Malware Analysis Report

2025-08-11 01:03

Sample ID 240611-nlvbgswapn
Target 0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4
SHA256 0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4
Tags persistence
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256

0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4

Threat Level: Shows suspicious behavior

The file 0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4 was classified as showing suspicious behavior (score 7/10). In both detonations it drops a payload named rundll32.exe into the legacy C:\Windows\system directory (the genuine rundll32.exe lives only in System32 and SysWOW64), drops two further executables with non-ASCII names into SysWOW64, and rewrites the HKLM\SOFTWARE\Classes\exefile and txtfile shell\open\command handlers so that every .exe and .txt launch passes through the dropped binaries. The MainSetup/MainUp values it writes under HKLM\SOFTWARE\Classes\MSipv (1718105375 and 1718105380) are Unix timestamps for 2024-06-11 11:29:35 and 11:29:40 UTC, i.e. the install time recorded by the payload.

Malicious Activity Summary

persistence

Loads dropped DLL

Executes dropped EXE

Modifies system executable filetype association

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory
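The behaviours listed above translate directly into a point-in-time host check. The PowerShell below is an added example written for this page, not output of the sandbox or code from the sample: it audits the exefile and txtfile handlers in both HKLM and HKCU (an HKCU\Software\Classes entry overrides HKLM for the current user), flags any executable in the legacy C:\Windows\system directory, flags executables with non-ASCII names under SysWOW64 and System32 (the dropped names in this report render as mojibake, so the check is a heuristic on the character set rather than on the literal names), compares the SHA256 of anything found against the four hashes recorded in the Files sections below, and looks for the MSipv marker key. The txtfile regex assumes the stock notepad.exe handler; localized or OEM builds may register a different editor and would need the pattern adjusted.

```powershell
# Added example for this report page; not sandbox output. Read-only checks; HKLM reads and
# directory listings need no elevation. Run as the interactive user so HKCU is the right hive.
function Invoke-FileAssocAudit {
    $findings = [System.Collections.Generic.List[string]]::new()

    # Expected handler shapes. exefile must be exactly "%1" %*. For txtfile only the executable
    # name is pinned; DoNotExpandEnvironmentNames keeps %SystemRoot% unexpanded so the stock
    # REG_EXPAND_SZ value is compared as stored.
    $handlerChecks = @(
        @{ Path = 'SOFTWARE\Classes\exefile\shell\open\command'
           Ok   = { param($v) $v -eq '"%1" %*' } },
        @{ Path = 'SOFTWARE\Classes\txtfile\shell\open\command'
           Ok   = { param($v) $v -match '^"?(?:[^"]*\\)?notepad\.exe"? %1$' } }
    )
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($check in $handlerChecks) {
            $key = "${hive}:\$($check.Path)"
            if (-not (Test-Path -LiteralPath $key)) { continue }   # HKCU override is absent on a clean host
            $value = (Get-Item -LiteralPath $key).GetValue('', $null,
                        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            if ($null -ne $value -and -not (& $check.Ok $value)) {
                $findings.Add("Handler hijack: $key (Default) = $value")
            }
        }
    }

    # Dropped binaries. Any .exe in the legacy %SystemRoot%\system directory is suspect; a
    # non-ASCII executable name under SysWOW64 or System32 matches this sample's pattern.
    $knownBad = @(  # SHA256s from the Files sections of this report (both detonations)
        '91439cd1ba28cddc639fd1f41899bb25f13c40235eb69623a500a72e0f68b785',
        '9c390300492552cb421a5d7b2279fd67eca49c25f147061d3af679998ab447b4',
        'adc5ed2bf1ba84c0dd2e02cc9de36d80e17a4cf5233144507921c3fdf89a5856',
        '454f8501117f113a2fbd60a4ded743cff9f051a25ed50428549fb7c0d5956f54'
    )
    $candidates = @(Get-ChildItem -LiteralPath "$env:SystemRoot\system" -Filter *.exe -File -ErrorAction SilentlyContinue)
    foreach ($dir in 'SysWOW64', 'System32') {
        $candidates += @(Get-ChildItem -LiteralPath "$env:SystemRoot\$dir" -Filter *.exe -File -ErrorAction SilentlyContinue |
                         Where-Object { $_.Name -match '[^\x00-\x7F]' })
    }
    foreach ($file in $candidates) {
        $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash.ToLowerInvariant()
        $tag  = if ($knownBad -contains $hash) { 'known sample hash' } else { 'unexpected location or name' }
        $findings.Add("Dropped file: $($file.FullName) sha256=$hash ($tag)")
    }

    # Marker key written by the dropped rundll32.exe. MainSetup/MainUp hold the install time as
    # Unix epoch seconds; MainVer was 506 in both detonations.
    $marker = 'HKLM:\SOFTWARE\Classes\MSipv'
    if (Test-Path -LiteralPath $marker) {
        $props = Get-ItemProperty -LiteralPath $marker
        $findings.Add("Marker key: $marker MainVer=$($props.MainVer) MainSetup=$($props.MainSetup) MainUp=$($props.MainUp)")
    }
    return $findings
}

$result = Invoke-FileAssocAudit
if ($result.Count -eq 0) { Write-Host 'No file-association persistence artifacts found.' }
else { $result | ForEach-Object { Write-Warning $_ } }
```

Remediation on a hit is not just deleting the dropped files: with the exefile handler pointing at a missing binary, double-clicking any .exe fails, so restore the handler to "%1" %* (or reset it from a clean reference host) before removing the payload, and expect the txtfile handler to need the same treatment.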

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 11:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 11:29

Reported

2024-06-11 11:32

Platform

win7-20240419-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
File created C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
File created C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
File created C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718105375" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718105375" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Windows\system\rundll32.exe N/A
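For retrospective hunting rather than a point-in-time check, the registry and file rows above map onto Sysmon RegistryEvent Value Set (Event ID 13) and FileCreate (Event ID 11) events. The PowerShell below is an added example, not part of the report, and assumes Sysmon is installed with a configuration that logs value writes under HKLM\SOFTWARE\Classes\*\shell\open\command and file creates under C:\Windows; the default Sysmon configuration logs neither, so the query is only as good as the config feeding it. Field names (TargetObject, Details, Image, TargetFilename) are Sysmon's; Sysmon records the hive as HKLM rather than \REGISTRY\MACHINE and appends \(Default) to the key path when the default value is written, which is why the match is on a substring.

```powershell
# Added example for this report page; not sandbox output. Requires Sysmon with registry and
# file-create logging enabled for the paths checked below; run elevated to read the log.
function Get-FileAssocHijackEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    # Stock handler strings for exefile and txtfile; anything else written to these keys is reported.
    $stockHandlers = '^("%1" %\*|%SystemRoot%\\system32\\NOTEPAD\.EXE %1)$'

    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 11, 13; StartTime = $Since }
    foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Flatten <EventData><Data Name="...">text</Data> into a hashtable keyed by Name.
        $d = @{}
        foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

        switch ($evt.Id) {
            13 {  # RegistryEvent (Value Set)
                if ($d.TargetObject -match '\\Classes\\(exefile|txtfile)\\shell\\open\\command' -and
                    $d.Details -notmatch $stockHandlers) {
                    [pscustomobject]@{ Time = $evt.TimeCreated; Event = 'HandlerHijack'
                                       Image = $d.Image; Target = $d.TargetObject; Details = $d.Details }
                }
                if ($d.TargetObject -match '\\Classes\\MSipv\\') {
                    [pscustomobject]@{ Time = $evt.TimeCreated; Event = 'MarkerKey'
                                       Image = $d.Image; Target = $d.TargetObject; Details = $d.Details }
                }
            }
            11 {  # FileCreate
                # Legacy %SystemRoot%\system holds no stock .exe; non-ASCII names in SysWOW64/System32
                # match the dropped notepad and companion binaries in this report.
                $inLegacySystem = $d.TargetFilename -like "$env:SystemRoot\system\*.exe"
                $nonAsciiName   = $d.TargetFilename -match '\\Sys(WOW64|tem32)\\[^\\]*[^\x00-\x7F][^\\]*\.exe$'
                if ($inLegacySystem -or $nonAsciiName) {
                    [pscustomobject]@{ Time = $evt.TimeCreated; Event = 'DroppedBinary'
                                       Image = $d.Image; Target = $d.TargetFilename; Details = '' }
                }
            }
        }
    }
}

Get-FileAssocHijackEvents | Sort-Object Time | Format-Table -AutoSize
```

The Image column is the useful pivot: in this report both the original sample and the dropped C:\Windows\system\rundll32.exe write the handlers, so a HandlerHijack event whose Image is anything other than a known installer, or a DroppedBinary event followed by a HandlerHijack from that same path, is the sequence to alert on.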

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe

"C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.zigui.org udp

Files

memory/2288-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 335b7f137403a901c16b114cb38acf90
SHA1 355b5d4a2e1ac9bb4989f01bcc37bdb758c29f65
SHA256 91439cd1ba28cddc639fd1f41899bb25f13c40235eb69623a500a72e0f68b785
SHA512 0c4fd8c41bb4ebffdea051d8065de906679cc5b538f1197d1a68243ac4a9f79909bfe19339f22fbea6c2f3627fe388b0718a9a61317e3fb504a4bb70b4e9c3aa

\Windows\system\rundll32.exe

MD5 dd4bb783e447d964044f2e90eadbe9e5
SHA1 b8f5bce77409c32ceca8bf4fcc031d906c748405
SHA256 9c390300492552cb421a5d7b2279fd67eca49c25f147061d3af679998ab447b4
SHA512 fb71b6ebd6757d19bddf4a2d8117a8e692076093fc7e3dfe866c94e91c377676252e62b4a00a390cb345ddba7060dfaa82ef41ad959a39123b35c955f17763c4

memory/2288-12-0x0000000000390000-0x00000000003A6000-memory.dmp

memory/2240-20-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/2288-19-0x0000000000390000-0x00000000003A6000-memory.dmp

memory/2288-21-0x0000000000400000-0x0000000000415A00-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 11:29

Reported

2024-06-11 11:32

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

98s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
File created C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
File created C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
File created C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718105380" C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718105380" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Windows\system\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe

"C:\Users\Admin\AppData\Local\Temp\0c3eb47bf0f4c392b7834985a5eb1c8f88b345d1ecbe1f201270751c8c37aeb4.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 www.zigui.org udp
HK 103.251.237.123:80 www.zigui.org tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/2664-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 1b793f4464e6fefe6aaad7195a299381
SHA1 f504547d3e11862432202eab416514a672f15572
SHA256 adc5ed2bf1ba84c0dd2e02cc9de36d80e17a4cf5233144507921c3fdf89a5856
SHA512 df242a7ec9a9e9019521db7462668d9da6ee62436f965732de0b82e4b1b96b62dbe875ce2068ac58f4c9d26baeee586db98e725f72e1cb76bfdad6db19ee7a57

C:\Windows\system\rundll32.exe

MD5 24aa32c0452c4abce82f65f59d063c60
SHA1 5de7878b284cee2e5463869e7c2f22d8f0a9b2fe
SHA256 454f8501117f113a2fbd60a4ded743cff9f051a25ed50428549fb7c0d5956f54
SHA512 c63623160177c6b4bc601b329b69b1a7a73d2701c71f240ab833978cf332d20de1c4d538a694a94a1c037a91593910832de08c256a2744eb16720c0c6aa1dee1

memory/2664-13-0x0000000000400000-0x0000000000415A00-memory.dmp