Malware Analysis Report

2025-03-14 22:10

Sample ID: 240613-fbxd4avbqb
Target: b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b
SHA256: b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b
Tags: persistence
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b

Threat Level: Shows suspicious behavior

The file b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b shows suspicious behavior.

Malicious Activity Summary

persistence

Executes dropped EXE

Modifies system executable filetype association

Loads dropped DLL

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-13 04:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 04:42

Reported: 2024-06-13 04:45

Platform: win10v2004-20240508-en

Max time kernel: 149s

Max time network: 51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A
File created C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A
File opened for modification C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A
File created C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A
File created C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718253752" C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718253752" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Windows\system\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A
(the above row is reported 28 times, identically)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe

"C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.zigui.org udp

Files

memory/4456-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 ae131d80317e290ed4f215c1b1479e22
SHA1 6655410815e9a4eb1a8fa59582626ad955f37675
SHA256 91bbd0ff2491f9d65d15ba1d1c06fa9075623e937696e357ce1a70608930c214
SHA512 1abfe1f19434abdd0d90ad7449768d1e0e788cff701cd7979c1ba4a2bda49ee23aef03641566752a55e4fbae385438993ca1d58a42f1f02bf5a5ef7c002e3d4d

C:\Windows\System\rundll32.exe

MD5 7e618fe5243fcb4867f91ea1867a7d70
SHA1 20097fa73682efbbd1da68ec6d4b01cbbffb2c86
SHA256 478d599bdb3f4d06d7cedc4feaa86b14443426635c05c0143faa1217924dc5cc
SHA512 fbc406ed2d5a4f8685334fc4f11dfa91813a2517c7d052a263b50e45b3e8eed41f1917e619807072915ec9cc707a680d074f99370a46e5cf0d7040cbfa1c65cd

memory/4456-13-0x0000000000400000-0x0000000000415A00-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 04:42

Reported: 2024-06-13 04:45

Platform: win7-20240611-en

Max time kernel: 149s

Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A
File created C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A
File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A
File created C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A
File created C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718253756" C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718253756" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe N/A
(the above row is reported 14 times, identically)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe

"C:\Users\Admin\AppData\Local\Temp\b14518774148a69aa9da2c76e1fb790ddfff1ac550dd272839c19a4ec6c2288b.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.zigui.org udp
HK 103.251.237.123:80 www.zigui.org tcp

Files

C:\Windows\system\rundll32.exe

MD5 4ea491b31b9860278d37e47fa785fa35
SHA1 af8ab05fbf044b0b5b45c6a74663f8e156055629
SHA256 35ebd346d0263fcf5af752788fe4db9f149b55940a1ff97a3fb957079c1a4300
SHA512 2ad9e279e0da260032203b8a2fb13467948b8d1f66053162114854a384850b994a5642af24651884602e5c71828f7d17184437d762d5986283b0c687b02d3f6a

memory/3008-19-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/2140-18-0x0000000000260000-0x0000000000276000-memory.dmp

memory/2140-12-0x0000000000260000-0x0000000000276000-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 32bc94676d71a8e525fefb1c8133fae4
SHA1 eefe95bd6ab5766307ee373f7b56b2804a9ee5cf
SHA256 e37abdd59f3f210bbb76607b6bedb9840066026475d2ea0bacdb54e7da994e4c
SHA512 8350b35e44911b8fde488bf71e40d5edf0e5b6de816ae32f6074df686e69ef36c25cc57b05eccb5d78c35bd842492b1632ad7ca598ff68500e444a3da12d70ec

memory/2140-0-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/2140-22-0x0000000000260000-0x0000000000262000-memory.dmp

memory/2140-21-0x0000000000400000-0x0000000000415A00-memory.dmp