Malware Analysis Report

2025-04-13 10:35

Sample ID 240325-wr59yaeh84
Target dea2ca171f528876b5bb42ac2630b2fb
SHA256 ffbe4fc61de6a70ab99966df71a5b4ebf80ae6646020679a8a27e450b9b4240b
Tags
tofsee evasion persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

ffbe4fc61de6a70ab99966df71a5b4ebf80ae6646020679a8a27e450b9b4240b

Threat Level: Known bad

The file dea2ca171f528876b5bb42ac2630b2fb was found to be: Known bad.

Malicious Activity Summary

tofsee evasion persistence trojan

Tofsee

Windows security bypass

Creates new service(s)

Sets service image path in registry

Modifies Windows Firewall

Checks computer location settings

Executes dropped EXE

Deletes itself

Suspicious use of SetThreadContext

Launches sc.exe

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-25 18:10

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-25 18:10

Reported

2024-03-25 18:13

Platform

win7-20231129-en

Max time kernel

141s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe"

Signatures

Tofsee

trojan tofsee

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\qctzrsdf = "0" | C:\Windows\SysWOW64\svchost.exe | N/A

Creates new service(s)

persistence

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\qctzrsdf\ImagePath = "C:\\Windows\\SysWOW64\\qctzrsdf\\gsrwvnlw.exe" | C:\Windows\SysWOW64\svchost.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\qctzrsdf\gsrwvnlw.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2584 set thread context of 1904 | N/A | C:\Windows\SysWOW64\qctzrsdf\gsrwvnlw.exe | C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1884 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\cmd.exe
PID 1884 wrote to memory of 2168 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\sc.exe
PID 1884 wrote to memory of 2168 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\sc.exe
PID 1884 wrote to memory of 2168 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\sc.exe
PID 1884 wrote to memory of 2168 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\sc.exe
PID 1884 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\sc.exe
PID 1884 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\sc.exe
PID 1884 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\sc.exe
PID 1884 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\sc.exe
PID 1884 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\sc.exe
PID 1884 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\sc.exe
PID 1884 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\sc.exe
PID 1884 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\sc.exe
PID 1884 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\netsh.exe
PID 1884 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\netsh.exe
PID 1884 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\netsh.exe
PID 1884 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\netsh.exe
PID 2584 wrote to memory of 1904 | N/A | C:\Windows\SysWOW64\qctzrsdf\gsrwvnlw.exe | C:\Windows\SysWOW64\svchost.exe
PID 2584 wrote to memory of 1904 | N/A | C:\Windows\SysWOW64\qctzrsdf\gsrwvnlw.exe | C:\Windows\SysWOW64\svchost.exe
PID 2584 wrote to memory of 1904 | N/A | C:\Windows\SysWOW64\qctzrsdf\gsrwvnlw.exe | C:\Windows\SysWOW64\svchost.exe
PID 2584 wrote to memory of 1904 | N/A | C:\Windows\SysWOW64\qctzrsdf\gsrwvnlw.exe | C:\Windows\SysWOW64\svchost.exe
PID 2584 wrote to memory of 1904 | N/A | C:\Windows\SysWOW64\qctzrsdf\gsrwvnlw.exe | C:\Windows\SysWOW64\svchost.exe
PID 2584 wrote to memory of 1904 | N/A | C:\Windows\SysWOW64\qctzrsdf\gsrwvnlw.exe | C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe

"C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qctzrsdf\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gsrwvnlw.exe" C:\Windows\SysWOW64\qctzrsdf\

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create qctzrsdf binPath= "C:\Windows\SysWOW64\qctzrsdf\gsrwvnlw.exe /d\"C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description qctzrsdf "wifi internet conection"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start qctzrsdf

C:\Windows\SysWOW64\qctzrsdf\gsrwvnlw.exe

C:\Windows\SysWOW64\qctzrsdf\gsrwvnlw.exe /d"C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | microsoft.com | udp
US | 20.112.250.133:80 | microsoft.com | tcp
US | 8.8.8.8:53 | microsoft.com | udp
US | 8.8.8.8:53 | microsoft-com.mail.protection.outlook.com | udp
US | 104.47.53.36:25 | microsoft-com.mail.protection.outlook.com | tcp
RU | 176.111.174.19:443 | | tcp
US | 8.8.8.8:53 | yahoo.com | udp
US | 8.8.8.8:53 | mta5.am0.yahoodns.net | udp
US | 67.195.228.110:25 | mta5.am0.yahoodns.net | tcp
US | 8.8.8.8:53 | google.com | udp
US | 8.8.8.8:53 | smtp.google.com | udp
BE | 64.233.184.26:25 | smtp.google.com | tcp
RU | 176.111.174.19:443 | | tcp
US | 8.8.8.8:53 | mail.ru | udp
US | 8.8.8.8:53 | mxs.mail.ru | udp
RU | 217.69.139.150:25 | mxs.mail.ru | tcp
RU | 176.111.174.19:443 | | tcp

Files

memory/1884-1-0x0000000000270000-0x0000000000370000-memory.dmp

memory/1884-2-0x00000000001B0000-0x00000000001C3000-memory.dmp

memory/1884-4-0x0000000000400000-0x000000000045D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gsrwvnlw.exe

MD5 d2d2399e50da5ea1a6401e0195f34227
SHA1 3a0abf0063a9ad97814024c68cbabcab455409e7
SHA256 ef89b802cebf7c78c107df553e57179ad78fe95545f916fd985263affeea3686
SHA512 9f0b3f4080cb2eaf89e07dbfae2eb46012f2f80f662ef998be8a22a9a0784d09d763e2c3bd824d4f66a714aaf954f5441542ad39faeb294a21526436f70ffde3

memory/1884-7-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1904-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1904-9-0x0000000000080000-0x0000000000095000-memory.dmp

memory/2584-14-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1904-12-0x0000000000080000-0x0000000000095000-memory.dmp

memory/2584-15-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1904-18-0x0000000000080000-0x0000000000095000-memory.dmp

memory/1904-19-0x0000000000080000-0x0000000000095000-memory.dmp

memory/1904-20-0x0000000000080000-0x0000000000095000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-25 18:10

Reported

2024-03-25 18:13

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe"

Signatures

Tofsee

trojan tofsee

Creates new service(s)

persistence

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\jouqeiiz\ImagePath = "C:\\Windows\\SysWOW64\\jouqeiiz\\zxkodhwr.exe" | C:\Windows\SysWOW64\svchost.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\jouqeiiz\zxkodhwr.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2448 set thread context of 1856 | N/A | C:\Windows\SysWOW64\jouqeiiz\zxkodhwr.exe | C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2288 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 4764 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 4764 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 4764 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 4568 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\sc.exe
PID 2288 wrote to memory of 4568 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\sc.exe
PID 2288 wrote to memory of 4568 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\sc.exe
PID 2288 wrote to memory of 3932 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\sc.exe
PID 2288 wrote to memory of 3932 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\sc.exe
PID 2288 wrote to memory of 3932 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\sc.exe
PID 2288 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\sc.exe
PID 2288 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\sc.exe
PID 2288 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\sc.exe
PID 2288 wrote to memory of 640 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\netsh.exe
PID 2288 wrote to memory of 640 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\netsh.exe
PID 2288 wrote to memory of 640 | N/A | C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe | C:\Windows\SysWOW64\netsh.exe
PID 2448 wrote to memory of 1856 | N/A | C:\Windows\SysWOW64\jouqeiiz\zxkodhwr.exe | C:\Windows\SysWOW64\svchost.exe
PID 2448 wrote to memory of 1856 | N/A | C:\Windows\SysWOW64\jouqeiiz\zxkodhwr.exe | C:\Windows\SysWOW64\svchost.exe
PID 2448 wrote to memory of 1856 | N/A | C:\Windows\SysWOW64\jouqeiiz\zxkodhwr.exe | C:\Windows\SysWOW64\svchost.exe
PID 2448 wrote to memory of 1856 | N/A | C:\Windows\SysWOW64\jouqeiiz\zxkodhwr.exe | C:\Windows\SysWOW64\svchost.exe
PID 2448 wrote to memory of 1856 | N/A | C:\Windows\SysWOW64\jouqeiiz\zxkodhwr.exe | C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe

"C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jouqeiiz\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zxkodhwr.exe" C:\Windows\SysWOW64\jouqeiiz\

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create jouqeiiz binPath= "C:\Windows\SysWOW64\jouqeiiz\zxkodhwr.exe /d\"C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description jouqeiiz "wifi internet conection"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start jouqeiiz

C:\Windows\SysWOW64\jouqeiiz\zxkodhwr.exe

C:\Windows\SysWOW64\jouqeiiz\zxkodhwr.exe /d"C:\Users\Admin\AppData\Local\Temp\dea2ca171f528876b5bb42ac2630b2fb.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2288 -ip 2288

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 1164

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2448 -ip 2448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 248

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 211.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | microsoft.com | udp
US | 20.112.250.133:80 | microsoft.com | tcp
US | 8.8.8.8:53 | microsoft.com | udp
US | 8.8.8.8:53 | microsoft-com.mail.protection.outlook.com | udp
US | 104.47.53.36:25 | microsoft-com.mail.protection.outlook.com | tcp
US | 8.8.8.8:53 | 133.250.112.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
RU | 176.111.174.19:443 | | tcp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | yahoo.com | udp
US | 8.8.8.8:53 | mta5.am0.yahoodns.net | udp
US | 98.136.96.91:25 | mta5.am0.yahoodns.net | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | google.com | udp
US | 8.8.8.8:53 | smtp.google.com | udp
BE | 64.233.184.26:25 | smtp.google.com | tcp
RU | 176.111.174.19:443 | | tcp
US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | mail.ru | udp
US | 8.8.8.8:53 | mxs.mail.ru | udp
RU | 94.100.180.31:25 | mxs.mail.ru | tcp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 195.177.78.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 201.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp
RU | 176.111.174.19:443 | | tcp
US | 8.8.8.8:53 | 55.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 42.56.20.217.in-addr.arpa | udp

Files

memory/2288-1-0x0000000000590000-0x0000000000690000-memory.dmp

memory/2288-2-0x0000000002070000-0x0000000002083000-memory.dmp

memory/2288-3-0x0000000000400000-0x000000000045D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zxkodhwr.exe

MD5 3387106eaf8f2685510eda12ec90a265
SHA1 d811216c46c75f76087ba5d5778f041f0ba98f09
SHA256 7ab76683fd94ab87a179d6e50f112dca3442d50ce19e6774eef074ce2b6057f1
SHA512 c733b7ecb6e79f22227a6f2f8954a91fca1604cf42f8a84fb293a7856bf4c5464ae4ce988cc5c159981f3221ac21d84395f40d66107125c125f13ae6c8337b2e

C:\Windows\SysWOW64\jouqeiiz\zxkodhwr.exe

MD5 92023058260097913b5c2347773fd13d
SHA1 0fc493532bd64ea8c2904ee73c7bca3f52710356
SHA256 61ead434ce52c645f8fd0a17b5ca6a8aa5d594e7b98458090f7fe4932a5ae203
SHA512 51ea6f0473ff8df1ec760974c8b1cc727ff936c37c7a8c2e5f55bbeea85018d5169853fe5ce3f23d5d724339fa6bef18d8678570e349c9c40254e26b65d62502

memory/2288-8-0x0000000002070000-0x0000000002083000-memory.dmp

memory/2288-7-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2448-10-0x0000000000690000-0x0000000000790000-memory.dmp

memory/1856-12-0x00000000008C0000-0x00000000008D5000-memory.dmp

memory/2448-11-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1856-15-0x00000000008C0000-0x00000000008D5000-memory.dmp

memory/1856-16-0x00000000008C0000-0x00000000008D5000-memory.dmp

memory/1856-17-0x00000000008C0000-0x00000000008D5000-memory.dmp

memory/2448-18-0x0000000000400000-0x000000000045D000-memory.dmp

memory/1856-19-0x00000000008C0000-0x00000000008D5000-memory.dmp