Malware Analysis Report

2025-04-03 12:53

Sample ID 241109-23v61axjen
Target f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25
SHA256 f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25
Tags
discovery persistence
score
7/10


Analysis Overview

score
7/10

SHA256

f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25

Threat Level: Shows suspicious behavior

The file f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25 was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence

Executes dropped EXE

Loads dropped DLL

Modifies system executable filetype association

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 23:06

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 23:06

Reported

2024-11-09 23:09

Platform

win7-20240903-en

Max time kernel

149s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe"

Signatures

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system\rundll32.exe | N/A |

Modifies system executable filetype association

persistence

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |
| File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |

Drops file in Windows directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |
| File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |

System Location Discovery: System Language Discovery

discovery

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\system\rundll32.exe | N/A |

Modifies registry class

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1731193617" | C:\Windows\system\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1731193617" | C:\Windows\system\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |

(14 identical entries for this process)

Suspicious behavior: GetForegroundWindowSpam

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system\rundll32.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe

"C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | www.zigui.org | udp |
| HK | 103.251.237.123:80 | www.zigui.org | tcp |

Files

memory/1624-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 876d4ddf656f4a974ba044fb20f20050
SHA1 b6124533fa3a53957003c9591e9d0c2f4d1feba2
SHA256 86cc6a92deb3a2054fd039a2e8923b036797425095d85cee2e9489f869b1fd7c
SHA512 a5b550e615e1432e39b7004cb21a8a83ec9573b72c8abb001c1c15ab923deb85ec90844518375b0c1918e4655a5f57d5c5c848577b397363a5c262ca72c82bf0

\Windows\system\rundll32.exe

MD5 b6e3eef832091e5c446ae3e2972837e4
SHA1 5ec0efdcdfb7f3370dca5e43a36eb22aa640262b
SHA256 2b23f5584d89d49085b6ee1e1a48824e44b44cb1cd18ec1028e360f541a09127
SHA512 9e423c0497b494e7b05af692d34cdbb3e7d54262f83a66585bb56e8010fc8311776bab611d6011cffd6c6ea0bc655d8eeac4fc7eeebd4404936f030a9f558f23

memory/1624-12-0x00000000002E0000-0x00000000002F6000-memory.dmp

memory/1624-19-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/1624-20-0x00000000002E0000-0x00000000002E2000-memory.dmp

memory/604-21-0x0000000000400000-0x0000000000415A00-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 23:06

Reported

2024-11-09 23:09

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe"

Signatures

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system\rundll32.exe | N/A |

Modifies system executable filetype association

persistence

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |
| File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |
| File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |

Drops file in Windows directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |
| File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |

System Location Discovery: System Language Discovery

discovery

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\system\rundll32.exe | N/A |

Modifies registry class

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1731193621" | C:\Windows\system\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1731193621" | C:\Windows\system\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe | N/A |

(28 identical entries for this process)

Suspicious behavior: GetForegroundWindowSpam

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system\rundll32.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe

"C:\Users\Admin\AppData\Local\Temp\f9a4c6221281d40951f0f4fdc7a7abc32729c1e051ab7e50ea91b9962033ec25.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.zigui.org | udp |
| HK | 103.251.237.123:80 | www.zigui.org | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.237.251.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |

Files

memory/3380-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 ef3dc5c6459114885b85bd3f01a1e553
SHA1 067b72aef5c9bf550035176439e998530d73b0cc
SHA256 d972995011b46407a0f6d0d1bbbe2e302af6fc6b6f405969c816d028ba5d5bbc
SHA512 35970fe9f33d107f1701d58a5b28be9872ab2e92762672d725c491df201202226645182d6f5d768686279670bddaf5db4452f7aa6d2f9899e744eaba9eb6e285

C:\Windows\system\rundll32.exe

MD5 46cab76d256c2d99762adb5ea0b3797f
SHA1 dc1b0e7e206f30d228f40022dc33bd9cc76a9860
SHA256 d665bda3c381df1d0a59b5a32d92c3ce448421f5c4ad4070a2754b152b1b25c1
SHA512 652083faad21ea8777d7140d3996e5048c6d76f3bbdfca1230cdf2221b60fd7c344a10f75ba9c804d2383ecaa2211244da7308f18449d4f5c68018fd70792e04

memory/3380-13-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/220-14-0x0000000000400000-0x0000000000415A00-memory.dmp