Malware Analysis Report

2024-12-07 11:38

Sample ID 241113-vnneaayraq
Target a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe
SHA256 a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4f
Tags: discovery persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4f

Threat Level: Shows suspicious behavior

The file a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe was found to show suspicious behavior.

Malicious Activity Summary

Tags: discovery persistence

Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
Drops file in System32 directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-13 17:08

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-13 17:08
Reported: 2024-11-13 17:10
Platform: win7-20241010-en
Max time kernel: 120s
Max time network: 19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

Tag: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A

System Location Discovery: System Language Discovery

Tag: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\system\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1731517704" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "505" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1731517704" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A
(the row above is repeated 14 times in the report)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe

"C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.zigui.org | udp
HK | 103.251.237.123:80 | www.zigui.org | tcp

Files

memory/392-0-0x0000000000400000-0x0000000000415000-memory.dmp

\Windows\system\rundll32.exe

MD5 e02d0e86a207232603172aead7387f45
SHA1 4cab36575800cd925ec2176951e83ec9b0f0f337
SHA256 e29db7b4bcbd9b8ca8d2e7fb807f19c6eab1798c480825f14e4c6e4cefe59a29
SHA512 eefbd41376b75d613af240f424773b2362c9412abd0ebb80a928c73d4f11a1754c247c0cc2793d16c0a0c557286888a0ed8f1564f90b712cd0fefd3a6d8601bc

memory/392-10-0x00000000002D0000-0x00000000002E5000-memory.dmp

memory/392-13-0x0000000000400000-0x0000000000415000-memory.dmp

memory/392-14-0x00000000002D0000-0x00000000002D6000-memory.dmp

memory/3012-15-0x0000000000400000-0x0000000000415000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-13 17:08
Reported: 2024-11-13 17:10
Platform: win10v2004-20241007-en
Max time kernel: 119s
Max time network: 95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

Tag: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A

System Location Discovery: System Language Discovery

Tag: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\system\rundll32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1731517700" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1731517700" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "505" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe | N/A
(the row above is repeated 28 times in the report)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe

"C:\Users\Admin\AppData\Local\Temp\a6c8b00f6dd7d18d28936d9a13e922f49b0e235d3757bec43438bd88e86a5a4fN.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | www.zigui.org | udp
HK | 103.251.237.123:80 | www.zigui.org | tcp
US | 8.8.8.8:53 | 123.237.251.103.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 99.208.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp

Files

memory/540-0-0x0000000000400000-0x0000000000415000-memory.dmp

C:\Windows\System\rundll32.exe

MD5 e8664173cc9c33eba109d9b84de4bb54
SHA1 dc3e3eecc8452538fb0cd1efe962d11d8ba09fde
SHA256 c329fa2185f1e1c304f3dd80aedee6c716ccf54e4e7c3dc3908c72c91fbcf5a0
SHA512 41dd45d8c0f20ed97c871d9166a59b91451058a7dff1d13703a1f897ec8dc7dcd3b366b594ecfc077da717a795776cf95a8a546bc56dacbf31f88d44b367d3b4

memory/540-7-0x0000000000400000-0x0000000000415000-memory.dmp

memory/1864-8-0x0000000000400000-0x0000000000415000-memory.dmp