Malware Analysis Report

2025-04-14 02:57

Sample ID: 240613-c7hc9svgjn
Target: 66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff
SHA256: 66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff
Tags: persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10

SHA256: 66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff

Threat Level: Shows suspicious behavior

The file 66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff was classified as "Shows suspicious behavior".

Malicious Activity Summary

persistence

Loads dropped DLL

Executes dropped EXE

Modifies system executable filetype association

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-13 02:42

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 02:42
Reported: 2024-06-13 02:45
Platform: win7-20240508-en
Max time kernel: 149s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718246578" | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718246578" | C:\Windows\system\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A (14 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe

"C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.zigui.org | udp

Files

memory/2416-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 ecd5eb607043d830481ec58aaa34cbe4
SHA1 cda68ee968baf547370e7cc19d4061b3622b19fe
SHA256 b610697ab4e72bfe9c452257ce41aff07efe2fb251ef7f4bb301e3d1cd96c9cd
SHA512 9be3b2f20cfc21e9a7bf701efc31e4821eab214cff632d6db647292f9c5d9ea926c7442de3c89360b828ced5864514b3c516e883486e17cc6279ec768e1dc203

\Windows\system\rundll32.exe

MD5 d8b8995f8a6c85450522a6203e9224e8
SHA1 741521abf99b88551be917f4742141a59819ec1b
SHA256 6a20c8cf18683a0b266085e14b24ea661cf37424d16ef1a1b80b322ab5563f19
SHA512 bcb81245bc8dcc51d28a963ba955241726664f02c024d93baaffbfc7e04f3426b035c4d812a5ce363ca41500b4dc75ce1d1f9e2c21c970a20ec259cc08b426ff

memory/2416-16-0x00000000003D0000-0x00000000003E6000-memory.dmp

memory/2416-17-0x00000000003D0000-0x00000000003E6000-memory.dmp

memory/2820-20-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/2416-21-0x0000000000400000-0x0000000000415A00-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 02:42
Reported: 2024-06-13 02:45
Platform: win10v2004-20240611-en
Max time kernel: 149s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718246578" | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718246578" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe | N/A (28 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe

"C:\Users\Admin\AppData\Local\Temp\66c0fe59c7ce71778fca856e96c5868b4f40900d9924efc317e2401785c33dff.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | www.zigui.org | udp
HK | 103.251.237.123:80 | www.zigui.org | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Files

memory/2968-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 ecd5eb607043d830481ec58aaa34cbe4
SHA1 cda68ee968baf547370e7cc19d4061b3622b19fe
SHA256 b610697ab4e72bfe9c452257ce41aff07efe2fb251ef7f4bb301e3d1cd96c9cd
SHA512 9be3b2f20cfc21e9a7bf701efc31e4821eab214cff632d6db647292f9c5d9ea926c7442de3c89360b828ced5864514b3c516e883486e17cc6279ec768e1dc203

C:\Windows\System\rundll32.exe

MD5 d8b8995f8a6c85450522a6203e9224e8
SHA1 741521abf99b88551be917f4742141a59819ec1b
SHA256 6a20c8cf18683a0b266085e14b24ea661cf37424d16ef1a1b80b322ab5563f19
SHA512 bcb81245bc8dcc51d28a963ba955241726664f02c024d93baaffbfc7e04f3426b035c4d812a5ce363ca41500b4dc75ce1d1f9e2c21c970a20ec259cc08b426ff

memory/2968-13-0x0000000000400000-0x0000000000415A00-memory.dmp