Malware Analysis Report

2025-08-10 21:45

Sample ID 240610-e55f5acb4t
Target e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986
SHA256 e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986
Tags
persistence
score
7/10


Analysis Overview

score
7/10

SHA256

e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986

Threat Level: Shows suspicious behavior

The file e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986 was classified as: Shows suspicious behavior.

Malicious Activity Summary

persistence

Executes dropped EXE

Modifies system executable filetype association

Loads dropped DLL

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 04:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 04:32

Reported

2024-06-10 04:44

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A
File created C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A
File opened for modification C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A
File created C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A
File created C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1717994494" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1717994494" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Windows\system\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A (x28)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe

"C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 www.zigui.org udp
HK 103.251.237.123:80 www.zigui.org tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/1504-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 ca835a7bf1653a5552282dc40da25743
SHA1 fe513a0f1e66c08bf4eebe802298b2ffae9f58dc
SHA256 28dc0974fbd576644735991b86d53a8cd95bb0e4a90c463e338d941e98389633
SHA512 424514440fc632e1034d7405a157f02a132d2f6ac24f229db4b045b35baef875611002cae8c5177a77bf21a01ffaf1da21c5d370c208cc6952556f2ee657a73a

C:\Windows\System\rundll32.exe

MD5 d2c0dd76e05e3ed2106089468b2d65a2
SHA1 642967312de7e370e19515651b6cb460bec6e87e
SHA256 13cd0eb0d1b9065937173ff5e79f8b5088e0690d65e60d3782a491366697d2e3
SHA512 8e9c96fe25347aa869797e0ceba8adf0d74ad34a76a24e4fb9eb23dfdfe521b130802e3b2c8ee303f365b2bce51e70ff7bd211645c0c20b79a7ceba5d0dfc69a

memory/1504-13-0x0000000000400000-0x0000000000415A00-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 04:32

Reported

2024-06-10 04:44

Platform

win7-20240221-en

Max time kernel

149s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A
File created C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A
File opened for modification C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A
File created C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A
File created C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1717994493" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1717994493" C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Windows\system\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe N/A (x14)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe

"C:\Users\Admin\AppData\Local\Temp\e2e4f4fa6155a92737a04013420a875a6416251dc3f4a26c7c5e065b79e39986.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.zigui.org udp
HK 103.251.237.123:80 www.zigui.org tcp

Files

memory/1712-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\system\rundll32.exe

MD5 f73612aae8eedd82914815db24ea7e9b
SHA1 3dcf29754f09f0a2e1b3300248ca249ff8b5dba8
SHA256 7c5fcbf4a6c47d4bcdc8fff430cde874286842d85af5c63ad2f1ad0e1ee8da96
SHA512 8eea8c63e018c00de70a2052a037b02b45aa9ee7f7c88e0561fbdcb5ca753c403b38a53f23115fc9d52dc4ad338fca25c670952b926b2fef67ee655127522a1e

memory/2072-20-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/1712-17-0x00000000002F0000-0x0000000000306000-memory.dmp

memory/1712-15-0x00000000002F0000-0x0000000000306000-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 2ad714671406ac1e18f800539129e50c
SHA1 e1ad602e18f9e69c2009571c58bfb84f206429ce
SHA256 b055bd8268c6d3dbb6597cdedec9777bb388a7398c23b6389ce7ba7d388bad53
SHA512 e303b5b00563bfa58ce136133c8584f109dcff20044bb12de5f712070494975c9d0b7d9bdfc1825728170beca4bcf7bae1b48498c83d8338e3c70af9dfd92212

memory/1712-21-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/1712-22-0x00000000002F0000-0x00000000002F2000-memory.dmp