Malware Analysis Report

2025-03-15 00:32

Sample ID 240603-2eg98scc43
Target cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb
SHA256 cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb
Tags

persistence

Score

7/10

Analysis Overview

Score

7/10

SHA256

cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb

Threat Level: Shows suspicious behavior

The file cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb was classified as: Shows suspicious behavior.

Malicious Activity Summary

persistence

Executes dropped EXE

Loads dropped DLL

Modifies system executable filetype association

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 22:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 22:29

Reported

2024-06-03 22:32

Platform

win7-20240221-en

Max time kernel

149s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A
File created C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A
File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A
File created C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A
File created C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1717453782" C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1717453782" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe

"C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.zigui.org udp
HK 103.251.237.123:80 www.zigui.org tcp

Files

memory/1640-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 95df74fea81a1875d23857a22ae315ef
SHA1 f716e76af67d975f7e3b9ab36dfccf2088fbc8f0
SHA256 d117ff6080e2ee4744338f87c50c544bab1070fd9a6ff12911a7de62fce59261
SHA512 4209449a0d6f7f0890c8bd7cad2cc86ac3e0b712e81eb0175046d2c455140b567e58af971072baf03ce814ce36df8eeedb4c65485429e39a729cc48ec29659fa

\Windows\system\rundll32.exe

MD5 6d46910a5f393a0549de8022e0739c3a
SHA1 36a16cb60a512008c0637bd7c1f0bc7542bd254f
SHA256 92e10836feb92a6bacd12263e1dc3c3c171a1152a8efdbd692b781d518c4cbda
SHA512 62fc8aa7dddd8cdd50bd13350710c7858455e9e9cee881f094d2f0cb04dc7eefa76d11fd609b44056b66d42258e33a7300205cdfe6bbd9ee60c1b071c3569a9e

memory/2456-20-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/1640-18-0x0000000000280000-0x0000000000296000-memory.dmp

memory/1640-17-0x0000000000280000-0x0000000000296000-memory.dmp

memory/1640-21-0x0000000000400000-0x0000000000415A00-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 22:29

Reported

2024-06-03 22:32

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A
File created C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A
File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A
File created C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A
File created C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1717453781" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1717453781" C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe

"C:\Users\Admin\AppData\Local\Temp\cf03ea4c076c8ed7a44667f26ee57b135bf65acb50f48f3b574f61b2eb1a49cb.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.zigui.org udp
HK 103.251.237.123:80 www.zigui.org tcp

Files

memory/4368-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 7a0bedee251abcd48348aaee42113de0
SHA1 f4aacbf995c3616da4952683b51c2c89cf6456ed
SHA256 cfab936d7b22263e1db52c4fd936838ee97c2768378c61554926756af1fd0231
SHA512 9871154bf2da2b2fa7af99d277609de3f419a75fc1017ce1861933dbdc8ec435272c24c92d6d4757ab94bed3880976019beed8e308bfeb2eae8e1affb13ff2bd

C:\Windows\System\rundll32.exe

MD5 dbb1d726b8b525c826a83cce48b8492a
SHA1 8a88983139910bcaeb59267c3051c181a5b90791
SHA256 73f740f384b0d9340cc53eed9712290d0824c2cc3db3d2122f00e5402a3ce02b
SHA512 1e028c34199e519fa09b53dba863c47f8499319152d118052b40b214b7ea43a2b5d81be9f821fcce8958be58d2af79df48e1a0b087ef01c22561432b75b464bd

memory/2116-13-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/4368-14-0x0000000000400000-0x0000000000415A00-memory.dmp