Analysis
max time kernel: 152s
max time network: 157s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 07/11/2022, 16:11
Static task: static1
Behavioral task: behavioral1
  Sample: 49b030839d846cda6d04cbaa982a5a17f062c2f041f5a74f3b7a38d7c33dfaec.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 49b030839d846cda6d04cbaa982a5a17f062c2f041f5a74f3b7a38d7c33dfaec.exe
  Resource: win10v2004-20220901-en
General
Target: 49b030839d846cda6d04cbaa982a5a17f062c2f041f5a74f3b7a38d7c33dfaec.exe
Size: 203KB
MD5: 0ebbf3f5d0d9819fd918db884f1ff000
SHA1: 952c0058d5b2ebc2be654b5b5657dad5ecc73ae4
SHA256: 49b030839d846cda6d04cbaa982a5a17f062c2f041f5a74f3b7a38d7c33dfaec
SHA512: 6761d9e494f99483a951fd011032cf509aaa30aea65a2cd3a3ccc6830a0d8214e84117f5fbe48ca17da7fd1d7b0648fb8449747cea68629ccd2bc95b81279c2c
SSDEEP: 1536:0XHQpkJ48z6MJMoy+B7Dx7/xbxSm7YBzoqH5rn+I2iURGgSvrIqGLzLqvI5GcA7P:wwpkJ4Cy+xx/xbkmqH5r+IDQ+Qfu
Malware Config
Signatures

Drops file in System32 directory (64 IoCs)
Process in every row: 49b030839d846cda6d04cbaa982a5a17f062c2f041f5a74f3b7a38d7c33dfaec.exe
description: File opened for modification
ioc:
C:\Windows\SysWOW64\kkbvikoo.dll
C:\Windows\SysWOW64\uhhrwggz.dll
C:\Windows\SysWOW64\uonqqzha.dll
C:\Windows\SysWOW64\polaqgfp.dll
C:\Windows\SysWOW64\hvcbwnpl.dll
C:\Windows\SysWOW64\lkyanqir.dll
C:\Windows\SysWOW64\dluafxsq.dll
C:\Windows\SysWOW64\zkqgzfzc.dll
C:\Windows\SysWOW64\xojllygo.dll
C:\Windows\SysWOW64\hminzxyc.dll
C:\Windows\SysWOW64\duvydltb.dll
C:\Windows\SysWOW64\waffjiyt.dll
C:\Windows\SysWOW64\yhlbsfeg.dll
C:\Windows\SysWOW64\xjfcjvjf.dll
C:\Windows\SysWOW64\lrdydqkj.dll
C:\Windows\SysWOW64\uxjctdhl.dll
C:\Windows\SysWOW64\cyscrlrr.dll
C:\Windows\SysWOW64\zzrkeofc.dll
C:\Windows\SysWOW64\prbrpojy.dll
C:\Windows\SysWOW64\yqewnvha.dll
C:\Windows\SysWOW64\ieqgjsnx.dll
C:\Windows\SysWOW64\mbinltrc.dll
C:\Windows\SysWOW64\invuarlb.dll
C:\Windows\SysWOW64\bxquuoop.dll
C:\Windows\SysWOW64\cbcfipih.dll
C:\Windows\SysWOW64\kibcbwmd.dll
C:\Windows\SysWOW64\vcfbqtig.dll
C:\Windows\SysWOW64\huwogpbr.dll
C:\Windows\SysWOW64\kdvjdlwu.dll
C:\Windows\SysWOW64\swbkzoje.dll
C:\Windows\SysWOW64\dqnplooc.dll
C:\Windows\SysWOW64\rstmimkz.dll
C:\Windows\SysWOW64\ypsmxhih.dll
C:\Windows\SysWOW64\iebaeetl.dll
C:\Windows\SysWOW64\drdqwkoq.dll
C:\Windows\SysWOW64\brdcfncp.dll
C:\Windows\SysWOW64\mdyparfa.dll
C:\Windows\SysWOW64\ssrboaqr.dll
C:\Windows\SysWOW64\opmirnpg.dll
C:\Windows\SysWOW64\oteuidhx.dll
C:\Windows\SysWOW64\skyybjzj.dll
C:\Windows\SysWOW64\mvmtxcxz.dll
C:\Windows\SysWOW64\ntqgrnjl.dll
C:\Windows\SysWOW64\wesecvdy.dll
C:\Windows\SysWOW64\fnbiavvo.dll
C:\Windows\SysWOW64\bcvgcjya.dll
C:\Windows\SysWOW64\hsszyamb.dll
C:\Windows\SysWOW64\jtzwelrb.dll
C:\Windows\SysWOW64\gordfstb.dll
C:\Windows\SysWOW64\zbiajcjp.dll
C:\Windows\SysWOW64\tzuqcerc.dll
C:\Windows\SysWOW64\wujlmoms.dll
C:\Windows\SysWOW64\ysfnlzff.dll
C:\Windows\SysWOW64\kouygbfb.dll
C:\Windows\SysWOW64\rjjnwgra.dll
C:\Windows\SysWOW64\cddxiqta.dll
C:\Windows\SysWOW64\owhmhdci.dll
C:\Windows\SysWOW64\simnzbou.dll
C:\Windows\SysWOW64\eqotciml.dll
C:\Windows\SysWOW64\qilerfjr.dll
C:\Windows\SysWOW64\nplljwwn.dll
C:\Windows\SysWOW64\zjvwpkgp.dll
C:\Windows\SysWOW64\racxusjw.dll
C:\Windows\SysWOW64\crzoaorj.dll
Drops file in Program Files directory (20 IoCs)
Process in every row: 49b030839d846cda6d04cbaa982a5a17f062c2f041f5a74f3b7a38d7c33dfaec.exe
description: File opened for modification
ioc:
C:\Program Files\Common Files\Microsoft Shared\Stationery\ikhddtea.exe
C:\Program Files\Common Files\Microsoft Shared\Stationery\jfvpxlsw.exe
C:\Program Files\Common Files\Microsoft Shared\Stationery\ocqxbljc.exe
C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\intpfxle.exe
C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\vmnrnftl.exe
C:\Program Files\Common Files\Microsoft Shared\Stationery\cnixuzsv.exe
C:\Program Files\Common Files\Microsoft Shared\Stationery\qwwtnquw.exe
C:\Program Files\Common Files\Microsoft Shared\Stationery\psljpbiu.exe
C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\lzotnhsm.exe
C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\wcbqecij.exe
C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm
Modifies registry class (64 IoCs)
Process in every row: 49b030839d846cda6d04cbaa982a5a17f062c2f041f5a74f3b7a38d7c33dfaec.exe
description / ioc:
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{972C4270-11FD-11CE-B841-00AA004CD6D8}\InprocServer32\ = "C:\\Windows\\SysWow64\\xqoohzey.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c73f6f30-97a0-4ad1-a08f-540d4e9bc7b9}\InProcServer32\ = "C:\\Windows\\SysWow64\\nwlqhoqn.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39490AAE-F9B3-6FEA-B2E9-2A3650828934}\ = "eqimywveblhhsihs"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39490AAE-F9B3-6FEA-B2E9-2A3650828934}\LocalServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\lzotnhsm.exe"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBDD1ED9-4556-F456-352F-6B405B9B6ADE}
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5512D11A-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\ = "C:\\Windows\\SysWow64\\mwtfhcwc.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7A60334F-F421-DC67-FAF8-EF1B53B3D674}\ = "agqxncbxzkbxlpbn"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A7006CC-89E6-852B-C5A1-61F8EA8080BF}\LocalServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\vmnrnftl.exe"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{338E9310-7C07-11CE-8CA9-00AA0044BB60}\InprocServer32\ = "C:\\Windows\\SysWow64\\obgdktvb.dll"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39490AAE-F9B3-6FEA-B2E9-2A3650828934}\LocalServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5512D112-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\ = "C:\\Windows\\SysWow64\\tgvbhuvt.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7053240-CE69-11CD-A777-00DD01143C57}\InprocServer32\ = "C:\\Windows\\SysWow64\\niukhfhd.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE1CC4E0-F69A-8C34-637E-41619F719524}\ = "fvfcnmbmqrotqbtr"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE1CC4E0-F69A-8C34-637E-41619F719524}\LocalServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\intpfxle.exe"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39490AAE-F9B3-6FEA-B2E9-2A3650828934}
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7A60334F-F421-DC67-FAF8-EF1B53B3D674}\LocalServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\wcbqecij.exe"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46E31370-3F7A-11CE-BED6-00AA00611080}\InprocServer32\ = "C:\\Windows\\SysWow64\\obrwuipa.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5512D110-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\ = "C:\\Windows\\SysWow64\\lrdydqkj.dll"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8A7954B-FD3F-2DCF-876A-47C83E9B5EB3}
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8F4D95DA-CCBE-3BB1-948C-85098C813B88}
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9DB36CF-A4B4-F0A5-31B4-4B293AE7B5A2}\ = "mvurrqlvqodkmaey"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AD2775D-F31C-F60D-7D3E-392176D8B3E8}\ = "wvtvhspllehygmhe"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8BD21D60-EC42-11CE-9E0D-00AA006002F3}\InprocServer32\ = "C:\\Windows\\SysWow64\\hsszyamb.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{978C9E23-D4B0-11CE-BF2D-00AA003F40D0}\InprocServer32\ = "C:\\Windows\\SysWow64\\vdurxzsu.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8BD21D10-EC42-11CE-9E0D-00AA006002F3}\InprocServer32\ = "C:\\Windows\\SysWow64\\napjjuwh.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7A9C6E0-EFF2-101A-8185-00DD01108C6B}\InprocServer32\ = "C:\\Windows\\SysWow64\\gdhpzbfc.dll"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C3FD0FC9-9F5B-BC30-5190-C17E410BF0BF}\LocalServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C3B4210-F441-11CE-B9EA-00AA006B1A69}\InprocServer32\ = "C:\\Windows\\SysWow64\\webunfdq.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5512D11C-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\ = "C:\\Windows\\SysWow64\\ntkulmcx.dll"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EE1CC4E0-F69A-8C34-637E-41619F719524}
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9DB36CF-A4B4-F0A5-31B4-4B293AE7B5A2}\LocalServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\jfvpxlsw.exe"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7A60334F-F421-DC67-FAF8-EF1B53B3D674}
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C3FD0FC9-9F5B-BC30-5190-C17E410BF0BF}
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5512D118-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\ = "C:\\Windows\\SysWow64\\uorhrvvn.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8BD21D20-EC42-11CE-9E0D-00AA006002F3}\InprocServer32\ = "C:\\Windows\\SysWow64\\tcbbyrhq.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8BD21D40-EC42-11CE-9E0D-00AA006002F3}\InprocServer32\ = "C:\\Windows\\SysWow64\\gzebpoxp.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC9F2F90-E877-11CE-9F68-00AA00574A4F}\InprocServer32\ = "C:\\Windows\\SysWow64\\sgztmuac.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EAE50EB0-4A62-11CE-BED6-00AA00611080}\InprocServer32\ = "C:\\Windows\\SysWow64\\wlhncsid.dll"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9DB36CF-A4B4-F0A5-31B4-4B293AE7B5A2}\LocalServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8A7954B-FD3F-2DCF-876A-47C83E9B5EB3}\LocalServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\ocqxbljc.exe"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AD2775D-F31C-F60D-7D3E-392176D8B3E8}\LocalServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBDD1ED9-4556-F456-352F-6B405B9B6ADE}\ = "raabyzckhbnopusk"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5728F10E-27CC-101B-A8EF-00000B65C5F8}\InprocServer32\ = "C:\\Windows\\SysWow64\\mhjayxtm.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79176FB0-B7F2-11CE-97EF-00AA006D2776}\InprocServer32\ = "C:\\Windows\\SysWow64\\ivkyxrmk.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C3FD0FC9-9F5B-BC30-5190-C17E410BF0BF}\LocalServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\qwwtnquw.exe"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AD2775D-F31C-F60D-7D3E-392176D8B3E8}
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22c6c651-f6ea-46be-bc83-54e83314c67f}\InProcServer32\ = "C:\\Windows\\SysWow64\\mzcxkupp.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5512D114-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\ = "C:\\Windows\\SysWow64\\zrjmmnyv.dll"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8F4D95DA-CCBE-3BB1-948C-85098C813B88}\LocalServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C73865E0-2A95-0FBE-6EBC-BC02BAAF8C03}\ = "hwcytiqpssatwfkf"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A7006CC-89E6-852B-C5A1-61F8EA8080BF}\ = "wpjeqhkgwvbyhkyh"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F748B5F0-15D0-11CE-BF0D-00AA0044BB60}\InprocServer32\ = "C:\\Windows\\SysWow64\\fjjqokzs.dll"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C73865E0-2A95-0FBE-6EBC-BC02BAAF8C03}\LocalServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBDD1ED9-4556-F456-352F-6B405B9B6ADE}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\49b030839d846cda6d04cbaa982a5a17f062c2f041f5a74f3b7a38d7c33dfaec.exe"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5512D124-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\ = "C:\\Windows\\SysWow64\\ncfrgllu.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8F4D95DA-CCBE-3BB1-948C-85098C813B88}\ = "kwhjrxychtpelpsi"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C3FD0FC9-9F5B-BC30-5190-C17E410BF0BF}\ = "okdzfgotfknffmbu"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8A7954B-FD3F-2DCF-876A-47C83E9B5EB3}\LocalServer32
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A7006CC-89E6-852B-C5A1-61F8EA8080BF}\LocalServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DFD181E0-5E2F-11CE-A449-00AA004A803D}\InprocServer32\ = "C:\\Windows\\SysWow64\\hvmqsaoj.dll"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C73865E0-2A95-0FBE-6EBC-BC02BAAF8C03}
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBDD1ED9-4556-F456-352F-6B405B9B6ADE}\LocalServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32\ = "C:\\Windows\\SysWow64\\xgvmfbnb.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6E182020-F460-11CE-9BCD-00AA00608E01}\InprocServer32\ = "C:\\Windows\\SysWow64\\zkqgzfzc.dll"
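The registry signature above is the part of this report worth reading closely: the sample re-points the 32-bit (Wow6432Node) InprocServer32 value of CLSIDs that already exist on the image at freshly dropped 8-letter DLLs in SysWOW64, registers new CLSIDs whose LocalServer32 points at dropped EXEs in the Stationery folder, and registers one new CLSID whose LocalServer32 is the sample itself. Any 32-bit host that later instantiates one of the re-pointed classes loads the dropped DLL. The script below is an added example and not part of the tria.ge report: it parses rows in the report's own "description ioc" format, separates new CLSID registrations (a "Key created" on the bare CLSID root) from re-pointed existing ones, and cross-checks each server path against the drop lists. The sample rows are copied from the report except the last one, which is a constructed benign row behind a made-up CLSID; DROPPED_BY_SAMPLE is a hand-picked subset of the report's two drop lists.

```python
import re
from dataclasses import dataclass, field

# Rows copied from the report's "Modifies registry class" signature (description and
# ioc columns; the process column is the sample in every row). The last row is
# constructed for contrast: a system DLL behind a made-up CLSID, with no Key created.
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8BD21D60-EC42-11CE-9E0D-00AA006002F3}\InprocServer32\ = "C:\\Windows\\SysWow64\\hsszyamb.dll"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5512D110-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\ = "C:\\Windows\\SysWow64\\lrdydqkj.dll"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8BD21D10-EC42-11CE-9E0D-00AA006002F3}\InprocServer32\ = "C:\\Windows\\SysWow64\\napjjuwh.dll"',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39490AAE-F9B3-6FEA-B2E9-2A3650828934}',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39490AAE-F9B3-6FEA-B2E9-2A3650828934}\LocalServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\lzotnhsm.exe"',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBDD1ED9-4556-F456-352F-6B405B9B6ADE}',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBDD1ED9-4556-F456-352F-6B405B9B6ADE}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\49b030839d846cda6d04cbaa982a5a17f062c2f041f5a74f3b7a38d7c33dfaec.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32\ = "C:\\Windows\\SysWow64\\ole32.dll"',  # constructed
]

# Hand-picked subset of the names under "Drops file in System32 directory" and
# "Drops file in Program Files directory" in the report.
DROPPED_BY_SAMPLE = {"hsszyamb.dll", "lrdydqkj.dll", "zkqgzfzc.dll", "lzotnhsm.exe"}

CLSID_KEY = (r'\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(?:Wow6432Node\\)?CLSID\\'
             r'\{(?P<clsid>[0-9A-Fa-f-]{36})\}')
# Only a bare CLSID root key counts as a new registration; "Key created ...\LocalServer32"
# is a subkey under a class that may already exist, hence the negative lookahead.
KEY_CREATED_RE = re.compile(r'^Key created ' + CLSID_KEY + r'(?!\\)')
SERVER_RE = re.compile(r'^Set value \(str\) ' + CLSID_KEY +
                       r'\\(?P<subkey>InprocServer32|InProcServer32|LocalServer32)\\ = "(?P<path>[^"]*)"')
# Every DLL/EXE this sample drops has an 8-letter lowercase name: a cheap but telling signal.
RANDOM_NAME_RE = re.compile(r'^[a-z]{8}\.(?:dll|exe)$')


@dataclass
class ComServer:
    clsid: str
    subkey: str                  # InprocServer32 (DLL) or LocalServer32 (EXE)
    path: str                    # unescaped to single backslashes
    new_clsid: bool = False      # True when the log also creates the CLSID root key
    reasons: list = field(default_factory=list)

    @property
    def basename(self) -> str:
        return self.path.rsplit('\\', 1)[-1]


def parse_com_servers(lines):
    """Two passes: sandbox rows are not chronological, so 'Key created' may follow the Set value."""
    created = set()
    servers = []
    for line in lines:
        m = KEY_CREATED_RE.match(line)
        if m:
            created.add(m['clsid'].upper())
            continue
        m = SERVER_RE.match(line)
        if m:
            servers.append(ComServer(m['clsid'].upper(), m['subkey'],
                                     m['path'].replace('\\\\', '\\')))
    for s in servers:
        s.new_clsid = s.clsid in created
    return servers


def assess(servers, dropped_by_sample):
    """Return the servers worth a closer look, each annotated with why."""
    dropped = {d.lower() for d in dropped_by_sample}
    findings = []
    for s in servers:
        name = s.basename.lower()
        if RANDOM_NAME_RE.match(name):
            s.reasons.append('random 8-letter server name')
        if name in dropped:
            s.reasons.append('server file was written by the sample')
        if '\\users\\' in s.path.lower():
            s.reasons.append('server lives under a user profile (writable without admin)')
        if s.reasons:
            s.reasons.append('new CLSID registered' if s.new_clsid
                             else 'existing CLSID re-pointed (COM hijack)')
            findings.append(s)
    return findings


if __name__ == '__main__':
    for s in assess(parse_com_servers(SAMPLE_LINES), DROPPED_BY_SAMPLE):
        print(f"{{{s.clsid}}} {s.subkey:<15} {s.path}")
        print("    " + "; ".join(s.reasons))
```

Two caveats when applying this to the full report. tria.ge caps each signature at 64 IoCs, so a CLSID that appears only with a Set value may still have had its "Key created" row cut from the listing; treat "existing CLSID re-pointed" as provisional until you compare against the CLSID tree of a clean win7-20220812-en image. And the drop lists are capped the same way, which is why napjjuwh.dll is flagged only on its name: it is absent from the 64 SysWOW64 rows shown, not necessarily from what the sample wrote.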
Processes
C:\Users\Admin\AppData\Local\Temp\49b030839d846cda6d04cbaa982a5a17f062c2f041f5a74f3b7a38d7c33dfaec.exe (PID 1780)
  command line: "C:\Users\Admin\AppData\Local\Temp\49b030839d846cda6d04cbaa982a5a17f062c2f041f5a74f3b7a38d7c33dfaec.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies registry class