Malware Analysis Report

2025-08-05 20:07

Sample ID: 240611-qs92maydlh
Target: 75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2
SHA256: 75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2
Tags: persistence
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: 75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2

Threat Level: Shows suspicious behavior

The file 75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2 was found to show suspicious behavior.

Malicious Activity Summary

persistence

Modifies system executable filetype association

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-11 13:32

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-11 13:32

Reported: 2024-06-11 13:35

Platform: win10v2004-20240426-en

Max time kernel: 149s

Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718112761" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718112761" | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A
(28 identical entries)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe

"C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | www.zigui.org | udp
US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp
HK | 103.251.237.123:80 | www.zigui.org | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 216.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 152.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp

Files

memory/3636-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 cd2b66f40f6073c4efe0c1b26a49e6ff
SHA1 e953c8ff54952912f9f6a74dcff4c9b3f3cc8f70
SHA256 7c1beb11db2d5c470bff0da93750f891123bcbc80c16b633dd0d72b013108192
SHA512 cc89294e0983b441b6ddce33630420474ba5704843bbed176c1a955126adfa90780f381609522e06661f97640d352d5b8e0ec2f92020417b470743f72aa3af58

C:\Windows\System\rundll32.exe

MD5 d2c0dd76e05e3ed2106089468b2d65a2
SHA1 642967312de7e370e19515651b6cb460bec6e87e
SHA256 13cd0eb0d1b9065937173ff5e79f8b5088e0690d65e60d3782a491366697d2e3
SHA512 8e9c96fe25347aa869797e0ceba8adf0d74ad34a76a24e4fb9eb23dfdfe521b130802e3b2c8ee303f365b2bce51e70ff7bd211645c0c20b79a7ceba5d0dfc69a

memory/1372-13-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/3636-14-0x0000000000400000-0x0000000000415A00-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-11 13:32

Reported: 2024-06-11 13:35

Platform: win7-20240221-en

Max time kernel: 149s

Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718112766" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718112766" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe | N/A
(14 identical entries)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe

"C:\Users\Admin\AppData\Local\Temp\75ee8e5f930b9f1557a883648bc6bbf3017f772240dd5b0003c60f9a2b93aac2.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.zigui.org | udp
HK | 103.251.237.123:80 | www.zigui.org | tcp

Files

memory/1936-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 051c6c59b0fd465df0cba0f0d61e0fb9
SHA1 42af0b949915f4639c642a7acf065a3d1de7c116
SHA256 14e9b023c7dc0266f66da9106b4befbcb0be6d57ed8e0602114898f2ef819747
SHA512 f44e43ce5636caebbdda2d42a2b4d1a281a980dc2a635226337725716ad56e8063a8fbd168537c572dba18048e9d9ddbafc196ac2840d1605c86e9b232289b60

\Windows\system\rundll32.exe

MD5 f4bc70ff1befb9187978568ebf17ea34
SHA1 369570a073cc7ddbd1f9a71d0189224d9dee3b9d
SHA256 01b25196d1c74b7ffef73d46e4a3b32016a45d1dc5393e676a9d822bc8210087
SHA512 61909cefc026ccc5b2095aa0346d5bb053b96fdae843eb5ac44e33c5ef791ebfa56be982b0d7fae7312dc194b9d7034bf87ed09596d3726fb9787f57becf6c87

memory/1936-12-0x0000000000370000-0x0000000000386000-memory.dmp

memory/3004-19-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/1936-18-0x0000000000370000-0x0000000000386000-memory.dmp

memory/1936-21-0x0000000000400000-0x0000000000415A00-memory.dmp