Malware Analysis Report

2025-08-10 18:07

Sample ID 240507-h6nfsahe33
Target 2b480e9f489aeec3df891a1d7f60768636b4556becd27ed02dfbfb2f769f914c
SHA256 2b480e9f489aeec3df891a1d7f60768636b4556becd27ed02dfbfb2f769f914c
Tags
bootkit persistence spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

2b480e9f489aeec3df891a1d7f60768636b4556becd27ed02dfbfb2f769f914c

Threat Level: Likely malicious

The file 2b480e9f489aeec3df891a1d7f60768636b4556becd27ed02dfbfb2f769f914c was found to be: Likely malicious.

Malicious Activity Summary

bootkit persistence spyware stealer

Blocklisted process makes network request

Executes dropped EXE

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Enumerates connected drives

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Unsigned PE

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-07 07:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-07 07:21

Reported

2024-05-07 07:23

Platform

win7-20240221-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2b480e9f489aeec3df891a1d7f60768636b4556becd27ed02dfbfb2f769f914c.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ehibjdgyq.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ehibjdgyq.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\snawewuai\\nigok.dll\",Verify" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\snawewuai\nigok.dll C:\Users\Admin\AppData\Local\Temp\ehibjdgyq.exe N/A
File opened for modification \??\c:\Program Files\snawewuai C:\Users\Admin\AppData\Local\Temp\ehibjdgyq.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1904 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\2b480e9f489aeec3df891a1d7f60768636b4556becd27ed02dfbfb2f769f914c.exe C:\Windows\SysWOW64\cmd.exe
PID 1904 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\2b480e9f489aeec3df891a1d7f60768636b4556becd27ed02dfbfb2f769f914c.exe C:\Windows\SysWOW64\cmd.exe
PID 1904 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\2b480e9f489aeec3df891a1d7f60768636b4556becd27ed02dfbfb2f769f914c.exe C:\Windows\SysWOW64\cmd.exe
PID 1904 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\2b480e9f489aeec3df891a1d7f60768636b4556becd27ed02dfbfb2f769f914c.exe C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 2456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2268 wrote to memory of 2456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2268 wrote to memory of 2456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2268 wrote to memory of 2456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2268 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ehibjdgyq.exe
PID 2268 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ehibjdgyq.exe
PID 2268 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ehibjdgyq.exe
PID 2268 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ehibjdgyq.exe
PID 2492 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\ehibjdgyq.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2492 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\ehibjdgyq.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2492 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\ehibjdgyq.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2492 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\ehibjdgyq.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2492 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\ehibjdgyq.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2492 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\ehibjdgyq.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2492 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\ehibjdgyq.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2b480e9f489aeec3df891a1d7f60768636b4556becd27ed02dfbfb2f769f914c.exe

"C:\Users\Admin\AppData\Local\Temp\2b480e9f489aeec3df891a1d7f60768636b4556becd27ed02dfbfb2f769f914c.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\ehibjdgyq.exe "C:\Users\Admin\AppData\Local\Temp\2b480e9f489aeec3df891a1d7f60768636b4556becd27ed02dfbfb2f769f914c.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\ehibjdgyq.exe

C:\Users\Admin\AppData\Local\Temp\\ehibjdgyq.exe "C:\Users\Admin\AppData\Local\Temp\2b480e9f489aeec3df891a1d7f60768636b4556becd27ed02dfbfb2f769f914c.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\Program Files\snawewuai\nigok.dll",Verify C:\Users\Admin\AppData\Local\Temp\ehibjdgyq.exe

Network

Country Destination Domain Proto
US 110.34.196.36:803 tcp
US 110.34.196.36:803 tcp
US 110.34.196.34:3204 tcp
US 110.34.196.35:805 tcp
US 110.34.196.35:805 tcp
US 110.34.196.35:805 tcp
US 110.34.196.35:805 tcp
US 110.34.196.34:3204 tcp
US 110.34.196.34:3204 tcp
US 110.34.196.34:3204 tcp

Files

memory/1904-0-0x0000000000400000-0x0000000000464000-memory.dmp

memory/1904-2-0x0000000000400000-0x0000000000464000-memory.dmp

\Users\Admin\AppData\Local\Temp\ehibjdgyq.exe

MD5 3a2e823f40ebb9e474c8b8bba4f5b025
SHA1 2a3acd20c779bb52688ababad24d6be747725c54
SHA256 6f4dc99acb7fee7c7dc0ab1005af73b58a8313998e8481dfb7283e1cfd1cd520
SHA512 f1cb144af4020836823c96a8340af444590cde7a3ad9955f14f429e64b35e3ade6d9c77a82ee8116c2a50a354b47e82336b514edfcdbdfb65a159514f07535b7

memory/2268-5-0x0000000000160000-0x00000000001C4000-memory.dmp

memory/2492-8-0x0000000000400000-0x0000000000464000-memory.dmp

memory/2492-10-0x0000000000400000-0x0000000000464000-memory.dmp

\??\c:\Program Files\snawewuai\nigok.dll

MD5 d0c77923518986dfb80b667c7d09ee0f
SHA1 1d4f2e5fd15f90fb2b1da807844ff80b9319522c
SHA256 da96f8f5948798a1732503a53f075eda6c7b28d63ecfcfdb5a07ad1e3106cf59
SHA512 042ad19af2684d91586311d569b453e6bafe2020d78105d6ff77ff089593e6dbc6c4b719f467f8fce40d648a7f8a15b4bc7206513b107e2d9e94d65ef8659bcd

memory/2572-17-0x0000000010000000-0x0000000010080000-memory.dmp

memory/2572-16-0x0000000010000000-0x0000000010080000-memory.dmp

memory/2572-18-0x0000000010000000-0x0000000010080000-memory.dmp

memory/2572-19-0x0000000010000000-0x0000000010080000-memory.dmp

memory/2572-21-0x0000000010000000-0x0000000010080000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-07 07:21

Reported

2024-05-07 07:23

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2b480e9f489aeec3df891a1d7f60768636b4556becd27ed02dfbfb2f769f914c.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\moqygyyci.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\moqygyyci.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\zboiz\\mwvhdgyt.dll\",Verify" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\zboiz C:\Users\Admin\AppData\Local\Temp\moqygyyci.exe N/A
File created \??\c:\Program Files\zboiz\mwvhdgyt.dll C:\Users\Admin\AppData\Local\Temp\moqygyyci.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4316 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\2b480e9f489aeec3df891a1d7f60768636b4556becd27ed02dfbfb2f769f914c.exe C:\Windows\SysWOW64\cmd.exe
PID 4316 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\2b480e9f489aeec3df891a1d7f60768636b4556becd27ed02dfbfb2f769f914c.exe C:\Windows\SysWOW64\cmd.exe
PID 4316 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\2b480e9f489aeec3df891a1d7f60768636b4556becd27ed02dfbfb2f769f914c.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4908 wrote to memory of 844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4908 wrote to memory of 844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4908 wrote to memory of 3100 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\moqygyyci.exe
PID 4908 wrote to memory of 3100 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\moqygyyci.exe
PID 4908 wrote to memory of 3100 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\moqygyyci.exe
PID 3100 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\moqygyyci.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 3100 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\moqygyyci.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 3100 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\moqygyyci.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2b480e9f489aeec3df891a1d7f60768636b4556becd27ed02dfbfb2f769f914c.exe

"C:\Users\Admin\AppData\Local\Temp\2b480e9f489aeec3df891a1d7f60768636b4556becd27ed02dfbfb2f769f914c.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\moqygyyci.exe "C:\Users\Admin\AppData\Local\Temp\2b480e9f489aeec3df891a1d7f60768636b4556becd27ed02dfbfb2f769f914c.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\moqygyyci.exe

C:\Users\Admin\AppData\Local\Temp\\moqygyyci.exe "C:\Users\Admin\AppData\Local\Temp\2b480e9f489aeec3df891a1d7f60768636b4556becd27ed02dfbfb2f769f914c.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\Program Files\zboiz\mwvhdgyt.dll",Verify C:\Users\Admin\AppData\Local\Temp\moqygyyci.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
GB 23.73.138.82:443 www.bing.com tcp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 82.138.73.23.in-addr.arpa udp
US 110.34.196.36:803 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 110.34.196.34:3204 tcp
US 110.34.196.35:805 tcp
US 110.34.196.35:805 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 110.34.196.35:805 tcp
US 110.34.196.34:3204 tcp
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 110.34.196.34:3204 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 110.34.196.34:3204 tcp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp

Files

memory/4316-0-0x0000000000400000-0x0000000000464000-memory.dmp

memory/4316-2-0x0000000000400000-0x0000000000464000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\moqygyyci.exe

MD5 3aee152438bb12fa784ed99f222d32da
SHA1 ade3b65e4d9cf60427732bd45d928e0719398340
SHA256 b390292351a9c3566c9ea32caf8829a76ac79ffdd8551031ee145fa87baa7a9e
SHA512 0a963b70e7b931a6c8dda6f616a4aca200e6bfdbaa68b7316a87bb096d9ec4b6f998254a48b690434cf83f6c24c88cea26dc75bda8c93d358115290d217b922b

memory/3100-7-0x0000000000400000-0x0000000000464000-memory.dmp

\??\c:\Program Files\zboiz\mwvhdgyt.dll

MD5 4a833b0837f728cd135ea90603254748
SHA1 db306ba10b342b3267e7c2f72e5b8877dfafc8be
SHA256 86d9b0e04c1ab6030a1aa3a724bd324bf8a581873d5c815c88f246e1df0fcd4a
SHA512 aaf31fd37eb50f35c154ce72696dadea71cec2b77f12e4f6e3f9d2e40e60fbd1798299be333af2bb763c62a8145f9ae81a232843bb132d58a676c57941dac34c

memory/460-10-0x0000000010000000-0x0000000010080000-memory.dmp

memory/460-11-0x0000000010000000-0x0000000010080000-memory.dmp

memory/460-13-0x0000000010000000-0x0000000010080000-memory.dmp