Malware Analysis Report

2025-08-05 21:11

Sample ID 240110-hw5bjsbhe3
Target 4fe6a78b3acc6e4f636891bc5e4bd982
SHA256 c2c66ec47fc9c969de74cbb8ae050243e5c51e8033811cb04bd3b975d0037d1b
Tags
vmprotect
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 4fe6a78b3acc6e4f636891bc5e4bd982 was found to show suspicious behavior.

Malicious Activity Summary

vmprotect

Loads dropped DLL

VMProtect packed file

Unsigned PE

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-01-10 07:06

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-10 07:06

Reported

2024-01-10 07:20

Platform

win7-20231215-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe"

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ = "QMDispatch.QMVBSRoutine" C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\ = "QMDispatch.QMVBSRoutine" C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID\ = "{EBEB87A6-E151-4054-AB45-A6E094C5334B}" C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll" C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\ = "QMDispatch.QMRoutine" C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049} C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\ = "QMDispatch.QMLibrary" C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID\ = "{241D7F03-9232-4024-8373-149860BE27C0}" C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID\ = "QMDispatch.QMVBSRoutine" C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll" C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID\ = "QMDispatch.QMRoutine" C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID\ = "QMDispatch.QMLibrary" C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll" C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0} C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ = "QMDispatch.QMRoutine" C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID\ = "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}" C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B} C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ = "QMDispatch.QMLibrary" C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe

"C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ad.----------.com udp
US 8.8.8.8:53 hi.----------.com udp
US 8.8.8.8:53 hi.----------.com udp

Files

\Users\Admin\AppData\Roaming\mymacro\qdisp.dll

MD5 7171bc500507f070355c8903e0ea6d3d
SHA1 073d479fdbd1f2af5d494e90b950098be63dee75
SHA256 3e02f67604dcc1f9e2f107e3dc04f9dcdc59431b2a9323838b61c427c63b997c
SHA512 a8162de29e73f7a198ab7b592c393c8b39e42d5f6649efeca300a90dd7c70178fca1cfcd1f721588dcff296d5245f9ebfa289c6525c7e8621c8eef3e77787622

\Users\Admin\AppData\Local\Temp\rjhook.dll

MD5 929f56b46242fa68a616374a5403689b
SHA1 45b4ade1f0cc2bf13e74d9801eee5c7abee3c3b2
SHA256 767b2e735693a9455a23b19e7a94643fd6095fa1158cbe22f612d657ebbb670d
SHA512 81c69649efff9d320533bcb3256d42c671877e1d48f9df99134c514aa2d888d11ded13b9d3447949881513e376cf4644b41b997cad2a9ffb51f4f45ca3cdc641

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-10 07:06

Reported

2024-01-10 07:18

Platform

win10v2004-20231215-en

Max time kernel

0s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe"

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll" C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0} C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ = "QMDispatch.QMRoutine" C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\ = "QMDispatch.QMLibrary" C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID\ = "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}" C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ = "QMDispatch.QMLibrary" C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\ = "QMDispatch.QMVBSRoutine" C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\ = "QMDispatch.QMRoutine" C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID\ = "QMDispatch.QMRoutine" C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049} C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ = "QMDispatch.QMVBSRoutine" C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B} C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID\ = "{EBEB87A6-E151-4054-AB45-A6E094C5334B}" C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID\ = "{241D7F03-9232-4024-8373-149860BE27C0}" C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll" C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID\ = "QMDispatch.QMVBSRoutine" C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe

"C:\Users\Admin\AppData\Local\Temp\4fe6a78b3acc6e4f636891bc5e4bd982.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 16.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 ad.----------.com udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 hi.----------.com udp
US 8.8.8.8:53 hi.----------.com udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 93.184.221.240:80 tcp
GB 88.221.134.18:80 tcp
GB 88.221.134.18:80 tcp
US 20.231.121.79:80 tcp
US 204.79.197.200:443 g.bing.com tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 209.135.221.88.in-addr.arpa udp
GB 96.16.110.41:443 tcp
US 93.184.221.240:80 tcp

Files