Trojan.Qhost.A

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 4,758
Threat Level: 80% (High)
Infected Computers: 14,893
First Seen: February 3, 2012
Last Seen: April 1, 2026
OS(es) Affected: Windows

Aliases

15 security vendors flagged this file as malicious.

Antivirus Vendor Detection
Panda Suspicious file
AVG Generic_r.AIN
Ikarus Win32.Kryptik
GData Win32:Kryptik-GUU
McAfee-GW-Edition Artemis!CA15A0C5CEC4
AntiVir TR/Kryptik.guu.5
Comodo UnclassifiedMalware
Kaspersky HEUR:Trojan.Win32.Generic
Avast Win32:Kryptik-GUU [Trj]
NOD32 a variant of Win32/Kryptik.ZWJ
AVG Suspicion: unknown virus
GData Win32:Kryptik-GYR
Microsoft Trojan:Win32/Qhosts.AJ
McAfee-GW-Edition Artemis!AA6B6E439BED
AntiVir TR/Kryptik.GYR

Analysis Report

General information

Family Name: Trojan.Qhost.A
Signature status: No Signature

Known Samples


Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has been packed
  • File is 32-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Comments
  • Computer Query Tool For MRP
  • Multi-OEM Branding & OEM Activation {NOT FOR PROFIT}
Company Name
  • Anemeros
  • Microsoft
  • MRP
  • MRP {NOT FOR PROFIT}
  • Sonatrach Activité Amont
File Description
  • DeCompile For MRP {NOT FOR PROFIT}
  • Query Tool
File Version
  • 140. 0. 10. 2021
  • 2. 0. 1. 8
  • 1.00
  • 1. 0. 0. 0
Internal Name Win
Legal Copyright
  • Direction HSE Amont
  • MRP
  • MRP {NOT FOR PROFIT}
Original Filename Win.exe
Product Name
  • Multi-OEM/Retail Project #3 {MDL}
  • OEM Query Tool For MRP
  • Produits chimiques
  • Win
Product Version
  • 140. 0. 10. 2021
  • 2. 0. 1. 8
  • 1.00
  • 1. 0. 0. 1
  • 1. 0. 0. 0

File Traits

  • 2+ executable sections
  • HighEntropy
  • No Version Info
  • packed
  • x86

Block Information

Total Blocks: 227
Potentially Malicious Blocks: 115
Whitelisted Blocks: 108
Unknown Blocks: 4

Visual Map

[Block map of the 227 analysed blocks omitted; legend: 0 = probable safe block, ? = unknown block, x = potentially malicious block]

Similar Families

  • QHost.E
  • QHost.GB
  • Qhost.A
  • Qhost.GD

Files Modified

File Attributes
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
c:\programdata\tempm\7za.exe Generic Write,Read Attributes
c:\programdata\tempm\decompile.cmd Generic Write,Read Attributes
c:\programdata\tempm\extract.exe Generic Write,Read Attributes
c:\programdata\tempm\install.7z Generic Write,Read Attributes
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.0.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.1.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.2.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\banish.cmd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\mrp_qt Write Attributes
c:\users\user\appdata\local\temp\mrp_qt\bdtbt.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\mrp_qt\diskmodelnamew7.vbs Generic Write,Read Attributes
c:\users\user\appdata\local\temp\mrp_qt\displayinfo.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\mrp_qt\generic_2.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\mrp_qt\generic_4.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\mrp_qt\getinstdate.vbs Generic Write,Read Attributes
c:\users\user\appdata\local\temp\mrp_qt\gpuadaptors.vbs Generic Write,Read Attributes
c:\users\user\appdata\local\temp\mrp_qt\inspectre.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\mrp_qt\isssd.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\mrp_qt\keyinfo.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\mrp_qt\mbrgpt.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\mrp_qt\mrp-qt2.cmd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\mrp_qt\msvcp110.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\mrp_qt\msvcr110.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\mrp_qt\newsku.ini Generic Write,Read Attributes
c:\users\user\appdata\local\temp\mrp_qt\oldsku.ini Generic Write,Read Attributes
c:\users\user\appdata\local\temp\mrp_qt\pkconfig.ini Generic Write,Read Attributes
c:\users\user\appdata\local\temp\mrp_qt\qtoemtest.ini Generic Write,Read Attributes
c:\users\user\appdata\local\temp\mrp_qt\querydisks.vbs Generic Write,Read Attributes
c:\users\user\appdata\local\temp\mrp_qt\rcodes.ini Generic Write,Read Attributes
c:\users\user\appdata\local\temp\qtlog.log Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\qtlog.log Generic Write,Read Attributes
c:\users\user\downloads\dbasechem.vbs Generic Write,Read Attributes
c:\windows\cleanupmrp.cmd Generic Write,Read Attributes
c:\windows\setup\mrp3 Write Attributes
c:\windows\setup\mrp3\mrpversion.tag Generic Write,Read Attributes
c:\windows\system.ini Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\windows\syswow64\extract.cmd Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ꑝ㢛ᣜǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 硹㣱ᣜǜ RegNtPreCreateKey
HKLM\software\mrp3:: RegNtPreCreateKey
HKLM\software\mrp3\datavars:: RegNtPreCreateKey
HKLM\software\mrp3\datavars::mrp_relocationflag Yes RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\runonce::!cleanmrpup C:\WINDOWS\CleanUpMRP.cmd RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\advanced::hidden  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::antivirusoverride  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::antivirusdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::firewalldisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::firewalloverride  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::updatesdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::uacdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::antivirusoverride  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::antivirusdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::firewalldisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::firewalloverride  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::updatesdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::uacdisablenotify  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings::globaluseroffline RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\policies\system::enablelua RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::enablefirewall RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::donotallowexceptions RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::disablenotifications  RegNtPreCreateKey
HKCU\software\apcr\1214104697::1919251317 € RegNtPreCreateKey
HKCU\software\apcr\1214104697::-456464662 RegNtPreCreateKey
HKCU\software\apcr\1214104697::1462786655 RegNtPreCreateKey
HKCU\software\apcr\1214104697::-912929324 # RegNtPreCreateKey
HKCU\software\apcr\1214104697::1006321993 ƻ RegNtPreCreateKey
HKCU\software\apcr\1214104697::-1369393986 http://kluczewsko.gmina.pl/images/xs.jpghttp://www.data-ps.or RegNtPreCreateKey
HKCU\software\apcr\1214104697::549857331 RegNtPreCreateKey
HKCU\software\apcr::u1_0 ᅕ쒧 RegNtPreCreateKey
HKCU\software\apcr::u2_0 RegNtPreCreateKey
HKCU\software\apcr::u3_0 権ă RegNtPreCreateKey
HKCU\software\apcr::u4_0 RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list::c:\users\user\downloads\b47d7f09a0a4878c36ec16b363e30f7f18866ca4_0000118784 c:\users\user\downloads\b47d7f09a0a4878c36ec16b363e30f7f18866ca4_0000118784:*:enabled:@shell32.dll,-1 RegNtPreCreateKey

Windows API Usage

Category API
Process Shell Execute
  • CreateProcess
  • WriteConsole
Syscall Use
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDeleteValueKey
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetValueKey
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTerminateProcess
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • win32u.dll!NtGdiBitBlt
  • win32u.dll!NtGdiCreateBitmap
  • win32u.dll!NtGdiCreateCompatibleDC
  • win32u.dll!NtGdiCreateDIBitmapInternal
  • win32u.dll!NtGdiCreateSolidBrush
  • win32u.dll!NtGdiDeleteObjectApp
  • win32u.dll!NtGdiExtGetObjectW
  • win32u.dll!NtGdiGetDCforBitmap
  • win32u.dll!NtGdiGetDCObject
  • win32u.dll!NtGdiRestoreDC
  • win32u.dll!NtGdiSaveDC
  • win32u.dll!NtGdiSelectBitmap
  • win32u.dll!NtGdiSetDIBitsToDeviceInternal
  • win32u.dll!NtUserCallNoParam
  • win32u.dll!NtUserConsoleControl
  • win32u.dll!NtUserCreateEmptyCursorObject
  • win32u.dll!NtUserGetDC
  • win32u.dll!NtUserGetGUIThreadInfo
  • win32u.dll!NtUserGetKeyboardLayout
  • win32u.dll!NtUserGetProcessWindowStation
  • win32u.dll!NtUserGetThreadState
  • win32u.dll!NtUserReleaseDC
  • win32u.dll!NtUserSelectPalette
  • win32u.dll!NtUserSetCursorIconData
  • win32u.dll!NtUserSetProcessDpiAwarenessContext
Anti Debug
  • IsDebuggerPresent
User Data Access
  • GetUserObjectInformation
Process Terminate
  • TerminateProcess
Process Manipulation Evasion
  • NtUnmapViewOfSection
Other Suspicious
  • AdjustTokenPrivileges
  • SetWindowsHookEx

Shell Command Execution

"C:\ProgramData\TempM\Decompile.cmd" > NUL
C:\ProgramData\TempM\extract.exe "C:\ProgramData\TempM\extract.exe"
"C:\Windows\System32\extract.cmd" > NUL
WriteConsole: 'mode' is not re
C:\WINDOWS\Sysnative\attrib.exe Attrib "C:\WINDOWS\Setup\MRP3" +h +s
C:\WINDOWS\Sysnative\reg.exe C:\WINDOWS\Sysnative\reg.exe add "HKLM\Software\MRP3" /f
C:\WINDOWS\Sysnative\reg.exe C:\WINDOWS\Sysnative\reg.exe add "HKLM\Software\MRP3\DataVars" /f
C:\WINDOWS\Sysnative\reg.exe C:\WINDOWS\Sysnative\reg.exe add "HKLM\Software\MRP3\DataVars" /v "MRP_ReLocationFlag" /t REG_SZ /d "Yes" /f
C:\WINDOWS\Sysnative\reg.exe C:\WINDOWS\Sysnative\reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "!CleanMRPup" /t REG_SZ /d "C:\WINDOWS\CleanUpMRP.cmd" /f
C:\WINDOWS\Sysnative\reg.exe C:\WINDOWS\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v "ImageState"
C:\WINDOWS\System32\Wbem\WMIC.exe WMIC /locale:ms_409 CPU GET Architecture /value
C:\WINDOWS\Sysnative\reg.exe C:\WINDOWS\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v "Enabled"
C:\WINDOWS\Sysnative\reg.exe C:\WINDOWS\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "BuildLabEx"
C:\WINDOWS\Sysnative\reg.exe C:\WINDOWS\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"
C:\WINDOWS\Sysnative\bcdedit.exe bcdedit /enum {current}
WriteConsole: Access is denied
C:\WINDOWS\Sysnative\reg.exe REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "MRPChkX" /f
WriteConsole: The batch file c
wscript.exe "c:\users\user\downloads\dbasechem.vbs"
"C:\Users\Qwezwkkt\AppData\Local\Temp\banish.cmd"
C:\WINDOWS\system32\takeown.exe TAKEOWN /F ""
C:\WINDOWS\system32\icacls.exe ICACLS "" /grant "Qwezwkkt":F
"C:\Users\Qwakkzfr\AppData\Local\Temp\MRP_QT\MRP-QT2.cmd"
C:\WINDOWS\system32\mode.com mode con cols=90 lines=18
C:\WINDOWS\system32\attrib.exe Attrib "C:\Users\Qwakkzfr\AppData\Local\Temp\MRP_QT" +h
C:\WINDOWS\System32\Wbem\WMIC.exe WMIC OS GET LocalDateTime /value
C:\WINDOWS\Sysnative\timeout.exe TIMEOUT /T 2 /Nobreak
C:\WINDOWS\System32\Wbem\WMIC.exe wmic os get osarchitecture /value
C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /S /D /c" ECHO "
C:\WINDOWS\Sysnative\findstr.exe FINDSTR "64"
C:\WINDOWS\Sysnative\findstr.exe FINDSTR "32"
C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /S /D /c" ECHO x86 "
C:\WINDOWS\Sysnative\findstr.exe FINDSTR "86"
C:\WINDOWS\Sysnative\reg.exe C:\WINDOWS\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CompositionEditionID"
C:\WINDOWS\Sysnative\reg.exe C:\WINDOWS\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f "Microsoft-Windows-*Edition~31bf3856ad364e35" /k
C:\WINDOWS\system32\find.exe FIND /I "CurrentVersion"
C:\WINDOWS\System32\Wbem\WMIC.exe WMIC PATH SoftwareLicensingProduct WHERE (Name LIKE 'Windows%' AND PartialProductKey is not NULL) GET LicenseFamily /VALUE
C:\WINDOWS\Sysnative\reg.exe C:\WINDOWS\Sysnative\reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID