Malware Analysis Report

2024-12-01 01:20

Sample ID 241110-byqslswhmf
Target b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d
SHA256 b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d
Tags
discovery persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d

Threat Level: Shows suspicious behavior

The file b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d shows suspicious behavior (score 7/10). In both detonations it drops an executable named rundll32.exe into C:\Windows\system (the genuine rundll32.exe lives in System32 and SysWOW64, not there) and executes it, creates ¢«.exe and notepad¢¬.exe in C:\Windows\SysWOW64, and rewrites HKLM\SOFTWARE\Classes\exefile\shell\open\command to "¢« \"%1\" %*" and txtfile\shell\open\command to "notepad¢¬ %1", so that launching any .exe or opening a .txt passes through the dropped files first. The dropped rundll32.exe records a version (506) and a Unix-epoch timestamp under HKLM\SOFTWARE\Classes\MSipv, reads the system language from the NLS\Language key, and resolves www.zigui.org before connecting to 103.251.237.123:80 (HK).

Two caveats for anyone turning this report into detections. The launcher names contain non-ASCII characters that the report renders as ¢« and notepad¢¬; the bytes actually written depend on how the sandbox decoded them, so match on the directory and on the shape of the association value rather than on the rendered name. The dropped rundll32.exe and notepad¢¬.exe hash differently in the win7 and win10 detonations (see the Files sections), so the dropped files are not byte-identical across runs and should not be pinned by hash.

Malicious Activity Summary

discovery persistence

Executes dropped EXE

Loads dropped DLL

Modifies system executable filetype association

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15. Mapping derived from the signatures in this report:

persistence: Event Triggered Execution: Change Default File Association (T1546.001), from the rewrites of HKLM\SOFTWARE\Classes\exefile\shell\open\command and txtfile\shell\open\command.

discovery: System Location Discovery: System Language Discovery (T1614.001), from the reads of HKLM\SYSTEM\ControlSet001\Control\NLS\Language by both the sample and the dropped rundll32.exe.

Not covered by a sandbox signature but visible in the file tables: the dropped executable is named rundll32.exe and placed in C:\Windows\system rather than System32, which fits Masquerading: Match Legitimate Name or Location (T1036.005).

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:33

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:33

Reported

2024-11-10 01:35

Platform

win7-20240903-en

Max time kernel

149s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\system\rundll32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1731202408" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1731202408" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A
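
The rows above are the persistence mechanism: the sample first writes the stock exefile command ("%1" %*), then both it and the dropped rundll32.exe overwrite it with a command that routes every .exe launch through ¢«, and the txtfile command is moved from notepad.exe to notepad¢¬. The MSipv integers are Unix timestamps: 1731202408 is 2024-11-10 01:33:28 UTC, the detonation time, so MainUp/MainSetup record when the infection was installed. As an added example (not part of the sandbox report), the Python below parses rows in this report's flat layout, flags any exefile/txtfile open command that differs from the stock Windows value, and decodes those timestamps. The sample rows are copied from the table above; the stock association values are the Windows defaults and are an assumption about the victim host, not something the report states; the launcher names are kept exactly as the report renders them, and the real bytes on disk may differ.

```python
"""Triage helper for the flat signature rows in this report: pull the file-association
rewrites and the MSipv timestamps out of "Modifies registry class" rows.

Added example, not part of the sandbox report. The rows below are constructed by copying
the behavioral1 table (sample path and dropped rundll32.exe path as they appear there).
"""
import re
from datetime import datetime, timezone

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe"
DROPPED = r"C:\Windows\system\rundll32.exe"

# Rows in the report's own flat layout: Description, Indicator, Process, Target (N/A).
# The non-ASCII launcher names are kept exactly as the report renders them.
SAMPLE_ROWS = "\n".join([
    rf'Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command {SAMPLE} N/A',
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1731202408" {DROPPED} N/A',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" {DROPPED} N/A',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" {DROPPED} N/A',
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" {DROPPED} N/A',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" {SAMPLE} N/A',
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1731202408" {DROPPED} N/A',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" {SAMPLE} N/A',
])

# One row: description, registry path, optional = "value", acting process, target column.
ROW_RE = re.compile(
    r'^(?P<desc>Key created|Key opened|Set value \((?P<type>str|int)\))\s+'
    r'(?P<key>\S+)'                    # registry path; these rows never contain spaces in it
    r'(?:\s*=\s*"(?P<value>.*)")?'     # present only on "Set value" rows
    r'\s+(?P<proc>\S+)\s+N/A$'
)

# Stock values of the two associations the sample rewrites (assumed clean-host defaults).
DEFAULT_OPEN_COMMAND = {
    "exefile": '"%1" %*',
    "txtfile": r"%SystemRoot%\system32\NOTEPAD.EXE %1",
}
ASSOC_RE = re.compile(r"^HKLM\\SOFTWARE\\Classes\\(\w+)\\shell\\open\\command$", re.IGNORECASE)


def normalize_key(raw):
    """\\REGISTRY\\MACHINE\\...\\command\\ -> HKLM\\...\\command (trailing \\ marks the default value)."""
    return re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", raw.rstrip("\\"), flags=re.IGNORECASE)


def analyze(rows_text):
    hijacks, timestamps, unparsed = [], {}, []
    for line in rows_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            unparsed.append(line)
            continue
        if m["value"] is None:            # "Key created" / "Key opened" rows carry no value
            continue
        key = normalize_key(m["key"])
        value = m["value"].replace('\\"', '"')   # the report escapes embedded quotes
        assoc = ASSOC_RE.match(key)
        if assoc:
            progid = assoc.group(1).lower()
            expected = DEFAULT_OPEN_COMMAND.get(progid)
            # Anything but the stock command is a hijack; the interim "notepad.exe %1" write
            # is flagged too, because it already differs from the stock value.
            if expected is not None and value.lower() != expected.lower():
                hijacks.append({"progid": progid, "command": value,
                                "launcher": value.split()[0], "written_by": m["proc"]})
        elif m["type"] == "int" and key.lower().endswith(("\\mainup", "\\mainsetup")):
            # MainUp / MainSetup hold a Unix epoch; in this report both equal the detonation time.
            timestamps[key.rsplit("\\", 1)[1]] = datetime.fromtimestamp(int(value), tz=timezone.utc)
    return {"hijacks": hijacks, "timestamps": timestamps, "unparsed": unparsed}


if __name__ == "__main__":
    report = analyze(SAMPLE_ROWS)
    for h in report["hijacks"]:
        print(f'{h["progid"]}: {h["command"]!r} (launcher {h["launcher"]!r}, written by {h["written_by"]})')
    for name, ts in report["timestamps"].items():
        print(f"MSipv\\{name} = {ts:%Y-%m-%d %H:%M:%S} UTC")
```

The same comparison against DEFAULT_OPEN_COMMAND is what a host check does on a live machine, reading HKLM\SOFTWARE\Classes\exefile\shell\open\command and txtfile\shell\open\command instead of report rows: any value whose first token is not the stock launcher means every .exe or .txt the user opens runs something else first, and the launcher token tells you which file to pull.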

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A (14 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe

"C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.zigui.org | udp
HK | 103.251.237.123:80 | www.zigui.org | tcp

Files

memory/2336-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 7f068b0ae2814962e9c09ee92fe35d19
SHA1 42c1c6c8e9c8611638b14f6dd1329db578731763
SHA256 6c0cf95e7427f1dca2cd36ee95dd8df7684b6ac490a4c370146a447f39542285
SHA512 3c5a8c44b5f2a68a492dbd2df9f6304c9190f6fc427347f9f50a537ef7abbad1fe704391cfbe567c1c7feaffce51cecafc6d04d6b12f9efe97c017c410249c00

\Windows\system\rundll32.exe

MD5 422b2574a6fec8b4d41ea5f21e7dc0f5
SHA1 a43a65504c640e7231c317d01d4b433d1d6dbf17
SHA256 8bf869d2dcc174cf29d285a13e6d3fd0e04ea759e855b1f5997d9ec1c9204db9
SHA512 ecc9a86038ef71b6350cb1fe32ff8abc617b6041445c4998a0c3991c990649a40ad658ca304d0e65b5a1599ebbc0a3c78c18ec8f70a2a888f1a0f7cc3a438329

memory/2336-17-0x00000000002E0000-0x00000000002F6000-memory.dmp

memory/2336-12-0x00000000002E0000-0x00000000002F6000-memory.dmp

memory/2336-20-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/2336-21-0x00000000002E0000-0x00000000002F6000-memory.dmp

memory/1544-22-0x0000000000400000-0x0000000000415A00-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:33

Reported

2024-11-10 01:35

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\system\rundll32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1731202409" | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1731202409" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe | N/A (28 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe

"C:\Users\Admin\AppData\Local\Temp\b58e07f57d344f1f7d29022d9513e9cf12d7ac05dfdea961858fa0f876a83d9d.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | www.zigui.org | udp
HK | 103.251.237.123:80 | www.zigui.org | tcp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 123.237.251.103.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp
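
Only one row in this table is a connection the sample made: the TCP session to 103.251.237.123:80 after resolving www.zigui.org. The in-addr.arpa rows are PTR (reverse) lookups, and only one of them, 123.237.251.103.in-addr.arpa, names the host that was actually contacted; the other seven match no connection anywhere in this report and should not be carried into an indicator list. As an added example (not part of the sandbox report), the Python below reverses PTR names back to addresses and splits the table into contacts, PTR lookups for contacted hosts, and lookups with no matching connection. The rows are copied from the table above; nothing else is assumed.

```python
"""Separate the sample's own network contact from DNS noise in the behavioral2 Network table.

Added example, not part of the sandbox report. NETWORK_ROWS is constructed by copying that
table (country, destination ip:port, domain, protocol).
"""
import ipaddress

NETWORK_ROWS = """
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 www.zigui.org udp
HK 103.251.237.123:80 www.zigui.org tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 123.237.251.103.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
"""


def parse_rows(text):
    """Country, ip:port, domain, proto -> list of dicts; lines that are not four fields are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def ptr_to_ip(name):
    """'123.237.251.103.in-addr.arpa' -> '103.251.237.123'; None if not a valid IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def correlate(rows):
    """List the hosts the sample connected to, and tie each PTR lookup to one of them (or to none)."""
    connections = [r for r in rows if r["proto"] == "tcp"]
    contacted = {r["ip"] for r in connections}
    # Forward (A) lookups: DNS rows whose name is not a reverse-lookup name.
    forward_lookups = {r["domain"] for r in rows
                       if r["proto"] == "udp" and r["port"] == 53 and ptr_to_ip(r["domain"]) is None}
    out = {"contacts": [], "ptr_for_contacted": [], "ptr_unrelated": []}
    for r in connections:
        out["contacts"].append({"ip": r["ip"], "port": r["port"], "domain": r["domain"],
                                "country": r["country"],
                                "resolved_in_report": r["domain"] in forward_lookups})
    for r in rows:
        ip = ptr_to_ip(r["domain"])
        if ip is None:
            continue
        bucket = "ptr_for_contacted" if ip in contacted else "ptr_unrelated"
        out[bucket].append(ip)
    return out


def iocs(rows):
    """Network indicators worth blocking: the domain(s) behind each TCP contact plus the ip:port pairs."""
    contacts = correlate(rows)["contacts"]
    return {"domains": sorted({c["domain"] for c in contacts}),
            "ip_ports": sorted({f'{c["ip"]}:{c["port"]}' for c in contacts})}


if __name__ == "__main__":
    res = correlate(parse_rows(NETWORK_ROWS))
    for c in res["contacts"]:
        print(f'contact {c["domain"]} -> {c["ip"]}:{c["port"]} ({c["country"]}), '
              f'A lookup seen in report: {c["resolved_in_report"]}')
    print("PTR lookups for contacted hosts:", res["ptr_for_contacted"])
    print("PTR lookups with no matching connection:", res["ptr_unrelated"])
    print("IOCs:", iocs(parse_rows(NETWORK_ROWS)))
```

On this table the only indicators that survive are www.zigui.org and 103.251.237.123:80; the seven unrelated PTR names reverse to addresses the report never shows a connection to, which is why the split is worth doing before pasting a sandbox's network tab into a blocklist.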

Files

memory/2624-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 d0a1c08fdf8691c8d8ee76c7b4a3bc53
SHA1 9616766843e777b56a8ecbb4ca73ce6036387d24
SHA256 9ae68141bd0f4529c46f39143700e92d532296d101d09bbce1811f5ef34aa5ea
SHA512 b33173ad1a35e0e03a317d64c9e9c29732e2faa552e8c9d29b8675a3e19d169ecbe4ab6258b441c31ee0e296446a6e39f707b9357c839015a2be268e3f67c6cc

C:\Windows\System\rundll32.exe

MD5 76fbfa25e65c6c96f50accd809a92a05
SHA1 292be30fa03409cb01952793d293c0385f5588b9
SHA256 aa90417e670664385c5338b8da56eb6b06eb1b505f9823c33165d357f11a0239
SHA512 912b3b36d532d480904cb31a03df09456573aa3ee206bd29784da229473d5bb051e42548d9caa9960c425964425cf950ae085701bed11578ea6c86d86ac329c6

memory/2624-13-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/4932-14-0x0000000000400000-0x0000000000415A00-memory.dmp