Malware Analysis Report

2025-04-14 01:48

Sample ID 240602-2ef26sad93
Target 03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666
SHA256 03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666
Tags persistence
score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score 7/10

SHA256 03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666

Threat Level: Shows suspicious behavior

The file 03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666 was found to show suspicious behavior.

Malicious Activity Summary

persistence

Executes dropped EXE

Loads dropped DLL

Modifies system executable filetype association

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-02 22:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-02 22:29
Reported 2024-06-02 22:32
Platform win7-20240419-en
Max time kernel 149s
Max time network 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1717367374" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1717367374" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe

"C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.zigui.org | udp
HK | 103.251.237.123:80 | www.zigui.org | tcp

Files

memory/2180-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 0260efa4f1cc549467db0f624a03aa9c
SHA1 d9fab7460b37dbff8eec6cf5e9ce908f82422410
SHA256 d012bf8fa55128c5f665acb1e171545e8fbac85b8a91a2b8c630f3994eac5e76
SHA512 d607b18ee291b37331e5d00a4382f46c31175a1898740d178d1758b756d8408114ca768ea7a013ec2af5eb4785bfbf2ca01f5e1155fb359131764c78288d8831

\Windows\system\rundll32.exe

MD5 7cf67e676e377deff9cbd453497d77ff
SHA1 148fb4b60d1943d842852137a7b01fb8a72eb58b
SHA256 0790f50a5cc658f4a40139b20508bcc1dcbbcb9e12ed608d8603538ee9812ac3
SHA512 4b2e2f505b15296c3556ea90ffa4103df250d00c112511c7c0a148d806cf803d811cce60b32dcaed7933908d9ed031bb764d3470c7db54436e2f38fccd003b5c

memory/2180-18-0x0000000000260000-0x0000000000276000-memory.dmp

memory/2180-17-0x0000000000260000-0x0000000000276000-memory.dmp

memory/2180-21-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2180-20-0x0000000000400000-0x0000000000415A00-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-02 22:29
Reported 2024-06-02 22:32
Platform win10v2004-20240426-en
Max time kernel 149s
Max time network 102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1717367379" | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1717367379" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe

"C:\Users\Admin\AppData\Local\Temp\03ebbf411eecf643583d4e908cc2736bdbae7300e11b4ae8807ff3482b1f6666.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | www.zigui.org | udp
HK | 103.251.237.123:80 | www.zigui.org | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp

Files

memory/2720-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 76d34b0faf8a356668d0dbd909594cdf
SHA1 1b0463ae732fd461deae7598251403d8e4a91e9a
SHA256 65143cdf6c14f3871f0d3f4232454daa042cba66aab4a1d7f3a6d3250a15a313
SHA512 d0c4a12057d1375fde6fa47d187bc60c7b5d6f62b17bfc7fb9f449ab98d3297937b88aec966ac1a4d862c7d0f99aba47b00ee65e538ecc062b5b7fd08e417cc6

C:\Windows\System\rundll32.exe

MD5 388dd5f4b72ad505c9fca603739aa82c
SHA1 75bf92c7bb8793e6dd9821e99bcf0b152bb7ef89
SHA256 a6fe2f464ab5a693b37c56da0469eb10ec9303011afe6a51b3c478741d379f4e
SHA512 420046fd105093f6db82ee4edf7f46a5b95155d2f9135c45b5d1ed628a3e8a3a017bc5d60a776d12c1fa27fe097a3acc47540642a951c572ffde975a081eb789

memory/2720-13-0x0000000000400000-0x0000000000415A00-memory.dmp