Malware Analysis Report

2025-04-03 12:28

Sample ID: 241109-23wgrstkb1
Target:    18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c
SHA256:    18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c
Tags:      discovery, persistence
Score:     7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score:  7/10
SHA256: 18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c

Threat Level: Shows suspicious behavior

The file 18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c was found to be: Shows suspicious behavior.

Malicious Activity Summary

Tags: discovery, persistence

- Modifies system executable filetype association
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Unsigned PE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-09 23:06

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2024-11-09 23:06
Reported:         2024-11-09 23:09
Platform:         win7-20240903-en
Max time kernel:  149s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

Tag: persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A

System Location Discovery: System Language Discovery

Tag: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\system\rundll32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1731193619" | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1731193619" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
(14 identical entries for this process)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe"

C:\Windows\system\rundll32.exe
  Command line: C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.zigui.org | udp
HK | 103.251.237.123:80 | www.zigui.org | tcp

Files

memory/2104-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe
  MD5    0ee1e244db7a903d134373a2d93456a7
  SHA1   cb74574a158393c6d3603ace752767df89ba5ca7
  SHA256 5274c6e5c79dfed6e2f923c9e822821899956917b70932e8620874a8ba79935c
  SHA512 c60464c1d1ae610474bed5f10da4143bac4690021033ad6884c102f28f07b2a3422a60924b5e1881a1ca74b4b5fb3f4dd6b887c55392ff43ed690f0200e26e01

\Windows\system\rundll32.exe
  MD5    d7531615f20c0faae8d170cc58a40015
  SHA1   03d7b8c3a01f73b248132db72382630b219b2fe9
  SHA256 0f4fbc3f182002ebdf1aa2b8a45a6c48055e2b7a5bc1123cb277bb9edac228be
  SHA512 954bb1b92a067ee0a48c9da30c6aeb838ad2308b334614ed4b50f11912dc0fdfbdfdd0a47b14a6721c960691292e438c1d49816b5ab40b97e11601ea982cfb1d

memory/2104-12-0x0000000000300000-0x0000000000316000-memory.dmp
memory/2104-19-0x0000000000400000-0x0000000000415A00-memory.dmp
memory/2360-20-0x0000000000400000-0x0000000000415A00-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted:        2024-11-09 23:06
Reported:         2024-11-09 23:09
Platform:         win10v2004-20241007-en
Max time kernel:  149s
Max time network: 135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

Tag: persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A

System Location Discovery: System Language Discovery

Tag: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\system\rundll32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1731193620" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1731193620" | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe | N/A
(28 identical entries for this process)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18c5f9669cfe6309368eec2f04419d71b61c51ae2d2c2924cef220b228dbb09c.exe"

C:\Windows\system\rundll32.exe
  Command line: C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | www.zigui.org | udp
HK | 103.251.237.123:80 | www.zigui.org | tcp
US | 8.8.8.8:53 | 123.237.251.103.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.208.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.208.201.84.in-addr.arpa | udp

Files

memory/4784-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe
  MD5    cc0de284e350fe885d59deb4111098b4
  SHA1   9363adcb1d7c878cc8a963c4e6b754882b0b0598
  SHA256 6fba97d7c26310aa224432bc3b175f0814d30a6e7171f0b0cb3e5d5b7235a238
  SHA512 4490979b51d23c970d369c8a34502d9486509c21bb3e45ae72d677786b63365ca4447f85e816e972716a99bb21f6e21d86c50cd2f295b20845cf899cb5d9c946

C:\Windows\System\rundll32.exe
  MD5    6202adf52541669e306e023f9f1cc1dd
  SHA1   94e453d1ac8a266a4c6137c6f5977990cd20073e
  SHA256 786dd19a1e426d4557448aa1c0b5ef9bce1b2966a4b193adfb3ff16140cfe032
  SHA512 f6ff36de5bbef054ffb9ea3a6e581f1d4d3ddd50dfc2b13ff9795f178d06fcf528fdb2c71266088ad847d3455e480332fecd11cda99a57f7f83c39a70db1353d

memory/4784-13-0x0000000000400000-0x0000000000415A00-memory.dmp
memory/2412-14-0x0000000000400000-0x0000000000415A00-memory.dmp