Analysis Overview
SHA256
b98360a30f4557891c833e51acc655e83ea462c9479ff8410ff66093d4a6a3f3
Threat Level: Shows suspicious behavior
The file b98360a30f4557891c833e51acc655e83ea462c9479ff8410ff66093d4a6a3f3 was found to show suspicious behavior.
Malicious Activity Summary
VMProtect packed file
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-27 21:29
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-27 21:29
Reported
2024-06-27 21:31
Platform
win7-20240508-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D62CB474-F708-4038-A789-E7E4961062B5}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2141090C-41C1-49F2-89F5-9080BABC3D37}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DEF93216-9AF7-449C-9799-6D61B482B83A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b98360a30f4557891c833e51acc655e83ea462c9479ff8410ff66093d4a6a3f3.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E19D44E6-3823-496F-8910-5A1FD13CC3CC}\ = "Gcystk.MKwaste" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF401D34-408E-412F-8DD9-21EFD29128EA}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b98360a30f4557891c833e51acc655e83ea462c9479ff8410ff66093d4a6a3f3.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99DBE9B8-B956-4619-B6B9-CF510110BA50}\VERSION\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75181003-A35F-44DE-8C73-D4045FE3E2F3}\ = "Gcystk.MKbq" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F2945D07-8275-40CF-A3E5-6AD470C2030F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b98360a30f4557891c833e51acc655e83ea462c9479ff8410ff66093d4a6a3f3.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F90EAE82-1DF9-44E0-BAC5-681DCA837182} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E7A121C8-A441-4453-B95F-9164B0CB4A06}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E401CA78-981F-4D7C-AB4F-F3DC8DE8192A}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F2945D07-8275-40CF-A3E5-6AD470C2030F}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Gcystk.MKxwgm\Clsid\ = "{0A5D657D-481B-49B2-9D77-9D7900252C5D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99DBE9B8-B956-4619-B6B9-CF510110BA50}\Implemented Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Gcystk.MKbq\ = "Gcystk.MKbq" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EE141EC-F944-4CF1-884F-37BBC1C7FF1F}\VERSION | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59F9A209-B554-459C-B9FB-3D35AFD7EEFD}\TypeLib\ = "{984E04D1-E45E-4E21-AFD1-20CFF687FE37}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E8F8F06E-B019-4E5B-9DD5-F5E9911C911C}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Gcystk.YSxwgm\ = "Gcystk.YSxwgm" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2141090C-41C1-49F2-89F5-9080BABC3D37}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8502AB19-4DC3-417D-B205-BB758535EA8A} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19F04266-D781-4384-AE6E-FA3CAF2CAE6A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b98360a30f4557891c833e51acc655e83ea462c9479ff8410ff66093d4a6a3f3.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AEA4B76E-75EF-4FBA-979F-8F3314E29C9B}\TypeLib\ = "{984E04D1-E45E-4E21-AFD1-20CFF687FE37}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{52EF0FAB-0831-40F2-8DA2-9DF5AEF4790F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F90EAE82-1DF9-44E0-BAC5-681DCA837182}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25B054A1-413D-4EE7-81F5-158A176858A4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F90EAE82-1DF9-44E0-BAC5-681DCA837182}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5044D997-C084-4462-A195-DC7DA7DCA3B9} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E19D44E6-3823-496F-8910-5A1FD13CC3CC}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Gcystk.YSttcc\Clsid\ = "{8502AB19-4DC3-417D-B205-BB758535EA8A}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8631E1B9-3A1E-458D-B1D9-A3E4920154F3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{52EF0FAB-0831-40F2-8DA2-9DF5AEF4790F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B6C34550-C74E-4B1B-8876-68A521FB9742}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5318905-0CBF-45E3-A0C4-8AF4F3FE2C4F}\TypeLib\ = "{984E04D1-E45E-4E21-AFD1-20CFF687FE37}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8502AB19-4DC3-417D-B205-BB758535EA8A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b98360a30f4557891c833e51acc655e83ea462c9479ff8410ff66093d4a6a3f3.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D136F61D-9768-4AE7-8393-B71A4FBC9014}\VERSION\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DEF93216-9AF7-449C-9799-6D61B482B83A}\ = "Gcystk.MKyxblm" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EE141EC-F944-4CF1-884F-37BBC1C7FF1F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4A1561C0-B766-42E6-8378-20138C63CBC9}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{52EF0FAB-0831-40F2-8DA2-9DF5AEF4790F}\ = "_MKyxblm" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{52EF0FAB-0831-40F2-8DA2-9DF5AEF4790F}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E8F8F06E-B019-4E5B-9DD5-F5E9911C911C}\ = "_YScsys" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Gcystk.MKdgnblm | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF401D34-408E-412F-8DD9-21EFD29128EA}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A5D657D-481B-49B2-9D77-9D7900252C5D}\VERSION | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99DBE9B8-B956-4619-B6B9-CF510110BA50}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99DBE9B8-B956-4619-B6B9-CF510110BA50}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Gcystk.MKwnym | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F90EAE82-1DF9-44E0-BAC5-681DCA837182}\TypeLib\ = "{984E04D1-E45E-4E21-AFD1-20CFF687FE37}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F941CA21-BDC6-4727-A598-9B6ECE447357}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19F04266-D781-4384-AE6E-FA3CAF2CAE6A}\VERSION | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AEA4B76E-75EF-4FBA-979F-8F3314E29C9B}\ = "MKpjmcg" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5044D997-C084-4462-A195-DC7DA7DCA3B9}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Gcystk.YSpjxt19\Clsid\ = "{F03F3421-B7FD-4235-A416-F34A9A827F2A}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Gcystk.YSTKxtDk\Clsid\ = "{D136F61D-9768-4AE7-8393-B71A4FBC9014}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{94083FB4-AD9C-4783-A810-E9AF17392420}\VERSION | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AC19810B-0EF3-4DAF-870E-1DC0569D82E7} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D62CB474-F708-4038-A789-E7E4961062B5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F90EAE82-1DF9-44E0-BAC5-681DCA837182} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19F04266-D781-4384-AE6E-FA3CAF2CAE6A}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E8F8F06E-B019-4E5B-9DD5-F5E9911C911C}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B1D26D19-7C30-4961-8BB5-B06C10E426D6}\ProxyStubClsid | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{79B83961-A315-4AC9-9E21-38746A7D4330}\ProxyStubClsid | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AEA4B76E-75EF-4FBA-979F-8F3314E29C9B} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 492 wrote to memory of 1056 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 492 wrote to memory of 1056 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 492 wrote to memory of 1056 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 492 wrote to memory of 1056 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 492 wrote to memory of 1056 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 492 wrote to memory of 1056 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 492 wrote to memory of 1056 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b98360a30f4557891c833e51acc655e83ea462c9479ff8410ff66093d4a6a3f3.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\b98360a30f4557891c833e51acc655e83ea462c9479ff8410ff66093d4a6a3f3.dll
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-27 21:29
Reported
2024-06-27 21:31
Platform
win10v2004-20240611-en
Max time kernel
135s
Max time network
134s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F90EAE82-1DF9-44E0-BAC5-681DCA837182} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C786A521-77A2-4004-BC34-28E0D1F99C72}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99DBE9B8-B956-4619-B6B9-CF510110BA50}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E5318905-0CBF-45E3-A0C4-8AF4F3FE2C4F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8631E1B9-3A1E-458D-B1D9-A3E4920154F3}\ = "_MKwnym" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F90EAE82-1DF9-44E0-BAC5-681DCA837182}\ = "_Ysdb" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F90EAE82-1DF9-44E0-BAC5-681DCA837182}\ = "_Ysdb" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E8F8F06E-B019-4E5B-9DD5-F5E9911C911C}\ProxyStubClsid | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8631E1B9-3A1E-458D-B1D9-A3E4920154F3}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{94083FB4-AD9C-4783-A810-E9AF17392420}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A1561C0-B766-42E6-8378-20138C63CBC9}\TypeLib\ = "{984E04D1-E45E-4E21-AFD1-20CFF687FE37}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59F9A209-B554-459C-B9FB-3D35AFD7EEFD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8631E1B9-3A1E-458D-B1D9-A3E4920154F3}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{25B054A1-413D-4EE7-81F5-158A176858A4}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B1D26D19-7C30-4961-8BB5-B06C10E426D6}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8502AB19-4DC3-417D-B205-BB758535EA8A}\VERSION | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{94083FB4-AD9C-4783-A810-E9AF17392420}\TypeLib\ = "{984E04D1-E45E-4E21-AFD1-20CFF687FE37}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{94083FB4-AD9C-4783-A810-E9AF17392420}\VERSION\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79B83961-A315-4AC9-9E21-38746A7D4330}\ = "_MKxpjx" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C786A521-77A2-4004-BC34-28E0D1F99C72}\ProxyStubClsid | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F941CA21-BDC6-4727-A598-9B6ECE447357}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D3B5B44-649A-4309-B8AF-24D717823305}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A5D657D-481B-49B2-9D77-9D7900252C5D}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Gcystk.MKpjxt19\Clsid | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2141090C-41C1-49F2-89F5-9080BABC3D37}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E2FB26C-D525-49CD-B338-70B4A3EF2BE5} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A1561C0-B766-42E6-8378-20138C63CBC9}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b98360a30f4557891c833e51acc655e83ea462c9479ff8410ff66093d4a6a3f3.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{984E04D1-E45E-4E21-AFD1-20CFF687FE37}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E8F8F06E-B019-4E5B-9DD5-F5E9911C911C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Gcystk.YSxwgm\Clsid | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Gcystk.MKxpjx | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D62CB474-F708-4038-A789-E7E4961062B5}\TypeLib\ = "{984E04D1-E45E-4E21-AFD1-20CFF687FE37}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5044D997-C084-4462-A195-DC7DA7DCA3B9}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{731A321A-9F08-4C06-8906-202E1CE366AE}\ = "Gcystk.YSxwgm" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03F3421-B7FD-4235-A416-F34A9A827F2A}\VERSION\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{52EF0FAB-0831-40F2-8DA2-9DF5AEF4790F}\ProxyStubClsid | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E5318905-0CBF-45E3-A0C4-8AF4F3FE2C4F}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AEA4B76E-75EF-4FBA-979F-8F3314E29C9B}\ProxyStubClsid | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59F9A209-B554-459C-B9FB-3D35AFD7EEFD}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B6C34550-C74E-4B1B-8876-68A521FB9742} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E8F8F06E-B019-4E5B-9DD5-F5E9911C911C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10A2CBD6-6E71-46BA-8F5C-A20730A51BB3}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DEF93216-9AF7-449C-9799-6D61B482B83A} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59F9A209-B554-459C-B9FB-3D35AFD7EEFD}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10A2CBD6-6E71-46BA-8F5C-A20730A51BB3}\VERSION | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A1561C0-B766-42E6-8378-20138C63CBC9}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D136F61D-9768-4AE7-8393-B71A4FBC9014}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E2FB26C-D525-49CD-B338-70B4A3EF2BE5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D3B5B44-649A-4309-B8AF-24D717823305}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Gcystk.YSTKxt\Clsid\ = "{EF401D34-408E-412F-8DD9-21EFD29128EA}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Gcystk.MKwgm\Clsid | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59F9A209-B554-459C-B9FB-3D35AFD7EEFD}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AFC6B696-5DD9-40A4-9EEA-E3F60A32E4FA}\ProxyStubClsid | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{984E04D1-E45E-4E21-AFD1-20CFF687FE37}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D62CB474-F708-4038-A789-E7E4961062B5}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F941CA21-BDC6-4727-A598-9B6ECE447357}\ = "_YSpjxt19" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Gcystk.MKwaste\Clsid\ = "{E19D44E6-3823-496F-8910-5A1FD13CC3CC}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF401D34-408E-412F-8DD9-21EFD29128EA}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF401D34-408E-412F-8DD9-21EFD29128EA}\VERSION\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E66D572C-F033-419F-9237-B9BE14F7C25D}\ProgID\ = "Gcystk.MKpjxt19" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E2FB26C-D525-49CD-B338-70B4A3EF2BE5}\ = "MKpjxt19" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AFC6B696-5DD9-40A4-9EEA-E3F60A32E4FA}\ = "_MKdgnblm" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A1561C0-B766-42E6-8378-20138C63CBC9}\VERSION | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A1561C0-B766-42E6-8378-20138C63CBC9}\VERSION\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1276 wrote to memory of 3972 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1276 wrote to memory of 3972 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1276 wrote to memory of 3972 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b98360a30f4557891c833e51acc655e83ea462c9479ff8410ff66093d4a6a3f3.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\b98360a30f4557891c833e51acc655e83ea462c9479ff8410ff66093d4a6a3f3.dll
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4108,i,12594301322143882025,16832588342008839449,262144 --variations-seed-version --mojo-platform-channel-handle=4028 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files