Malware Analysis Report

2025-03-14 22:10

Sample ID 240613-fejmeavcpe
Target 7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a
SHA256 7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a
Tags
persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a

Threat Level: Shows suspicious behavior

The file 7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence

Executes dropped EXE

Modifies system executable filetype association

Loads dropped DLL

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 04:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 04:47

Reported

2024-06-13 04:49

Platform

win7-20240220-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
File created C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
File created C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
File created C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718254027" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718254027" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe

"C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.zigui.org udp
HK 103.251.237.123:80 www.zigui.org tcp

Files

memory/2360-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 d2c0dd76e05e3ed2106089468b2d65a2
SHA1 642967312de7e370e19515651b6cb460bec6e87e
SHA256 13cd0eb0d1b9065937173ff5e79f8b5088e0690d65e60d3782a491366697d2e3
SHA512 8e9c96fe25347aa869797e0ceba8adf0d74ad34a76a24e4fb9eb23dfdfe521b130802e3b2c8ee303f365b2bce51e70ff7bd211645c0c20b79a7ceba5d0dfc69a

\Windows\system\rundll32.exe

MD5 78e70f15776f745ce34c37ad7f8cd1a3
SHA1 0846c7c8a5bf2239ce55298a885b5acde9eac92d
SHA256 b14d3b7c9b6836d4c9e20b9d1bd53477aa457bff42b185647c45230f017457f1
SHA512 0778bacdb2d4a98f1dd56e78bc193f796dfaa365e53e5173f6f98a9e1081e6303de20c642861fe88ce946c8364f88e2ac049c2e3ad6e8b755cf7aa7ba5e08fe5

memory/2360-18-0x00000000002F0000-0x0000000000306000-memory.dmp

memory/2988-19-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/2360-17-0x00000000002F0000-0x0000000000306000-memory.dmp

memory/2360-21-0x0000000000400000-0x0000000000415A00-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 04:47

Reported

2024-06-13 04:49

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
File created C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
File created C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
File created C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718254035" C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718254035" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Windows\system\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe

"C:\Users\Admin\AppData\Local\Temp\7acfc0f7c3e424d1e01bc74c15b86c3961f9ddae5950419a3a35e460dd03035a.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4032 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.zigui.org udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
HK 103.251.237.123:80 www.zigui.org tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

memory/4248-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 3b42ff4a685dc780e4aa4ff22cdd9b22
SHA1 b6041b672cf48545ab3580b85725c9f2bf078abb
SHA256 fbd5042adce2c89fc66a8db783a820d277bac844be78c006a2f4cd9f833ebb20
SHA512 0fa58b350bc33ca50b2cc2f92d676b4e695b9505027e3695227ddff1e38efd49b467d4533b6edd9f71cda0422a93f35fda3840631a679feb53592d0aa134c2b9

C:\Windows\System\rundll32.exe

MD5 2ee4c03249fee21f225f4eca24c0c2c4
SHA1 0597594e1b192db58145acef4e3fa59fa7bbd9e3
SHA256 c80ac839960867719610c77501f0d08233dac7a71537b6bc7d674df7346e9995
SHA512 aa6c90e5dd11910ff7992bae85678c502db944d60e9fb996316e0d2ce4f3dea8ebe9203b18a6c4497831275d832e1c0bce79c51f1e9e4bbcab8235b60137d5b7

memory/4248-13-0x0000000000400000-0x0000000000415A00-memory.dmp