Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 03/10/2022, 02:21

Static task
- static1

Behavioral task
- behavioral1
- Sample: 6154bafaeddaf29c99a82df22eeb25a58ed3b06d80f257ca7ec6971317341ad7.exe
- Resource: win7-20220901-en

Behavioral task
- behavioral2
- Sample: 6154bafaeddaf29c99a82df22eeb25a58ed3b06d80f257ca7ec6971317341ad7.exe
- Resource: win10v2004-20220812-en

General
- Target: 6154bafaeddaf29c99a82df22eeb25a58ed3b06d80f257ca7ec6971317341ad7.exe
- Size: 303KB
- MD5: 6eb2bc2e124b39d3414fdfdc390ae66b
- SHA1: 15ac9abb629bd2666ff009c02645ad66b62d188d
- SHA256: 6154bafaeddaf29c99a82df22eeb25a58ed3b06d80f257ca7ec6971317341ad7
- SHA512: f269167c802475057b9ed2e16c5dc44500819a92459bf6ce802d9eec67c9dfb8e7ac18ab19ebb9ea085fd98ec40baea2e26b63199dfc24470b681ce1cf8bc03c
- SSDEEP: 1536:0ZBjYiP7iDSTmwFjD53oFrjID8cpC9ieVy6dnPhDqxgbPeojwJAuiD:YNHjiWVFX53mzx4N64xgbP
Malware Config
Signatures
Drops file in System32 directory (64 IoCs)
Description: File opened for modification. Process for every entry: 6154bafaeddaf29c99a82df22eeb25a58ed3b06d80f257ca7ec6971317341ad7.exe
- C:\Windows\SysWOW64\wyptnzvm.dll
- C:\Windows\SysWOW64\qwpwntlv.dll
- C:\Windows\SysWOW64\lpflyvzg.dll
- C:\Windows\SysWOW64\qnzssxxh.dll
- C:\Windows\SysWOW64\hsfcyiql.dll
- C:\Windows\SysWOW64\cpxkmyao.dll
- C:\Windows\SysWOW64\lauhsorz.dll
- C:\Windows\SysWOW64\pueqxlgt.dll
- C:\Windows\SysWOW64\fknawrge.dll
- C:\Windows\SysWOW64\reznxeme.dll
- C:\Windows\SysWOW64\jdhomucj.dll
- C:\Windows\SysWOW64\ifwptqfd.dll
- C:\Windows\SysWOW64\plrqqmfi.dll
- C:\Windows\SysWOW64\swrawecv.dll
- C:\Windows\SysWOW64\nztbsbwt.dll
- C:\Windows\SysWOW64\xnoggaoa.dll
- C:\Windows\SysWOW64\puvtfptu.dll
- C:\Windows\SysWOW64\tskxqzfp.dll
- C:\Windows\SysWOW64\jyiztalv.dll
- C:\Windows\SysWOW64\vqsoryzo.dll
- C:\Windows\SysWOW64\imkinwdo.dll
- C:\Windows\SysWOW64\oakawokw.dll
- C:\Windows\SysWOW64\esrbayiv.dll
- C:\Windows\SysWOW64\ulxrlrst.dll
- C:\Windows\SysWOW64\ogadthai.dll
- C:\Windows\SysWOW64\ryfxlbkg.dll
- C:\Windows\SysWOW64\msozfjqp.dll
- C:\Windows\SysWOW64\hoexfdrp.dll
- C:\Windows\SysWOW64\wxybzyda.dll
- C:\Windows\SysWOW64\hqlufcyw.dll
- C:\Windows\SysWOW64\ymdckttb.dll
- C:\Windows\SysWOW64\sabcfhcs.dll
- C:\Windows\SysWOW64\xgdgdtmh.dll
- C:\Windows\SysWOW64\brgnlnfm.dll
- C:\Windows\SysWOW64\kfwchnkp.dll
- C:\Windows\SysWOW64\hqclawsb.dll
- C:\Windows\SysWOW64\bdeqexbu.dll
- C:\Windows\SysWOW64\mowtkjex.dll
- C:\Windows\SysWOW64\cvfjgkwq.dll
- C:\Windows\SysWOW64\luhacybx.dll
- C:\Windows\SysWOW64\ewimwtue.dll
- C:\Windows\SysWOW64\mietzngl.dll
- C:\Windows\SysWOW64\xuhxgsfr.dll
- C:\Windows\SysWOW64\yycfuxrz.dll
- C:\Windows\SysWOW64\xfsjmbsc.dll
- C:\Windows\SysWOW64\vcibxihy.dll
- C:\Windows\SysWOW64\igrkfpma.dll
- C:\Windows\SysWOW64\fcbquugq.dll
- C:\Windows\SysWOW64\ezymdgge.dll
- C:\Windows\SysWOW64\segsyekq.dll
- C:\Windows\SysWOW64\ebiwhjnz.dll
- C:\Windows\SysWOW64\leuyixif.dll
- C:\Windows\SysWOW64\kyklfxfj.dll
- C:\Windows\SysWOW64\vcmuowrp.dll
- C:\Windows\SysWOW64\txbpandh.dll
- C:\Windows\SysWOW64\zstywhrn.dll
- C:\Windows\SysWOW64\dikiowoy.dll
- C:\Windows\SysWOW64\haclwntv.dll
- C:\Windows\SysWOW64\uxxoqhzi.dll
- C:\Windows\SysWOW64\sstgyyjd.dll
- C:\Windows\SysWOW64\sgywymdi.dll
- C:\Windows\SysWOW64\hwguxogq.dll
- C:\Windows\SysWOW64\lwxfuhko.dll
- C:\Windows\SysWOW64\fpgjbfxv.dll
Drops file in Program Files directory (20 IoCs)
Description: File opened for modification. Process for every entry: 6154bafaeddaf29c99a82df22eeb25a58ed3b06d80f257ca7ec6971317341ad7.exe
- C:\Program Files\Common Files\Microsoft Shared\Stationery\cnixuzsv.exe
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm
- C:\Program Files\Common Files\Microsoft Shared\Stationery\lzotnhsm.exe
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm
- C:\Program Files\Common Files\Microsoft Shared\Stationery\ocqxbljc.exe
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm
- C:\Program Files\Common Files\Microsoft Shared\Stationery\ikhddtea.exe
- C:\Program Files\Common Files\Microsoft Shared\Stationery\vmnrnftl.exe
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm
- C:\Program Files\Common Files\Microsoft Shared\Stationery\qwwtnquw.exe
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm
- C:\Program Files\Common Files\Microsoft Shared\Stationery\intpfxle.exe
- C:\Program Files\Common Files\Microsoft Shared\Stationery\jfvpxlsw.exe
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm
- C:\Program Files\Common Files\Microsoft Shared\Stationery\wcbqecij.exe
- C:\Program Files\Common Files\Microsoft Shared\Stationery\psljpbiu.exe
Modifies registry class (64 IoCs)
All keys below are under \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\. Process for every entry: 6154bafaeddaf29c99a82df22eeb25a58ed3b06d80f257ca7ec6971317341ad7.exe
- Set value (str): {4C599241-6926-101B-9992-00000B65C6F9}\InprocServer32\ = "C:\\Windows\\SysWow64\\jqpfkgpa.dll"
- Set value (str): {6E182020-F460-11CE-9BCD-00AA00608E01}\InprocServer32\ = "C:\\Windows\\SysWow64\\welnqmnj.dll"
- Key created: {39490AAE-F9B3-6FEA-B2E9-2A3650828934}\LocalServer32
- Set value (str): {D8A7954B-FD3F-2DCF-876A-47C83E9B5EB3}\ = "xchoazmbrqhsrvzl"
- Key created: {D8A7954B-FD3F-2DCF-876A-47C83E9B5EB3}\LocalServer32
- Set value (str): {C3FD0FC9-9F5B-BC30-5190-C17E410BF0BF}\LocalServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\qwwtnquw.exe"
- Set value (str): {22c6c651-f6ea-46be-bc83-54e83314c67f}\InProcServer32\ = "C:\\Windows\\SysWow64\\tzimvtwy.dll"
- Key created: {0A7006CC-89E6-852B-C5A1-61F8EA8080BF}
- Key created: {8F4D95DA-CCBE-3BB1-948C-85098C813B88}
- Set value (str): {F748B5F0-15D0-11CE-BF0D-00AA0044BB60}\InprocServer32\ = "C:\\Windows\\SysWow64\\sabcfhcs.dll"
- Set value (str): {5512D11C-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\ = "C:\\Windows\\SysWow64\\bnijldaq.dll"
- Set value (str): {AC9F2F90-E877-11CE-9F68-00AA00574A4F}\InprocServer32\ = "C:\\Windows\\SysWow64\\luhacybx.dll"
- Key created: {E9DB36CF-A4B4-F0A5-31B4-4B293AE7B5A2}
- Set value (str): {39490AAE-F9B3-6FEA-B2E9-2A3650828934}\ = "emdtwflkixoyidsp"
- Set value (str): {7A60334F-F421-DC67-FAF8-EF1B53B3D674}\LocalServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\wcbqecij.exe"
- Key created: {C3FD0FC9-9F5B-BC30-5190-C17E410BF0BF}\LocalServer32
- Key created: {9AD2775D-F31C-F60D-7D3E-392176D8B3E8}\LocalServer32
- Set value (str): {5512D114-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\ = "C:\\Windows\\SysWow64\\uaofutrx.dll"
- Key created: {7A60334F-F421-DC67-FAF8-EF1B53B3D674}\LocalServer32
- Set value (str): {9AD2775D-F31C-F60D-7D3E-392176D8B3E8}\LocalServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\psljpbiu.exe"
- Key created: {E9DB36CF-A4B4-F0A5-31B4-4B293AE7B5A2}\LocalServer32
- Set value (str): {5728F10E-27CC-101B-A8EF-00000B65C5F8}\InprocServer32\ = "C:\\Windows\\SysWow64\\vnyxdgnb.dll"
- Set value (str): {8BD21D30-EC42-11CE-9E0D-00AA006002F3}\InprocServer32\ = "C:\\Windows\\SysWow64\\kggfayza.dll"
- Key created: {C73865E0-2A95-0FBE-6EBC-BC02BAAF8C03}\LocalServer32
- Set value (str): {E9DB36CF-A4B4-F0A5-31B4-4B293AE7B5A2}\LocalServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\jfvpxlsw.exe"
- Set value (str): {8F4D95DA-CCBE-3BB1-948C-85098C813B88}\LocalServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\cnixuzsv.exe"
- Key created: {9AD2775D-F31C-F60D-7D3E-392176D8B3E8}
- Set value (str): {9AD2775D-F31C-F60D-7D3E-392176D8B3E8}\ = "faaehjclaimdvymo"
- Set value (str): {E2C8D7D5-F750-95D4-65CF-5CFAA74306D2}\ = "lzqqgcpcpyxderse"
- Set value (str): {5512D124-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\ = "C:\\Windows\\SysWow64\\nakffpmn.dll"
- Set value (str): {8BD21D10-EC42-11CE-9E0D-00AA006002F3}\InprocServer32\ = "C:\\Windows\\SysWow64\\vbeewain.dll"
- Set value (str): {8BD21D40-EC42-11CE-9E0D-00AA006002F3}\InprocServer32\ = "C:\\Windows\\SysWow64\\dppjspzp.dll"
- Set value (str): {c73f6f30-97a0-4ad1-a08f-540d4e9bc7b9}\InProcServer32\ = "C:\\Windows\\SysWow64\\itanfnyq.dll"
- Set value (str): {EAE50EB0-4A62-11CE-BED6-00AA00611080}\InprocServer32\ = "C:\\Windows\\SysWow64\\sstgyyjd.dll"
- Key created: {7A60334F-F421-DC67-FAF8-EF1B53B3D674}
- Key created: {D8A7954B-FD3F-2DCF-876A-47C83E9B5EB3}
- Set value (str): {5512D118-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\ = "C:\\Windows\\SysWow64\\rwveijpl.dll"
- Set value (str): {0A7006CC-89E6-852B-C5A1-61F8EA8080BF}\ = "zzfrlzjsyzcmfkug"
- Set value (str): {46E31370-3F7A-11CE-BED6-00AA00611080}\InprocServer32\ = "C:\\Windows\\SysWow64\\jqljarpv.dll"
- Set value (str): {5512D11A-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\ = "C:\\Windows\\SysWow64\\kcxaofal.dll"
- Set value (str): {8BD21D60-EC42-11CE-9E0D-00AA006002F3}\InprocServer32\ = "C:\\Windows\\SysWow64\\xmnpqptf.dll"
- Set value (str): {D8A7954B-FD3F-2DCF-876A-47C83E9B5EB3}\LocalServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\ocqxbljc.exe"
- Set value (str): {0A7006CC-89E6-852B-C5A1-61F8EA8080BF}\LocalServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\vmnrnftl.exe"
- Set value (str): {338E9310-7C07-11CE-8CA9-00AA0044BB60}\InprocServer32\ = "C:\\Windows\\SysWow64\\vfamzebz.dll"
- Set value (str): {EE1CC4E0-F69A-8C34-637E-41619F719524}\ = "iwsnookcykdxmuql"
- Set value (str): {8BD21D20-EC42-11CE-9E0D-00AA006002F3}\InprocServer32\ = "C:\\Windows\\SysWow64\\somdzgqh.dll"
- Set value (str): {DFD181E0-5E2F-11CE-A449-00AA004A803D}\InprocServer32\ = "C:\\Windows\\SysWow64\\nztbsbwt.dll"
- Key created: {EE1CC4E0-F69A-8C34-637E-41619F719524}\LocalServer32
- Set value (str): {EE1CC4E0-F69A-8C34-637E-41619F719524}\LocalServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\intpfxle.exe"
- Key created: {39490AAE-F9B3-6FEA-B2E9-2A3650828934}
- Set value (str): {8F4D95DA-CCBE-3BB1-948C-85098C813B88}\ = "lyplrfttiqpiivfx"
- Key created: {E2C8D7D5-F750-95D4-65CF-5CFAA74306D2}
- Set value (str): {5512D11E-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\ = "C:\\Windows\\SysWow64\\feaxzllg.dll"
- Set value (str): {79176FB0-B7F2-11CE-97EF-00AA006D2776}\InprocServer32\ = "C:\\Windows\\SysWow64\\vywabxgz.dll"
- Set value (str): {978C9E23-D4B0-11CE-BF2D-00AA003F40D0}\InprocServer32\ = "C:\\Windows\\SysWow64\\bclqedog.dll"
- Set value (str): {F7A9C6E0-EFF2-101A-8185-00DD01108C6B}\InprocServer32\ = "C:\\Windows\\SysWow64\\spkxszxo.dll"
- Key created: {E2C8D7D5-F750-95D4-65CF-5CFAA74306D2}\LocalServer32
- Set value (str): {D7053240-CE69-11CD-A777-00DD01143C57}\InprocServer32\ = "C:\\Windows\\SysWow64\\mnpgjiwj.dll"
- Key created: {C3FD0FC9-9F5B-BC30-5190-C17E410BF0BF}
- Set value (str): {972C4270-11FD-11CE-B841-00AA004CD6D8}\InprocServer32\ = "C:\\Windows\\SysWow64\\zjgjshsq.dll"
- Set value (str): {C73865E0-2A95-0FBE-6EBC-BC02BAAF8C03}\LocalServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\ikhddtea.exe"
- Set value (str): {AFC20920-DA4E-11CE-B943-00AA006887B4}\InprocServer32\ = "C:\\Windows\\SysWow64\\mcgxcnmk.dll"
- Set value (str): {E9DB36CF-A4B4-F0A5-31B4-4B293AE7B5A2}\ = "vihqbrxvslmjbawb"
- Set value (str): {7A60334F-F421-DC67-FAF8-EF1B53B3D674}\ = "lpwbqkfklhdonlnj"
Processes
- C:\Users\Admin\AppData\Local\Temp\6154bafaeddaf29c99a82df22eeb25a58ed3b06d80f257ca7ec6971317341ad7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6154bafaeddaf29c99a82df22eeb25a58ed3b06d80f257ca7ec6971317341ad7.exe"
  PID: 1712
  Signatures triggered:
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies registry class