Malware Analysis Report

2025-01-02 07:25

Sample ID: 240913-w3wjwa1err
Target: 09d4e85c188660146fe539322aa7b3295d05a986c66a87f28606dcd18337ff8a
SHA256: 09d4e85c188660146fe539322aa7b3295d05a986c66a87f28606dcd18337ff8a
Tags: floxif backdoor discovery persistence privilege_escalation trojan upx
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

09d4e85c188660146fe539322aa7b3295d05a986c66a87f28606dcd18337ff8a

Threat Level: Known bad

The file 09d4e85c188660146fe539322aa7b3295d05a986c66a87f28606dcd18337ff8a was found to be: Known bad.

Malicious Activity Summary

floxif backdoor discovery persistence privilege_escalation trojan upx

Floxif, Floodfix

Detects Floxif payload

Event Triggered Execution: AppInit DLLs

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-09-13 18:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-13 18:27

Reported

2024-09-13 18:29

Platform

win10v2004-20240802-en

Max time kernel

92s

Max time network

150s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\09d4e85c188660146fe539322aa7b3295d05a986c66a87f28606dcd18337ff8a.dll

Signatures

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\symsrv.dll C:\Windows\SysWOW64\regsvr32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3050F360-98B5-11CF-BB82-00AA00BDCE0B}\NumMethods\ = "7" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3050F361-98B5-11CF-BB82-00AA00BDCE0B}\ProxyStubClsid32\ = "{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48A98A1F-5CDD-47EE-9286-DB04A3EB7CE1}\AsynchronousInterface\ = "{9D973E3B-F610-4F03-83D3-AED90C3237AC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7819A000-56F5-432F-BF43-662A11261696}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2AC06F23-3274-4224-AE7E-F897EDF15FE9}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C6BAE7E5-C740-4996-B9C9-AD4D3A6898D1}\NumMethods\ = "4" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79EAC9C5-BAF9-11CE-8C82-00AA004BA90B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3050F360-98B5-11CF-BB82-00AA00BDCE0B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1525E844-B912-4558-85CF-B1A3FE27D354}\ = "IPhishingFilterManagerCallback" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D358F4E1-0465-4965-9DD5-CAE303D2C345}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3853EAB3-ADB3-4BE8-9C96-C883B98E76AD}\ProxyStubClsid32\ = "{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9DF68E2D-7484-4851-9B87-F6DDA1B8B446}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B32FBF42-EFFB-4862-B164-6565C2EF32F4}\ProxyStubClsid32\ = "{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5357E238-FB12-4ACA-A930-CAB7832B84BF}\ = "IXFeedsManager" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E289DEAB-F709-49A9-B99E-282364074571} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9DF621C3-87C2-447C-9F34-F15D5321D423}\ProxyStubClsid32\ = "{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{595611CD-13B0-47A1-9116-5B6A4F378E8B}\ = "INavigationTarget" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{850AF9D6-7309-40B5-BDB8-786C106B2153}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1AC7516E-E6BB-4A69-B63F-E841904DC5A6}\NumMethods\ = "10" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{85DA4432-40BA-4221-8CA0-730B85E615AE}\NumMethods\ = "5" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5664125F-4E10-4E90-98E4-E4513D955A14}\ProxyStubClsid32\ = "{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{92549FB6-2504-4018-83C5-0A950DF000F2} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0E4E1084-4290-4E24-BB44-31F0B9F9F9C4}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E9B00E4-9846-11D1-A1EE-00C04FC2FBE1}\NumMethods\ = "6" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5664125F-4E10-4E90-98E4-E4513D955A14}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0199568A-F46D-4B53-99F6-F637E08314B2}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{41DC24D8-6B81-41C4-832C-FE172CB3A582}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8F1998D-9163-4F98-BF2C-3FF2C3FEF6DE}\ProxyStubClsid32\ = "{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9E89500-30FA-11D0-B724-00AA006C1A01}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1146E6DE-3122-4484-897C-D8226160BEFA}\SynchronousInterface\ = "{F31F9DC3-3F01-4399-A14C-32D7AC4A734E}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3051046C-98B5-11CF-BB82-00AA00BDCE0B}\ProxyStubClsid32\ = "{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BAA342A0-2DED-11D0-86F4-00A0C913F750}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60941754-A6CD-418B-A952-91CCDECFEF51}\NumMethods\ = "29" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9AEA8A59-E0C9-40F1-87DD-757061D56177} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD3D809A-0D91-4C71-856D-096877D72B7A}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29C3390D-B55C-482E-9E92-1E0064B5CA54} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B2C867E6-69D6-46F2-A611-DED9A4BD7FEF}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C963678-3A51-4B88-8531-98B90B6508F2}\ProxyStubClsid32\ = "{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D318FB7E-FF28-497E-A566-9DF09E6C503B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F457174-09A5-493D-A222-A2385C138A25}\ = "IUserFilter" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{305104A7-98B5-11CF-BB82-00AA00BDCE0B}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5357E238-FB12-4ACA-A930-CAB7832B84BF} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7964B769-234A-4BB1-A5F4-90454C8AD07E}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{663FEA43-FBEF-4859-94F5-D3FAA238D3BD}\ = "INavigationBand" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A88E90A6-DD82-437A-B89C-DC2977EB7BA9} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE528E77-3716-4EB7-956D-F5E37502E12A} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9706DA66-D17C-48A5-B42D-39963D174DC0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9706DA66-D17C-48A5-B42D-39963D174DC0}\ = "ITabWindowManager" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A73A59C5-2C26-4501-83D9-4EAD966CF20D}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3E322340-E4A8-4292-9D52-24E5B7B08253}\ = "ILCIEThreadRef" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58562769-ED52-42F7-8403-4963514E1F11}\ = "IActiveScriptStringCompare" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D5F78C80-5252-11CF-90FA-00AA0042106E}\NumMethods\ = "17" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B32FBF42-EFFB-4862-B164-6565C2EF32F4}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A57684A-3480-4D0B-920A-C21912455D94}\ProxyStubClsid32\ = "{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9706DA66-D17C-48A5-B42D-39963D174DC0}\NumMethods\ = "31" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1630852E-1263-465B-98E5-FE60FFEC4AC2}\ = "IXFeedEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{67431840-C511-11CF-89A9-00A0C9054129}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F457174-09A5-493D-A222-A2385C138A25}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9DF68E2D-7484-4851-9B87-F6DDA1B8B446}\ProxyStubClsid32\ = "{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1630852E-1263-465B-98E5-FE60FFEC4AC2}\NumMethods\ = "11" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{891FCAAB-1FB2-44A5-BB4B-0D764DFE88CC}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{86D52E11-94A8-11D0-82AF-00C04FD5AE38}\ = "ITargetFrame2" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A71A0808-0F88-11D1-BA19-00C04FD912D0}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1752 wrote to memory of 4556 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1752 wrote to memory of 4556 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1752 wrote to memory of 4556 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\09d4e85c188660146fe539322aa7b3295d05a986c66a87f28606dcd18337ff8a.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\09d4e85c188660146fe539322aa7b3295d05a986c66a87f28606dcd18337ff8a.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

memory/4556-4-0x0000000010000000-0x0000000010030000-memory.dmp

memory/4556-7-0x0000000010000000-0x0000000010030000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-13 18:27

Reported

2024-09-13 18:29

Platform

win7-20240903-en

Max time kernel

117s

Max time network

119s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\09d4e85c188660146fe539322aa7b3295d05a986c66a87f28606dcd18337ff8a.dll

Signatures

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\symsrv.dll C:\Windows\SysWOW64\regsvr32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86D52E11-94A8-11D0-82AF-00C04FD5AE38}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{146E5396-3B32-49AC-901E-4C4A82FEE8C5}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{739CBF5D-5AED-49F8-AD1C-540094411664}\ProxyStubClsid32\ = "{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F72C8D96-6DBD-11D1-A1E8-00C04FC2FBE1}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B722BCC8-4E68-101B-A2BC-00AA00404770}\NumMethods\ = "7" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3050F6DC-98B5-11CF-BB82-00AA00BDCE0B}\ProxyStubClsid32\ = "{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C963678-3A51-4B88-8531-98B90B6508F2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9EC704BA-E1D4-45C5-9B59-BFAE07D9F04E} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9EC704BA-E1D4-45C5-9B59-BFAE07D9F04E}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BC0EC710-A3ED-4F99-B14F-5FD59FDACEA3}\ProxyStubClsid32\ = "{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BFD074F8-3A54-4FB3-8771-277D3E2031C5}\SynchronousInterface\ = "{41DC24D8-6B81-41C4-832C-FE172CB3A582}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0E4E1084-4290-4E24-BB44-31F0B9F9F9C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{75CB4DB9-6DA0-4DA3-83CE-422B6A433346}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDEFF51C-B112-44D0-A5EB-676073FFCE9E}\ProxyStubClsid32\ = "{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3E322340-E4A8-4292-9D52-24E5B7B08253}\ = "ILCIEThreadRef" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{02000584-947B-4FB3-ABB0-11F8C782D4DA}\NumMethods\ = "11" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EDB9EF13-045C-4C0A-808E-3294C59703B4}\ProxyStubClsid32\ = "{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3A2F8555-8498-4DD5-BAB9-DBA681C5CF4E}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48A98A1F-5CDD-47EE-9286-DB04A3EB7CE1}\ = "ITravelLogRecoveryData" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D2CC27B-E2FC-4ABD-909F-D1401DA6E82F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3050F35F-98B5-11CF-BB82-00AA00BDCE0B}\NumMethods\ = "6" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{22B6D492-0F88-11D1-BA19-00C04FD912D0}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48A98A1F-5CDD-47EE-9286-DB04A3EB7CE1}\AsynchronousInterface\ = "{9D973E3B-F610-4F03-83D3-AED90C3237AC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{725E61EC-59A5-4859-B516-54C71A3929A3}\NumMethods\ = "4" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A497816A-C55D-4F05-B9E3-2E0D28E77BA2}\ProxyStubClsid32\ = "{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DD3D809A-0D91-4C71-856D-096877D72B7A}\NumMethods\ = "4" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{09653054-DC7E-4E92-BF9A-0BC578273545}\NumMethods\ = "15" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F72C8D97-6DBD-11D1-A1E8-00C04FC2FBE1}\NumMethods\ = "8" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33627A56-8C9A-4430-8FD1-B5F5C771AFB6}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0199568A-F46D-4B53-99F6-F637E08314B2} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6D5140C1-7436-11CE-8034-00AA006009FA}\NumMethods\ = "4" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C374CE57-E034-4327-AA86-6B5D71CE604F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C374A41-BAE4-11CF-BF7D-00AA006946EE}\NumMethods\ = "8" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1146E6DE-3122-4484-897C-D8226160BEFA}\SynchronousInterface C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D91B8947-F8CA-4508-A58A-2D8A49BF6111} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0ACB838F-A152-4108-AB65-06E73C92EE5F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{73C105EE-9DFF-4A07-B83C-7EFF290C266E} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A436D7D2-17C3-4EF4-A1E8-5C86FAFF26C0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9DF621C3-87C2-447C-9F34-F15D5321D423}\NumMethods\ = "12" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DD3D809A-0D91-4C71-856D-096877D72B7A}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B4BF6DA0-BFBA-4CBF-B03A-6C55FA20AF65} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54A8F188-9EBD-4795-AD16-9B4945119636}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3051046B-98B5-11CF-BB82-00AA00BDCE0B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3050F361-98B5-11CF-BB82-00AA00BDCE0B}\NumMethods\ = "4" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D0BBCCF-D991-4B95-A03D-C3F03A729FF9}\ = "IELowUtilBroker" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9DF68E2D-7484-4851-9B87-F6DDA1B8B446}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B61C454-C2A2-4685-8885-9752F9A3F28F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F6A76981-4245-4415-8A38-D2790017AD73} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{305104A7-98B5-11CF-BB82-00AA00BDCE0B}\ProxyStubClsid32\ = "{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{768B08BE-40A0-44BE-A52C-65211D3F93A8}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B722BCCB-4E68-101B-A2BC-00AA00404770}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EDB9EF13-045C-4C0A-808E-3294C59703B4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3F457174-09A5-493D-A222-A2385C138A25}\NumMethods\ = "16" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B61C454-C2A2-4685-8885-9752F9A3F28F} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{87CC5D04-EAFA-4833-9820-8F986530CC00} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{305104A9-98B5-11CF-BB82-00AA00BDCE0B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48A98A1F-5CDD-47EE-9286-DB04A3EB7CE1}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{43EFC137-1403-4E73-89FC-A49FDBFC09EC}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{893D639F-BBC7-4473-8FFE-A5D198149479} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EDD019A1-DD0D-422F-9915-66E7C244BC81}\NumMethods\ = "13" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0F2D35B3-DB34-4966-BEA6-59C7CD203862}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{595611CD-13B0-47A1-9116-5B6A4F378E8B}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{25A161E8-96FB-49F5-AF56-93B4BAE5A01B}\ProxyStubClsid32\ = "{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\ = "PSFactoryBuffer" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1872 wrote to memory of 1992 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1872 wrote to memory of 1992 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1872 wrote to memory of 1992 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1872 wrote to memory of 1992 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1872 wrote to memory of 1992 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1872 wrote to memory of 1992 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1872 wrote to memory of 1992 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\09d4e85c188660146fe539322aa7b3295d05a986c66a87f28606dcd18337ff8a.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\09d4e85c188660146fe539322aa7b3295d05a986c66a87f28606dcd18337ff8a.dll

Network

N/A

Files

\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

memory/1992-3-0x0000000010000000-0x0000000010030000-memory.dmp

memory/1992-6-0x0000000010000000-0x0000000010030000-memory.dmp