Malware Analysis Report

2025-03-14 22:10

Sample ID 240613-fadwcsyamk
Target 94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8
SHA256 94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8
Tags: persistence
Score: 7/10


Analysis Overview

Score: 7/10

SHA256

94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8

Threat Level: Shows suspicious behavior

The file 94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8 was found to show suspicious behavior.

Malicious Activity Summary

persistence

Modifies system executable filetype association

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 04:39

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 04:39

Reported

2024-06-13 04:42

Platform

win7-20240611-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

Tag: persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718253596" | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718253596" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A (14 identical events)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe

"C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.zigui.org | udp
HK | 103.251.237.123:80 | www.zigui.org | tcp

Files

memory/2012-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 08a566ab9c159a33aea7634bf4496cbe
SHA1 81021ba4a9611b5203edeee050f2fc5c06bc7402
SHA256 7551cf608ab20590913e7b85ca54dc82ee38c001100793d61c83141e54e415fc
SHA512 918f7a39d7222a372a339679a50d19344ebcc179f90d3cdd82866994f5ffdbabaf3436214065af50c61c0e4453bd7e800daeb93a5d542faeaa62cd32fbb9fc5b

\Windows\system\rundll32.exe

MD5 d2c0dd76e05e3ed2106089468b2d65a2
SHA1 642967312de7e370e19515651b6cb460bec6e87e
SHA256 13cd0eb0d1b9065937173ff5e79f8b5088e0690d65e60d3782a491366697d2e3
SHA512 8e9c96fe25347aa869797e0ceba8adf0d74ad34a76a24e4fb9eb23dfdfe521b130802e3b2c8ee303f365b2bce51e70ff7bd211645c0c20b79a7ceba5d0dfc69a

memory/2012-12-0x0000000000240000-0x0000000000256000-memory.dmp

memory/2744-19-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/2012-18-0x0000000000240000-0x0000000000256000-memory.dmp

memory/2012-22-0x0000000000240000-0x0000000000246000-memory.dmp

memory/2012-21-0x0000000000400000-0x0000000000415A00-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 04:39

Reported

2024-06-13 04:42

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

Tag: persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718253593" | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718253593" | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe | N/A (28 identical events)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe

"C:\Users\Admin\AppData\Local\Temp\94e1cdfefd5b040c3dfce4f03d5828c9f8244dbde4582a54726471d5b8e200f8.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.zigui.org | udp

Files

memory/5016-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 8e9e7b6665d5a21484a2b64759b086a9
SHA1 2ccbe60e1c93e77aa0cdde18b7c39c63dde2f1af
SHA256 ca9cd6b6f2f2850e38d4ed81a062ee98d056bc2d5e465c81f079f17b6252290a
SHA512 3dc24c2e15b18e1fafca1055149a1869c14169432d5bb44d3d5b8a84afaa54223e3e51641b5eb4d8f24aec16392b8587d2f66be63f7a15ba4c4c576e2191c8bd

C:\Windows\System\rundll32.exe

MD5 d6a5d43a931d71ccf6c7583b7ca38894
SHA1 6b9363bab4a0d7058e25d9ccd85f51e073ad1024
SHA256 c66c659018a934371d024ec5b255c42c2a7054e61af2a7dabed8d62794d016ab
SHA512 202ea35681838c3a4d24fe5ab8a1529476a292cbc9c93d4a4660d57834f5894c918391a8e2e50e1d3edcd3c2656a86acf8ac4d061a4ad81bdd7163a732ba9ea9

memory/5016-13-0x0000000000400000-0x0000000000415A00-memory.dmp