Malware Analysis Report

2025-03-14 22:10

Sample ID 240613-falafavblh
Target 1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0
SHA256 1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0
Tags: persistence
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: 1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0

Threat Level: Shows suspicious behavior

The file 1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0 was found to show suspicious behavior.

Malicious Activity Summary

persistence

Executes dropped EXE

Loads dropped DLL

Modifies system executable filetype association

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 04:40

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 04:40

Reported

2024-06-13 04:42

Platform

win7-20240419-en

Max time kernel

149s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718253614" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718253614" | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe

"C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.zigui.org | udp

Files

memory/1824-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 2a3a74e2dfc09fa725be0269bc34981f
SHA1 068430cd2aa90070f2868379d16f7ec3ccd7db24
SHA256 ed957a74da4aecf654670ddd8d813ba687864cc1225c8168a2ef68a1dabd5c15
SHA512 f7b8906c6d1d154887ec4ebade80deb1b64aa4a719507c6a110ac3cb49b67d478769b31e92eb5b739b47ff2f37347c33a68c3ba79c072bca701766cd9c10d40b

\Windows\system\rundll32.exe

MD5 d2c0dd76e05e3ed2106089468b2d65a2
SHA1 642967312de7e370e19515651b6cb460bec6e87e
SHA256 13cd0eb0d1b9065937173ff5e79f8b5088e0690d65e60d3782a491366697d2e3
SHA512 8e9c96fe25347aa869797e0ceba8adf0d74ad34a76a24e4fb9eb23dfdfe521b130802e3b2c8ee303f365b2bce51e70ff7bd211645c0c20b79a7ceba5d0dfc69a

memory/1824-18-0x0000000000360000-0x0000000000376000-memory.dmp

memory/1824-17-0x0000000000360000-0x0000000000376000-memory.dmp

memory/2644-20-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/1824-21-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/1824-22-0x0000000000360000-0x0000000000362000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 04:40

Reported

2024-06-13 04:42

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718253625" | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718253625" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe

"C:\Users\Admin\AppData\Local\Temp\1eab97ad79f88071aaeb9acc34c7b5cbec04bb3c9790539a5bb9421756feadc0.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | www.zigui.org | udp

Files

memory/1500-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 457276c27339f94a9025c40890309ddc
SHA1 0f2327cbff6c66e77f9ddcecefed0cea1496c86e
SHA256 dc1bc40300b942029c99879a51e11bfe9d611e56851bda1a2e06e056f78b2955
SHA512 688f43e95a661f8012b390bc5ee91a6f434bd735a53980c061d4444f7cb1a67c7e9deec9492fdf1e4b1a6d0715fb4a8922b20521d9e1e507003e209d76ab63b0

C:\Windows\System\rundll32.exe

MD5 f9c2173a795055cc408d5c35567c2521
SHA1 ca1da5ddf31f9b81e9458e5536d11b22baf8d6a2
SHA256 6bfb5e8dd91937253762654fa51440b0b72b3fe10bb8574d590b93a8d782aded
SHA512 2ccc7cdcba31ac4606d57ffd34af471a9bba9ccbe78a71527f613550d7f8633af7248267bde4cee5f04f23d1154d287f5d789fd2ac67893be206f3639e9ee54d

memory/1500-13-0x0000000000400000-0x0000000000415A00-memory.dmp