Malware Analysis Report

2025-04-14 02:58

Sample ID 240613-c6xrkavfpr
Target 36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255
SHA256 36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255
Tags
persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255

Threat Level: Shows suspicious behavior

The file 36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255 was found to show suspicious behavior.

Malicious Activity Summary

persistence

Loads dropped DLL

Executes dropped EXE

Modifies system executable filetype association

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 02:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 02:41

Reported

2024-06-13 02:44

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A
File created C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A
File opened for modification C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A
File created C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A
File created C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718246518" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718246518" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A (identical entry reported 28 times)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe

"C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.zigui.org udp

Files

memory/2156-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 d2c0dd76e05e3ed2106089468b2d65a2
SHA1 642967312de7e370e19515651b6cb460bec6e87e
SHA256 13cd0eb0d1b9065937173ff5e79f8b5088e0690d65e60d3782a491366697d2e3
SHA512 8e9c96fe25347aa869797e0ceba8adf0d74ad34a76a24e4fb9eb23dfdfe521b130802e3b2c8ee303f365b2bce51e70ff7bd211645c0c20b79a7ceba5d0dfc69a

C:\Windows\System\rundll32.exe

MD5 00422949fffc8ca4bb348894655587aa
SHA1 7cbb527077cf4f18b5017cff5c9f6f5ab69f394a
SHA256 192655059a179190de27c5916c8797ea5d2b08c5b75b59f5a8d33505359370b7
SHA512 87e10b907679cd17829ef9c17106137c6e1d983632def274bca7f41f3b7bf55df9570ad504b0d9a3da1c970359bb40e476c901c23b6813900ba48c3193c2658f

memory/2156-13-0x0000000000400000-0x0000000000415A00-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 02:41

Reported

2024-06-13 02:44

Platform

win7-20240419-en

Max time kernel

149s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A
File created C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A
File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A
File created C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A
File created C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718246518" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718246518" C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Windows\system\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe N/A (identical entry reported 14 times)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe

"C:\Users\Admin\AppData\Local\Temp\36fe3a0cf3a422ec3df13d3e8800ac84dbef19cffcb5271c2d5f755b42eb7255.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.zigui.org udp

Files

memory/2028-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 d2c0dd76e05e3ed2106089468b2d65a2
SHA1 642967312de7e370e19515651b6cb460bec6e87e
SHA256 13cd0eb0d1b9065937173ff5e79f8b5088e0690d65e60d3782a491366697d2e3
SHA512 8e9c96fe25347aa869797e0ceba8adf0d74ad34a76a24e4fb9eb23dfdfe521b130802e3b2c8ee303f365b2bce51e70ff7bd211645c0c20b79a7ceba5d0dfc69a

\Windows\system\rundll32.exe

MD5 00422949fffc8ca4bb348894655587aa
SHA1 7cbb527077cf4f18b5017cff5c9f6f5ab69f394a
SHA256 192655059a179190de27c5916c8797ea5d2b08c5b75b59f5a8d33505359370b7
SHA512 87e10b907679cd17829ef9c17106137c6e1d983632def274bca7f41f3b7bf55df9570ad504b0d9a3da1c970359bb40e476c901c23b6813900ba48c3193c2658f

memory/2028-18-0x00000000002E0000-0x00000000002F6000-memory.dmp

memory/2028-17-0x00000000002E0000-0x00000000002F6000-memory.dmp

memory/2028-20-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/2028-21-0x00000000002E0000-0x00000000002F6000-memory.dmp