Malware Analysis Report

2025-08-11 01:03

Sample ID 240611-nlvbgsvfle
Target 9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d
SHA256 9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d
Tags: persistence
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: 9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d

Threat Level: Shows suspicious behavior

The file 9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d was classified as: Shows suspicious behavior.

Malicious Activity Summary

persistence

Executes dropped EXE

Loads dropped DLL

Modifies system executable filetype association

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-06-11 11:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-11 11:29
Reported: 2024-06-11 11:32
Platform: win7-20240419-en
Max time kernel: 149s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A
File created C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A
File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A
File created C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A
File created C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718105379" C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718105379" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Windows\system\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A (14 identical entries)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe

"C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.zigui.org udp

Files

memory/2460-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 b7609239751f129365c3c5c015b8e4fe
SHA1 d5c8e5cca37e6db1b03b2a265063c4221f7114c5
SHA256 969550724a9bdc0d268ab485c75caa8a5950a6ae529bf093a5cd0253d7c7e983
SHA512 b74f72a0e15723b29ba0b48b0d5ab47ac0507e52c1c4faa2cd5f3fb35aa2ac4549772573a9d201047496f53a71b3e4adf8bab1811a9b5d7f8798e1f23b31c45a

\Windows\system\rundll32.exe

MD5 6e3b9ceb652bc5b5fbd4680df1930463
SHA1 033d0c9a812fa532a803918d93a63c3adf68abb7
SHA256 a8f7e89a5de580df46125962f317ee8b94d6d05aa6c53a8598503cd561057567
SHA512 f46a0068ba82ddf36b082885c9d5200bb79214fa03430ce6127b06239284f35e06662bbb77cbd24ea1282670c3ee536c5180dd1bcc734479b005cbfb4dfc1992

memory/2460-12-0x00000000002F0000-0x0000000000306000-memory.dmp

memory/1296-18-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/2460-20-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/2460-21-0x00000000002F0000-0x00000000002F2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-11 11:29
Reported: 2024-06-11 11:32
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A
File created C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A
File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A
File created C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A
File created C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718105378" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718105378" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Windows\system\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe N/A (28 identical entries)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe

"C:\Users\Admin\AppData\Local\Temp\9739b22562473f0a57d1c02b8a1d766c60073f96a2031ba9f189e6de38b44b6d.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.zigui.org udp

Files

memory/3148-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 0d63035d1b9bfecb5a5f1e5d04866899
SHA1 a8df07fcb5d7ed1c7b5f5db51ab29dd8f74e2791
SHA256 cfa436a6dd4d2db5920eb8f876a5bb7fae153f35d6675d3b694a7dec59c82e29
SHA512 3d576fdb6582e7a79e11d6f90807dbc122d9c09855c1ef56b18562121cc2fe175f8cda7775d097cf904ca56a10409ed702c42c188bd73896e51af129553f2c3b

C:\Windows\System\rundll32.exe

MD5 836c2b0bdb83e487e9ccdb072249d63f
SHA1 8a7cf1159cdfd0652933a302ae0912191773e72f
SHA256 7ddafc22d0be0bfcbc4c4c262df630117ced1c519eed1401b97a12faecc6610e
SHA512 6e1b4446f67626afa4d110abaee686dc4dcd4ebf42d9bacc9c6c3f8e8dfa49dab66be84a97d8c837e76b123570829a0a078bbf6e8531684650d91a00fad9fc72

memory/3148-13-0x0000000000400000-0x0000000000415A00-memory.dmp