Malware Analysis Report

2025-04-14 04:41

Sample ID: 240612-3qh7cayhqj
Target: c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19
SHA256: c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19
Tags: persistence
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19

Threat level: shows suspicious behavior.

What the two detonations show: the sample, an unsigned PE run from %TEMP%, drops two executables into the 32-bit system directory (C:\Windows\SysWOW64\¢«.exe and C:\Windows\SysWOW64\notepad¢¬.exe) and a third, named rundll32.exe, into C:\Windows\system, the legacy System directory rather than System32, so it is not the Microsoft binary of that name. It then rewrites HKLM\SOFTWARE\Classes\exefile\shell\open\command to ¢« "%1" %* and HKLM\SOFTWARE\Classes\txtfile\shell\open\command to notepad¢¬ %1, so that opening any .exe or .txt through the shell is meant to pass through the dropped binaries: a file-association hijack that needs no Run key, service or scheduled task. The dropped rundll32.exe also populates HKLM\SOFTWARE\Classes\MSipv with MainVer = 506 and two integers, MainSetup and MainUp, that hold the install time as a Unix epoch (1718235788 is 2024-06-12 23:43:08 UTC, matching the submission time). Both runs resolve www.zigui.org and connect to 103.251.237.123:80. The dropped files have different hashes in the two runs, so the file paths and registry values, not the file hashes, are the indicators worth deploying. Non-ASCII file names are reproduced here as the report renders them.

Malicious Activity Summary

Signatures fired across the analyses (tag: persistence). Three of them, Loads dropped DLL, Suspicious use of WriteProcessMemory and Suspicious use of SetWindowsHookEx, are reported by name only and have no detail rows in the per-run sections below.

Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Enterprise Matrix V15 (no technique rows are present in this report)

Analysis: static1

Detonation Overview

Reported: 2024-06-12 23:43

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 23:43
Reported: 2024-06-12 23:45
Platform: win7-20240611-en
Max time kernel: 150s
Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

Tag: persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A

The stock value of exefile\shell\open\command is "%1" %*, which launches the target itself. The hijacked value prepends ¢«, so the dropped binary is invoked with the real target and its arguments passed through; both the sample and the dropped rundll32.exe write it.

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A

C:\Windows\system is the legacy System directory, not System32 or SysWOW64. A rundll32.exe written there is a dropped binary borrowing the name, not the Microsoft component, and the path alone is a usable indicator.

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718235788" | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718235788" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A
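To turn the registry rows above into something actionable, the following Python, added here as an example and not part of the sandbox report or of any analysis tool, parses the "Set value" rows (copied from the behavioral1 tables, accepted in either the space-separated or the " | "-separated layout), flags every shell\open\command write whose launcher is not the stock one, and decodes the MSipv integers as Unix timestamps. EXPECTED_LAUNCHER is an assumption about the stock Windows values for those two ProgIDs, and the 2000..2100 window used to decide whether an integer is a timestamp is a heuristic.

```python
"""Triage registry writes from a sandbox report: file-association hijacks
and timestamp-looking integers.

Added example, not part of the sandbox report. REPORT_ROWS is copied from
the behavioral1 registry tables; EXPECTED_LAUNCHER is the editor's
assumption about the stock Windows values for those ProgIDs.
"""
import re
from datetime import datetime, timezone

REPORT_ROWS = r'''
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718235788" C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718235788" C:\Windows\system\rundll32.exe N/A
'''

# Description Indicator Process Target; the value keeps the report's \" escaping.
SET_VALUE = re.compile(
    r'^Set value \((?P<type>str|int)\) (?P<key>\S+) = '
    r'"(?P<value>(?:[^"\\]|\\.)*)" (?P<process>\S+) N/A$'
)

# Assumption: stock launchers. exefile runs the target itself; txtfile runs Notepad.
EXPECTED_LAUNCHER = {
    "exefile": {'"%1"'},
    "txtfile": {"notepad.exe", "%systemroot%\\system32\\notepad.exe"},
}


def parse_set_values(text):
    """Return one dict per 'Set value' row; 'Key created' rows are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = SET_VALUE.match(line.strip().replace(" | ", " "))  # either layout
        if m:
            rec = m.groupdict()
            rec["value"] = rec["value"].replace('\\"', '"')  # undo report quoting
            rows.append(rec)
    return rows


def progid_of(key):
    """'\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\...' -> 'exefile'."""
    parts = [p for p in key.split("\\") if p]
    lowered = [p.lower() for p in parts]
    if "classes" not in lowered:
        return None
    i = lowered.index("classes")
    return parts[i + 1] if i + 1 < len(parts) else None


def launcher_of(command):
    """First token of a shell\\open\\command string: the program that gets run."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[: end + 1] if end != -1 else command
    return command.split(" ", 1)[0]


def find_association_hijacks(rows):
    """(progid, launcher, writing process) for each shell\\open\\command write
    whose launcher is not in the allow-list for that ProgID."""
    hits = []
    for r in rows:
        if not r["key"].lower().rstrip("\\").endswith(r"\shell\open\command"):
            continue
        progid = progid_of(r["key"])
        launcher = launcher_of(r["value"])
        expected = EXPECTED_LAUNCHER.get(progid)
        if expected is not None and launcher.lower() not in expected:
            hits.append((progid, launcher, r["process"]))
    return hits


def decode_epoch_values(rows, key_prefix=r"\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv"):
    """Integers under key_prefix: render as UTC time if they fall in 2000..2100."""
    out = {}
    for r in rows:
        if r["type"] != "int" or not r["key"].lower().startswith(key_prefix.lower()):
            continue
        n = int(r["value"])
        name = r["key"].rsplit("\\", 1)[-1]
        if 946684800 <= n < 4102444800:  # 2000-01-01 .. 2100-01-01
            out[name] = datetime.fromtimestamp(n, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        else:
            out[name] = n
    return out


if __name__ == "__main__":
    parsed = parse_set_values(REPORT_ROWS)
    for progid, launcher, proc in find_association_hijacks(parsed):
        print(f"[hijack] {progid}: launcher {launcher!r} written by {proc}")
    for name, val in decode_epoch_values(parsed).items():
        print(f"[MSipv] {name} = {val}")
```

Run against the rows above, the script reports two hijacks, exefile launched through ¢« and txtfile through notepad¢¬, both written by C:\Windows\system\rundll32.exe, and decodes MainSetup and MainUp to 2024-06-12T23:43:08Z, eight seconds after the recorded submission time. On a live host the same comparison is made against HKLM\SOFTWARE\Classes\exefile\shell\open\command, which on a clean system holds "%1" %*.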

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A
(the same row is reported 14 times)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe"

C:\Windows\system\rundll32.exe
Command line: C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.zigui.org | udp
HK | 103.251.237.123:80 | www.zigui.org | tcp

Files

memory/2840-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 20f0cbbeeaae0cbb30bd5d7bde2dc8dd
SHA1 b22d6798802630eece51222fe08cf17cb613dde0
SHA256 3c4d0a32b3caa16a86208a310c1d44e36269fe89c4a28310ff81c85f30303e9f
SHA512 37f58fcc217b5e95af3542932772704b7f6282cdfbed5727919874c803b381b7c3b17b5ef4b49090a14ef98f11bb85f610660e5e0066cbe994263eff575c0330

\Windows\system\rundll32.exe

MD5 f6e335453cf139136237aec9829d0444
SHA1 212eb2d49d7c3472effd6903662959685e23e43f
SHA256 90aaa59d7be59e516c6b7f7e4e138869d63c39b6eedb2cc2e4e0548e5bf7b74e
SHA512 b6e2f8d49f4496a67d2170593b3172463e05942c3eebcdbfd407ed4e4730180571edc065e15a6b52ba352d3163d054f161f41195a9615c72ef7e6ff3a151cf18

memory/2840-12-0x00000000004A0000-0x00000000004B6000-memory.dmp

memory/2768-19-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/2840-18-0x00000000004A0000-0x00000000004B6000-memory.dmp

memory/2840-21-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/2840-22-0x00000000004A0000-0x00000000004A6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-12 23:43
Reported: 2024-06-12 23:45
Platform: win10v2004-20240226-en
Max time kernel: 152s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

Tag: persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718235796" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718235796" | C:\Windows\system\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe | N/A
(the same row is reported 28 times)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c606c075429ea6aeca585cfa0ed5c435c32a384d22ed23b83b9b9340fccb3b19.exe"

C:\Windows\system\rundll32.exe
Command line: C:\Windows\system\rundll32.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8

The list records no parent/child relationships. The msedge.exe utility process appears only in this Windows 10 run, and nothing else in the report ties it to the sample.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.zigui.org | udp
HK | 103.251.237.123:80 | www.zigui.org | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
GB | 23.44.234.16:80 | - | tcp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 13.107.253.64:443 | - | tcp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.82.21.2.in-addr.arpa | udp
NL | 52.142.223.178:80 | - | tcp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.16.208.104.in-addr.arpa | udp

Only www.zigui.org and 103.251.237.123:80 recur from the Windows 7 run. The in-addr.arpa rows are reverse lookups of addresses that appear nowhere else in the table, and the report does not attribute connections to processes, so the remaining destinations (23.44.234.16:80, 13.107.253.64:443, 52.142.223.178:80) cannot be tied to the sample from this data alone.

Files

memory/4848-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 1a22c7e8539d5db5da33d67b89d5348c
SHA1 0c871ff568dfc8817312125bb183b836ff84877b
SHA256 2faa065a1498813ba4f67fd14678fc045397315b46931e3028ecb3fcad1fa77b
SHA512 8d3e0655f4aa14bf1867b778ba44c579e1fb9090fa11d4c844571504fbdc16f6a5ee81b4d6a51dc305339a918458dc7515efeff858cc31c064408a766a85a512

C:\Windows\System\rundll32.exe

MD5 9b7628abed772f040274fdcf578faf8f
SHA1 34f4a75caf13e91a822e092caeed84d75df7bd58
SHA256 4789950bedce1b2234e8827af9cd98b3a7f524601f2c34906e4f7597498b714b
SHA512 e1595441590693b92fa76f1af98f893f04f7bb8ad1325f3d56fcb68f9ed16aa5d46d8450443b2d1c554601abfcc94a5b04951057cc9c3b1765810995de32a061

memory/4848-13-0x0000000000400000-0x0000000000415A00-memory.dmp

Both dropped files differ from their Windows 7 counterparts (notepad¢¬.exe MD5 20f0cbbeeaae0cbb30bd5d7bde2dc8dd there versus 1a22c7e8539d5db5da33d67b89d5348c here; rundll32.exe f6e335453cf139136237aec9829d0444 versus 9b7628abed772f040274fdcf578faf8f), so the dropper does not write byte-identical payloads and the hashes listed here are run-specific. Hunt on the paths and the registry values instead.
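Because the report holds two detonations of the same sample, the useful question is which indicators survive across both. The following Python, added here as an example and not part of the sandbox report or of any analysis tool, takes the file hashes and network rows from the behavioral1 and behavioral2 sections, marks dropped paths whose hash changes between runs, flags dropped names that imitate Windows binaries (a well-known name in the wrong directory, or a well-known name with characters appended), and keeps only the network indicators seen in both runs. SYSTEM_BINARY_DIRS is an assumption about where the named binaries legitimately live; the path normalisation that drops the drive letter exists because the report spells the dropped rundll32.exe both with and without one.

```python
"""Cross-run IOC consolidation for the two detonations in this report.

Added example, not part of the sandbox report. File and network records are
copied from the behavioral1 (Windows 7) and behavioral2 (Windows 10) sections;
SYSTEM_BINARY_DIRS is the editor's assumption about legitimate locations.
"""
import ntpath

# Dropped files per run: path -> (MD5, SHA256), as listed under "Files".
RUN1_FILES = {
    r"C:\Windows\SysWOW64\notepad¢¬.exe": ("20f0cbbeeaae0cbb30bd5d7bde2dc8dd", "3c4d0a32b3caa16a86208a310c1d44e36269fe89c4a28310ff81c85f30303e9f"),
    r"\Windows\system\rundll32.exe": ("f6e335453cf139136237aec9829d0444", "90aaa59d7be59e516c6b7f7e4e138869d63c39b6eedb2cc2e4e0548e5bf7b74e"),
}
RUN2_FILES = {
    r"C:\Windows\SysWOW64\notepad¢¬.exe": ("1a22c7e8539d5db5da33d67b89d5348c", "2faa065a1498813ba4f67fd14678fc045397315b46931e3028ecb3fcad1fa77b"),
    r"C:\Windows\System\rundll32.exe": ("9b7628abed772f040274fdcf578faf8f", "4789950bedce1b2234e8827af9cd98b3a7f524601f2c34906e4f7597498b714b"),
}

# Network rows per run: (country, destination, domain, proto), as listed.
RUN1_NET = [
    ("US", "8.8.8.8:53", "www.zigui.org", "udp"),
    ("HK", "103.251.237.123:80", "www.zigui.org", "tcp"),
]
RUN2_NET = [
    ("US", "8.8.8.8:53", "www.zigui.org", "udp"),
    ("HK", "103.251.237.123:80", "www.zigui.org", "tcp"),
    ("US", "8.8.8.8:53", "228.249.119.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "134.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("GB", "23.44.234.16:80", "", "tcp"),
    ("US", "8.8.8.8:53", "28.118.140.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "104.219.191.52.in-addr.arpa", "udp"),
    ("US", "13.107.253.64:443", "", "tcp"),
    ("US", "8.8.8.8:53", "86.23.85.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "198.187.3.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "57.82.21.2.in-addr.arpa", "udp"),
    ("NL", "52.142.223.178:80", "", "tcp"),
    ("US", "8.8.8.8:53", "31.243.111.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.16.208.104.in-addr.arpa", "udp"),
]

# Assumption: legitimate directories (lower-case, no drive) for these names.
SYSTEM_BINARY_DIRS = {
    "rundll32.exe": {r"\windows\system32", r"\windows\syswow64"},
    "notepad.exe": {r"\windows", r"\windows\system32", r"\windows\syswow64"},
}


def normalize_path(path):
    """Lower-case and drop the drive letter, so the report's two spellings
    'C:\\Windows\\System\\rundll32.exe' and '\\Windows\\system\\rundll32.exe' match."""
    p = path.strip().lower()
    return p[2:] if len(p) > 1 and p[1] == ":" else p


def compare_dropped_files(run_a, run_b):
    """Per normalized path: seen in both runs, and same SHA256 in both?
    A path whose hash changes between runs is a poor hash-based IOC."""
    a = {normalize_path(p): h for p, h in run_a.items()}
    b = {normalize_path(p): h for p, h in run_b.items()}
    out = {}
    for p in sorted(set(a) | set(b)):
        in_both = p in a and p in b
        out[p] = {"in_both": in_both, "hash_stable": in_both and a[p][1] == b[p][1]}
    return out


def masquerade_check(path):
    """'masquerade': a well-known binary name in the wrong directory;
    'lookalike': a well-known name with extra characters before .exe;
    None: nothing to flag."""
    directory, name = ntpath.split(normalize_path(path))
    for known, dirs in SYSTEM_BINARY_DIRS.items():
        if name == known:
            return None if directory in dirs else "masquerade"
        if name.startswith(known[: -len(".exe")]):
            return "lookalike"
    return None


def stable_network_iocs(run_a, run_b, resolver="8.8.8.8:53"):
    """Keep only what both runs did: forward-lookup names (in-addr.arpa rows
    are reverse lookups and carry no contacted name) and non-resolver destinations."""
    def summarize(rows):
        names = {d for _, _, d, _ in rows if d and not d.endswith(".in-addr.arpa")}
        dests = {dst for _, dst, _, _ in rows if dst != resolver}
        return names, dests
    na, da = summarize(run_a)
    nb, db = summarize(run_b)
    return {"domains": sorted(na & nb), "destinations": sorted(da & db)}


if __name__ == "__main__":
    for path, verdict in compare_dropped_files(RUN1_FILES, RUN2_FILES).items():
        flag = masquerade_check(path) or "-"
        print(f"{path}: in_both={verdict['in_both']} hash_stable={verdict['hash_stable']} {flag}")
    print(stable_network_iocs(RUN1_NET, RUN2_NET))
```

On this report both dropped paths are present in both runs with unstable hashes, \windows\system\rundll32.exe is flagged as a masquerade and \windows\syswow64\notepad¢¬.exe as a lookalike, and the only network indicators common to both runs are www.zigui.org and 103.251.237.123:80. That is the IOC set worth shipping: two paths, two registry values and one domain/address pair, with the file hashes kept only as run-specific evidence.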