Malware Analysis Report

2025-04-14 02:58

Sample ID 240613-c7qdwa1hja
Target debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07
SHA256 debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07
Tags
persistence
score
7/10

Analysis Overview

score
7/10

SHA256

debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07

Threat Level: Shows suspicious behavior

The file debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07 was found to show suspicious behavior.

Malicious Activity Summary

persistence

Executes dropped EXE

Modifies system executable filetype association

Loads dropped DLL

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 02:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 02:43

Reported

2024-06-13 02:45

Platform

win7-20240508-en

Max time kernel

149s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
File opened for modification C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
File created C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
File created C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718246601" C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718246601" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe

"C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.zigui.org udp

Files

memory/2232-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 d3ed63e83b90d972a8ecb094a0bc52e2
SHA1 859645f509242477d96c5a55883081d0c7581824
SHA256 47a3b04479e56bece397c54f17e0f074826dac3c87c12152499a507f9458b365
SHA512 9a9362489e856ebb855fc32d6eb9164f4c9442f716d6d8bf0f67ff9b71848192880903b5111a9a2cdcc5d509412fc555d3a2452b5ac8adc27b78c0d61a22ceea

\Windows\system\rundll32.exe

MD5 abf7f5e63c94118c62ae73c3f49a3c86
SHA1 cf628e4b04ea812a5278f8aa8909879156883f44
SHA256 08575ec182c665c9961b98db7cd18725f1a34bac08462ca47cc7f956134a0dd4
SHA512 8955433a5dbd97453f38ccc03d2f973be3dbc91dd3ada684e4b9f7741961a41b22084be69b4215fdb02c5467ab15172a492e05ebec506f2e4edf909ebabea540

memory/2232-12-0x0000000000260000-0x0000000000276000-memory.dmp

memory/2832-19-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/2232-18-0x0000000000260000-0x0000000000276000-memory.dmp

memory/2232-21-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/2232-22-0x0000000000260000-0x0000000000262000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 02:43

Reported

2024-06-13 02:45

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
File created C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
File created C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
File created C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718246602" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718246602" C:\Windows\system\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe

"C:\Users\Admin\AppData\Local\Temp\debf6d2b16e9f2d7283255bc6fd061db86afa021b36a046bec0ba69f1b12bb07.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 www.zigui.org udp
HK 103.251.237.123:80 www.zigui.org tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/944-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 971c18a4cd09826a7c6943731c077ae6
SHA1 d36056e0984d163acb3e61693bf0b1d03df34fcd
SHA256 78e2c55b64a7fcdc5e743ba5fb7593f2aebb277e4b3237e096b9a94f44ade0f1
SHA512 d113cfed2448605561ef954946d291d6af6bfa7afba0e99ad089b557b564ff1f7ff828bab575e1819248b6d74ab28582a1c9cf189acbec8318ef3f019dfce553

C:\Windows\System\rundll32.exe

MD5 bf6626ecf0f25c0166b848fb512a83ea
SHA1 53c68391a5066de9ef29c38755a881e7b2a6a77c
SHA256 06640a70e6fd57817dd81666adf1de19d8b5c9c3240c6a5bb2f1cc9911590bf9
SHA512 e11b1b75710f264365fc41f653786499c1c07bfcad814f80e2acf5f811838e9c163c8d55ec7810d27f5780cc06f4b46ca5c789a747ca8369a26a17b05d554510

memory/944-13-0x0000000000400000-0x0000000000415A00-memory.dmp