Malware Analysis Report

2024-12-01 01:30

Sample ID 241110-bsgyhsyrbq
Target 8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d
SHA256 8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d
Tags: discovery persistence
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d

Threat Level: Shows suspicious behavior

The file 8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence

Loads dropped DLL

Modifies system executable filetype association

Executes dropped EXE

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:24

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:24

Reported

2024-11-10 01:26

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

Tags: persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\system\rundll32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1731201860" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1731201860" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A (28 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe

"C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.zigui.org | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
HK | 103.251.237.123:80 | www.zigui.org | tcp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 123.237.251.103.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Files

memory/3908-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 1f137999f26f9f4106c348d85b331085
SHA1 e4b1085033204e610d07aa61cfcb34aa00ac4c5c
SHA256 e6a4ff63ffca1eebefde1becbef4ea7e346b250a4f95c3a4dd3c9915bb6f92d8
SHA512 f6fabee492d15a853281e2513b7475b589207751a0e337e1659f3f1df8019219f012288f50e6085eb8a655dcbd1e91048023176627ccfbc25ca7e9800ad33938

C:\Windows\System\rundll32.exe

MD5 577f9239ab95bb65a8b46d3c76ae74e3
SHA1 ee1980f2039840eab0a57cb0cf497c0db99f2b1a
SHA256 55c1f7e0a76d5cbb79ae6d04dd8cd0deba25c1d558966efbe89da2b42677626c
SHA512 e264cfcc2bc962a31dfd16982708f1989d19ae302e17bc40591687f4d1c968fe127ae074adb5486ce7c18f0dd9c63039b830f7e47a8e97f3671955dc0b00d570

memory/3908-13-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/1636-14-0x0000000000400000-0x0000000000415A00-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:24

Reported

2024-11-10 01:26

Platform

win7-20240903-en

Max time kernel

149s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

Tags: persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\system\rundll32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1731201861" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1731201861" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe | N/A (14 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe

"C:\Users\Admin\AppData\Local\Temp\8515dde495bd0d573e6d7d3286b80d0818756f505c50913eb3d7fafac1f5418d.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.zigui.org | udp
HK | 103.251.237.123:80 | www.zigui.org | tcp

Files

memory/1812-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 35d232fb56785272aae6a0a0879784ba
SHA1 710a78346c4ceb5c703a2d245a53392f8a1b7982
SHA256 a25e61ad853a4dd72f3c264576c9ddab6f6ff68b677f6fa1e2369389100ee1bf
SHA512 280a9b01b3e30ce2b9260a1b5e7726f34e736a46b841768034474d8f43755a0ce289c513ebedc65b9f0f1e2f635dc0d40025f408bee343f8a99182026420b494

\Windows\system\rundll32.exe

MD5 9a897e548be4d89468effd151062bbba
SHA1 b4d6641ade55e4f3d2ddb8c86eec1d1a0083aa8b
SHA256 ba58b65ce44c1e1f71674b58cc3f63e2d0120b2bd3f5db532bb828fd96d01998
SHA512 1fd67ee39ef0a34cbcfcc759072017e920fa7c4e7aee663a34651ad9c44cff9003e758035c1049421e98b1116656133e19df754b5a3fd771f8d9a2da558a891e

memory/1812-11-0x0000000000270000-0x0000000000286000-memory.dmp

memory/1812-20-0x0000000000270000-0x0000000000272000-memory.dmp

memory/1812-19-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/2484-21-0x0000000000400000-0x0000000000415A00-memory.dmp