Malware Analysis Report

2025-04-14 01:48

Sample ID 240602-2ef26sad94
Target b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5
SHA256 b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5
Tags
persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5

Threat Level: Shows suspicious behavior

The file b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5 was found to show suspicious behavior.

Malicious Activity Summary

persistence

Executes dropped EXE

Loads dropped DLL

Modifies system executable filetype association

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 22:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 22:29

Reported

2024-06-02 22:32

Platform

win7-20240508-en

Max time kernel

149s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
File created C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
File opened for modification C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
File created C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
File created C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1717367376" C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1717367376" C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Windows\system\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe

"C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.zigui.org udp
HK 103.251.237.123:80 www.zigui.org tcp

Files

memory/2212-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 6ba3cf39be4af62f811912156223ea81
SHA1 e147c0254960904fb54819211e9666a9f6ea8880
SHA256 b0944f12b410b975c2e72679ff8a0861e7d4241e174329c1d4e963b61833a5ff
SHA512 8f78ec2d67f391ea3cd8f0c000dadb05f694e0c77e9877f9b1c02359a06e2a18f75214aa448a65fa235b4447e01905631ca6c6fce3d178a474d3c57a5fe507e6

\Windows\system\rundll32.exe

MD5 b846ce3e10670783e8c659359b562740
SHA1 cff45bd289880ee180dbdd1c157e1a5274fcb831
SHA256 6de25fe4b63c8bcb2e427159e756bd9740ab09c24fdb9fae142ad3f8d55fc389
SHA512 b7e02a8dfc7bf76c1b84fe969fd6140e21d14092a723e2559ab5e350d0d5440ec807e6d9b90908196a70059ac6c23514e611f923ce81b819316b7bd4ac164f51

memory/2212-16-0x00000000002F0000-0x0000000000306000-memory.dmp

memory/2212-17-0x00000000002F0000-0x0000000000306000-memory.dmp

memory/2184-19-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/2212-21-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/2212-22-0x00000000002F0000-0x00000000002F2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 22:29

Reported

2024-06-02 22:32

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
File created C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
File opened for modification C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
File created C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1717367379" C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1717367379" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Windows\system\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe

"C:\Users\Admin\AppData\Local\Temp\b8fabf807efe6c0b712c20ded166d12c182f5a76e3adc352f2f9a6fcdf9defb5.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 www.zigui.org udp
HK 103.251.237.123:80 www.zigui.org tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/3968-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 76d34b0faf8a356668d0dbd909594cdf
SHA1 1b0463ae732fd461deae7598251403d8e4a91e9a
SHA256 65143cdf6c14f3871f0d3f4232454daa042cba66aab4a1d7f3a6d3250a15a313
SHA512 d0c4a12057d1375fde6fa47d187bc60c7b5d6f62b17bfc7fb9f449ab98d3297937b88aec966ac1a4d862c7d0f99aba47b00ee65e538ecc062b5b7fd08e417cc6

C:\Windows\System\rundll32.exe

MD5 388dd5f4b72ad505c9fca603739aa82c
SHA1 75bf92c7bb8793e6dd9821e99bcf0b152bb7ef89
SHA256 a6fe2f464ab5a693b37c56da0469eb10ec9303011afe6a51b3c478741d379f4e
SHA512 420046fd105093f6db82ee4edf7f46a5b95155d2f9135c45b5d1ed628a3e8a3a017bc5d60a776d12c1fa27fe097a3acc47540642a951c572ffde975a081eb789

memory/3968-13-0x0000000000400000-0x0000000000415A00-memory.dmp