Malware Analysis Report

2025-03-15 00:32

Sample ID 240603-2egcyacc37
Target 3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96
SHA256 3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96
Tags persistence
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256 3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96

Threat Level: Shows suspicious behavior

The file 3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96 was found to show suspicious behavior.

Malicious Activity Summary

persistence

Loads dropped DLL

Executes dropped EXE

Modifies system executable filetype association

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 22:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 22:29

Reported

2024-06-03 22:32

Platform

win7-20240508-en

Max time kernel

149s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1717453779" | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1717453779" | C:\Windows\system\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe

"C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.zigui.org udp
HK 103.251.237.123:80 www.zigui.org tcp

Files

memory/1972-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 84c590dc8d5bbdbfe36ddacd052d8296
SHA1 f7dd969056e6e7eab5e93bbc6298ab39085d10d2
SHA256 792923e92fc5675a87cb2d84e6358939a84ce8d65f36620ebd1e6dca766b1e79
SHA512 f8c0b446bfa2dd936f79c114c26dd7045fbcc4450b8d42b2e396cd1257c0613fca21d79fee8e434db5a715596911d2d6c67466a09923cc6f9bdd4eeceeb1239f

memory/1972-12-0x00000000005B0000-0x00000000005C6000-memory.dmp

\Windows\system\rundll32.exe

MD5 c594ce3574557441b9504072d5f6e7de
SHA1 3cb7432f1eecd5c8d811b29aee3ad3dac329616b
SHA256 9d82977eefd0d6e70221f797ac6c2e5f512b002ec8ccc530778b184621e25d14
SHA512 d5d0df1955e79aabeb2a605677ab8a22ffad3d66f0014f92ccac374b406ac7e7853e871601fb6135da6b329ac297dd709dc53b967c9db63f75d24969c3c89519

memory/3024-19-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/1972-18-0x00000000005B0000-0x00000000005C6000-memory.dmp

memory/1972-21-0x0000000000400000-0x0000000000415A00-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 22:29

Reported

2024-06-03 22:32

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1717453779" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1717453779" | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe

"C:\Users\Admin\AppData\Local\Temp\3aa91f72d32fbf91630e82d0727ae97ac93eb73ed40a6ce519510439cd229b96.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 www.zigui.org udp
HK 103.251.237.123:80 www.zigui.org tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

memory/868-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 84c590dc8d5bbdbfe36ddacd052d8296
SHA1 f7dd969056e6e7eab5e93bbc6298ab39085d10d2
SHA256 792923e92fc5675a87cb2d84e6358939a84ce8d65f36620ebd1e6dca766b1e79
SHA512 f8c0b446bfa2dd936f79c114c26dd7045fbcc4450b8d42b2e396cd1257c0613fca21d79fee8e434db5a715596911d2d6c67466a09923cc6f9bdd4eeceeb1239f

C:\Windows\System\rundll32.exe

MD5 c594ce3574557441b9504072d5f6e7de
SHA1 3cb7432f1eecd5c8d811b29aee3ad3dac329616b
SHA256 9d82977eefd0d6e70221f797ac6c2e5f512b002ec8ccc530778b184621e25d14
SHA512 d5d0df1955e79aabeb2a605677ab8a22ffad3d66f0014f92ccac374b406ac7e7853e871601fb6135da6b329ac297dd709dc53b967c9db63f75d24969c3c89519

memory/868-13-0x0000000000400000-0x0000000000415A00-memory.dmp