0337269cb7824bffbf388929b90e85a93f1b01587a5b611d8cf8ea4498ac4480

Analysis

max time kernel
43s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
28-05-2022 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0337269cb7824bffbf388929b90e85a93f1b01587a5b611d8cf8ea4498ac4480.exe
Size

2.3MB
MD5

85fb0ee4d7db16493aa9e0095b9adbd2
SHA1

6b1625fc64825b5e38606cd4e5a8336b0cd76ef9
SHA256

0337269cb7824bffbf388929b90e85a93f1b01587a5b611d8cf8ea4498ac4480
SHA512

8dc756f1c5ec5fabe27f70b5da15b97fa462eecd8f0589480fff957d15841361d23bfb81d1b5a0517e3ccba0f8752f8b0b9e01167481b0dcf388d3e0cc0b821f

Score

8^/10

adware discovery persistence stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ACyijoXGXU29wDD.exe

pid process

1996 ACyijoXGXU29wDD.exe
Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Loads dropped DLL 4 IoCs

Processes:

0337269cb7824bffbf388929b90e85a93f1b01587a5b611d8cf8ea4498ac4480.exeACyijoXGXU29wDD.exeregsvr32.exeregsvr32.exe

pid process

1032 0337269cb7824bffbf388929b90e85a93f1b01587a5b611d8cf8ea4498ac4480.exe
1996 ACyijoXGXU29wDD.exe
1536 regsvr32.exe
1728 regsvr32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

pid	process
1996	ACyijoXGXU29wDD.exe

pid	process
1032	0337269cb7824bffbf388929b90e85a93f1b01587a5b611d8cf8ea4498ac4480.exe
1996	ACyijoXGXU29wDD.exe
1536	regsvr32.exe
1728	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

ACyijoXGXU29wDD.exe

description	ioc	process
File created	C:\Program Files (x86)\Vaaudix\G2lJpSM4A9nVdJ.dll	ACyijoXGXU29wDD.exe
File opened for modification	C:\Program Files (x86)\Vaaudix\G2lJpSM4A9nVdJ.dll	ACyijoXGXU29wDD.exe
File created	C:\Program Files (x86)\Vaaudix\G2lJpSM4A9nVdJ.tlb	ACyijoXGXU29wDD.exe
File opened for modification	C:\Program Files (x86)\Vaaudix\G2lJpSM4A9nVdJ.tlb	ACyijoXGXU29wDD.exe
File created	C:\Program Files (x86)\Vaaudix\G2lJpSM4A9nVdJ.dat	ACyijoXGXU29wDD.exe
File opened for modification	C:\Program Files (x86)\Vaaudix\G2lJpSM4A9nVdJ.dat	ACyijoXGXU29wDD.exe
File created	C:\Program Files (x86)\Vaaudix\G2lJpSM4A9nVdJ.x64.dll	ACyijoXGXU29wDD.exe
File opened for modification	C:\Program Files (x86)\Vaaudix\G2lJpSM4A9nVdJ.x64.dll	ACyijoXGXU29wDD.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exeACyijoXGXU29wDD.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{aa5fc823-af42-434c-936a-d8368af7fad1}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{aa5fc823-af42-434c-936a-d8368af7fad1}\	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{aa5fc823-af42-434c-936a-d8368af7fad1}	ACyijoXGXU29wDD.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	ACyijoXGXU29wDD.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{aa5fc823-af42-434c-936a-d8368af7fad1}	ACyijoXGXU29wDD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{aa5fc823-af42-434c-936a-d8368af7fad1}\	ACyijoXGXU29wDD.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeACyijoXGXU29wDD.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AA5FC823-AF42-434C-936A-D8368AF7FAD1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Paa5fc823_af42_434c_936a_d8368af7fad1_.Paa5fc823_af42_434c_936a_d8368af7fad1_.9\CLSID	ACyijoXGXU29wDD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Paa5fc823_af42_434c_936a_d8368af7fad1_.Paa5fc823_af42_434c_936a_d8368af7fad1_	ACyijoXGXU29wDD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{aa5fc823-af42-434c-936a-d8368af7fad1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BB50CC62-09E1-4DD9-912C-F1DA4D6D71D8}\ProxyStubClsid32	ACyijoXGXU29wDD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{aa5fc823-af42-434c-936a-d8368af7fad1}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E481A870-86C7-44E1-97DF-E759FC147CBE}\TypeLib\ = "{41F978F3-431A-4464-A789-5C0692D562FB}"	ACyijoXGXU29wDD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE332809-93C1-48DF-929F-AEC0BC4BFCFE}\TypeLib	ACyijoXGXU29wDD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41F978F3-431A-4464-A789-5C0692D562FB}\1.0\HELPDIR	ACyijoXGXU29wDD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{138E44EF-8988-4DC7-8F48-FBC4FCEF83D1}\TypeLib\ = "{41F978F3-431A-4464-A789-5C0692D562FB}"	ACyijoXGXU29wDD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{138E44EF-8988-4DC7-8F48-FBC4FCEF83D1}\ = "ILocalStorage"	ACyijoXGXU29wDD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BB50CC62-09E1-4DD9-912C-F1DA4D6D71D8}\TypeLib\Version = "1.0"	ACyijoXGXU29wDD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41F978F3-431A-4464-A789-5C0692D562FB}\1.0\0	ACyijoXGXU29wDD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E481A870-86C7-44E1-97DF-E759FC147CBE}\ProxyStubClsid32	ACyijoXGXU29wDD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{138E44EF-8988-4DC7-8F48-FBC4FCEF83D1}\ = "ILocalStorage"	ACyijoXGXU29wDD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41F978F3-431A-4464-A789-5C0692D562FB}	ACyijoXGXU29wDD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41F978F3-431A-4464-A789-5C0692D562FB}\1.0\FLAGS\ = "0"	ACyijoXGXU29wDD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Paa5fc823_af42_434c_936a_d8368af7fad1_.Paa5fc823_af42_434c_936a_d8368af7fad1_\CurVer\ = "Paa5fc823_af42_434c_936a_d8368af7fad1_.9"	ACyijoXGXU29wDD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{138E44EF-8988-4DC7-8F48-FBC4FCEF83D1}\TypeLib\Version = "1.0"	ACyijoXGXU29wDD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AA5FC823-AF42-434C-936A-D8368AF7FAD1}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{aa5fc823-af42-434c-936a-d8368af7fad1}	ACyijoXGXU29wDD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BB50CC62-09E1-4DD9-912C-F1DA4D6D71D8}	ACyijoXGXU29wDD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE332809-93C1-48DF-929F-AEC0BC4BFCFE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ACyijoXGXU29wDD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E481A870-86C7-44E1-97DF-E759FC147CBE}\TypeLib\Version = "1.0"	ACyijoXGXU29wDD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{aa5fc823-af42-434c-936a-d8368af7fad1}\ = "Vaaudix"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{aa5fc823-af42-434c-936a-d8368af7fad1}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{138E44EF-8988-4DC7-8F48-FBC4FCEF83D1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ACyijoXGXU29wDD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE332809-93C1-48DF-929F-AEC0BC4BFCFE}\ProxyStubClsid32	ACyijoXGXU29wDD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{aa5fc823-af42-434c-936a-d8368af7fad1}\ProgID\ = "Paa5fc823_af42_434c_936a_d8368af7fad1_.9"	ACyijoXGXU29wDD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{aa5fc823-af42-434c-936a-d8368af7fad1}\Programmable	ACyijoXGXU29wDD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{138E44EF-8988-4DC7-8F48-FBC4FCEF83D1}	ACyijoXGXU29wDD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE332809-93C1-48DF-929F-AEC0BC4BFCFE}\TypeLib\Version = "1.0"	ACyijoXGXU29wDD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{aa5fc823-af42-434c-936a-d8368af7fad1}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{aa5fc823-af42-434c-936a-d8368af7fad1}\Programmable\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BB50CC62-09E1-4DD9-912C-F1DA4D6D71D8}\TypeLib	ACyijoXGXU29wDD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BB50CC62-09E1-4DD9-912C-F1DA4D6D71D8}\ProxyStubClsid32	ACyijoXGXU29wDD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{aa5fc823-af42-434c-936a-d8368af7fad1}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Paa5fc823_af42_434c_936a_d8368af7fad1_.Paa5fc823_af42_434c_936a_d8368af7fad1_.9\ = "Vaaudix"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{138E44EF-8988-4DC7-8F48-FBC4FCEF83D1}\ProxyStubClsid32	ACyijoXGXU29wDD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{138E44EF-8988-4DC7-8F48-FBC4FCEF83D1}\TypeLib	ACyijoXGXU29wDD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BB50CC62-09E1-4DD9-912C-F1DA4D6D71D8}\ = "IRegistry"	ACyijoXGXU29wDD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E481A870-86C7-44E1-97DF-E759FC147CBE}\ = "IPlaghinMein"	ACyijoXGXU29wDD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Paa5fc823_af42_434c_936a_d8368af7fad1_.Paa5fc823_af42_434c_936a_d8368af7fad1_\ = "Vaaudix"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E481A870-86C7-44E1-97DF-E759FC147CBE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ACyijoXGXU29wDD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Paa5fc823_af42_434c_936a_d8368af7fad1_.Paa5fc823_af42_434c_936a_d8368af7fad1_.9\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Paa5fc823_af42_434c_936a_d8368af7fad1_.Paa5fc823_af42_434c_936a_d8368af7fad1_	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE332809-93C1-48DF-929F-AEC0BC4BFCFE}\TypeLib\ = "{41F978F3-431A-4464-A789-5C0692D562FB}"	ACyijoXGXU29wDD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Paa5fc823_af42_434c_936a_d8368af7fad1_.Paa5fc823_af42_434c_936a_d8368af7fad1_\CLSID\ = "{aa5fc823-af42-434c-936a-d8368af7fad1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{aa5fc823-af42-434c-936a-d8368af7fad1}\VersionIndependentProgID\ = "Paa5fc823_af42_434c_936a_d8368af7fad1_"	ACyijoXGXU29wDD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{aa5fc823-af42-434c-936a-d8368af7fad1}\InprocServer32\ = "C:\\Program Files (x86)\\Vaaudix\\G2lJpSM4A9nVdJ.dll"	ACyijoXGXU29wDD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE332809-93C1-48DF-929F-AEC0BC4BFCFE}\ProxyStubClsid32	ACyijoXGXU29wDD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E481A870-86C7-44E1-97DF-E759FC147CBE}\TypeLib\Version = "1.0"	ACyijoXGXU29wDD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE332809-93C1-48DF-929F-AEC0BC4BFCFE}	ACyijoXGXU29wDD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{aa5fc823-af42-434c-936a-d8368af7fad1}\ = "Vaaudix"	ACyijoXGXU29wDD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{41F978F3-431A-4464-A789-5C0692D562FB}\1.0\0\win32	ACyijoXGXU29wDD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E481A870-86C7-44E1-97DF-E759FC147CBE}\TypeLib\ = "{41F978F3-431A-4464-A789-5C0692D562FB}"	ACyijoXGXU29wDD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE332809-93C1-48DF-929F-AEC0BC4BFCFE}\TypeLib\Version = "1.0"	ACyijoXGXU29wDD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE332809-93C1-48DF-929F-AEC0BC4BFCFE}\ = "IRuntime"	ACyijoXGXU29wDD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Paa5fc823_af42_434c_936a_d8368af7fad1_.Paa5fc823_af42_434c_936a_d8368af7fad1_.9	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Paa5fc823_af42_434c_936a_d8368af7fad1_.Paa5fc823_af42_434c_936a_d8368af7fad1_\CurVer\ = "Paa5fc823_af42_434c_936a_d8368af7fad1_.9"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{aa5fc823-af42-434c-936a-d8368af7fad1}\Programmable\	ACyijoXGXU29wDD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E481A870-86C7-44E1-97DF-E759FC147CBE}\ProxyStubClsid32	ACyijoXGXU29wDD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE332809-93C1-48DF-929F-AEC0BC4BFCFE}	ACyijoXGXU29wDD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Paa5fc823_af42_434c_936a_d8368af7fad1_.Paa5fc823_af42_434c_936a_d8368af7fad1_.9\CLSID\ = "{aa5fc823-af42-434c-936a-d8368af7fad1}"	regsvr32.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

0337269cb7824bffbf388929b90e85a93f1b01587a5b611d8cf8ea4498ac4480.exeACyijoXGXU29wDD.exeregsvr32.exe

description	pid	process	target process
PID 1032 wrote to memory of 1996	1032	0337269cb7824bffbf388929b90e85a93f1b01587a5b611d8cf8ea4498ac4480.exe	ACyijoXGXU29wDD.exe
PID 1032 wrote to memory of 1996	1032	0337269cb7824bffbf388929b90e85a93f1b01587a5b611d8cf8ea4498ac4480.exe	ACyijoXGXU29wDD.exe
PID 1032 wrote to memory of 1996	1032	0337269cb7824bffbf388929b90e85a93f1b01587a5b611d8cf8ea4498ac4480.exe	ACyijoXGXU29wDD.exe
PID 1032 wrote to memory of 1996	1032	0337269cb7824bffbf388929b90e85a93f1b01587a5b611d8cf8ea4498ac4480.exe	ACyijoXGXU29wDD.exe
PID 1996 wrote to memory of 1536	1996	ACyijoXGXU29wDD.exe	regsvr32.exe
PID 1996 wrote to memory of 1536	1996	ACyijoXGXU29wDD.exe	regsvr32.exe
PID 1996 wrote to memory of 1536	1996	ACyijoXGXU29wDD.exe	regsvr32.exe
PID 1996 wrote to memory of 1536	1996	ACyijoXGXU29wDD.exe	regsvr32.exe
PID 1996 wrote to memory of 1536	1996	ACyijoXGXU29wDD.exe	regsvr32.exe
PID 1996 wrote to memory of 1536	1996	ACyijoXGXU29wDD.exe	regsvr32.exe
PID 1996 wrote to memory of 1536	1996	ACyijoXGXU29wDD.exe	regsvr32.exe
PID 1536 wrote to memory of 1728	1536	regsvr32.exe	regsvr32.exe
PID 1536 wrote to memory of 1728	1536	regsvr32.exe	regsvr32.exe
PID 1536 wrote to memory of 1728	1536	regsvr32.exe	regsvr32.exe
PID 1536 wrote to memory of 1728	1536	regsvr32.exe	regsvr32.exe
PID 1536 wrote to memory of 1728	1536	regsvr32.exe	regsvr32.exe
PID 1536 wrote to memory of 1728	1536	regsvr32.exe	regsvr32.exe
PID 1536 wrote to memory of 1728	1536	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

ACyijoXGXU29wDD.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{aa5fc823-af42-434c-936a-d8368af7fad1} = "1"	ACyijoXGXU29wDD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	ACyijoXGXU29wDD.exe

C:\Users\Admin\AppData\Local\Temp\0337269cb7824bffbf388929b90e85a93f1b01587a5b611d8cf8ea4498ac4480.exe
"C:\Users\Admin\AppData\Local\Temp\0337269cb7824bffbf388929b90e85a93f1b01587a5b611d8cf8ea4498ac4480.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Users\Admin\AppData\Local\Temp\305e4579\ACyijoXGXU29wDD.exe
  "C:\Users\Admin\AppData\Local\Temp/305e4579/ACyijoXGXU29wDD.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1996
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\Vaaudix\G2lJpSM4A9nVdJ.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Vaaudix\G2lJpSM4A9nVdJ.x64.dll"
      4⤵
      Loads dropped DLL
      Modifies Internet Explorer settings
      Modifies registry class
      PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Vaaudix\G2lJpSM4A9nVdJ.dat

Filesize
7KB

MD5
42eafa20f7e713f8f3cee5acff071236

SHA1
f41dbeaaa312b1f3f0202cffecf6a468777ad92b

SHA256
2912c365fedc5e04fcfbdff983cf868d09edc5fb011bc84107b928fdb8e36c64

SHA512
bdbcdcf9aca388d804912768446d4d65c93e1eb881c527d2434d25aa7bc9ad3ab98301776e7bbed7f9b31a59a73fc2bdd39c12c78c752d46796ac0407498d565

Download Submit
C:\Program Files (x86)\Vaaudix\G2lJpSM4A9nVdJ.tlb

Filesize
4KB

MD5
0fe06b2503ac0e34dcbb7ac744f8905b

SHA1
8850ee13bfdc7e62670b67588f8b88e798f02622

SHA256
ee29d7672ab20bd7c779268d59994217be7d3704396e52785f3da70db8afb02b

SHA512
bf3df6c9dba950e63dc0b1d448e87d1387cfd63233fe9eb04cb72563bc9fb2be8bce133748be07b74e8cf47d374b0fd5641c1d8fd66886c950cad6bc771ee8e9

Download Submit
C:\Program Files (x86)\Vaaudix\G2lJpSM4A9nVdJ.x64.dll

Filesize
645KB

MD5
b6f8ef51a64b9e5c0bd12d6b094fb894

SHA1
c567f85cbffc4dc082782d1b0bf5d7d87daf6973

SHA256
6926610797c19bb4fe428ead47971ea3dd294618949d2a2fb581b8aaa51472bd

SHA512
99d6186f740ce036927b8e21a93984dedea677155c09029b3e301863ad35f05886a40ea8945fa23705b9fbf9ff9ed75e9d7dc4b52377ef9172d5209dd7969e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\305e4579\ACyijoXGXU29wDD.dat

Filesize
7KB

MD5
42eafa20f7e713f8f3cee5acff071236

SHA1
f41dbeaaa312b1f3f0202cffecf6a468777ad92b

SHA256
2912c365fedc5e04fcfbdff983cf868d09edc5fb011bc84107b928fdb8e36c64

SHA512
bdbcdcf9aca388d804912768446d4d65c93e1eb881c527d2434d25aa7bc9ad3ab98301776e7bbed7f9b31a59a73fc2bdd39c12c78c752d46796ac0407498d565

Download Submit
C:\Users\Admin\AppData\Local\Temp\305e4579\ACyijoXGXU29wDD.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\305e4579\ACyijoXGXU29wDD.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\305e4579\G2lJpSM4A9nVdJ.dll

Filesize
573KB

MD5
9c27278b33fe0ce981266d406b95864c

SHA1
d1e48307906270c02bb06dfe4ef57272cdabd863

SHA256
e10d1a02b2bbb39d4e3830c6cc5c2bf2a517346ab1c8772692407c49266e54c4

SHA512
c4922b608e10d96ccc185315eb286968cb87f10be60f367ef9f15c03a3b4dfff31d45e14d79607f2863b7cb8c99700483360c78f6f294a357bcd11cd2b875963

Download Submit
C:\Users\Admin\AppData\Local\Temp\305e4579\G2lJpSM4A9nVdJ.tlb

Filesize
4KB

MD5
0fe06b2503ac0e34dcbb7ac744f8905b

SHA1
8850ee13bfdc7e62670b67588f8b88e798f02622

SHA256
ee29d7672ab20bd7c779268d59994217be7d3704396e52785f3da70db8afb02b

SHA512
bf3df6c9dba950e63dc0b1d448e87d1387cfd63233fe9eb04cb72563bc9fb2be8bce133748be07b74e8cf47d374b0fd5641c1d8fd66886c950cad6bc771ee8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\305e4579\G2lJpSM4A9nVdJ.x64.dll

Filesize
645KB

MD5
b6f8ef51a64b9e5c0bd12d6b094fb894

SHA1
c567f85cbffc4dc082782d1b0bf5d7d87daf6973

SHA256
6926610797c19bb4fe428ead47971ea3dd294618949d2a2fb581b8aaa51472bd

SHA512
99d6186f740ce036927b8e21a93984dedea677155c09029b3e301863ad35f05886a40ea8945fa23705b9fbf9ff9ed75e9d7dc4b52377ef9172d5209dd7969e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{aa5fc823-af42-434c-936a-d8368af7fad1}-log.txt

Filesize
642B

MD5
56532f3fe41d07ed5cfed28077473088

SHA1
d6f3957003bb9b46ca18a8ec30c6cfff6385da22

SHA256
b26a8a8a1ace1a8d520fd3d424ee259fbb593f6102ad33e3cd54c8cb75a2e02c

SHA512
65af6c186148a547731b1ef50cd8397bd33ee2e54ca6dd2e93a6b09eee622412748c47297f53494ac3bbff0f44a4fbac3be3eeb84e93b6318535936ed97ae7af

Download Submit
\Program Files (x86)\Vaaudix\G2lJpSM4A9nVdJ.dll

Filesize
573KB

MD5
9c27278b33fe0ce981266d406b95864c

SHA1
d1e48307906270c02bb06dfe4ef57272cdabd863

SHA256
e10d1a02b2bbb39d4e3830c6cc5c2bf2a517346ab1c8772692407c49266e54c4

SHA512
c4922b608e10d96ccc185315eb286968cb87f10be60f367ef9f15c03a3b4dfff31d45e14d79607f2863b7cb8c99700483360c78f6f294a357bcd11cd2b875963

Download Submit
\Program Files (x86)\Vaaudix\G2lJpSM4A9nVdJ.x64.dll

Filesize
645KB

MD5
b6f8ef51a64b9e5c0bd12d6b094fb894

SHA1
c567f85cbffc4dc082782d1b0bf5d7d87daf6973

SHA256
6926610797c19bb4fe428ead47971ea3dd294618949d2a2fb581b8aaa51472bd

SHA512
99d6186f740ce036927b8e21a93984dedea677155c09029b3e301863ad35f05886a40ea8945fa23705b9fbf9ff9ed75e9d7dc4b52377ef9172d5209dd7969e5d

Download Submit
\Program Files (x86)\Vaaudix\G2lJpSM4A9nVdJ.x64.dll

Filesize
645KB

MD5
b6f8ef51a64b9e5c0bd12d6b094fb894

SHA1
c567f85cbffc4dc082782d1b0bf5d7d87daf6973

SHA256
6926610797c19bb4fe428ead47971ea3dd294618949d2a2fb581b8aaa51472bd

SHA512
99d6186f740ce036927b8e21a93984dedea677155c09029b3e301863ad35f05886a40ea8945fa23705b9fbf9ff9ed75e9d7dc4b52377ef9172d5209dd7969e5d

Download Submit
\Users\Admin\AppData\Local\Temp\305e4579\ACyijoXGXU29wDD.exe

Filesize
766KB

MD5
eb843f08b06cc5bb0e8bbe9f8aaa0ba6

SHA1
0813518ec2daeb0a49d7ee2c9482150cc0eb1136

SHA256
1d94c27748e7d0dc5ffd03ae99acd9c30aaa8a6e91a66beab420650f9d6e4977

SHA512
48e3ec76eeb7a54d7ae467317d03ad5f073249e38cb8be1f08a65d31c8c4fb687d8315d6093074c074fb16c782ca57f9d0ec53464d91c0998d85f54fe58324c4

Download Submit
memory/1032-54-0x0000000075B71000-0x0000000075B73000-memory.dmp

Filesize
8KB

Download
memory/1536-64-0x0000000000000000-mapping.dmp

Download
memory/1728-68-0x0000000000000000-mapping.dmp

Download
memory/1728-69-0x000007FEFBEB1000-0x000007FEFBEB3000-memory.dmp

Filesize
8KB

Download
memory/1996-56-0x0000000000000000-mapping.dmp

Download