ADTAG=media.buy.baidu.110084

Full analysis: https://app.any.run/tasks/2b565e19-73e6-421b-a9f2-b6e0b13712cb
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: September 11, 2019, 19:07:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
Indicators:
MD5:

6B22C0220172472D753173069CDE3B91

SHA1:

EA9E0EE205907E1ACBFF0B536A42BA047C67C86E

SHA256:

61FB5DD25FC88963F537D9BAE30E6D3D760DAC6B68E170AD709E3C831709D969

SSDEEP:

3:N8xsNkAIK6M45NsMwiHFQ5Tn:2MktlN1wjn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • QQPCDownload110084.exe (PID: 2072)
      • QQPCDownload110084.exe (PID: 2400)
      • RemNPX.exe (PID: 3248)
      • QMCheckNetwork.exe (PID: 3368)
      • UpdateTrayIcon.exe (PID: 2980)
      • InstallUninstallCube.exe (PID: 3388)
      • QMSuperScan.exe (PID: 2244)
      • QMCheckNetwork.exe (PID: 3172)
      • QQPCRTP.exe (PID: 4000)
      • QQPCRTP.exe (PID: 1304)
      • QQPCSoftCmd.exe (PID: 3944)
      • QQPCRTP.exe (PID: 2532)
      • QQPCRTP.exe (PID: 3460)
      • QQPCTray.exe (PID: 3512)
      • QQPCTray.exe (PID: 936)
      • VolSnapshot.exe (PID: 664)
      • QQTrayMonitor.exe (PID: 1684)
      • QQPCRealTimeSpeedup.exe (PID: 5624)
      • QQPCMgr.exe (PID: 4912)
      • QQTrayMonitor.exe (PID: 4900)
      • QQPCTray.exe (PID: 4904)
      • QQPCTxtExt.exe (PID: 4576)
      • QQPCSoftMgr.exe (PID: 5668)
      • QQTrayMonitor.exe (PID: 4944)
      • QQPCExternal.exe (PID: 5108)
      • QQPCSoftCmd.exe (PID: 4784)
      • qmdl.exe (PID: 4440)
      • qbclient.exe (PID: 5164)
      • QQRepair.exe (PID: 5888)
      • qmdl.exe (PID: 4544)
      • QMBlueScreenFixSetup_13.3.20238.213__1554086049648.exe (PID: 5068)
      • QMRealTimeSpeedupSetup_13.3.20238.213__1554086049648.exe (PID: 4744)
      • QQPCPatch.exe (PID: 5332)
      • VolSnapshot.exe (PID: 1264)
      • VolSnapshot.exe (PID: 4800)
      • QQPCSoftConfig.exe (PID: 5032)
      • qbclient.exe (PID: 2928)
      • QQPCTray.exe (PID: 3448)
      • QQPCLeakScan.exe (PID: 3036)
      • qmsp.exe (PID: 5412)
      • moduptdel.exe (PID: 4872)
      • windows6.1-kb304001-x86-x64.exe (PID: 4308)
      • QQPCTray.exe (PID: 5432)
    • Registers / Runs the DLL via REGSVR32.EXE

      • QQPCMgr_Setup.exe (PID: 2308)
      • QQPCTray.exe (PID: 936)
    • Loads dropped or rewritten executable

      • QQPCSoftCmd.exe (PID: 3944)
      • QQPCDownload110084.exe (PID: 2072)
      • QQPCRTP.exe (PID: 4000)
      • regsvr32.exe (PID: 3140)
      • QMSuperScan.exe (PID: 2244)
      • regsvr32.exe (PID: 3616)
      • regsvr32.exe (PID: 3848)
      • regsvr32.exe (PID: 1528)
      • QQPCTray.exe (PID: 3512)
      • QQPCRTP.exe (PID: 1304)
      • QQPCRTP.exe (PID: 2532)
      • QMCheckNetwork.exe (PID: 3172)
      • QMCheckNetwork.exe (PID: 3368)
      • QQPCRTP.exe (PID: 3460)
      • QQPCTray.exe (PID: 936)
      • InstallUninstallCube.exe (PID: 3388)
      • QQTrayMonitor.exe (PID: 1684)
      • VolSnapshot.exe (PID: 664)
      • QQPCRealTimeSpeedup.exe (PID: 5624)
      • regsvr32.exe (PID: 4216)
      • QQTrayMonitor.exe (PID: 4900)
      • QQPCSoftMgr.exe (PID: 5668)
      • QQPCMgr.exe (PID: 4912)
      • QQPCTray.exe (PID: 4904)
      • QQTrayMonitor.exe (PID: 4944)
      • QQPCTxtExt.exe (PID: 4576)
      • QQPCExternal.exe (PID: 5108)
      • QQPCSoftCmd.exe (PID: 4784)
      • qmdl.exe (PID: 4440)
      • QQRepair.exe (PID: 5888)
      • qbclient.exe (PID: 5164)
      • qmdl.exe (PID: 4544)
      • firefox.exe (PID: 3644)
      • explorer.exe (PID: 276)
      • QMBlueScreenFixSetup_13.3.20238.213__1554086049648.exe (PID: 5068)
      • QQPCPatch.exe (PID: 5332)
      • VolSnapshot.exe (PID: 1264)
      • VolSnapshot.exe (PID: 4800)
      • qbclient.exe (PID: 2928)
      • QQPCTray.exe (PID: 5432)
      • qmsp.exe (PID: 5412)
      • QQPCTray.exe (PID: 3448)
      • QQPCLeakScan.exe (PID: 3036)
      • QQPCSoftConfig.exe (PID: 5032)
    • Changes the autorun value in the registry

      • QQPCMgr_Setup.exe (PID: 2308)
      • QQRepair.exe (PID: 5888)
      • QQPCRTP.exe (PID: 3460)
    • Actions looks like stealing of personal data

      • QQPCRTP.exe (PID: 3460)
      • QQPCTray.exe (PID: 936)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • firefox.exe (PID: 3644)
      • QQPCDownload110084.exe (PID: 2072)
      • QQPCMgr_Setup.exe (PID: 2308)
      • QQPCTray.exe (PID: 936)
      • QQPCRTP.exe (PID: 3460)
      • QQPCRealTimeSpeedup.exe (PID: 5624)
      • qmdl.exe (PID: 4440)
      • QMBlueScreenFixSetup_13.3.20238.213__1554086049648.exe (PID: 5068)
      • QQPCPatch.exe (PID: 5332)
    • Creates files in the user directory

      • QQPCDownload110084.exe (PID: 2072)
      • QQPCMgr_Setup.exe (PID: 2308)
      • QQPCSoftCmd.exe (PID: 3944)
      • QMSuperScan.exe (PID: 2244)
      • QQPCTray.exe (PID: 936)
      • qmdl.exe (PID: 4440)
      • explorer.exe (PID: 276)
    • Low-level read access rights to disk partition

      • QQPCDownload110084.exe (PID: 2072)
      • QQPCMgr_Setup.exe (PID: 2308)
      • QMSuperScan.exe (PID: 2244)
      • QQPCRTP.exe (PID: 3460)
      • QQPCTray.exe (PID: 936)
      • QQPCTray.exe (PID: 4904)
      • QQRepair.exe (PID: 5888)
    • Creates COM task schedule object

      • regsvr32.exe (PID: 3140)
      • regsvr32.exe (PID: 1528)
      • regsvr32.exe (PID: 3616)
      • regsvr32.exe (PID: 3848)
      • QQPCTray.exe (PID: 936)
      • regsvr32.exe (PID: 4216)
    • Modifies the open verb of a shell class

      • QQPCMgr_Setup.exe (PID: 2308)
      • QQPCTray.exe (PID: 936)
    • Uses NETSH.EXE for network configuration

      • QQPCMgr_Setup.exe (PID: 2308)
    • Creates files in the Windows directory

      • QQPCMgr_Setup.exe (PID: 2308)
      • QQPCRTP.exe (PID: 3460)
      • QQPCTray.exe (PID: 936)
    • Creates or modifies windows services

      • QQPCMgr_Setup.exe (PID: 2308)
      • QQPCRTP.exe (PID: 3460)
      • QQPCTray.exe (PID: 936)
      • QQRepair.exe (PID: 5888)
    • Creates a software uninstall entry

      • QQPCMgr_Setup.exe (PID: 2308)
    • Creates files in the program directory

      • QQPCSoftCmd.exe (PID: 3944)
      • QQPCRTP.exe (PID: 4000)
      • QMSuperScan.exe (PID: 2244)
      • QQPCMgr_Setup.exe (PID: 2308)
      • InstallUninstallCube.exe (PID: 3388)
      • QQPCRTP.exe (PID: 3460)
      • QQPCTray.exe (PID: 936)
      • QQPCRealTimeSpeedup.exe (PID: 5624)
      • QQPCTray.exe (PID: 4904)
      • QQRepair.exe (PID: 5888)
      • QMBlueScreenFixSetup_13.3.20238.213__1554086049648.exe (PID: 5068)
      • QMRealTimeSpeedupSetup_13.3.20238.213__1554086049648.exe (PID: 4744)
      • qmdl.exe (PID: 4440)
      • QQPCPatch.exe (PID: 5332)
      • QQPCLeakScan.exe (PID: 3036)
      • QQPCSoftMgr.exe (PID: 5668)
    • Creates files in the driver directory

      • QQPCMgr_Setup.exe (PID: 2308)
      • QQPCTray.exe (PID: 936)
      • QQPCRTP.exe (PID: 3460)
    • Application launched itself

      • QMCheckNetwork.exe (PID: 3172)
      • QQPCTray.exe (PID: 936)
    • Executed as Windows Service

      • QQPCRTP.exe (PID: 3460)
      • vssvc.exe (PID: 3372)
    • Uses REG.EXE to modify Windows registry

      • regsvr32.exe (PID: 3616)
    • Searches for installed software

      • QQPCTray.exe (PID: 936)
      • QQPCRTP.exe (PID: 3460)
      • QQPCSoftMgr.exe (PID: 5668)
    • Starts SC.EXE for service management

      • QQRepair.exe (PID: 5888)
    • Uses ICACLS.EXE to modify access control list

      • qmdl.exe (PID: 4440)
    • Reads Internet Cache Settings

      • qbclient.exe (PID: 5164)
      • qbclient.exe (PID: 2928)
      • explorer.exe (PID: 276)
  • INFO

    • Reads CPU info

      • firefox.exe (PID: 3644)
    • Reads settings of System Certificates

      • firefox.exe (PID: 3644)
      • QQPCRTP.exe (PID: 3460)
      • qmdl.exe (PID: 4440)
      • QQPCPatch.exe (PID: 5332)
      • QQPCLeakScan.exe (PID: 3036)
    • Application launched itself

      • firefox.exe (PID: 3644)
      • firefox.exe (PID: 2768)
    • Creates files in the user directory

      • firefox.exe (PID: 3644)
      • WINWORD.EXE (PID: 2204)
      • WINWORD.EXE (PID: 5340)
    • Dropped object may contain Bitcoin addresses

      • QQPCMgr_Setup.exe (PID: 2308)
      • QMBlueScreenFixSetup_13.3.20238.213__1554086049648.exe (PID: 5068)
      • QQPCPatch.exe (PID: 5332)
      • qmdl.exe (PID: 4440)
    • Reads the hosts file

      • qbclient.exe (PID: 5164)
      • qbclient.exe (PID: 2928)
    • Starts Microsoft Office Application

      • explorer.exe (PID: 276)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2204)
      • WINWORD.EXE (PID: 5340)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
134
Monitored processes
75
Malicious processes
45
Suspicious processes
1

Behavior graph


Process information

PID
CMD
Path
Indicators
Parent process
PID: 276
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 664
CMD: "C:\Program Files\Tencent\QQPCMgr\13.3.20238.213\VolSnapshot.exe" 00000003000000010501010000000000000205010000000000000003050150000000
Path: C:\Program Files\Tencent\QQPCMgr\13.3.20238.213\VolSnapshot.exe
Parent process: QQPCRTP.exe
User:
SYSTEM
Company:
Tencent
Integrity Level:
SYSTEM
Description:
Volume Shadow Tool (卷影工具)
Exit code:
0
Version:
13.3.20238.213
Modules
Images
c:\program files\tencent\qqpcmgr\13.3.20238.213\volsnapshot.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\imm32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 936
CMD: "C:\Program Files\Tencent\QQPCMgr\13.3.20238.213\QQPCTray.exe" /regrun
Path: C:\Program Files\Tencent\QQPCMgr\13.3.20238.213\QQPCTray.exe
Parent process: QQPCMgr_Setup.exe
User:
admin
Company:
Tencent
Integrity Level:
HIGH
Description:
PC Manager (电脑管家)
Exit code:
0
Version:
13.3.20238.213
Modules
Images
c:\program files\tencent\qqpcmgr\13.3.20238.213\qqpctray.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 940
CMD: "C:\Windows\system32\sc.exe" start QQPCRtp
Path: C:\Windows\system32\sc.exe
Parent process: QQRepair.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
1056
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1264
CMD: "C:\Program Files\Tencent\QQPCMgr\13.3.20238.213\VolSnapshot.exe" 00000003000000010501010000000000000205010000000000000003050150000000
Path: C:\Program Files\Tencent\QQPCMgr\13.3.20238.213\VolSnapshot.exe
Parent process: QQPCRTP.exe
User:
SYSTEM
Company:
Tencent
Integrity Level:
SYSTEM
Description:
Volume Shadow Tool (卷影工具)
Exit code:
0
Version:
13.3.20238.213
Modules
Images
c:\program files\tencent\qqpcmgr\13.3.20238.213\volsnapshot.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\imm32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 1304
CMD: "C:\Program Files\Tencent\QQPCMgr\13.3.20238.213\QQPCRTP.exe" -e
Path: C:\Program Files\Tencent\QQPCMgr\13.3.20238.213\QQPCRTP.exe
Parent process: QQPCMgr_Setup.exe
User:
admin
Company:
Tencent
Integrity Level:
HIGH
Description:
PC Manager - Real-Time Protection Service (电脑管家-实时防护服务)
Exit code:
0
Version:
13,3,20238,213
Modules
Images
c:\program files\tencent\qqpcmgr\13.3.20238.213\qqpcrtp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\user32.dll
PID: 1528
CMD: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Tencent\QQPCMgr\13.3.20238.213\QMContextScan.dll"
Path: C:\Windows\system32\regsvr32.exe
Parent process: QQPCMgr_Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
5
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1636
CMD: reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}\iexplore\AllowedDomains\*" /f
Path: C:\Windows\system32\reg.exe
Parent process: regsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1684
CMD: "C:\Program Files\Tencent\QQPCMgr\13.3.20238.213\QQTrayMonitor.exe" -start 936 1
Path: C:\Program Files\Tencent\QQPCMgr\13.3.20238.213\QQTrayMonitor.exe
Parent process: QQPCTray.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\tencent\qqpcmgr\13.3.20238.213\qqtraymonitor.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1688
CMD: "C:\Windows\system32\sc.exe" start QQPCRtp
Path: C:\Windows\system32\sc.exe
Parent process: QQRepair.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
1056
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
17 739
Read events
11 506
Write events
6 146
Delete events
87

Modification events

(PID) Process: (3644) firefox.exe
Key: HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe|Browser
Value:
91D0A53601000000
(PID) Process: (2768) firefox.exe
Key: HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe|Launcher
Value:
7C2FA23601000000
(PID) Process: (276) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation: write
Name: 308046O0NS4N39PO
Value:
00000000090000000E000000CC190500000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF605D425CD146D50100000000
(PID) Process: (276) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation: write
Name: HRZR_PGYFRFFVBA
Value:
(PID) Process: (3644) firefox.exe
Key: HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe|Telemetry
Value:
1
(PID) Process: (3644) firefox.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value:
0
(PID) Process: (3644) firefox.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value:
(PID) Process: (276) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation: write
Name: HRZR_PGYFRFFVBA
Value:
(PID) Process: (3644) firefox.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation: write
Name: LanguageList
Value:
en-US
(PID) Process: (276) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation: write
Name: HRZR_PGYFRFFVBA
Value:
Executable files
772
Suspicious files
670
Text files
1 214
Unknown types
264

Dropped files

PID
Process
Filename
Type
PID: 3644
Process: firefox.exe
Filename: C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin
MD5:
SHA256:
PID: 3644
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm
MD5:
SHA256:
PID: 3644
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp
MD5:
SHA256:
PID: 3644
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4.tmp
MD5:
SHA256:
PID: 3644
Process: firefox.exe
Filename: C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin
Type: binary
MD5:
SHA256:
PID: 3644
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4
Type: jsonlz4
MD5:
SHA256:
PID: 3644
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js
Type: text
MD5:
SHA256:
PID: 3644
Process: firefox.exe
Filename: C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-child-current.bin
Type: binary
MD5:
SHA256:
PID: 3644
Process: firefox.exe
Filename: C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\base-track-digest256.sbstore
Type: binary
MD5:
SHA256:
PID: 3644
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js
Type: text
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
17
TCP/UDP connections
81
DNS requests
109
Threats
33

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2072
QQPCDownload110084.exe
GET
203.205.138.45:80
http://dlied6.qq.com/invc/xfspeed/qqpcmgr/versetup/update/PCMgr_Setup_133_20238_213.exe
CN
whitelisted
3644
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
3644
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
3644
firefox.exe
POST
200
104.18.20.226:80
http://ocsp2.globalsign.com/gsorganizationvalsha2g2
US
der
1.54 Kb
whitelisted
2072
QQPCDownload110084.exe
GET
200
203.205.218.69:80
http://c.gj.qq.com/packconfig?serviceid=2230&clientver=1000&gjguid=542c88427ed7f88db1ef45cfb7ad7895&check=6364593&livetime=0
CN
binary
1.28 Kb
whitelisted
2072
QQPCDownload110084.exe
GET
200
203.205.218.69:80
http://c.gj.qq.com/fcgi-bin/downurlquery?id=110084&guid=QN2U1b7Dzh7H5HoIop8HCeuJZm5e50KKnvPi3ecNa8MgzP1DKvkq99UnnPO/wt%2BS&ver=13.0.24.101
CN
text
856 b
whitelisted
3644
firefox.exe
POST
200
172.217.16.131:80
http://ocsp.pki.goog/gts1o1
US
der
471 b
whitelisted
3644
firefox.exe
POST
200
104.18.20.226:80
http://ocsp2.globalsign.com/gsorganizationvalsha2g2
US
der
1.54 Kb
whitelisted
3644
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
3644
firefox.exe
POST
200
172.217.16.131:80
http://ocsp.pki.goog/gts1o1
US
der
471 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3644
firefox.exe
52.36.193.139:443
search.services.mozilla.com
Amazon.com, Inc.
US
unknown
3644
firefox.exe
52.33.147.163:443
tiles.services.mozilla.com
Amazon.com, Inc.
US
unknown
3644
firefox.exe
52.222.163.241:443
firefox.settings.services.mozilla.com
Amazon.com, Inc.
US
unknown
3644
firefox.exe
203.205.146.22:443
guanjia.qq.com
Tencent Building, Kejizhongyi Avenue
CN
malicious
3644
firefox.exe
172.217.16.131:80
ocsp.pki.goog
Google Inc.
US
whitelisted
3644
firefox.exe
172.217.22.42:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
3644
firefox.exe
203.205.158.62:80
s.pc.qq.com
Tencent Building, Kejizhongyi Avenue
CN
suspicious
3644
firefox.exe
203.205.158.62:443
s.pc.qq.com
Tencent Building, Kejizhongyi Avenue
CN
suspicious
3644
firefox.exe
104.18.20.226:80
ocsp2.globalsign.com
Cloudflare Inc
US
shared
3644
firefox.exe
13.225.78.104:443
content-signature-2.cdn.mozilla.net
US
suspicious

DNS requests

Domain
IP
Reputation
detectportal.firefox.com
  • 2.16.186.50
  • 2.16.186.112
whitelisted
a1089.dscd.akamai.net
  • 2.16.186.112
  • 2.16.186.50
whitelisted
search.services.mozilla.com
  • 52.36.193.139
  • 34.210.145.79
  • 52.26.8.178
whitelisted
search.r53-2.services.mozilla.com
  • 52.26.8.178
  • 34.210.145.79
  • 52.36.193.139
whitelisted
push.services.mozilla.com
  • 54.149.38.36
whitelisted
autopush.prod.mozaws.net
  • 54.149.38.36
whitelisted
snippets.cdn.mozilla.net
  • 13.224.185.215
whitelisted
d228z91au11ukj.cloudfront.net
  • 13.224.185.215
whitelisted
tiles.services.mozilla.com
  • 52.33.147.163
  • 35.166.89.106
  • 52.43.93.252
  • 52.24.113.72
  • 52.10.184.57
  • 52.35.186.10
  • 52.11.24.67
  • 52.33.232.96
whitelisted
tiles.r53-2.services.mozilla.com
  • 52.33.232.96
  • 52.11.24.67
  • 52.35.186.10
  • 52.10.184.57
  • 52.24.113.72
  • 52.43.93.252
  • 35.166.89.106
  • 52.33.147.163
whitelisted

Threats

PID
Process
Class
Message
1060
svchost.exe
Potentially Bad Traffic
ET INFO Observed DNS Query to .cloud TLD
1060
svchost.exe
Potentially Bad Traffic
ET INFO Observed DNS Query to .cloud TLD
2072
QQPCDownload110084.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2072
QQPCDownload110084.exe
Misc activity
ADWARE [PTsecurity] QQ_games PUP Installer
2072
QQPCDownload110084.exe
Misc activity
ADWARE [PTsecurity] QQ_games PUP Installer
2308
QQPCMgr_Setup.exe
Generic Protocol Command Decode
SURICATA TLS error message encountered
2308
QQPCMgr_Setup.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
2308
QQPCMgr_Setup.exe
Generic Protocol Command Decode
SURICATA TLS error message encountered
2308
QQPCMgr_Setup.exe
Misc activity
ADWARE [PTsecurity] QQ_games PUP Installer
2308
QQPCMgr_Setup.exe
Misc activity
ADWARE [PTsecurity] QQ_games PUP Installer
Process
Message
QQPCMgr_Setup.exe
"cacls" "C:\Program Files\Tencent\QQPCMgr\13.3.20238.213" /t /e /c /g SYSTEM:f
QQPCSoftCmd.exe
=========== mem dump after here is valid ========
QQPCMgr_Setup.exe
CreateService
QQPCMgr_Setup.exe
0
QQPCMgr_Setup.exe
StartService
QQPCMgr_Setup.exe
0
QQPCMgr_Setup.exe
CreateService
QQPCMgr_Setup.exe
0
QQPCMgr_Setup.exe
StartService
QQPCMgr_Setup.exe
0