Malware Analysis Report

2025-08-05 21:25

Sample ID 231222-nm3z1shahn
Target 88adccaaa565b5f653bc4dbae68a743f
SHA256 bfa718d6906897aa810b7a7aeff88c6f4188af7be215acebbec5fbdd875575e2
Tags persistence upx vmprotect
score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score 7/10

SHA256 bfa718d6906897aa810b7a7aeff88c6f4188af7be215acebbec5fbdd875575e2

Threat Level: Shows suspicious behavior

The file 88adccaaa565b5f653bc4dbae68a743f shows suspicious behavior.

Malicious Activity Summary

persistence upx vmprotect

UPX packed file

VMProtect packed file

Executes dropped EXE

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

Adds Run key to start application

AutoIT Executable

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-12-22 11:31

Signatures

AutoIT Executable

1 match (no description, indicator, process or target recorded)

Analysis: behavioral2

Detonation Overview

Submitted 2023-12-22 11:31
Reported 2023-12-22 11:34
Platform win10v2004-20231215-en
Max time kernel 147s
Max time network 167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\88adccaaa565b5f653bc4dbae68a743f.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

2 matches (no description, indicator, process or target recorded)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe N/A

UPX packed file

upx
4 matches (no description, indicator, process or target recorded)

VMProtect packed file

vmprotect
6 matches (no description, indicator, process or target recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QQNetBar = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ImageCtrl\\QQNetBar.exe -auto_start -hide" C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe N/A

Suspicious behavior: EnumeratesProcesses

Process Events
C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe 2
C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe 56
(no description, indicator or target recorded for any event)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\88adccaaa565b5f653bc4dbae68a743f.exe
  "C:\Users\Admin\AppData\Local\Temp\88adccaaa565b5f653bc4dbae68a743f.exe"

C:\Windows\explorer.exe
  C:\Windows\explorer.exe /e,C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe

C:\Windows\explorer.exe
  C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe
  C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe

C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe
  "C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
CN 222.187.223.80:11111 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 rptdata.wb.qq.com udp
CN 61.241.53.198:80 rptdata.wb.qq.com tcp
CN 61.241.53.198:80 rptdata.wb.qq.com tcp
CN 61.241.53.198:80 rptdata.wb.qq.com tcp
CN 222.187.223.80:11111 tcp
US 8.8.8.8:53 80.223.187.222.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
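Most rows in this table are the sandbox's own DNS traffic rather than the sample's: every in-addr.arpa query is a reverse (PTR) lookup, and only one of them, 80.223.187.222.in-addr.arpa, refers to an address the sample actually connected to (222.187.223.80). The script below is an added example, not part of the report, that separates the two classes using only what the table shows: PTR names are converted back to the address they ask about and cross-checked against the connected endpoints, leaving the actionable set of a hard-coded IP on a non-standard port (no forward lookup preceded it) and HTTP to a hostname that was resolved first. NETWORK_TABLE is this detonation's table copied verbatim minus its header; the behavioral1 table contains the same two endpoints and nothing else.

```python
"""Triage of the behavioral2 network table: sandbox DNS noise vs. sample endpoints.

Added example, not part of the sandbox report. Uses only the standard library.
"""
from collections import Counter, defaultdict

# The report's behavioral2 network rows, copied verbatim (header omitted).
NETWORK_TABLE = """\
US 8.8.8.8:53 20.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
CN 222.187.223.80:11111 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 rptdata.wb.qq.com udp
CN 61.241.53.198:80 rptdata.wb.qq.com tcp
CN 61.241.53.198:80 rptdata.wb.qq.com tcp
CN 61.241.53.198:80 rptdata.wb.qq.com tcp
CN 222.187.223.80:11111 tcp
US 8.8.8.8:53 80.223.187.222.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
"""

PTR_SUFFIX = ".in-addr.arpa"
WEB_PORTS = {"80", "443"}


def ptr_to_ip(name: str) -> str:
    """'80.223.187.222.in-addr.arpa' -> '222.187.223.80' (PTR names carry the octets reversed)."""
    if not name.endswith(PTR_SUFFIX):
        raise ValueError("not a PTR name: " + name)
    return ".".join(reversed(name[: -len(PTR_SUFFIX)].split(".")))


def parse_rows(text: str):
    """Rows are 'Country Destination [Domain] Proto'; Domain is absent for bare-IP connections."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, ""
        else:
            continue
        if ":" not in dest:          # skips a header line if one is pasted in
            continue
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def triage(rows) -> dict:
    ptr_ips, forward_names = set(), set()
    direct, named = Counter(), defaultdict(Counter)
    for r in rows:
        ip, port = r["dest"].rsplit(":", 1)
        if port == "53" and r["proto"] == "udp":      # a DNS query, not a sample endpoint
            if r["domain"].endswith(PTR_SUFFIX):
                ptr_ips.add(ptr_to_ip(r["domain"]))
            elif r["domain"]:
                forward_names.add(r["domain"])
            continue
        if r["domain"]:
            named[r["domain"]][r["dest"]] += 1
        else:
            direct[r["dest"]] += 1
    connected_ips = {d.rsplit(":", 1)[0] for d in direct}
    connected_ips |= {d.rsplit(":", 1)[0] for c in named.values() for d in c}
    findings = []
    for dest, n in direct.items():
        ip, port = dest.rsplit(":", 1)
        why = ["no forward DNS lookup in the capture (endpoint likely hard-coded)"]
        if port not in WEB_PORTS:
            why.append(f"non-standard port {port}")
        findings.append({"endpoint": dest, "connections": n, "why": why})
    return {
        "direct_ip_connections": dict(direct),
        "named_connections": {k: dict(v) for k, v in named.items()},
        "forward_lookups": forward_names,
        "ptr_for_connected_ips": ptr_ips & connected_ips,   # reverse lookups of IPs the sample talked to
        "ptr_unrelated": ptr_ips - connected_ips,           # reverse lookups with no matching connection
        "findings": findings,
        "block_candidates": {"ips": connected_ips, "domains": set(named)},
    }


if __name__ == "__main__":
    for key, value in triage(parse_rows(NETWORK_TABLE)).items():
        print(f"{key}: {value}")
```

On this table the result is two connections to 222.187.223.80:11111 with no resolution behind them, three HTTP connections to rptdata.wb.qq.com at 61.241.53.198:80, and eleven PTR lookups for addresses that never appear as connections. The hostname is a subdomain of qq.com, so a block on the parent domain would be noisy; the bare IP and port are the cleaner network indicator.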

Files

C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.ini

MD5 3bf136f7f83643b7f5eba261bb4c2ffa
SHA1 32d155fe5d99056407bb9073e4eb782c9f3b884d
SHA256 3d3c9c28ce7db48aa5d1833de2bfa0b8727279a3643b32ec9096e164d556b815
SHA512 1f1629a3f67f3f7773af28dbc89b4dacd5b73385f5af1aaa37b6de7fc2a389664c62ca7f36a782103a7613903c4453390fd95ac258e1165d993da972a108253f

C:\Users\Admin\AppData\Local\Temp\autB643.tmp

MD5 afc6668c86265923b89c489e896993fb
SHA1 6e806156a09ff9104cb81121ce9db4b606dd5ca3
SHA256 daabb89d386c0616759e23394d0059799c6f28b84052d945b6bc8d753691518c
SHA512 71624fd81dc966e41d79d64d438b0d82d1c14b2b911dd1c4e5759badafc646d610478113dd70c93b44f6d2051be1bae91d60f564f4d506a37a4188c94fdecb8e

C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe

MD5 e79eda3505dd686caa34f2d04e6e887a
SHA1 d5ba460a65fa92c7a42e257b53c6ba1dbe69a55f
SHA256 cd55b27aa688b31139a5aea7468653ecbac411a73d98ef0e1c5d67777addc608
SHA512 4c73187d331bb5a503e83ac80da9fd9a7613769c0c5cbc7f36aaebd7efeee5a95d67049c0948b50e4b4211834e7bfd2436223109529791095bf835a98dac0797

C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe

MD5 044bdfed06765dcc3e48c4e0bd956814
SHA1 e6db6c3475c2a6edf6889e5eed618f0e422aeb14
SHA256 fa5175e4de390a8d7fbe9cf9668552ed941e034552ecf4614918e02776ef543c
SHA512 ba40cd87494f73fa50bb6b6d9e0f7155e2269761a1921dd365c45cd34dfff2461b222be34138bf7e37bca69f2d7d85d53acb96ce184740fca99a6b752e1f221d

C:\Users\Admin\AppData\Local\Temp\ImageCtrl\wxmsw28u_gcc_cb.dll

MD5 5f5b1fa457fce8d2064128a2ae557a89
SHA1 4bf02c5bb870cc79cfdc73668b0346415725243d
SHA256 cd2ff17694c0735119324e83efd923f54ca62d9059e1da22e5b2b34c637092d0
SHA512 6e1fa803a64bdcc9df285816891e00f78db45bfcc1da6bb500be3e3a92bf23cb4e9b52926261cb7a9e1115e9c11468f378b37b30dc27285003397350fc3342d1

C:\Users\Admin\AppData\Local\Temp\ImageCtrl\ui.dat

MD5 765c39ba7093f60ec92611231451da5c
SHA1 d54eeb7d9b3d5ecc41f5ab7fe8d5ad1dab85bc2e
SHA256 7462f7a447795628daa07fcf207992c8bbeddfe9d85016424194b2964f3fa0f9
SHA512 ce27812adf1670b168f79a600e3582dcf30148a6e2878d81c41ee114606b2dd06bbf8c7b8eee749f297d43c7d586e200b2b35defeb0712200585e4d1d7f461c4

memory/4788-61-0x0000000010000000-0x000000001003C000-memory.dmp

memory/4788-59-0x0000000075460000-0x00000000755F3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ImageCtrl\wxmsw28u_gcc_cb.dll

MD5 15714a17b896262e732a872c896f50c4
SHA1 3eafd92988d64f04df7e4e209b90d7b06733e3d5
SHA256 e4405d0dac6b1e5a2f7fa23c4702f6656d389be667e264ec16f2fb05622e7a5a
SHA512 b8191e23d5dfec744f9634117dd65e4d18157d8e466b9771bbc71c3e4f6c143081ee3abc718fddaccd5aa0054883b8eaff5a560141867104edc6a412982d393c

C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe

MD5 4a114d607b2c4f8fef3a773048fd0af4
SHA1 6be18de9040d924ecaa55052d6d6a045b03ce583
SHA256 4c8d020d9b68d1cd1dc822b4e91dc36ba0491ecfbc93de9cc42fb540fa88f6a4
SHA512 28166a34897e93408bf8be1ba75152f641f32332f8037fea282d0b22a0a9936662b72075bb01d1989dfc864c1dbffde3b68477f2adefad1409fc381856c38f64

C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe

MD5 2c478d1e0a928dcd9dee488b9b073260
SHA1 d64f514ac454741ec02092af332b5bb8a5983a07
SHA256 9b7190617da5d0b37bd803104eb2f7d2718ee926c256a8895d29ecb6e4ff8482
SHA512 e01b1b6fc655bac7d7d156dba6147b7ece2084626fa972454308b6615e9b8b8ad7b7788b844ccc21613815f39cff1fcdfe8bd0cc41c2d23a71a60ef20cb6d2d8

C:\Users\Admin\AppData\Local\Temp\ImageCtrl\common.dll

MD5 13dc935c33f2ebdad54db30e360f1dea
SHA1 1a98b92a76ac7dc4ef700bf49ec50c61d68ac463
SHA256 ae5776a6360d506542388147d8a66cc0e3b6c477ecd41ab745912b4c97be2ccd
SHA512 09fea3714a241484c3600eac77e2e554d3e353cb1c25d23eaa0ab350496297c74ca7d395fd315eb3b983870e7912b162581cdec5464e5dc3ae7c741c8db3b4e9

C:\Users\Admin\AppData\Local\Temp\ImageCtrl\msvcr100.dll

MD5 e7253e344ad8e41b0b1f1daa590ccdc2
SHA1 5bdc3b37e19059ec3102f24ed0221346cfe901bf
SHA256 206c018417188f27ab8711884a7e90f2962dc75dcae0986e3a7d051b51b4d425
SHA512 6ffda0e972e2d8fab89299394a785a8d3352a6cb35e7558404223d3b4ff4e3d1f5713af616239de29e4c89d2ae891a8d279289525aa0facb17ac3a828fb3df3c

C:\Users\Admin\AppData\Local\Temp\ImageCtrl\msvcr100.dll

MD5 1f0a03cefa0160b3921a39a061e081d9
SHA1 cbc9648e8240c298252085a89d6f131c50499abc
SHA256 1a8cb2642185eae9e714c9228968e6a3398cc2f4f77b343cac2a8de0cce9c30b
SHA512 cc3f283485acb7e364ee36aeb9a6f6f5e672f032e1015d015e102c58e5bb70570d0b68a5a3f3885b34b8bbc6597ea73195cb352c74ccb220fe5dc356d9dc6fee

C:\Users\Admin\AppData\Local\Temp\ImageCtrl\common.dll

MD5 3009f42f8ad97987660c789ee2efbb26
SHA1 67efb360c73273545c16e6e412d2308b107a57f5
SHA256 3803b31255ec6b2f745d232dace93c7affdb0d1491fa6917886ad7dd2f29fe1d
SHA512 d0b1bd5514fbf2dcfc674d1b1f9581109c50d59e9dd20278239e3d7a8eab8e9f9e7adb9cc9de5458d6bf9cf6a2a44d6163ad1f2ef735146f70362f2ee1963d32

C:\Users\Admin\AppData\Local\Temp\ImageCtrl\MSVCR100.dll

MD5 bf38660a9125935658cfa3e53fdc7d65
SHA1 0b51fb415ec89848f339f8989d323bea722bfd70
SHA256 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

C:\Users\Admin\AppData\Local\Temp\ImageCtrl\msvcp100.dll

MD5 e3c817f7fe44cc870ecdbcbc3ea36132
SHA1 2ada702a0c143a7ae39b7de16a4b5cc994d2548b
SHA256 d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf
SHA512 4fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe

memory/3204-75-0x0000000000400000-0x00000000007CB000-memory.dmp

memory/3204-77-0x0000000000D60000-0x0000000000D61000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ImageCtrl\log\QQNetBar.log

MD5 9429ffbca2ddab43f28256484c9aae08
SHA1 510bb0e6ee5cdc5a1b5c0915f52cce262395db97
SHA256 d2de38c210d4b69dd8232374672fb4463e6ce488820e9fe246036af78b9f05cb
SHA512 79614d487ec176d8262bb6b5832f5216f81a4b999ff1904f64154a39b9adffd58c8b0de0f82cce33082f1e59a6d02bc2b56c7bd35729aa2ee9ab42090ddbfc79

memory/4788-82-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4788-83-0x0000000075460000-0x00000000755F3000-memory.dmp

memory/3204-86-0x0000000000400000-0x00000000007CB000-memory.dmp

memory/3204-87-0x0000000000400000-0x00000000007CB000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted 2023-12-22 11:31
Reported 2023-12-22 11:34
Platform win7-20231215-en
Max time kernel 142s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\88adccaaa565b5f653bc4dbae68a743f.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

1 match (no description, indicator, process or target recorded)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe N/A

UPX packed file

upx
3 matches (no description, indicator, process or target recorded)

VMProtect packed file

vmprotect
4 matches (no description, indicator, process or target recorded)
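The "UPX packed file" and "VMProtect packed file" signatures fire in both detonations but the report records no detail for them. The cheapest form of these checks is the PE section table: UPX leaves sections named UPX0/UPX1/UPX2, VMProtect leaves .vmp0/.vmp1/.vmp2, and in either case the packed body has near-random bytes, so high entropy on an executable section corroborates a name match. The script below is an added example, not part of the report and not the sandbox's signature logic; it walks the PE headers with the standard library only, and the images it is run on are constructed by its own build_pe() helper rather than taken from the sample (none of the dropped binaries are reproduced on this page). A name match alone is weak evidence, since section names are trivially renamed and the report also flags an ACProtect layer, which this check does not cover.

```python
"""Packer indicators from the PE section table (UPX, VMProtect) plus section entropy.

Added example, not part of the sandbox report. Standard library only.
"""
import math
import struct

UPX_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
VMP_NAMES = {b".vmp0", b".vmp1", b".vmp2"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """MZ -> e_lfanew -> PE signature -> COFF header -> section table.
    Returns [(name, raw_offset, raw_size, characteristics)] in table order."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size                 # section table follows the optional header
    sections = []
    for i in range(n_sections):
        entry = table + 40 * i
        name = pe[entry:entry + 8].rstrip(b"\0")
        raw_size, raw_off = struct.unpack_from("<II", pe, entry + 16)   # SizeOfRawData, PointerToRawData
        characteristics = struct.unpack_from("<I", pe, entry + 36)[0]
        sections.append((name, raw_off, raw_size, characteristics))
    return sections


def packer_indicators(pe: bytes, entropy_threshold: float = 7.0) -> dict:
    """Name-based packer hits, plus executable sections whose bytes look compressed or encrypted."""
    sections = parse_sections(pe)
    names = {s[0] for s in sections}
    packers = []
    if names & UPX_NAMES:
        packers.append("upx")
    if names & VMP_NAMES:
        packers.append("vmprotect")
    high_entropy = []
    for name, off, size, chars in sections:
        if chars & IMAGE_SCN_MEM_EXECUTE and size:
            ent = shannon_entropy(pe[off:off + size])
            if ent >= entropy_threshold:
                high_entropy.append((name.decode("latin-1"), round(ent, 2)))
    return {"packers": packers, "high_entropy_exec_sections": high_entropy,
            "sections": [s[0].decode("latin-1") for s in sections]}


def build_pe(sections) -> bytes:
    """Constructed minimal PE: DOS header, PE signature, COFF header with a zero-length
    optional header (enough for parse_sections), section table, raw section data.
    sections: list of (name: bytes, data: bytes, characteristics: int)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    raw_off = e_lfanew + 4 + 20 + 40 * len(sections)
    table, blobs = bytearray(), bytearray()
    for name, data, chars in sections:
        table += name.ljust(8, b"\0")
        table += struct.pack("<IIIIIIHHI", len(data), 0x1000, len(data),
                             raw_off + len(blobs), 0, 0, 0, 0, chars)
        blobs += data
    return bytes(dos) + b"PE\0\0" + coff + bytes(table) + bytes(blobs)


# Constructed section bodies: a uniform byte distribution (entropy 8.0) stands in for a
# compressed/encrypted stub, a run of NOPs (entropy 0.0) for ordinary code.
PACKED_BODY = bytes((i * 7919 + 13) % 256 for i in range(4096))
PLAIN_BODY = b"\x90" * 4096
UPX_LIKE = build_pe([(b"UPX0", b"", IMAGE_SCN_MEM_EXECUTE), (b"UPX1", PACKED_BODY, IMAGE_SCN_MEM_EXECUTE)])
VMP_LIKE = build_pe([(b".text", PLAIN_BODY, IMAGE_SCN_MEM_EXECUTE), (b".vmp0", PACKED_BODY, IMAGE_SCN_MEM_EXECUTE)])
PLAIN = build_pe([(b".text", PLAIN_BODY, IMAGE_SCN_MEM_EXECUTE), (b".data", b"config=1\0", 0x40)])

if __name__ == "__main__":
    for label, image in (("upx-like", UPX_LIKE), ("vmprotect-like", VMP_LIKE), ("plain", PLAIN)):
        print(label, packer_indicators(image))
```

To run it on a real file, replace the constructed images with `open(path, "rb").read()`; the entropy threshold of 7.0 bits is a common working value, not a hard boundary, and a compressed resource section can exceed it without being packed code.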

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\QQNetBar = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ImageCtrl\\QQNetBar.exe -auto_start -hide" C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe N/A
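The Run-key indicator is the most durable artifact in this report: both detonations write the same value name (QQNetBar) with the same command under the current user's Run key, and only the user SID differs because each run used its own VM image. The value points into AppData\Local\Temp, passes -hide, and is written by qqwb_protect.exe rather than by the QQNetBar.exe it launches. The script below is an added example, not part of the report, that parses the two indicator rows exactly as printed above, applies those three checks, and derives the SID-free HKCU path to hunt for on other hosts. CONTROL_ROW is constructed here as a benign-looking counterexample and is not from the report.

```python
"""Triage of "Adds Run key to start application" indicator rows.

Added example, not part of the sandbox report and not its signature code.
"""
import re
from dataclasses import dataclass, field

# Both rows copied from the report (behavioral2, then behavioral1).
REPORT_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QQNetBar = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ImageCtrl\\QQNetBar.exe -auto_start -hide" C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\QQNetBar = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ImageCtrl\\QQNetBar.exe -auto_start -hide" C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe N/A',
]
# Constructed benign-looking control row; not from the report.
CONTROL_ROW = r'Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater = "C:\\Tools\\ExampleUpdater\\updater.exe /background" C:\Tools\ExampleUpdater\updater.exe N/A'

ROW_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\(?P<hive>USER|MACHINE)\\'
    r'(?:(?P<sid>S-[0-9-]+)\\)?(?P<subkey>\S+?\\Run)\\(?P<name>\S+)'
    r' = "(?P<data>[^"]*)" (?P<writer>\S+) (?P<target>\S+)$'
)
IMAGE_RE = re.compile(r'^"?(?P<image>.+?\.exe)"?(?:\s+(?P<args>.*))?$', re.IGNORECASE)
HIDE_FLAGS = {"-hide", "/hide", "-silent", "/silent"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")


@dataclass
class RunKeyFinding:
    hive: str
    subkey: str
    value_name: str
    image: str
    args: list
    writer: str
    flags: list = field(default_factory=list)

    @property
    def hunt_path(self) -> str:
        """SID-independent form of the key, usable as a hunt query on any host."""
        root = "HKCU" if self.hive == "USER" else "HKLM"
        return f"{root}\\{self.subkey}\\{self.value_name}"

    @property
    def suspicious(self) -> bool:
        return len(self.flags) >= 2


def parse_run_key_row(row: str) -> RunKeyFinding:
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError("not a Run-key indicator row: " + row[:60])
    data = m["data"].replace("\\\\", "\\")     # the report doubles backslashes inside the quoted value
    im = IMAGE_RE.match(data)
    if not im:
        raise ValueError("cannot split image from arguments: " + data)
    f = RunKeyFinding(m["hive"], m["subkey"], m["name"], im["image"],
                      (im["args"] or "").split(), m["writer"])
    image, writer = f.image.lower(), f.writer.lower()
    if any(p in image for p in USER_WRITABLE):
        f.flags.append("autorun image lives in a user-writable directory")
    if any(a.lower() in HIDE_FLAGS for a in f.args):
        f.flags.append("launch arguments hide the window")
    if writer != image and any(p in writer for p in USER_WRITABLE):
        f.flags.append("value written by a different dropped binary")
    return f


if __name__ == "__main__":
    for row in REPORT_ROWS + [CONTROL_ROW]:
        f = parse_run_key_row(row)
        verdict = "suspicious" if f.suspicious else "benign"
        print(f.hunt_path, "->", f.image, f.args, verdict, f.flags)
```

Both report rows reduce to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QQNetBar with all three flags raised; the control row raises none.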

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe N/A

Suspicious behavior: EnumeratesProcesses

Process Events
C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe 28
C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe 1
(no description, indicator or target recorded for any event)

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 1352 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\88adccaaa565b5f653bc4dbae68a743f.exe C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe 4
PID 2736 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe C:\Windows\explorer.exe 4
PID 2756 wrote to memory of 2592 N/A C:\Windows\explorer.exe C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\88adccaaa565b5f653bc4dbae68a743f.exe
  "C:\Users\Admin\AppData\Local\Temp\88adccaaa565b5f653bc4dbae68a743f.exe"

C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe
  C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe

C:\Windows\explorer.exe
  C:\Windows\explorer.exe /e,C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe

C:\Windows\explorer.exe
  C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe
  "C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe"

Network

Country Destination Domain Proto
CN 222.187.223.80:11111 tcp
US 8.8.8.8:53 rptdata.wb.qq.com udp
CN 61.241.53.198:80 rptdata.wb.qq.com tcp
CN 61.241.53.198:80 rptdata.wb.qq.com tcp
CN 61.241.53.198:80 rptdata.wb.qq.com tcp
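The WriteProcessMemory rows and the Processes list for this detonation together give the process tree: 1352 (the sample) starts 2736 (QQNetBar.exe), 2736 starts 2792 (explorer.exe), and 2592 (qqwb_protect.exe, the process that writes the Run key) is started by a second explorer.exe, 2756, which has no recorded parent. Which of the two explorer.exe command lines belongs to which PID is an inference: the instance QQNetBar.exe spawned must be the one invoked as "explorer.exe /e,<path to qqwb_protect.exe>", so the COM-activated "/factory ... -Embedding" instance is 2756. The security-relevant consequence is that qqwb_protect.exe's recorded parent is explorer.exe rather than a dropped binary, which is exactly the relationship a "Temp executable spawned by Temp executable" rule keys on. Each parent/child pair shows the same four writes into a freshly created child, which is what process start-up looks like under the sandbox's hook, and nothing else in the report points to injected code, so the rows are read here as parent/child evidence. The script below is an added example, not part of the report; it rebuilds the recorded tree from those rows and recovers the effective lineage by matching each explorer.exe child against an earlier "explorer.exe /e,<path>" command issued by another process.

```python
"""Recorded vs. effective process lineage when explorer.exe is used as a launch proxy.

Added example, not part of the sandbox report. PIDs, images and command lines are
the report's; the parent links come from its WriteProcessMemory rows, and the
explorer.exe PID-to-command-line pairing is the inference described in the text.
"""
from dataclasses import dataclass
from typing import Optional

USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]      # None: parent not recorded in the report
    image: str
    cmdline: str


PROCESSES = {p.pid: p for p in [
    Proc(1352, None, r"C:\Users\Admin\AppData\Local\Temp\88adccaaa565b5f653bc4dbae68a743f.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\88adccaaa565b5f653bc4dbae68a743f.exe"'),
    Proc(2736, 1352, r"C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe",
         r"C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe"),
    Proc(2792, 2736, r"C:\Windows\explorer.exe",
         r"C:\Windows\explorer.exe /e,C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe"),
    Proc(2756, None, r"C:\Windows\explorer.exe",       # parent not in the report (inferred pairing)
         r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"),
    Proc(2592, 2756, r"C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe"'),
]}


def is_explorer(p: Proc) -> bool:
    return p.image.lower().endswith("\\explorer.exe")


def explorer_open_target(cmdline: str) -> Optional[str]:
    """Path handed to 'explorer.exe /e,<path>', or None for other explorer invocations."""
    marker = "/e,"
    i = cmdline.lower().find(marker)
    return None if i < 0 else cmdline[i + len(marker):].strip().strip('"')


def find_proxied_launches(procs):
    """Children of explorer.exe living in a user-writable directory whose image path was
    earlier passed to 'explorer.exe /e,<path>' by some other process. That process, the
    parent of the /e instance, is the effective requester of the launch."""
    findings = []
    for child in procs.values():
        parent = procs.get(child.ppid)
        if parent is None or not is_explorer(parent):
            continue
        if not any(w in child.image.lower() for w in USER_WRITABLE):
            continue
        for opener in procs.values():
            if not is_explorer(opener) or opener.ppid is None:
                continue
            target = explorer_open_target(opener.cmdline)
            if target and target.lower() == child.image.lower():
                findings.append({"child_pid": child.pid, "recorded_parent_pid": parent.pid,
                                 "proxy_pid": opener.pid, "requester_pid": opener.ppid})
    return findings


def recorded_lineage(procs, pid):
    """Root-to-leaf chain following only the recorded parent links."""
    chain = []
    while pid is not None and pid in procs:
        chain.append(pid)
        pid = procs[pid].ppid
    return list(reversed(chain))


def effective_lineage(procs, pid):
    """Like recorded_lineage, but a proxied launch is attributed to the requesting process."""
    requester = {f["child_pid"]: f["requester_pid"] for f in find_proxied_launches(procs)}
    chain = []
    while pid is not None and pid in procs:
        chain.append(pid)
        pid = requester.get(pid, procs[pid].ppid)
    return list(reversed(chain))


if __name__ == "__main__":
    name = lambda pid: f"{pid}:{PROCESSES[pid].image.rsplit(chr(92), 1)[-1]}"
    print("recorded :", [name(p) for p in recorded_lineage(PROCESSES, 2592)])
    print("effective:", [name(p) for p in effective_lineage(PROCESSES, 2592)])
```

For qqwb_protect.exe the recorded chain is just explorer.exe (2756) -> qqwb_protect.exe (2592), while the effective chain is the sample (1352) -> QQNetBar.exe (2736) -> qqwb_protect.exe (2592). A detection that correlates an "explorer.exe /e,<path>" command line from a non-shell parent with a later launch of that path under explorer.exe recovers the link that the recorded parent hides.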

Files

C:\Users\Admin\AppData\Local\Temp\ImageCtrl\profile.ini

MD5 afc6668c86265923b89c489e896993fb
SHA1 6e806156a09ff9104cb81121ce9db4b606dd5ca3
SHA256 daabb89d386c0616759e23394d0059799c6f28b84052d945b6bc8d753691518c
SHA512 71624fd81dc966e41d79d64d438b0d82d1c14b2b911dd1c4e5759badafc646d610478113dd70c93b44f6d2051be1bae91d60f564f4d506a37a4188c94fdecb8e

\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe

MD5 044bdfed06765dcc3e48c4e0bd956814
SHA1 e6db6c3475c2a6edf6889e5eed618f0e422aeb14
SHA256 fa5175e4de390a8d7fbe9cf9668552ed941e034552ecf4614918e02776ef543c
SHA512 ba40cd87494f73fa50bb6b6d9e0f7155e2269761a1921dd365c45cd34dfff2461b222be34138bf7e37bca69f2d7d85d53acb96ce184740fca99a6b752e1f221d

C:\Users\Admin\AppData\Local\Temp\ImageCtrl\wxmsw28u_gcc_cb.dll

MD5 079c4783b8bbd68008c5cabe79a99785
SHA1 b9aa4377ecaff0493309a7d2199414c676a41d05
SHA256 d9aaabd737915903e1677046d7efe935ef734c2dd200dd3b472ecae7dc6c33fb
SHA512 660080af21233bd85410fc8002c5d3fc65111749ac824b2210e59e3ef13ab724e62e269323bcced0776b881ca9b1efd2d31fadb822c5149d403bf71558e1e7b2

memory/2736-60-0x0000000074CC0000-0x0000000074E53000-memory.dmp

memory/2736-62-0x0000000010000000-0x000000001003C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ImageCtrl\ui.dat

MD5 765c39ba7093f60ec92611231451da5c
SHA1 d54eeb7d9b3d5ecc41f5ab7fe8d5ad1dab85bc2e
SHA256 7462f7a447795628daa07fcf207992c8bbeddfe9d85016424194b2964f3fa0f9
SHA512 ce27812adf1670b168f79a600e3582dcf30148a6e2878d81c41ee114606b2dd06bbf8c7b8eee749f297d43c7d586e200b2b35defeb0712200585e4d1d7f461c4

C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.ini

MD5 3bf136f7f83643b7f5eba261bb4c2ffa
SHA1 32d155fe5d99056407bb9073e4eb782c9f3b884d
SHA256 3d3c9c28ce7db48aa5d1833de2bfa0b8727279a3643b32ec9096e164d556b815
SHA512 1f1629a3f67f3f7773af28dbc89b4dacd5b73385f5af1aaa37b6de7fc2a389664c62ca7f36a782103a7613903c4453390fd95ac258e1165d993da972a108253f

C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe

MD5 282805e5b4bdd8d7baeaa79d5134692c
SHA1 68a85702b669ba281ef1f21342b715f6ddf60463
SHA256 ab7ee36b272b2bf6486081d64a5776e2fb2a0997b2f2d694053ad61e17e67ea0
SHA512 345dbc54e692291938b995c652a305d821a104d5c5949ed29ff107b06a0191da25828418980bdf914b6dc8442f4041710edc61199418a7bf8c01b2ba194e0806

C:\Users\Admin\AppData\Local\Temp\ImageCtrl\common.dll

MD5 01880bb3ca6c8f35eab0c02060651bb0
SHA1 5959950d50b464903f06704f9d8d84d13be1ee42
SHA256 6dd12ea5899adc328fb51c3c742ab3ded431d08ec1325098d447ab536f0221e2
SHA512 7d35c9ff2f0e2fc9c1e8909e098462d9d23bef05edc3012746019f63a6da3a61db5add2d534780e14b463911ec723d61bac524fe901a25250fbc294c0f354ad2

C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe

MD5 c6576ada75e8f6f42c63ff0e7400ccf1
SHA1 4819c1015a5f77122bc656f1163f7d2deced435a
SHA256 e72ccecbcff75c06906dd0658162d0b75a88bfc8eeaef42ca4ee6a2200d8f2a6
SHA512 0203b91185a7df4f2b3a6b3a900002babbe8aaacbacae8734dd540a6297b8c4a1f0d1642e723a6728293549684c18bdcbed013e4f1d6ede07750f99ff064be5c

\Users\Admin\AppData\Local\Temp\ImageCtrl\common.dll

MD5 fc91f733fe8e145d596a5cecc362c3a2
SHA1 33782f889a5ecabfd8147d4fe1648add88c6a20d
SHA256 5f2ef0b864cbc179c74706dd8ab05b66fcc472d7f1c117e7610070907e6aedab
SHA512 3251a17c3923bdb83ca52d0119eaf67dcaf3b8c42f6287abe1171aab188afa5426c8e28d81d64efff388849e31bcdf9fa2e703346cf906dc478e235ced1183f1

\Users\Admin\AppData\Local\Temp\ImageCtrl\msvcp100.dll

MD5 e3c817f7fe44cc870ecdbcbc3ea36132
SHA1 2ada702a0c143a7ae39b7de16a4b5cc994d2548b
SHA256 d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf
SHA512 4fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe

C:\Users\Admin\AppData\Local\Temp\ImageCtrl\MSVCR100.dll

MD5 f9db05a8a9e19661b334d968a71122bf
SHA1 0369d6c2b6cec49c3dd8bb4c5662d9b5eb267843
SHA256 bc29b6ca92b56bd2d68fc1751d42454664a8c8074b5f7cba24be911f57a809a5
SHA512 f308715df2bf81e24da37f7f135ec1ee45ffb59e1096bf7fcebbe835dbd5cb036015392240dbe1662702e2f54817fed229b919eccfd93bad5f4028952c2a8631

\Users\Admin\AppData\Local\Temp\ImageCtrl\msvcr100.dll

MD5 8d6b3dc733bc202aa367e684f1dc21e8
SHA1 1c585947eaf4b195c70777ce67fd37398588298e
SHA256 ae3474bc13b7c1ae9c82c19fc00c650811abbda71ab6b831d4a7883977f1746c
SHA512 596bf72e5b4a40450c01bea43dabad619f7cf8205cfb6f2e3f2fee79b9941955e74bebed1ac58d868924d977e9a9babd234e06df8c2e4097a91dccbb95b7db25

memory/2592-76-0x0000000000150000-0x0000000000151000-memory.dmp

memory/2592-81-0x0000000000150000-0x0000000000151000-memory.dmp

memory/2592-79-0x0000000000150000-0x0000000000151000-memory.dmp

memory/2592-78-0x0000000000400000-0x00000000007CB000-memory.dmp

memory/2592-83-0x00000000776A0000-0x00000000776A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ImageCtrl\log\QQNetBar.log

MD5 b07634ebee925741ecc708b75a4fe757
SHA1 b486bb70199bfac445a29895b7e7301a03fc174d
SHA256 0466129495a99ff762ce0cfb517039c91c0a455e3a1240a02af0dbb065ea7759
SHA512 6fddd679a5b4b588674892d25c052b7bcf79f10ab511441756f1d141e35d6e9e3365d5defc91dfb0f4fcdce7d9d7a1be3764ddc75c9d2c236abc91fa0b75ef51

memory/2736-87-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2736-88-0x0000000074CC0000-0x0000000074E53000-memory.dmp

memory/2592-91-0x0000000000400000-0x00000000007CB000-memory.dmp