80d48eb263fe58d5a0afaa20679c5824c9f5fdce8a6707e5c9ef3c8817011938

Analysis

Target

gdxh1.dll
Size

1.2MB
MD5

4dc5ec6b3db2a95f5ac9334210b4e9fb
SHA1

24a0e46ac825cad7d5d9a7a79d02f6d07450bcb0
SHA256

80d48eb263fe58d5a0afaa20679c5824c9f5fdce8a6707e5c9ef3c8817011938
SHA512

f0935a7873dfc7b4edd8e40bcaaad11a15b232a6bc2cbbf29505d958f0a2818d341c33586216e9f12e53c202a6a84602a37347dfd7318f89820bc8a9da175ff3

Score

1^/10

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exeexplorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

4052 regsvr32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1444 wrote to memory of 4052	1444	regsvr32.exe	regsvr32.exe
PID 1444 wrote to memory of 4052	1444	regsvr32.exe	regsvr32.exe
PID 1444 wrote to memory of 4052	1444	regsvr32.exe	regsvr32.exe
PID 4052 wrote to memory of 632	4052	regsvr32.exe	explorer.exe
PID 4052 wrote to memory of 632	4052	regsvr32.exe	explorer.exe
PID 4052 wrote to memory of 632	4052	regsvr32.exe	explorer.exe
PID 4052 wrote to memory of 632	4052	regsvr32.exe	explorer.exe
PID 4052 wrote to memory of 632	4052	regsvr32.exe	explorer.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\gdxh1.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\gdxh1.dll
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:632

memory/632-131-0x0000000000000000-mapping.dmp

Download
memory/632-132-0x0000000000520000-0x00000000005AF000-memory.dmp

Filesize
572KB

Download
memory/4052-124-0x0000000000000000-mapping.dmp

Download
memory/4052-125-0x0000000010000000-0x000000001008F000-memory.dmp

Filesize
572KB

Download