Malware Analysis Report

2025-03-15 05:52

Sample ID 240627-1bw4jsvajj
Target b98360a30f4557891c833e51acc655e83ea462c9479ff8410ff66093d4a6a3f3
SHA256 b98360a30f4557891c833e51acc655e83ea462c9479ff8410ff66093d4a6a3f3
Tags
vmprotect
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

b98360a30f4557891c833e51acc655e83ea462c9479ff8410ff66093d4a6a3f3

Threat Level: Shows suspicious behavior

The file b98360a30f4557891c833e51acc655e83ea462c9479ff8410ff66093d4a6a3f3 was classified as: Shows suspicious behavior.

Malicious Activity Summary

vmprotect

VMProtect packed file

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-27 21:29

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-27 21:29

Reported

2024-06-27 21:31

Platform

win7-20240508-en

Max time kernel

120s

Max time network

122s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b98360a30f4557891c833e51acc655e83ea462c9479ff8410ff66093d4a6a3f3.dll

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D62CB474-F708-4038-A789-E7E4961062B5}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2141090C-41C1-49F2-89F5-9080BABC3D37}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DEF93216-9AF7-449C-9799-6D61B482B83A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b98360a30f4557891c833e51acc655e83ea462c9479ff8410ff66093d4a6a3f3.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E19D44E6-3823-496F-8910-5A1FD13CC3CC}\ = "Gcystk.MKwaste" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF401D34-408E-412F-8DD9-21EFD29128EA}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b98360a30f4557891c833e51acc655e83ea462c9479ff8410ff66093d4a6a3f3.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99DBE9B8-B956-4619-B6B9-CF510110BA50}\VERSION\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75181003-A35F-44DE-8C73-D4045FE3E2F3}\ = "Gcystk.MKbq" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F2945D07-8275-40CF-A3E5-6AD470C2030F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b98360a30f4557891c833e51acc655e83ea462c9479ff8410ff66093d4a6a3f3.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F90EAE82-1DF9-44E0-BAC5-681DCA837182} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E7A121C8-A441-4453-B95F-9164B0CB4A06}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E401CA78-981F-4D7C-AB4F-F3DC8DE8192A}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F2945D07-8275-40CF-A3E5-6AD470C2030F}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Gcystk.MKxwgm\Clsid\ = "{0A5D657D-481B-49B2-9D77-9D7900252C5D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99DBE9B8-B956-4619-B6B9-CF510110BA50}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Gcystk.MKbq\ = "Gcystk.MKbq" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EE141EC-F944-4CF1-884F-37BBC1C7FF1F}\VERSION C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59F9A209-B554-459C-B9FB-3D35AFD7EEFD}\TypeLib\ = "{984E04D1-E45E-4E21-AFD1-20CFF687FE37}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E8F8F06E-B019-4E5B-9DD5-F5E9911C911C}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Gcystk.YSxwgm\ = "Gcystk.YSxwgm" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2141090C-41C1-49F2-89F5-9080BABC3D37}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8502AB19-4DC3-417D-B205-BB758535EA8A} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19F04266-D781-4384-AE6E-FA3CAF2CAE6A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b98360a30f4557891c833e51acc655e83ea462c9479ff8410ff66093d4a6a3f3.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AEA4B76E-75EF-4FBA-979F-8F3314E29C9B}\TypeLib\ = "{984E04D1-E45E-4E21-AFD1-20CFF687FE37}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{52EF0FAB-0831-40F2-8DA2-9DF5AEF4790F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F90EAE82-1DF9-44E0-BAC5-681DCA837182}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25B054A1-413D-4EE7-81F5-158A176858A4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F90EAE82-1DF9-44E0-BAC5-681DCA837182}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5044D997-C084-4462-A195-DC7DA7DCA3B9} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E19D44E6-3823-496F-8910-5A1FD13CC3CC}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Gcystk.YSttcc\Clsid\ = "{8502AB19-4DC3-417D-B205-BB758535EA8A}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8631E1B9-3A1E-458D-B1D9-A3E4920154F3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{52EF0FAB-0831-40F2-8DA2-9DF5AEF4790F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B6C34550-C74E-4B1B-8876-68A521FB9742}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5318905-0CBF-45E3-A0C4-8AF4F3FE2C4F}\TypeLib\ = "{984E04D1-E45E-4E21-AFD1-20CFF687FE37}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8502AB19-4DC3-417D-B205-BB758535EA8A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b98360a30f4557891c833e51acc655e83ea462c9479ff8410ff66093d4a6a3f3.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D136F61D-9768-4AE7-8393-B71A4FBC9014}\VERSION\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DEF93216-9AF7-449C-9799-6D61B482B83A}\ = "Gcystk.MKyxblm" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EE141EC-F944-4CF1-884F-37BBC1C7FF1F} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4A1561C0-B766-42E6-8378-20138C63CBC9}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{52EF0FAB-0831-40F2-8DA2-9DF5AEF4790F}\ = "_MKyxblm" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{52EF0FAB-0831-40F2-8DA2-9DF5AEF4790F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E8F8F06E-B019-4E5B-9DD5-F5E9911C911C}\ = "_YScsys" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Gcystk.MKdgnblm C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF401D34-408E-412F-8DD9-21EFD29128EA}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A5D657D-481B-49B2-9D77-9D7900252C5D}\VERSION C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99DBE9B8-B956-4619-B6B9-CF510110BA50}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99DBE9B8-B956-4619-B6B9-CF510110BA50}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Gcystk.MKwnym C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F90EAE82-1DF9-44E0-BAC5-681DCA837182}\TypeLib\ = "{984E04D1-E45E-4E21-AFD1-20CFF687FE37}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F941CA21-BDC6-4727-A598-9B6ECE447357}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19F04266-D781-4384-AE6E-FA3CAF2CAE6A}\VERSION C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AEA4B76E-75EF-4FBA-979F-8F3314E29C9B}\ = "MKpjmcg" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5044D997-C084-4462-A195-DC7DA7DCA3B9}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Gcystk.YSpjxt19\Clsid\ = "{F03F3421-B7FD-4235-A416-F34A9A827F2A}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Gcystk.YSTKxtDk\Clsid\ = "{D136F61D-9768-4AE7-8393-B71A4FBC9014}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{94083FB4-AD9C-4783-A810-E9AF17392420}\VERSION C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AC19810B-0EF3-4DAF-870E-1DC0569D82E7} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D62CB474-F708-4038-A789-E7E4961062B5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F90EAE82-1DF9-44E0-BAC5-681DCA837182} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19F04266-D781-4384-AE6E-FA3CAF2CAE6A}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E8F8F06E-B019-4E5B-9DD5-F5E9911C911C}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B1D26D19-7C30-4961-8BB5-B06C10E426D6}\ProxyStubClsid C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{79B83961-A315-4AC9-9E21-38746A7D4330}\ProxyStubClsid C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AEA4B76E-75EF-4FBA-979F-8F3314E29C9B} C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b98360a30f4557891c833e51acc655e83ea462c9479ff8410ff66093d4a6a3f3.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\b98360a30f4557891c833e51acc655e83ea462c9479ff8410ff66093d4a6a3f3.dll

Network

N/A

Files

memory/1056-29-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/1056-36-0x00000000111ED000-0x0000000011676000-memory.dmp

memory/1056-35-0x0000000011000000-0x0000000011D73000-memory.dmp

memory/1056-34-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1056-32-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1056-30-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1056-27-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/1056-24-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/1056-22-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/1056-19-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/1056-17-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/1056-14-0x00000000001A0000-0x00000000001A1000-memory.dmp

memory/1056-12-0x00000000001A0000-0x00000000001A1000-memory.dmp

memory/1056-9-0x0000000000190000-0x0000000000191000-memory.dmp

memory/1056-7-0x0000000000190000-0x0000000000191000-memory.dmp

memory/1056-5-0x0000000000190000-0x0000000000191000-memory.dmp

memory/1056-4-0x0000000000170000-0x0000000000171000-memory.dmp

memory/1056-2-0x0000000000170000-0x0000000000171000-memory.dmp

memory/1056-0-0x0000000000170000-0x0000000000171000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-27 21:29

Reported

2024-06-27 21:31

Platform

win10v2004-20240611-en

Max time kernel

135s

Max time network

134s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b98360a30f4557891c833e51acc655e83ea462c9479ff8410ff66093d4a6a3f3.dll

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F90EAE82-1DF9-44E0-BAC5-681DCA837182} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C786A521-77A2-4004-BC34-28E0D1F99C72}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99DBE9B8-B956-4619-B6B9-CF510110BA50}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E5318905-0CBF-45E3-A0C4-8AF4F3FE2C4F} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8631E1B9-3A1E-458D-B1D9-A3E4920154F3}\ = "_MKwnym" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F90EAE82-1DF9-44E0-BAC5-681DCA837182}\ = "_Ysdb" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F90EAE82-1DF9-44E0-BAC5-681DCA837182}\ = "_Ysdb" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E8F8F06E-B019-4E5B-9DD5-F5E9911C911C}\ProxyStubClsid C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8631E1B9-3A1E-458D-B1D9-A3E4920154F3}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{94083FB4-AD9C-4783-A810-E9AF17392420}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A1561C0-B766-42E6-8378-20138C63CBC9}\TypeLib\ = "{984E04D1-E45E-4E21-AFD1-20CFF687FE37}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59F9A209-B554-459C-B9FB-3D35AFD7EEFD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8631E1B9-3A1E-458D-B1D9-A3E4920154F3}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25B054A1-413D-4EE7-81F5-158A176858A4}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B1D26D19-7C30-4961-8BB5-B06C10E426D6}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8502AB19-4DC3-417D-B205-BB758535EA8A}\VERSION C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{94083FB4-AD9C-4783-A810-E9AF17392420}\TypeLib\ = "{984E04D1-E45E-4E21-AFD1-20CFF687FE37}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{94083FB4-AD9C-4783-A810-E9AF17392420}\VERSION\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79B83961-A315-4AC9-9E21-38746A7D4330}\ = "_MKxpjx" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C786A521-77A2-4004-BC34-28E0D1F99C72}\ProxyStubClsid C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F941CA21-BDC6-4727-A598-9B6ECE447357}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D3B5B44-649A-4309-B8AF-24D717823305}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A5D657D-481B-49B2-9D77-9D7900252C5D}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Gcystk.MKpjxt19\Clsid C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2141090C-41C1-49F2-89F5-9080BABC3D37}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E2FB26C-D525-49CD-B338-70B4A3EF2BE5} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A1561C0-B766-42E6-8378-20138C63CBC9}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b98360a30f4557891c833e51acc655e83ea462c9479ff8410ff66093d4a6a3f3.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{984E04D1-E45E-4E21-AFD1-20CFF687FE37}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E8F8F06E-B019-4E5B-9DD5-F5E9911C911C} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Gcystk.YSxwgm\Clsid C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Gcystk.MKxpjx C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D62CB474-F708-4038-A789-E7E4961062B5}\TypeLib\ = "{984E04D1-E45E-4E21-AFD1-20CFF687FE37}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5044D997-C084-4462-A195-DC7DA7DCA3B9}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{731A321A-9F08-4C06-8906-202E1CE366AE}\ = "Gcystk.YSxwgm" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03F3421-B7FD-4235-A416-F34A9A827F2A}\VERSION\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{52EF0FAB-0831-40F2-8DA2-9DF5AEF4790F}\ProxyStubClsid C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E5318905-0CBF-45E3-A0C4-8AF4F3FE2C4F}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AEA4B76E-75EF-4FBA-979F-8F3314E29C9B}\ProxyStubClsid C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59F9A209-B554-459C-B9FB-3D35AFD7EEFD}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B6C34550-C74E-4B1B-8876-68A521FB9742} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E8F8F06E-B019-4E5B-9DD5-F5E9911C911C} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10A2CBD6-6E71-46BA-8F5C-A20730A51BB3}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DEF93216-9AF7-449C-9799-6D61B482B83A} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59F9A209-B554-459C-B9FB-3D35AFD7EEFD}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10A2CBD6-6E71-46BA-8F5C-A20730A51BB3}\VERSION C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A1561C0-B766-42E6-8378-20138C63CBC9}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D136F61D-9768-4AE7-8393-B71A4FBC9014}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E2FB26C-D525-49CD-B338-70B4A3EF2BE5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D3B5B44-649A-4309-B8AF-24D717823305}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Gcystk.YSTKxt\Clsid\ = "{EF401D34-408E-412F-8DD9-21EFD29128EA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Gcystk.MKwgm\Clsid C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59F9A209-B554-459C-B9FB-3D35AFD7EEFD}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AFC6B696-5DD9-40A4-9EEA-E3F60A32E4FA}\ProxyStubClsid C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{984E04D1-E45E-4E21-AFD1-20CFF687FE37}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D62CB474-F708-4038-A789-E7E4961062B5}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F941CA21-BDC6-4727-A598-9B6ECE447357}\ = "_YSpjxt19" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Gcystk.MKwaste\Clsid\ = "{E19D44E6-3823-496F-8910-5A1FD13CC3CC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF401D34-408E-412F-8DD9-21EFD29128EA}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF401D34-408E-412F-8DD9-21EFD29128EA}\VERSION\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E66D572C-F033-419F-9237-B9BE14F7C25D}\ProgID\ = "Gcystk.MKpjxt19" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E2FB26C-D525-49CD-B338-70B4A3EF2BE5}\ = "MKpjxt19" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AFC6B696-5DD9-40A4-9EEA-E3F60A32E4FA}\ = "_MKdgnblm" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A1561C0-B766-42E6-8378-20138C63CBC9}\VERSION C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A1561C0-B766-42E6-8378-20138C63CBC9}\VERSION\ = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1276 wrote to memory of 3972 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1276 wrote to memory of 3972 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1276 wrote to memory of 3972 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b98360a30f4557891c833e51acc655e83ea462c9479ff8410ff66093d4a6a3f3.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\b98360a30f4557891c833e51acc655e83ea462c9479ff8410ff66093d4a6a3f3.dll

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4108,i,12594301322143882025,16832588342008839449,262144 --variations-seed-version --mojo-platform-channel-handle=4028 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/3972-2-0x0000000000A20000-0x0000000000A21000-memory.dmp

memory/3972-1-0x0000000000A10000-0x0000000000A11000-memory.dmp

memory/3972-3-0x0000000000A50000-0x0000000000A51000-memory.dmp

memory/3972-7-0x0000000002240000-0x0000000002241000-memory.dmp

memory/3972-6-0x00000000111ED000-0x0000000011676000-memory.dmp

memory/3972-5-0x0000000000A80000-0x0000000000A81000-memory.dmp

memory/3972-4-0x0000000000A70000-0x0000000000A71000-memory.dmp

memory/3972-0-0x00000000008E0000-0x00000000008E1000-memory.dmp

memory/3972-10-0x0000000011000000-0x0000000011D73000-memory.dmp

memory/3972-11-0x0000000011000000-0x0000000011D73000-memory.dmp