Malware Analysis Report

2025-04-14 01:48

Sample ID: 240602-2ef26shd2s
Target: eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608
SHA256: eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608
Tags: persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10
SHA256: eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608

Threat Level: Shows suspicious behavior

The file eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608 was found to show suspicious behavior.

Malicious Activity Summary

persistence

Modifies system executable filetype association

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-02 22:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-02 22:29
Reported: 2024-06-02 22:32
Platform: win7-20240221-en
Max time kernel: 149s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

Tags: persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1717367375" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1717367375" | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe

"C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.zigui.org | udp
HK | 103.251.237.123:80 | www.zigui.org | tcp

Files

memory/1916-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 e0d2bb595732265e7d785f0b652f035d
SHA1 6d4c1d1d0dff305a57b0ca818ba8e19af72a4911
SHA256 c446744fdcb4f9ae94a6236bf626f7bfdda0d4a6e8471e21915d027b129dcd3d
SHA512 b04f3394aa7970228c8f599356f2347cdbb5d2a6dea4585290a9581e1e0f06697f79d30246d94c91b1ac37cd7da1594c2d7c378f0e9888f115dd9557e4e84de3

\Windows\system\rundll32.exe

MD5 d2c0dd76e05e3ed2106089468b2d65a2
SHA1 642967312de7e370e19515651b6cb460bec6e87e
SHA256 13cd0eb0d1b9065937173ff5e79f8b5088e0690d65e60d3782a491366697d2e3
SHA512 8e9c96fe25347aa869797e0ceba8adf0d74ad34a76a24e4fb9eb23dfdfe521b130802e3b2c8ee303f365b2bce51e70ff7bd211645c0c20b79a7ceba5d0dfc69a

memory/1916-18-0x0000000000260000-0x0000000000276000-memory.dmp

memory/1916-17-0x0000000000260000-0x0000000000276000-memory.dmp

memory/1916-20-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/1916-21-0x0000000000260000-0x0000000000262000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-02 22:29
Reported: 2024-06-02 22:32
Platform: win10v2004-20240426-en
Max time kernel: 149s
Max time network: 99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1717367378" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1717367378" | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe

"C:\Users\Admin\AppData\Local\Temp\eec362ff5acad006bee6079d1408a29ac19e29f5b5a8775b3935052568f13608.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | www.zigui.org | udp
HK | 103.251.237.123:80 | www.zigui.org | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp

Files

memory/1444-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 5d87dd5f9364845bca37781244e9a613
SHA1 6bfd8215b0c707915e0aca13e67a3fa597687ca9
SHA256 00241433dfa2e6f55833b436553755e5c63f4dd99a258864e87e508d8831cdb5
SHA512 35ef0d877a78d34043742596b6255096a4527079c5e467e98f211ba95db502ff77dbe269c7db6b2dd0b833a85b0ebb14fa87e06a8f87a9f916025aec20f9aa6f

C:\Windows\system\rundll32.exe

MD5 cba6b59a49d3d66fcc7da46f031154cb
SHA1 7da410e1e57abf2df63a3906d9db63edab8bb61f
SHA256 e721936fc7d81e6740d839d3fcf1ffa743bd95f20c4f6d6c69655f492fd870cb
SHA512 5b434f5957f11b5ed3c1b2d6b778d8ed0d41a2090f628e266e3529b85b105326fc325f7ff2d510d859d4ba02696b789c80032a3561890c292ea9c736519714c4

memory/1444-13-0x0000000000400000-0x0000000000415A00-memory.dmp