Malware Analysis Report

2025-03-14 22:10

Sample ID 240613-fab2rsyalr
Target 2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa
SHA256 2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa
Tags
persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa

Threat Level: Shows suspicious behavior

The file 2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa was found to show suspicious behavior.

Malicious Activity Summary

persistence

Loads dropped DLL

Executes dropped EXE

Modifies system executable filetype association

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 04:39

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 04:39

Reported

2024-06-13 04:42

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718253588" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718253588" | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe

"C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | www.zigui.org | udp
HK | 103.251.237.123:80 | www.zigui.org | tcp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

memory/3388-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 d2c0dd76e05e3ed2106089468b2d65a2
SHA1 642967312de7e370e19515651b6cb460bec6e87e
SHA256 13cd0eb0d1b9065937173ff5e79f8b5088e0690d65e60d3782a491366697d2e3
SHA512 8e9c96fe25347aa869797e0ceba8adf0d74ad34a76a24e4fb9eb23dfdfe521b130802e3b2c8ee303f365b2bce51e70ff7bd211645c0c20b79a7ceba5d0dfc69a

C:\Windows\System\rundll32.exe

MD5 9d6f89758b7d9cfe7bf6fd14827cd87d
SHA1 041046ef4960368fac0e04360294a421d7de57a9
SHA256 47f2d6cfcad2153045e46a4928df49ef41c1851ffe8df7a42b6af75cf7ee015c
SHA512 ba27f55b219cc9adf2223d8381bc2fcbbd2607eb2ace1cd17a1bb66fd6c02a12893de7657baac11c54a55e885c259b0d3ab847f79ea2ec5689d7e2a6f1150608

memory/3388-13-0x0000000000400000-0x0000000000415A00-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 04:39

Reported

2024-06-13 04:42

Platform

win7-20240611-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718253587" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718253587" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe

"C:\Users\Admin\AppData\Local\Temp\2717869ba7103005b12052eba168ede18f49b74bca58c2d7632056163aa484fa.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.zigui.org | udp
HK | 103.251.237.123:80 | www.zigui.org | tcp

Files

memory/2332-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 42d006bb4b980fadbb2f08d291a51153
SHA1 1f0de8f21e38db4d712503baed885a7136104f80
SHA256 4abd06b3ad26428e935465d1eb762b469cbc5229db4c9e0b9f343796359e2bd8
SHA512 1c00d06d9a3daf2646ceb653a3096e8e9f4a3010bf9d964f6511339f5a9e15b83d050a4ac7e1eff70f7b4e9535f37e52cc72d94b7b1a4609f400daf9fbbbd908

\Windows\system\rundll32.exe

MD5 d336b3b46924a83e5033b1692d80f33f
SHA1 faf3bc57fe1e968f86dbd597a12c0947d78ab893
SHA256 422aa9b5f2a73748dab2dad1f741b1b1e823d4881af3a58da2434899e17d4836
SHA512 cd2612eaed8654ea84fff3c339fa70c52f64d1b56ef296d6cd56d5f7682d62d4d77db987f8972a701699f9d491c6da18552933b146c77f4a7ff65ea9f56ef590

memory/2056-20-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/2332-19-0x00000000002B0000-0x00000000002C6000-memory.dmp

memory/2332-18-0x00000000002B0000-0x00000000002C6000-memory.dmp

memory/2332-21-0x0000000000400000-0x0000000000415A00-memory.dmp