Malware Analysis Report

2025-03-15 00:30

Sample ID: 240603-2frkasbd8y
Target: de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12
SHA256: de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12
Tags: persistence
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12

Threat Level: Shows suspicious behavior

The file de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12 was classified as: Shows suspicious behavior.

Malicious Activity Summary

persistence

Executes dropped EXE

Loads dropped DLL

Modifies system executable filetype association

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-03 22:31

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-03 22:31

Reported: 2024-06-03 22:34

Platform: win7-20240508-en

Max time kernel: 149s

Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

Tags: persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1717453911" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1717453911" | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A (14 identical events)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe

"C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.zigui.org | udp
HK | 103.251.237.123:80 | www.zigui.org | tcp

Files

memory/1368-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 79c6b2c35c0b56a149ab5c94b4369a18
SHA1 2f190a2849780b321456a121ca0e1ee33d92cde0
SHA256 6182cffb416bdd2e75b86fef4d6d2b1d7ce42d857576568896fd7cf760024088
SHA512 0ff9c80665363c0e78a4624849561693e1d7bf613e082fc0bc506e51df19a7f28cc46220e6f4dacafb86f20d1e687fc33a77faf7a695fe0bd55a1cfb57f04395

\Windows\system\rundll32.exe

MD5 c8988f4b64a58c2473fcc576b96be02f
SHA1 5ba505457567634d72fafac78a1150aaa0c80d79
SHA256 ad1df3d9b5c6ec56fc2c3131ac9ad2a99f4d6bc8b170a0c5fa13b3f407871dbd
SHA512 36e8edf017a1f5cdc282020cb8d5f746baf49ac83304218457b217a626426b0a6b6059a85fdd18bff29fed8c0bcd977d1b131f8fa6d4727f4e930042bb6d0934

memory/1368-12-0x00000000002F0000-0x0000000000306000-memory.dmp

memory/1368-18-0x00000000002F0000-0x0000000000306000-memory.dmp

memory/1368-20-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/1368-21-0x00000000002F0000-0x00000000002F2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-03 22:31

Reported: 2024-06-03 22:34

Platform: win10v2004-20240226-en

Max time kernel: 151s

Max time network: 158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

Tags: persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1717453926" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1717453926" | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe | N/A (28 identical events)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe

"C:\Users\Admin\AppData\Local\Temp\de6410046fa739296870063696ba1d2cb2f8d2ca6a96a1b5978b3e9803047c12.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
GB | 142.250.187.234:443 |  | tcp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | www.zigui.org | udp
HK | 103.251.237.123:80 | www.zigui.org | tcp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 13.107.253.64:443 |  | tcp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp

Files

memory/3248-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 f0409453655da58cc78ed3cdf054b501
SHA1 a015b1aa4f99569f1708cfd2ccb4ac8a2f2c8df3
SHA256 e0b2a6c3d8981a6df2bbd8ccd2b4b367828b052aa742d436d34320c62dd48635
SHA512 7a07d8cf7c37aa00aa685b5510dfc847ea5c9b72f4cfd72624097a26ebd6781e29ac50919761d2f77168aa853c693c56301436387e61fb3fd85a2cdfad221a57

C:\Windows\System\rundll32.exe

MD5 d3bb2281dd1901326222abaf9e6a9fa3
SHA1 eb7e4c9230586793f94a5a06cba274b68c7cd971
SHA256 b0613db4bb5527b0a650c000a1197d4fcce62c48999520810d4903401fb56003
SHA512 69bc4123f86846d7a56eb051899887c318c1cb979310739784e222f00593e9a010cb9023040d6929f07da1696a0a1b2b407bb379838bbea8d6b9d8c78a5bb731

memory/3248-13-0x0000000000400000-0x0000000000415A00-memory.dmp