Analysis Overview
SHA256
bfa718d6906897aa810b7a7aeff88c6f4188af7be215acebbec5fbdd875575e2
Threat Level: Shows suspicious behavior
The file 88adccaaa565b5f653bc4dbae68a743f was found to be: Shows suspicious behavior.
Malicious Activity Summary
UPX packed file
VMProtect packed file
Executes dropped EXE
Loads dropped DLL
ACProtect 1.3x - 1.4x DLL software
Adds Run key to start application
AutoIT Executable
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-22 11:31
Signatures
AutoIT Executable
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-22 11:31
Reported
2023-12-22 11:34
Platform
win10v2004-20231215-en
Max time kernel
147s
Max time network
167s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe | N/A |
UPX packed file
VMProtect packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QQNetBar = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ImageCtrl\\QQNetBar.exe -auto_start -hide" | C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\88adccaaa565b5f653bc4dbae68a743f.exe
"C:\Users\Admin\AppData\Local\Temp\88adccaaa565b5f653bc4dbae68a743f.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe /e,C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe
C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe
C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe
"C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| CN | 222.187.223.80:11111 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rptdata.wb.qq.com | udp |
| CN | 61.241.53.198:80 | rptdata.wb.qq.com | tcp |
| CN | 61.241.53.198:80 | rptdata.wb.qq.com | tcp |
| CN | 61.241.53.198:80 | rptdata.wb.qq.com | tcp |
| CN | 222.187.223.80:11111 | | tcp |
| US | 8.8.8.8:53 | 80.223.187.222.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-22 11:31
Reported
2023-12-22 11:34
Platform
win7-20231215-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\88adccaaa565b5f653bc4dbae68a743f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\88adccaaa565b5f653bc4dbae68a743f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe | N/A |
UPX packed file
VMProtect packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\QQNetBar = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ImageCtrl\\QQNetBar.exe -auto_start -hide" | C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\88adccaaa565b5f653bc4dbae68a743f.exe
"C:\Users\Admin\AppData\Local\Temp\88adccaaa565b5f653bc4dbae68a743f.exe"
C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe
C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe /e,C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe
"C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe"
Network
| Country | Destination | Domain | Proto |
| CN | 222.187.223.80:11111 | | tcp |
| US | 8.8.8.8:53 | rptdata.wb.qq.com | udp |
| CN | 61.241.53.198:80 | rptdata.wb.qq.com | tcp |
| CN | 61.241.53.198:80 | rptdata.wb.qq.com | tcp |
| CN | 61.241.53.198:80 | rptdata.wb.qq.com | tcp |
Files