Malware Analysis Report

2025-03-15 00:31

Sample ID: 240603-2egzgabd3v
Target: caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc
SHA256: caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc
Tags: persistence
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc

Threat Level: Shows suspicious behavior

The file caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc was found to show suspicious behavior.

Malicious Activity Summary

persistence

Loads dropped DLL

Modifies system executable filetype association

Executes dropped EXE

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-03 22:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-03 22:29
Reported: 2024-06-03 22:32
Platform: win7-20240221-en
Max time kernel: 149s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Modifies system executable filetype association

Tag: persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
File opened for modification C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
File created C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
File created C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1717453778" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1717453778" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe

"C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.zigui.org udp
HK 103.251.237.123:80 www.zigui.org tcp

Files

memory/2272-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 32f7be798e77fffa066790af9ee9579d
SHA1 89c416f346b2ce2430db60ff41e27042bf5b9420
SHA256 a6496af4f365b9448591113cf1e7321b4830f4b138d5b285c4a5a4fc7d7195c5
SHA512 fd7c5e191b7a986f4c109064a9a6d44dfdfaffedc184b82ceb3ac884a948c24a1a1b67b0f6fc3e166e1512e145652be6313665dc722b70b934c4ac3300cd6c89

\Windows\system\rundll32.exe

MD5 f5303973b55d49f4b04699f21b78d053
SHA1 97ece96bd954d61aa3c19ae1410549fadc2a83ef
SHA256 687d3cc883e1780594eb4117c95b0eb753c33e875dbd0d5a5b1e14a52361fa1a
SHA512 38c9a1d05cb1d1c9028b3f142dd921858b9f2f474d9ea2e2630e6f7868a221fe0239445b12c6ce5c98178f9690dd1a3691c5bcd1b65a551f4f7ea87f7a01dd86

memory/2272-12-0x00000000003E0000-0x00000000003F6000-memory.dmp

memory/2272-18-0x00000000003E0000-0x00000000003F6000-memory.dmp

memory/2272-20-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/2272-21-0x00000000003E0000-0x00000000003E2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-03 22:29
Reported: 2024-06-03 22:32
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Modifies system executable filetype association

Tag: persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
File created C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
File created C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
File created C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1717453780" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1717453780" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe

"C:\Users\Admin\AppData\Local\Temp\caeed6a00ff3f8021f5fc948ec537ea1eee2930ef347b6a9dbb1918aed0e7ebc.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 www.zigui.org udp
HK 103.251.237.123:80 www.zigui.org tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

memory/5036-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 ce011bc68669cf6bfcfdceeda3c5e255
SHA1 cc300b6c6c73e421d0b9623d38a2dc7ab5fcd844
SHA256 549fa1ecdfe18e58faa7fadf0fb6d55464397bdb59d8b64170d4e3d4308de893
SHA512 0217df7586c7f8b9486382f4661b63655db31e25b4d0ffe15fb2aaa770b77a6b91a020cba26398e3ec01786f950eb3f36da60e836707162ec5145383abc31576

C:\Windows\System\rundll32.exe

MD5 f2d5ad61e6e8ebaa72c8c4374d109ce2
SHA1 2ff4e59067376a4e58e81e624925a576da14bc25
SHA256 223bcbff1439efa61b3b67c323e35cbc9ae0aa6ff17562e3558af840d2157530
SHA512 2c7a8605fe04494d9466b2ac6d500f18a9168d2572cbaa8da2dd9bbcf141a29e14fa1dc9dc01f5607c766796c10da966994ce9d6ee308bfeeb43384b3d429653

memory/5036-13-0x0000000000400000-0x0000000000415A00-memory.dmp