Malware Analysis Report

2025-08-11 01:03

Sample ID: 240611-nlvbgswapp
Target: 882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b
SHA256: 882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b
Tags: persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 7/10

SHA256: 882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b

Threat Level: Shows suspicious behavior

The file 882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b shows suspicious behavior, and both detonations (Windows 7 and Windows 10) record the same activity. The sample creates an executable at C:\Windows\system\rundll32.exe and runs it. Note the directory: C:\Windows\system, not System32 or SysWOW64, so this is a look-alike named after the Windows binary, not the real rundll32.exe. It also creates two files in C:\Windows\SysWOW64 whose names contain non-ASCII characters that this report renders as "¢«" and "¢¬" (¢«.exe and notepad¢¬.exe); the original bytes of those names cannot be recovered from the report.

For persistence the sample rewrites HKLM\Software\Classes\exefile\shell\open\command to "¢« \"%1\" %*" and HKLM\Software\Classes\txtfile\shell\open\command to "notepad¢¬ %1", so that opening any .exe or .txt file first runs the dropped binary, which receives the original target as its argument (ATT&CK T1546.001, Change Default File Association). The dropped binary is referenced by bare name, so which file actually runs depends on the search path of the process resolving the command. The stock exefile value, "%1" %*, is also written during the run; the report does not show event order, so the value left on the host must be checked rather than assumed.

The dropped rundll32.exe look-alike writes an infection marker under HKLM\Software\Classes\MSipv (MainVer = 506; MainSetup and MainUp = 1718105377, a Unix timestamp that decodes to 2024-06-11 11:29:37 UTC, the detonation time) and is the process that polls GetForegroundWindow. The original sample is the process that repeatedly enumerates running processes. On the network side the sample resolves www.zigui.org via 8.8.8.8 and, in the Windows 7 run, connects to 103.251.237.123:80 (HK).

Malicious Activity Summary

persistence

Executes dropped EXE

Loads dropped DLL

Modifies system executable filetype association

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 11:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (static signature only; no event rows)

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 11:29

Reported

2024-06-11 11:32

Platform

win7-20240220-en

Max time kernel

149s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

Tag: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718105377" | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718105377" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
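The registry and file rows above are the part of this report a responder actually acts on. The script below is an added worked example, not part of the sandbox report and not code from the sample: it re-parses a copy of those rows (embedded as constructed data, with the garbled non-ASCII file names kept exactly as the report renders them) and pulls out the three findings that matter: open-command values that differ from the stock Windows values for exefile and txtfile, file creations that look like system-binary masquerading, and the MSipv MainSetup/MainUp values decoded as Unix timestamps. The helper names (parse_reg_set, association_hijacks, suspicious_drops, infection_marker), the SAMPLE/DROPPER constants and the small list of system binary names are this example's own choices.

```python
"""Re-parse the behavioral1 registry and file events of this report.

Added example, not part of the sandbox report or of the sample. EVENTS is a
copy of rows from the tables above; helper and constant names are this
example's own.
"""
import re
from datetime import datetime, timezone

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe")
DROPPER = r"C:\Windows\system\rundll32.exe"   # dropped look-alike, not the real rundll32

# (description, indicator, process) rows copied from the behavioral1 tables.
EVENTS = [
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"', SAMPLE),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"', SAMPLE),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1"', SAMPLE),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"', DROPPER),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506"', DROPPER),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718105377"', DROPPER),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718105377"', DROPPER),
    ("File created", r"C:\Windows\SysWOW64\notepad¢¬.exe", SAMPLE),
    ("File created", r"C:\Windows\SysWOW64\¢«.exe", SAMPLE),
    ("File created", r"C:\Windows\system\rundll32.exe", SAMPLE),
]

# Stock (Default) open-command values on Windows 7 and 10; anything else is a hijack.
DEFAULT_OPEN_COMMANDS = {
    "exefile": '"%1" %*',
    "txtfile": r"%SystemRoot%\system32\NOTEPAD.EXE %1",
}
ASSOC_KEY = re.compile(
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(?P<progid>[^\\]+)\\shell\\open\\command$", re.I)
SYSTEM_BINARY_NAMES = {"rundll32.exe", "notepad.exe", "svchost.exe", "explorer.exe"}  # example list
REAL_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_reg_set(indicator):
    """Split a 'Set value' indicator into (key, value_name, data).

    The report writes a key's (Default) value with a trailing backslash on the
    path, so that case yields an empty value name.
    """
    path, _, quoted = indicator.partition(" = ")
    data = quoted[1:-1]                       # drop the surrounding double quotes
    if path.endswith("\\"):
        return path[:-1], "", data
    key, _, name = path.rpartition("\\")
    return key, name, data


def association_hijacks(events):
    """(progid, command, process) for each open-command (Default) write that is not stock."""
    hits = []
    for desc, indicator, process in events:
        if not desc.startswith("Set value"):
            continue
        key, name, data = parse_reg_set(indicator)
        match = ASSOC_KEY.match(key)
        if match is None or name:
            continue                          # not the (Default) value of an open command
        progid = match.group("progid").lower()
        command = data.replace('\\"', '"')    # undo the report's quote escaping
        if command.lower() != DEFAULT_OPEN_COMMANDS.get(progid, "").lower():
            hits.append((progid, command, process))
    return hits


def suspicious_drops(events):
    """(path, reason) for file creations that look like system-binary masquerading."""
    out = []
    for desc, path, _process in events:
        if desc != "File created":
            continue
        directory, _, name = path.rpartition("\\")
        in_windows = directory.lower().startswith(r"c:\windows")
        if name.lower() in SYSTEM_BINARY_NAMES and directory.lower() not in REAL_SYSTEM_DIRS:
            out.append((path, "system binary name outside System32/SysWOW64"))
        elif in_windows and any(ord(ch) > 127 for ch in name):
            out.append((path, "non-ASCII file name under C:\\Windows"))
    return out


def infection_marker(events):
    """Values written under HKLM\\Software\\Classes\\MSipv; epoch fields decoded to UTC."""
    marker = {}
    for desc, indicator, _process in events:
        if not desc.startswith("Set value"):
            continue
        key, name, data = parse_reg_set(indicator)
        if key.lower().endswith(r"\classes\msipv"):
            if name in ("MainSetup", "MainUp"):
                marker[name] = datetime.fromtimestamp(int(data), tz=timezone.utc)
            else:
                marker[name] = data
    return marker


if __name__ == "__main__":
    for progid, command, process in association_hijacks(EVENTS):
        print(f"association hijack: {progid} -> {command!r}  (written by {process})")
    for path, reason in suspicious_drops(EVENTS):
        print(f"suspicious drop:    {path}  ({reason})")
    for name, value in infection_marker(EVENTS).items():
        print(f"MSipv marker:       {name} = {value}")
```

Run against the rows above this flags three association writes (the exefile hijack and both txtfile writes; the sample's own "notepad.exe %1" is also non-stock because the real value carries the full %SystemRoot% path), the three dropped files, and a MainSetup/MainUp of 2024-06-11 11:29:37 UTC, which is the submission time of this detonation. The stock exefile write is deliberately not flagged; since the report does not give event order, the host's current value is what decides whether the hijack is still live.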

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A (14 identical hits)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe"

C:\Windows\system\rundll32.exe
    command line: C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.zigui.org | udp
HK | 103.251.237.123:80 | www.zigui.org | tcp

Files

memory/1724-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 119e2d2afad371e84a15ce4c6cbee915
SHA1 6added3df41f758dbc41f3b1604da16799a58315
SHA256 79881e5d40220dec9b02f986573a72ae930c640bb636a6e6ca2431614640f0da
SHA512 2075ea6123e94f7bc2ecb95a2507492cc0ed66d43c485aa6724d7271da45050a1130aeeaef048bb442f335342a8c19af1965b4677e9a7676f9bf364c2b51129b

\Windows\system\rundll32.exe

MD5 392b084170dd4bb9e657a915a02a07a5
SHA1 9d7aea4eb1bbdb2c21eb464f3f6f275a473be07a
SHA256 cf504e1b9849d8c1d5225846f7f4c440f6db784c9e0bfba976cfaec1a9d9ec03
SHA512 5bc1b4a3dbdbc8a70d3fcb748963679621939eb702a5ccea44d52fc4bf91d44d967d9a534b5524e9a41960ba3710cd08915d91d291f472d3d645b67c23a0135a

memory/1724-16-0x0000000000330000-0x0000000000346000-memory.dmp

memory/1724-17-0x0000000000330000-0x0000000000346000-memory.dmp

memory/2804-20-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/1724-21-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/1724-22-0x0000000000330000-0x0000000000332000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 11:29

Reported

2024-06-11 11:32

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

Tag: persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718105378" | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718105378" | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe | N/A (28 identical hits)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\882102817c55b1f884a9256061123dc0508714992326ea92f4927dd8ec0ef27b.exe"

C:\Windows\system\rundll32.exe
    command line: C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.zigui.org | udp

Files

memory/3188-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 0d63035d1b9bfecb5a5f1e5d04866899
SHA1 a8df07fcb5d7ed1c7b5f5db51ab29dd8f74e2791
SHA256 cfa436a6dd4d2db5920eb8f876a5bb7fae153f35d6675d3b694a7dec59c82e29
SHA512 3d576fdb6582e7a79e11d6f90807dbc122d9c09855c1ef56b18562121cc2fe175f8cda7775d097cf904ca56a10409ed702c42c188bd73896e51af129553f2c3b

C:\Windows\System\rundll32.exe

MD5 836c2b0bdb83e487e9ccdb072249d63f
SHA1 8a7cf1159cdfd0652933a302ae0912191773e72f
SHA256 7ddafc22d0be0bfcbc4c4c262df630117ced1c519eed1401b97a12faecc6610e
SHA512 6e1b4446f67626afa4d110abaee686dc4dcd4ebf42d9bacc9c6c3f8e8dfa49dab66be84a97d8c837e76b123570829a0a078bbf6e8531684650d91a00fad9fc72

memory/3188-13-0x0000000000400000-0x0000000000415A00-memory.dmp