Malware Analysis Report

2025-06-16 05:08

Sample ID 240313-b8py3ahc6s
Target c4a9c28cd43849f4627561bca275779e
SHA256 f42d0e2c1568ab7d7ff6add4693f22eb888133cd6bfbdfd45b8863355fdecb6d
Tags
tofsee evasion persistence trojan
score
10/10

Analysis Overview

Score: 10/10
SHA256: f42d0e2c1568ab7d7ff6add4693f22eb888133cd6bfbdfd45b8863355fdecb6d
Threat Level: Known bad

The file c4a9c28cd43849f4627561bca275779e was found to be: Known bad.

Malicious Activity Summary

tofsee evasion persistence trojan

Tofsee

Windows security bypass

Creates new service(s)

Modifies Windows Firewall

Sets service image path in registry

Deletes itself

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2024-03-13 01:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-13 01:49
Reported: 2024-03-13 01:51
Platform: win7-20240220-en
Max time kernel: 148s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe"

Signatures

Tofsee

trojan tofsee

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\dujmyxav = "0" C:\Windows\SysWOW64\svchost.exe N/A

Creates new service(s)

persistence

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\dujmyxav\ImagePath = "C:\\Windows\\SysWOW64\\dujmyxav\\cpgphuwq.exe" C:\Windows\SysWOW64\svchost.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\dujmyxav\cpgphuwq.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2456 set thread context of 2336 N/A C:\Windows\SysWOW64\dujmyxav\cpgphuwq.exe C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2912 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\cmd.exe
PID 2912 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\sc.exe
PID 2912 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\sc.exe
PID 2912 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\sc.exe
PID 2912 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\sc.exe
PID 2912 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\sc.exe
PID 2912 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\sc.exe
PID 2912 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\sc.exe
PID 2912 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\sc.exe
PID 2912 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\sc.exe
PID 2912 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\sc.exe
PID 2912 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\sc.exe
PID 2912 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\sc.exe
PID 2912 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\netsh.exe
PID 2912 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\netsh.exe
PID 2912 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\netsh.exe
PID 2912 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\netsh.exe
PID 2456 wrote to memory of 2336 N/A C:\Windows\SysWOW64\dujmyxav\cpgphuwq.exe C:\Windows\SysWOW64\svchost.exe
PID 2456 wrote to memory of 2336 N/A C:\Windows\SysWOW64\dujmyxav\cpgphuwq.exe C:\Windows\SysWOW64\svchost.exe
PID 2456 wrote to memory of 2336 N/A C:\Windows\SysWOW64\dujmyxav\cpgphuwq.exe C:\Windows\SysWOW64\svchost.exe
PID 2456 wrote to memory of 2336 N/A C:\Windows\SysWOW64\dujmyxav\cpgphuwq.exe C:\Windows\SysWOW64\svchost.exe
PID 2456 wrote to memory of 2336 N/A C:\Windows\SysWOW64\dujmyxav\cpgphuwq.exe C:\Windows\SysWOW64\svchost.exe
PID 2456 wrote to memory of 2336 N/A C:\Windows\SysWOW64\dujmyxav\cpgphuwq.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe

"C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\dujmyxav\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cpgphuwq.exe" C:\Windows\SysWOW64\dujmyxav\

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create dujmyxav binPath= "C:\Windows\SysWOW64\dujmyxav\cpgphuwq.exe /d\"C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description dujmyxav "wifi internet conection"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start dujmyxav

C:\Windows\SysWOW64\dujmyxav\cpgphuwq.exe

C:\Windows\SysWOW64\dujmyxav\cpgphuwq.exe /d"C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 microsoft.com udp
US 20.112.250.133:80 microsoft.com tcp
US 8.8.8.8:53 microsoft.com udp
US 8.8.8.8:53 microsoft-com.mail.protection.outlook.com udp
US 52.101.42.0:25 microsoft-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 yahoo.com udp
US 8.8.8.8:53 mta7.am0.yahoodns.net udp
US 67.195.204.79:25 mta7.am0.yahoodns.net tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 smtp.google.com udp
IE 209.85.203.26:25 smtp.google.com tcp
US 8.8.8.8:53 mail.ru udp
US 8.8.8.8:53 mxs.mail.ru udp
RU 94.100.180.31:25 mxs.mail.ru tcp
US 8.8.8.8:53 refabyd.info udp

Files

memory/2912-1-0x0000000000520000-0x0000000000620000-memory.dmp
memory/2912-4-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2912-3-0x0000000000220000-0x0000000000233000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cpgphuwq.exe

MD5 07f7b8054a15596471807c7830991a4f
SHA1 711aa0643bf39af809e01e2fddf9862b002b7a37
SHA256 8592d91185244a5173494d301c3b9dde3b959703827183d4d90034e6d2a05bf5
SHA512 92060c96391c99c8fb2f0c8391c896342f5edaa41c21505242d0b7e89b9b2f88e9496ec598e3bc62353f02f9e2f8bdfea887d4b24315f6c63745ae8ec910e70f

C:\Windows\SysWOW64\dujmyxav\cpgphuwq.exe

MD5 b4ea8d12200344126056f292a7974ac2
SHA1 74471f400beabc67e5e6400b044c61604a3b98b0
SHA256 8ee434d29ffe59b8e959202e7b41110ba977d2ca5181d8ed8e4143278615ca51
SHA512 e7e03949bfbb0e854b3c033d07e0958749c53fe603c012237bfe14b1c46aa144a9573bc491820c13234c83cdc7b80ccaeffe4981c4d29e4715c7880c5881c66d

memory/2912-8-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2912-9-0x0000000000520000-0x0000000000620000-memory.dmp
memory/2456-10-0x00000000005A0000-0x00000000006A0000-memory.dmp
memory/2336-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2456-12-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2336-15-0x0000000000090000-0x00000000000A5000-memory.dmp
memory/2336-11-0x0000000000090000-0x00000000000A5000-memory.dmp
memory/2456-17-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2336-19-0x0000000000090000-0x00000000000A5000-memory.dmp
memory/2336-21-0x0000000000090000-0x00000000000A5000-memory.dmp
memory/2336-20-0x0000000000090000-0x00000000000A5000-memory.dmp
memory/2336-22-0x0000000000090000-0x00000000000A5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-13 01:49
Reported: 2024-03-13 01:52
Platform: win10v2004-20240226-en
Max time kernel: 155s
Max time network: 159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe"

Signatures

Tofsee

trojan tofsee

Creates new service(s)

persistence

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\azqsemep\ImagePath = "C:\\Windows\\SysWOW64\\azqsemep\\jcuqozn.exe" C:\Windows\SysWOW64\svchost.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\azqsemep\jcuqozn.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2960 set thread context of 1844 N/A C:\Windows\SysWOW64\azqsemep\jcuqozn.exe C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1160 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\cmd.exe
PID 1160 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\cmd.exe
PID 1160 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\cmd.exe
PID 1160 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\cmd.exe
PID 1160 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\cmd.exe
PID 1160 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\cmd.exe
PID 1160 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\sc.exe
PID 1160 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\sc.exe
PID 1160 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\sc.exe
PID 1160 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\sc.exe
PID 1160 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\sc.exe
PID 1160 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\sc.exe
PID 1160 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\sc.exe
PID 1160 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\sc.exe
PID 1160 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\sc.exe
PID 1160 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\netsh.exe
PID 1160 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\netsh.exe
PID 1160 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe C:\Windows\SysWOW64\netsh.exe
PID 2960 wrote to memory of 1844 N/A C:\Windows\SysWOW64\azqsemep\jcuqozn.exe C:\Windows\SysWOW64\svchost.exe
PID 2960 wrote to memory of 1844 N/A C:\Windows\SysWOW64\azqsemep\jcuqozn.exe C:\Windows\SysWOW64\svchost.exe
PID 2960 wrote to memory of 1844 N/A C:\Windows\SysWOW64\azqsemep\jcuqozn.exe C:\Windows\SysWOW64\svchost.exe
PID 2960 wrote to memory of 1844 N/A C:\Windows\SysWOW64\azqsemep\jcuqozn.exe C:\Windows\SysWOW64\svchost.exe
PID 2960 wrote to memory of 1844 N/A C:\Windows\SysWOW64\azqsemep\jcuqozn.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe

"C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\azqsemep\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jcuqozn.exe" C:\Windows\SysWOW64\azqsemep\

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create azqsemep binPath= "C:\Windows\SysWOW64\azqsemep\jcuqozn.exe /d\"C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description azqsemep "wifi internet conection"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start azqsemep

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1160 -ip 1160

C:\Windows\SysWOW64\azqsemep\jcuqozn.exe

C:\Windows\SysWOW64\azqsemep\jcuqozn.exe /d"C:\Users\Admin\AppData\Local\Temp\c4a9c28cd43849f4627561bca275779e.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 1032

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2960 -ip 2960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 microsoft.com udp
US 20.112.250.133:80 microsoft.com tcp
US 8.8.8.8:53 microsoft.com udp
US 8.8.8.8:53 microsoft-com.mail.protection.outlook.com udp
US 52.101.42.0:25 microsoft-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 133.250.112.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 yahoo.com udp
US 8.8.8.8:53 mta7.am0.yahoodns.net udp
US 98.136.96.77:25 mta7.am0.yahoodns.net tcp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 smtp.google.com udp
IE 209.85.203.27:25 smtp.google.com tcp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 refabyd.info udp
US 8.8.8.8:53 mail.ru udp
US 8.8.8.8:53 mxs.mail.ru udp
RU 94.100.180.31:25 mxs.mail.ru tcp
US 8.8.8.8:53 refabyd.info udp
US 8.8.8.8:53 refabyd.info udp
US 8.8.8.8:53 refabyd.info udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 refabyd.info udp
US 8.8.8.8:53 defeatwax.ru udp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 defeatwax.ru udp

Files

memory/1160-1-0x0000000000590000-0x0000000000690000-memory.dmp
memory/1160-2-0x0000000000540000-0x0000000000553000-memory.dmp
memory/1160-3-0x0000000000400000-0x0000000000468000-memory.dmp
memory/1160-5-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jcuqozn.exe

MD5 a2bc50fe744af23015711dbc342a838c
SHA1 bbe916432b9d9bf7ea48b2fed91bc88c1289f6ba
SHA256 217ad582afa06a687a833d120d94726ebc947299bd35876ec3a88c8ee5cebb0a
SHA512 06a473da057e31554a2ebdeb87aa46fc9f7b33e2b0a67bab54e0b6ac9308898e7ee9936e5de044d661841e3d05c1ba6747ba8b2ca4af294ae72194cb1722fc5c

C:\Windows\SysWOW64\azqsemep\jcuqozn.exe

MD5 d657654190c9c6f6216eea17b6289b68
SHA1 36817bf38719027fae0ca5f25d7d8b4b7eb145a1
SHA256 198d5a289c8799e5b791702491349efd37c52d43bf3b7c3644aca90382020a50
SHA512 d4117ae075887b365b84de71e2ba82bcfe74332cbf41109204ead37cff95dcd4101537905f692b59512f2d4e7d33e9ae2724c44b0a1f9a958218efa7ab82b471

memory/1160-9-0x0000000000400000-0x0000000000468000-memory.dmp
memory/1160-10-0x0000000000540000-0x0000000000553000-memory.dmp
memory/2960-11-0x0000000000470000-0x0000000000570000-memory.dmp
memory/2960-12-0x0000000000400000-0x0000000000468000-memory.dmp
memory/1844-13-0x0000000000700000-0x0000000000715000-memory.dmp
memory/1844-17-0x0000000000700000-0x0000000000715000-memory.dmp
memory/2960-18-0x0000000000400000-0x0000000000468000-memory.dmp
memory/1844-19-0x0000000000700000-0x0000000000715000-memory.dmp
memory/1844-22-0x0000000000700000-0x0000000000715000-memory.dmp