Analysis Overview
SHA256
5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2
Threat Level: Known bad
The file 5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2 was found to be: Known bad.
Malicious Activity Summary
Detects executables packed with ASPack
Loads dropped DLL
ASPack v2.12-2.42
Executes dropped EXE
Adds Run key to start application
Enumerates connected drives
Drops file in System32 directory
Drops file in Program Files directory
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 21:34
Signatures
Detects executables packed with ASPack
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 21:34
Reported
2024-05-10 21:37
Platform
win10v2004-20240426-en
Max time kernel
141s
Max time network
105s
Command Line
Signatures
Detects executables packed with ASPack
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CPPXP.EXE = "C:\\Program Files (x86)\\spoolsv.exe" | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Ms7002.dll | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| File created | C:\Windows\SysWOW64\RMNXXOU.EXE | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\svchost.exe | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| File created | C:\Program Files (x86)\KAKNN.EXE | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| File created | C:\Program Files (x86)\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "F:\\$RECYCLE.BIN\\RMNXXOU.EXE %1" | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID\ = "Ms7002.ShellExecuteHook" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ = "C:\\Windows\\SysWow64\\Ms7002.dll" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\ = "MaiHook7002" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "F:\\$RECYCLE.BIN\\RMNXXOU.EXE \"%1\"" | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid\ = "{7CD4138D-4147-420B-9749-00A13B526785}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "F:\\$RECYCLE.BIN\\RMNXXOU.EXE %1" | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "F:\\$RECYCLE.BIN\\RMNXXOU.EXE \"%1\"" | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ = "MaiHook7002" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile | C:\Program Files (x86)\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile\qp7002 = "C:\\Windows\\SysWow64\\RMNXXOU.EXE" | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe
"C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe"
C:\Windows\SysWOW64\Regsvr32.exe
Regsvr32.exe C:\Windows\system32\Ms7002.dll /s
C:\Program Files (x86)\svchost.exe
"C:\Program Files (x86)\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.217:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 88.221.83.217:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 217.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/1608-4-0x0000000000730000-0x0000000000731000-memory.dmp
C:\Windows\SysWOW64\RMNXXOU.EXE
| MD5 | 8cdb7f78e0a662b6b3ff256f6dc1382c |
| SHA1 | 48fe220c574135e0d72e9d11abcde1b2ca6b9867 |
| SHA256 | e41443e32604f2a6cea7d64cb05d4d94be4406e99f66e2fb6ab47ca761885583 |
| SHA512 | d98ecb1bfe4206f240618152e9cf3c6df64256a0eaf2a29d6ffa171528742af8b7abc9395c71046218eeee91daa3b2b7f1a0519eee6196c17737119f94736559 |
C:\Windows\SysWOW64\Ms7002.dll
| MD5 | 876a2a99b81968f5b26e3cbe12063d2b |
| SHA1 | 7afa8f33b691b2651b65eb07220cc2fda4b7537c |
| SHA256 | f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0 |
| SHA512 | ca0574dbb5ff4b146679ffc38aa794e64470949cd228518d04d3680d63a1ce2f076e38494fa5b6cd0722c2dc3e35c5b5c3b63483c1fa7dc62bca42c4cf8e0ce1 |
C:\Program Files (x86)\svchost.exe
| MD5 | d21fe3030da81994cdd2b66e5b16e3d5 |
| SHA1 | 9cdfa988a7e737b98dbba313c7c7fa8db15844a7 |
| SHA256 | 5198c43b0b9cc4997ebad0eb6d532270e4d251e32696792f0e0775df0c279bc1 |
| SHA512 | 961ad0b1aec1efa1818574ce8d972d95d3f8b7b046f25a878d533af6fc2f0fceb7668e07f592f8ac6a1e7eeb3009dd6c496e976c22aefe5f16e40b878e99580a |
memory/3756-26-0x00000000023D0000-0x00000000023D1000-memory.dmp
memory/3756-27-0x00000000023D0000-0x00000000023D1000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 21:34
Reported
2024-05-10 21:37
Platform
win7-20240508-en
Max time kernel
117s
Max time network
123s
Command Line
Signatures
Detects executables packed with ASPack
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QGPZ.EXE = "C:\\PerfLogs\\lsm.exe" | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\QGPZ.EXE | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| File created | C:\Windows\SysWOW64\Ms7002.dll | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid\ = "{7CD4138D-4147-420B-9749-00A13B526785}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\JULPJS.EXE %1" | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\PerfLogs\\QGPZ.EXE \"%1\"" | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID\ = "Ms7002.ShellExecuteHook" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ = "C:\\Windows\\SysWow64\\Ms7002.dll" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\PerfLogs\\QGPZ.EXE \"%1\"" | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\ = "MaiHook7002" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\PerfLogs\\QGPZ.EXE %1" | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile\qp7002 = "C:\\Windows\\SysWow64\\QGPZ.EXE" | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785} | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ = "MaiHook7002" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
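The "Modifies registry class" tables in behavioral2 and behavioral1 show the same three mechanisms: a Run value pointing at a dropped copy, the shell\open\command of txtfile, regfile, scrfile and inifile rewritten to launch the dropped EXE with the original document as %1 (so opening any .txt or .reg file re-runs the sample), and Regsvr32 registering a COM object whose InprocServer32 is the dropped Ms7002.dll. Two caveats: the report does not show a write to Explorer\ShellExecuteHooks, so only the COM registration is evidenced, not the hook install; and the Regsvr32 command line names C:\Windows\system32\Ms7002.dll while the file was created in SysWOW64, which is consistent with a 32-bit Regsvr32 under WOW64 file system redirection. The script below is an added example, not the sandbox's own code: it parses rows in this report's table layout (copied from behavioral2, process paths abbreviated) and classifies each registry write; the rule thresholds and the trusted-directory list are the example's own assumptions.

```python
"""Classify registry rows from a sandbox report into persistence/hijack findings.

Added example; not code from the sandbox or the sample. Rows below are copied
from the behavioral2 tables of this report with process paths abbreviated.
"""
import re
from dataclasses import dataclass

# Constructed sample input in the report's "| Description | Indicator | Process | Target |" layout.
SAMPLE_ROWS = r"""
| File created | C:\Windows\SysWOW64\Ms7002.dll | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File created | C:\Windows\SysWOW64\RMNXXOU.EXE | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| File created | C:\Program Files (x86)\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CPPXP.EXE = "C:\\Program Files (x86)\\spoolsv.exe" | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "F:\\$RECYCLE.BIN\\RMNXXOU.EXE \"%1\"" | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "F:\\$RECYCLE.BIN\\RMNXXOU.EXE %1" | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ = "C:\\Windows\\SysWow64\\Ms7002.dll" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
"""

ROW_RE = re.compile(
    r'^\|\s*(?P<action>[^|]*?)\s*\|\s*(?P<indicator>[^|]*?)\s*\|'
    r'\s*(?P<process>[^|]*?)\s*\|\s*(?P<target>[^|]*?)\s*\|\s*$')

# Assumption: a legitimate shell\open\command target lives under one of these.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
RUN_KEY = "\\microsoft\\windows\\currentversion\\run\\"
OPEN_CMD = "\\shell\\open\\command\\"   # trailing '\' = the key's default value


@dataclass(frozen=True)
class Finding:
    category: str
    key: str
    path: str       # executable or DLL the value points at
    process: str    # process that wrote the value
    dropped: bool   # path matches a "File created" row in the same report


def norm(path):
    return path.strip().lower()


def unescape(raw):
    # Report values look like "C:\\dir\\x.exe \"%1\"": drop the outer quotes,
    # then collapse every backslash escape to the escaped character.
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        raw = raw[1:-1]
    return re.sub(r'\\(.)', r'\1', raw)


def exe_from_command(cmd):
    # Quoted program: take the quoted span. Unquoted: cut before the %1
    # placeholder if present, else the whole string is the path (this keeps
    # "C:\Program Files (x86)\spoolsv.exe" intact despite its spaces).
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    for marker in (' %1', ' "%1"'):
        idx = cmd.find(marker)
        if idx != -1:
            return cmd[:idx]
    return cmd


def parse_rows(text):
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield m.groupdict()


def analyze(text):
    rows = list(parse_rows(text))
    dropped = {norm(r["indicator"]) for r in rows if r["action"] == "File created"}
    findings = []
    for r in rows:
        if not r["action"].startswith("Set value"):
            continue                      # "Key created" rows carry no value
        key, _, raw = r["indicator"].partition(" = ")
        if not raw:
            continue
        value, lkey = unescape(raw), key.lower()
        if RUN_KEY in lkey:
            path = exe_from_command(value)
            findings.append(Finding("run_key_persistence", key, path, r["process"], norm(path) in dropped))
        elif lkey.endswith(OPEN_CMD):
            path = exe_from_command(value)
            is_dropped = norm(path) in dropped
            if is_dropped or not norm(path).startswith(TRUSTED_PREFIXES):
                findings.append(Finding("file_association_hijack", key, path, r["process"], is_dropped))
        elif lkey.endswith("\\inprocserver32\\") and norm(value) in dropped:
            findings.append(Finding("com_inproc_server_dropped_dll", key, value, r["process"], True))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_ROWS):
        print(f"{f.category:32} dropped={f.dropped!s:5} {f.path}  <- {f.process}")
```

On the behavioral2 rows this yields four findings: the Run value to the dropped spoolsv.exe, two file-association hijacks pointing at F:\$RECYCLE.BIN\RMNXXOU.EXE (a removable-drive copy the report never lists as created, which is why `dropped` is False for them), and the InprocServer32 default pointing at the dropped Ms7002.dll; the ThreadingModel and "Key created" rows produce nothing. The behavioral1 table runs through the same function with C:\PerfLogs and C:\Users paths taking the place of the F: drive.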
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe
"C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe"
C:\Windows\SysWOW64\Regsvr32.exe
Regsvr32.exe C:\Windows\system32\Ms7002.dll /s
Network
Files
memory/2196-0-0x0000000000320000-0x0000000000321000-memory.dmp
C:\PerfLogs\QGPZ.EXE
| MD5 | 17a4baa2ff411b044fa4ef0c79dadcce |
| SHA1 | bb3cf67ef015492ff1bac3cd7c417d95fdecdf1e |
| SHA256 | 5e45626efe05a5d79891ccb5a346454334d81d267930eb04206caf366945caf9 |
| SHA512 | 0fdc617379bd0d0722b6d3f662135cb22cce419877ab862a3ee61dbf26f81bbec95a03a1778763cc366c3db86d8317198719641e7dbfed6076999ecd24705918 |
C:\filedebug
| MD5 | d44278b3875508535bb9a47444c62a7e |
| SHA1 | e7bb52b794172861a5da948a2794b5cd5094f724 |
| SHA256 | 0eb706ca46ceab81ddfcebef071c91aa662f61adb8fd9a537805f786d5d02884 |
| SHA512 | c63a3d95ffffc3fa810bb452aa1e9c0aa4efff8e8d6427735fba81b9402c02cbf3592e067582b1128c7899d1b9398c276ef5e1e21841403cac22ab85eb2bc0d8 |
C:\Windows\SysWOW64\Ms7002.dll
| MD5 | 876a2a99b81968f5b26e3cbe12063d2b |
| SHA1 | 7afa8f33b691b2651b65eb07220cc2fda4b7537c |
| SHA256 | f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0 |
| SHA512 | ca0574dbb5ff4b146679ffc38aa794e64470949cd228518d04d3680d63a1ce2f076e38494fa5b6cd0722c2dc3e35c5b5c3b63483c1fa7dc62bca42c4cf8e0ce1 |