Malware Analysis Report

2025-03-15 05:42

Sample ID 240510-1e1adadh38
Target 5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2
SHA256 5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2
Tags: aspackv2, persistence
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2

Threat Level: Known bad

The file 5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2 was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence

Detects executables packed with ASPack

Loads dropped DLL

ASPack v2.12-2.42

Executes dropped EXE

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 21:34

Signatures

Detects executables packed with ASPack

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 21:34

Reported

2024-05-10 21:37

Platform

win10v2004-20240426-en

Max time kernel

141s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe"

Signatures

Detects executables packed with ASPack

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

ASPack v2.12-2.42

Tag: aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\svchost.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\Regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Regsvr32.exe | N/A

Adds Run key to start application

Tag: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CPPXP.EXE = "C:\\Program Files (x86)\\spoolsv.exe" | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\Ms7002.dll | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File created | C:\Windows\SysWOW64\RMNXXOU.EXE | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\svchost.exe | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File created | C:\Program Files (x86)\KAKNN.EXE | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File created | C:\Program Files (x86)\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "F:\\$RECYCLE.BIN\\RMNXXOU.EXE %1" | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID\ = "Ms7002.ShellExecuteHook" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ = "C:\\Windows\\SysWow64\\Ms7002.dll" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\ = "MaiHook7002" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "F:\\$RECYCLE.BIN\\RMNXXOU.EXE \"%1\"" | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid\ = "{7CD4138D-4147-420B-9749-00A13B526785}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "F:\\$RECYCLE.BIN\\RMNXXOU.EXE %1" | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "F:\\$RECYCLE.BIN\\RMNXXOU.EXE \"%1\"" | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ = "MaiHook7002" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile | C:\Program Files (x86)\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile\qp7002 = "C:\\Windows\\SysWow64\\RMNXXOU.EXE" | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785} | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\svchost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe

"C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe"

C:\Windows\SysWOW64\Regsvr32.exe

Regsvr32.exe C:\Windows\system32\Ms7002.dll /s

C:\Program Files (x86)\svchost.exe

"C:\Program Files (x86)\svchost.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
BE | 88.221.83.217:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
BE | 88.221.83.217:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 217.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp

Files

memory/1608-4-0x0000000000730000-0x0000000000731000-memory.dmp

C:\Windows\SysWOW64\RMNXXOU.EXE

MD5 8cdb7f78e0a662b6b3ff256f6dc1382c
SHA1 48fe220c574135e0d72e9d11abcde1b2ca6b9867
SHA256 e41443e32604f2a6cea7d64cb05d4d94be4406e99f66e2fb6ab47ca761885583
SHA512 d98ecb1bfe4206f240618152e9cf3c6df64256a0eaf2a29d6ffa171528742af8b7abc9395c71046218eeee91daa3b2b7f1a0519eee6196c17737119f94736559

C:\Windows\SysWOW64\Ms7002.dll

MD5 876a2a99b81968f5b26e3cbe12063d2b
SHA1 7afa8f33b691b2651b65eb07220cc2fda4b7537c
SHA256 f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0
SHA512 ca0574dbb5ff4b146679ffc38aa794e64470949cd228518d04d3680d63a1ce2f076e38494fa5b6cd0722c2dc3e35c5b5c3b63483c1fa7dc62bca42c4cf8e0ce1

C:\Program Files (x86)\svchost.exe

MD5 d21fe3030da81994cdd2b66e5b16e3d5
SHA1 9cdfa988a7e737b98dbba313c7c7fa8db15844a7
SHA256 5198c43b0b9cc4997ebad0eb6d532270e4d251e32696792f0e0775df0c279bc1
SHA512 961ad0b1aec1efa1818574ce8d972d95d3f8b7b046f25a878d533af6fc2f0fceb7668e07f592f8ac6a1e7eeb3009dd6c496e976c22aefe5f16e40b878e99580a

memory/3756-26-0x00000000023D0000-0x00000000023D1000-memory.dmp

memory/3756-27-0x00000000023D0000-0x00000000023D1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 21:34

Reported

2024-05-10 21:37

Platform

win7-20240508-en

Max time kernel

117s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe"

Signatures

Detects executables packed with ASPack

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

ASPack v2.12-2.42

Tag: aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\Regsvr32.exe | N/A

Adds Run key to start application

Tag: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QGPZ.EXE = "C:\\PerfLogs\\lsm.exe" | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\QGPZ.EXE | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
File created | C:\Windows\SysWOW64\Ms7002.dll | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid\ = "{7CD4138D-4147-420B-9749-00A13B526785}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\JULPJS.EXE %1" | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\PerfLogs\\QGPZ.EXE \"%1\"" | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID\ = "Ms7002.ShellExecuteHook" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ = "C:\\Windows\\SysWow64\\Ms7002.dll" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\PerfLogs\\QGPZ.EXE \"%1\"" | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\ = "MaiHook7002" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\PerfLogs\\QGPZ.EXE %1" | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile\qp7002 = "C:\\Windows\\SysWow64\\QGPZ.EXE" | C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785} | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ = "MaiHook7002" | C:\Windows\SysWOW64\Regsvr32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe

"C:\Users\Admin\AppData\Local\Temp\5678cb76017a8e4e07b951af3f1b58f79b728a8552cfb018db8c56d3375901f2.exe"

C:\Windows\SysWOW64\Regsvr32.exe

Regsvr32.exe C:\Windows\system32\Ms7002.dll /s

Network

N/A

Files

memory/2196-0-0x0000000000320000-0x0000000000321000-memory.dmp

C:\PerfLogs\QGPZ.EXE

MD5 17a4baa2ff411b044fa4ef0c79dadcce
SHA1 bb3cf67ef015492ff1bac3cd7c417d95fdecdf1e
SHA256 5e45626efe05a5d79891ccb5a346454334d81d267930eb04206caf366945caf9
SHA512 0fdc617379bd0d0722b6d3f662135cb22cce419877ab862a3ee61dbf26f81bbec95a03a1778763cc366c3db86d8317198719641e7dbfed6076999ecd24705918

C:\filedebug

MD5 d44278b3875508535bb9a47444c62a7e
SHA1 e7bb52b794172861a5da948a2794b5cd5094f724
SHA256 0eb706ca46ceab81ddfcebef071c91aa662f61adb8fd9a537805f786d5d02884
SHA512 c63a3d95ffffc3fa810bb452aa1e9c0aa4efff8e8d6427735fba81b9402c02cbf3592e067582b1128c7899d1b9398c276ef5e1e21841403cac22ab85eb2bc0d8

C:\Windows\SysWOW64\Ms7002.dll

MD5 876a2a99b81968f5b26e3cbe12063d2b
SHA1 7afa8f33b691b2651b65eb07220cc2fda4b7537c
SHA256 f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0
SHA512 ca0574dbb5ff4b146679ffc38aa794e64470949cd228518d04d3680d63a1ce2f076e38494fa5b6cd0722c2dc3e35c5b5c3b63483c1fa7dc62bca42c4cf8e0ce1