Malware Analysis Report

2025-03-14 22:10

Sample ID 240613-faqj6ayanj
Target f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd
SHA256 f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd
Tags
persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd

Threat Level: Shows suspicious behavior

The file f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd was found to show suspicious behavior.

Malicious Activity Summary

persistence

Loads dropped DLL

Executes dropped EXE

Modifies system executable filetype association

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 04:40

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 04:40

Reported

2024-06-13 04:42

Platform

win7-20240221-en

Max time kernel

149s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718253629" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718253629" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe

"C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.zigui.org | udp
HK | 103.251.237.123:80 | www.zigui.org | tcp

Files

memory/2224-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 398da659a6d86561b69cdd15bddf04c7
SHA1 727745cf7edc35d0a430208e31078a3584029e5b
SHA256 1196a61f813ca5a5cc1f64d3756301cfad17ff83f6b620faa561e9bec60b7193
SHA512 39dc2474840512b19a2e8cb5df1fd360cfa9eb537a4ecf2b077f45f2eb703adbe14457dbe062ceb0d74572a24025bf1c5a45d51282a385badbac2568b1fdfcc7

\Windows\system\rundll32.exe

MD5 7d995fbc138b13e7ef7083c6b24da77c
SHA1 86b998bdaa2ca3db25c867b21b318309a2ea0205
SHA256 53b5b76fb7f76c557632f9cb5debd9f8c1389c0ddf34ed84d18cf5cd282578b6
SHA512 24b5212d50fec00c88b4eaa63f6bef8e18a6c4d895cfe57459bc179118da193dba6040477a29df15e7da29b65c6782adfbe03d3804ea85eff3ddf66118ee276a

memory/2224-11-0x00000000002E0000-0x00000000002F6000-memory.dmp

memory/1704-19-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/2224-20-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/2224-21-0x00000000002E0000-0x00000000002E2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 04:40

Reported

2024-06-13 04:42

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718253629" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718253629" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe

"C:\Users\Admin\AppData\Local\Temp\f3ba8a36c0a6894e32e5246fbb0679b179787d928780e4d03cf231bcbb04fabd.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4088,i,10925946972013221578,8820669985803190952,262144 --variations-seed-version --mojo-platform-channel-handle=3688 /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | www.zigui.org | udp
HK | 103.251.237.123:80 | www.zigui.org | tcp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp

Files

memory/4920-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 398da659a6d86561b69cdd15bddf04c7
SHA1 727745cf7edc35d0a430208e31078a3584029e5b
SHA256 1196a61f813ca5a5cc1f64d3756301cfad17ff83f6b620faa561e9bec60b7193
SHA512 39dc2474840512b19a2e8cb5df1fd360cfa9eb537a4ecf2b077f45f2eb703adbe14457dbe062ceb0d74572a24025bf1c5a45d51282a385badbac2568b1fdfcc7

C:\Windows\System\rundll32.exe

MD5 7d995fbc138b13e7ef7083c6b24da77c
SHA1 86b998bdaa2ca3db25c867b21b318309a2ea0205
SHA256 53b5b76fb7f76c557632f9cb5debd9f8c1389c0ddf34ed84d18cf5cd282578b6
SHA512 24b5212d50fec00c88b4eaa63f6bef8e18a6c4d895cfe57459bc179118da193dba6040477a29df15e7da29b65c6782adfbe03d3804ea85eff3ddf66118ee276a

memory/2960-13-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/4920-14-0x0000000000400000-0x0000000000415A00-memory.dmp