Malware Analysis Report

2025-04-14 04:16

Sample ID 240609-je7wsaff8s
Target d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea
SHA256 d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea
Tags persistence
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256

d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea

Threat Level: Shows suspicious behavior

The file d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea was found to show suspicious behavior.

Malicious Activity Summary

persistence

Executes dropped EXE

Loads dropped DLL

Modifies system executable filetype association

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-09 07:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 07:36

Reported

2024-06-09 07:38

Platform

win7-20240508-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
File created C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
File created C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
File created C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1717918576" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1717918576" C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe

"C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.zigui.org udp
HK 103.251.237.123:80 www.zigui.org tcp

Files

memory/2860-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 40205530f5d04c2c28c4c584c3e8ab33
SHA1 a5e0afb7999e949c8d1a7a0b19ba098d8e673c9b
SHA256 6fa3a66617cfb991879a05ae28dda18d85e1ffa66f9001c717d0ced07cafc423
SHA512 4df4c91aaaf10a7e58409ddf8eae2218a6e4317620925486757f3c1ee71375f6b1f2447b9a37135b1f9e5b0f05e8552f10474ee194c70489050c8db964b213c9

memory/2860-12-0x00000000001F0000-0x0000000000206000-memory.dmp

\Windows\system\rundll32.exe

MD5 d04645b85c49687fa3569593dc270960
SHA1 40be28d9bc52cb10ece5aade156e7c6528554201
SHA256 5b6a0ac5dd29170c02f518f266fe34b339caa39641d2d1040ee94581a29279f2
SHA512 0c3323c6c7c0bf47187ea035b7cfddd75cbecf5a9d785c48bf234f65a700d9439b7fc5124a6899b173a987c54a8424f4341f6f45ca9118de43d81fae46bc4139

memory/2152-19-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/2860-18-0x00000000001F0000-0x0000000000206000-memory.dmp

memory/2860-21-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/2860-22-0x00000000001F0000-0x00000000001F2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-09 07:36

Reported

2024-06-09 07:38

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
File created C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
File created C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
File created C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1717918578" C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1717918578" C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Windows\system\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe

"C:\Users\Admin\AppData\Local\Temp\d2ef4d3c6d92b82e4defffcc8cc26d9faae5275672dcc38bbef80e302f09afea.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 www.zigui.org udp
HK 103.251.237.123:80 www.zigui.org tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/1800-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 d104d9fe05fb73207401cfe3b7711549
SHA1 eb326e8b281b4fcffd055a7450ef166b77c7ac28
SHA256 4894ad648926063c8bedeea930fec8cb3b1228c6ec545f2e59e9f30d1dfd4e4e
SHA512 b38116003ffcd94834cdb7d8d130cf0c0354fb4aef31f21759dd5d65324a9da7a75632ad2020aa609c872f3aeada15d76b9013235ec7befbc3c7b539e9cf9100

C:\Windows\System\rundll32.exe

MD5 c531b260c3f9e5205f79c2078b67e27b
SHA1 53fce97c0069c388862359fcdd4b68121beb055d
SHA256 75f96264f8e125984cef198a21dd040ddf00b37e4bbf91c3943ce6de604786b1
SHA512 f2f52374eeea3b267e20670d5ede6b13511f81ef96ad73700d32bad6d4d087fbc79478be5a63050a593151d2625405ecc2657cf6ac45ee8564021a7e4c17bb11

memory/1800-13-0x0000000000400000-0x0000000000415A00-memory.dmp