Malware Analysis Report

2025-04-14 04:16

Sample ID 240609-jeb44sff6t
Target ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef
SHA256 ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef
Tags
persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef

Threat Level: Shows suspicious behavior

The file ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef was classified as showing suspicious behavior (score 7/10). Analyst summary of the two detonations (Windows 7 and Windows 10, both 64-bit guests, since the drops land in SysWOW64):

The sample drops C:\Windows\system\rundll32.exe and executes it. This is not the Windows binary: the legitimate rundll32.exe lives in System32 and SysWOW64, and C:\Windows\system is a lookalike location. The dropped process (PID 2916 on Win7) has the same in-memory image range as the sample (0x400000-0x415A00), which suggests it is a copy or variant of the sample itself; that is an inference from the memory dumps, not something the report states. Its hash differs between the two runs, so the dropped file is not byte-identical across hosts.

It also drops two executables with non-ASCII names into C:\Windows\SysWOW64, rendered in this report as ¢«.exe and notepad¢¬.exe. The rendering is most likely a character-decoding artifact of the report, so treat the exact file names as unresolved and match on the directory and the behaviour rather than on those characters. Note that the "Drops file in System32 directory" signature fires on SysWOW64 paths.

Both the sample and the dropped rundll32.exe rewrite HKLM\SOFTWARE\Classes\exefile\shell\open\command from the Windows default "%1" %* to ¢« "%1" %*, and HKLM\SOFTWARE\Classes\txtfile\shell\open\command to notepad¢¬ %1. With the exefile association hijacked, a program named ¢« is placed in front of the real target every time an executable is opened through the shell; that is the persistence the score reflects. The command carries no path, so whether it resolves to the SysWOW64 copy depends on the executable search path of the launching process.

It creates HKLM\SOFTWARE\Classes\MSipv with MainVer = 506 and MainSetup/MainUp = 1717918477 (Win7) or 1717918478 (Win10). Those values are Unix epoch seconds for 2024-06-09 07:34:37 and 07:34:38 UTC, i.e. the detonation time, so the key is an install/update marker and a usable host indicator.

Both runs resolve www.zigui.org via 8.8.8.8 and connect to 103.251.237.123:80 (HK) over TCP; the report records no request content.

Malicious Activity Summary

persistence

Executes dropped EXE

Loads dropped DLL

Modifies system executable filetype association

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses
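The registry rows in the behavioral sections can be checked mechanically. The script below is an added example, not part of the sandbox output or of the sample: it parses "Key created" / "Set value" rows in the format this report uses, flags exefile and txtfile shell\open\command values that differ from the Windows defaults, decodes the MSipv epoch values, and flags a rundll32.exe that lives outside System32/SysWOW64. The embedded rows are copied from the behavioral1 "Modifies registry class" table; the default command strings are assumptions that should be verified against a clean host of the same build.

```python
"""Triage sandbox registry rows for a shell-association hijack.

Added example for this report, not part of the sandbox or the sample. The rows
below are copied from behavioral1 (constructed input); EXPECTED_DEFAULTS are
assumed Windows defaults, verify them against a clean host of the same build.
"""
import re
from datetime import datetime, timezone

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe")
DROPPED = r"C:\Windows\system\rundll32.exe"

# Constructed input: rows copied from the report (Description Indicator Process Target).
REPORT_ROWS = "\n".join([
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" ' + SAMPLE + " N/A",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" ' + SAMPLE + " N/A",
    r'Key created \REGISTRY\MACHINE\Software\Classes\MSipv ' + DROPPED + " N/A",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" ' + DROPPED + " N/A",
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1717918477" ' + DROPPED + " N/A",
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" ' + DROPPED + " N/A",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" ' + SAMPLE + " N/A",
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1717918477" ' + DROPPED + " N/A",
])

# One report row: operation, optional value type, NT key path, optional quoted value, process, target.
ROW_RE = re.compile(
    r"^(?P<op>Key created|Set value)(?: \((?P<type>str|int)\))? "
    r"(?P<key>\\REGISTRY\\\S+)(?: = \"(?P<value>.*)\")? "
    r"(?P<process>\S+) (?P<target>\S+)$"
)

# Assumed clean-host defaults (REG_EXPAND_SZ for txtfile), compared case-insensitively.
EXPECTED_DEFAULTS = {
    "hklm\\software\\classes\\exefile\\shell\\open\\command": '"%1" %*',
    "hklm\\software\\classes\\txtfile\\shell\\open\\command": r"%systemroot%\system32\notepad.exe %1",
}
LEGIT_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def normalize_key(raw_key: str) -> str:
    """Case-fold, drop the trailing backslash and map the NT prefix to HKLM."""
    key = raw_key.rstrip("\\").lower()
    return key.replace("\\registry\\machine", "hklm", 1)


def parse_rows(text: str) -> list:
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        row = m.groupdict()
        row["key"] = normalize_key(row["key"])
        if row["value"] is not None:
            row["value"] = row["value"].replace('\\"', '"')  # the report escapes inner quotes
        rows.append(row)
    return rows


def find_hijacks(rows: list) -> list:
    """shell\\open\\command writes whose value is not the expected default."""
    findings = []
    for row in rows:
        expected = EXPECTED_DEFAULTS.get(row["key"])
        if expected is None or row["value"] is None:
            continue
        if row["value"].lower() != expected:
            findings.append({"key": row["key"], "value": row["value"], "process": row["process"]})
    return findings


def decode_msipv_timestamps(rows: list) -> dict:
    """MSipv integers that look like Unix epochs, as UTC ISO-8601 strings."""
    out = {}
    for row in rows:
        if row["type"] != "int" or not row["key"].startswith("hklm\\software\\classes\\msipv\\"):
            continue
        n = int(row["value"])
        if 1_000_000_000 <= n < 4_000_000_000:  # MainVer = 506 is a version, not a time
            out[row["key"].rsplit("\\", 1)[1]] = datetime.fromtimestamp(n, tz=timezone.utc).isoformat()
    return out


def is_masquerading_system_binary(path: str) -> bool:
    """True for a rundll32.exe or notepad.exe located outside System32/SysWOW64."""
    p = path.lower()
    return p.rsplit("\\", 1)[-1] in {"rundll32.exe", "notepad.exe"} and not p.startswith(LEGIT_SYSTEM_DIRS)


def masquerading_processes(rows: list) -> list:
    return sorted({r["process"] for r in rows if is_masquerading_system_binary(r["process"])})


if __name__ == "__main__":
    rows = parse_rows(REPORT_ROWS)
    for f in find_hijacks(rows):
        print(f"HIJACK {f['key']} = {f['value']!r} written by {f['process']}")
    for name, ts in decode_msipv_timestamps(rows).items():
        print(f"MSipv {name} = {ts}")
    for proc in masquerading_processes(rows):
        print(f"MASQUERADE {proc}")
```

Run against the behavioral1 rows it reports three non-default association writes (the two notepad variants and the ¢« prefix on exefile, the latter written by the dropped rundll32.exe), decodes MainSetup and MainUp to 2024-06-09T07:34:37+00:00, and names C:\Windows\system\rundll32.exe as the out-of-place system binary. Feeding it the behavioral2 rows instead yields the same findings with the 07:34:38 timestamp.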

MITRE ATT&CK

Enterprise Matrix V15

Mapping of the observed behaviour to Enterprise techniques:

T1546.001 Event Triggered Execution: Change Default File Association (rewrites exefile and txtfile shell\open\command under HKLM\SOFTWARE\Classes).

T1036.005 Masquerading: Match Legitimate Name or Location (drops a rundll32.exe into C:\Windows\system instead of System32/SysWOW64).

Analysis: static1

Detonation Overview

Reported

2024-06-09 07:34

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 07:34

Reported

2024-06-09 07:37

Platform

win7-20240221-en

Max time kernel

149s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1717918477" | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1717918477" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A

The MSipv MainSetup and MainUp values are Unix epoch seconds (1717918477 = 2024-06-09 07:34:37 UTC, the detonation time).

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A

(The row above appears 14 times in the sandbox output, one per hit; the duplicates carry no additional indicator.)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe

"C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.zigui.org | udp
HK | 103.251.237.123:80 | www.zigui.org | tcp

Files

memory/1740-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 8e326bd6a4fbe4ded463149092ceb7e9
SHA1 647f98f63131b34091a368be4bf16a541a541a0a
SHA256 b3b5aa67fce01bc843eb60cfb0a10f0c4cd1352b67c4b8076744afb0f8b33b35
SHA512 c948f1efef3688cf7aed8fc5315999b5fc798ba2431c8bc8e3e7523e3e162f4dd3ddbfa56f2e7b011d160d562f6f85edfca02462fefce5f067bb80a5d211adb3

\Windows\system\rundll32.exe

MD5 7ddca6dee6068b82c0e94b597431e6c2
SHA1 ed9e72f4877beade2af45c22f90c88779869a82f
SHA256 dcb832610f8cf41a0a71414499416ff7c5f7b383321c7d3768b19c746f2eafc9
SHA512 d0c8e4c50f15c8a531d502997eb0484281366c8456d0bec4ff511f240d9a4354e7349662e8763cab5fd0df4b89d0bf8692edf3361e4c1282058ceca11e2feb23

memory/1740-18-0x0000000000270000-0x0000000000286000-memory.dmp

memory/2916-20-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/1740-19-0x0000000000270000-0x0000000000286000-memory.dmp

memory/1740-21-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/1740-22-0x0000000000270000-0x0000000000272000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-09 07:34

Reported

2024-06-09 07:37

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1717918478" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1717918478" | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A

The MSipv MainSetup and MainUp values are Unix epoch seconds (1717918478 = 2024-06-09 07:34:38 UTC, the detonation time).

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe | N/A

(The row above appears 28 times in the sandbox output, one per hit; the duplicates carry no additional indicator.)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe

"C:\Users\Admin\AppData\Local\Temp\ed4624489a5096953dd2e1ac800fd17ad1b6cdd4065f0539c3a67554c7828aef.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | www.zigui.org | udp
HK | 103.251.237.123:80 | www.zigui.org | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp

The in-addr.arpa entries are reverse (PTR) lookups of addresses in the 20.x, 40.x, 52.x and 199.232.x ranges. The report does not attribute DNS queries to a process; on a Windows 10 guest these are most plausibly operating-system background traffic rather than sample activity (assumption), so the only network indicators shared by both runs are www.zigui.org and 103.251.237.123:80.

Files

memory/3076-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\system\rundll32.exe

MD5 2437345d81ba537d62ae316259e16fb4
SHA1 af1ef3de1b1fd5a33f7f585c57b6098b37baa960
SHA256 c5658b92e4f975ab9533623978057c35cbbae0962e9e31ba77441f67fa803ddd
SHA512 e09acd94bb252fb25adc2ef92a03cce7224acd53549d02a39363270284c3e41bfa18c39d7369ed33a9c8da23066df9c175660abbe512302d5f3bb288e5d5fe7a

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 1d601bcefd0ad8f0e96c5682473d33f6
SHA1 9bde2a1376f0b886fe4b64b3892d5f410de30ea9
SHA256 203a37620ddf8863b4b51fd3cb1c57081bbb336fa6122c47431acb7dfe159c0a
SHA512 c6e8758b4a85b388be235c43d5c3c9922c6901e6988eba0be236b5b04380544148134ce4c9c5bf33f4be2610ff74a0d0ee82cb76670e5d33c13ad8365fbba138

memory/3076-13-0x0000000000400000-0x0000000000415A00-memory.dmp