Malware Analysis Report

2025-08-05 20:07

Sample ID: 240611-qtg28sydmb
Target: 232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a
SHA256: 232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a
Tags: persistence
Score: 7/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK
  - Enterprise Matrix V15
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files
- Analysis: behavioral2
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

Score: 7/10

SHA256: 232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a

Threat Level: Shows suspicious behavior

The file 232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a was found to show suspicious behavior.

Malicious Activity Summary

persistence

Executes dropped EXE

Loads dropped DLL

Modifies system executable filetype association

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-11 13:33

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-11 13:33
Reported: 2024-06-11 13:35
Platform: win7-20240508-en
Max time kernel: 149s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

Tag: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718112783" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718112783" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A
(the row above is repeated 14 times in the report, one per signature hit)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

Process: C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe"

Process: C:\Windows\system\rundll32.exe
Command line: C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.zigui.org | udp

Files

memory/2028-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 157fc363e164ef2ec062558defe0e30e
SHA1 4db1696c329b70f3a3057c7b1fad89dcfc60bcff
SHA256 e54037f2d2f05a12a2ee2bc5fd913bb3f92d4533958cd617d76a3dc47bf754a7
SHA512 34ee193e16b8f95c805a7f447d483abdf0eb1e1f97c2a8978d107bd7d8e47a9f655a46564f390f72c9550463e60ecd2ec509e2c97b91892425ca4cfb6f4c5e57

\Windows\system\rundll32.exe

MD5 78253eda55f949a76113cad10f540c41
SHA1 64b658a4d3a460ae2636649fd80e181c859c0e2e
SHA256 02f7b4467bd0b42fb508abee7088b1d6f3b70ae9c68e961c6bb71987edeca0af
SHA512 463dcf50bfa7676417d7d15c9b742fc2e3606625da1e2fcbaae871f8fdb3b720a8fd388b2e3a655ce8032a05af310261dfb41274e7a49f7554b5ae6083aa66d1

memory/2028-15-0x00000000003E0000-0x00000000003F6000-memory.dmp

memory/2028-17-0x00000000003E0000-0x00000000003F6000-memory.dmp

memory/2780-20-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/2028-21-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/2028-22-0x00000000003E0000-0x00000000003E2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-11 13:33
Reported: 2024-06-11 13:35
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

Tag: persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718112784" | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718112784" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe | N/A
(the row above is repeated 28 times in the report, one per signature hit)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

Process: C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\232c082c75a639812e2f9026917fe80e3536964ddd23c78ce894e2a6607e5b7a.exe"

Process: C:\Windows\system\rundll32.exe
Command line: C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.zigui.org | udp

Files

memory/4492-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 1956c85ec17b9fd1054149f1e2637afe
SHA1 8ceb9f856fc7c4a32badd302ab95c7e63738d721
SHA256 bbc30378845aea7da9881c686b93e4ea9d17931dffd65a8a1cafe92a6ab89d59
SHA512 de1539fe181085ede7ea20f772cb83f4f07b305e913ffd151b0d1ec1669a0ee39939f3bdb78c291756cca27d536de341cb251570788464dc499e175dcebd270e

C:\Windows\System\rundll32.exe

MD5 99f96077981c7aaecd09da0ca9e8d2d1
SHA1 93d2cfff9f7cb4248e4e6aea43a3ad0660f9ef32
SHA256 8c8b4266744b5cd5943734dd681010275a63a1ce4b3234f1d46d342dacd58135
SHA512 cfd093e8d33a9339652d3dfb59a298bfd89f65932a117efbbc547296b63c8ea704ebbafb7928e9308e0eb314477050b2ca22bc908c481ce661c33d3d3d22c177

memory/4492-13-0x0000000000400000-0x0000000000415A00-memory.dmp