Malware Analysis Report

2025-04-13 10:35

Sample ID 240326-kksjqahc8y
Target debe4a88a9ba02f69a42ff9d1d3db1aa
SHA256 40ed19717bc806f511f30549b4be0b5968677539034246531127419781a09933
Tags
tofsee evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1: Detonation Overview; Signatures
Analysis: behavioral1: Detonation Overview; Command Line; Signatures; Processes; Network; Files
Analysis: behavioral2: Detonation Overview; Command Line; Signatures; Processes; Network; Files

Analysis Overview

Score: 10/10
SHA256: 40ed19717bc806f511f30549b4be0b5968677539034246531127419781a09933
Threat Level: Known bad

The file debe4a88a9ba02f69a42ff9d1d3db1aa was found to be: Known bad.

Behaviour in brief (summarised from the two detonations below): the sample drops a second executable into the user's Temp folder, moves it into a randomly named folder under C:\Windows\SysWOW64\, registers that executable as an auto-start service with the display name "wifi support" through sc.exe, and adds an inbound firewall allow rule for C:\Windows\SysWOW64\svchost.exe through netsh.exe. Once the Service Control Manager starts it, the service binary writes into a freshly created svchost.exe and sets its thread context (process injection), and the sandbox then records TCP/25 connections to the mail exchangers of microsoft.com, yahoo.com, google.com and mail.ru plus three connections to 43.231.4.6:443 with no DNS name. The folder, file and service names are generated per run (sbtotvfm\dekteaow.exe on Windows 7, fssxqypz\yqynvtxv.exe on Windows 10) and are therefore not usable as static indicators; the service display name "wifi support", the description "wifi internet conection" (with the typo) and the firewall rule name "Host-process for services of Windows" are constant across both runs.

Malicious Activity Summary

Tags: tofsee evasion persistence trojan

Windows security bypass
Tofsee
Modifies Windows Firewall
Creates new service(s)
Sets service image path in registry
Deletes itself
Checks computer location settings
Executes dropped EXE
Suspicious use of SetThreadContext
Launches sc.exe
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-26 08:39

Signatures

Unsigned PE (no description, indicator, process or target recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-26 08:39
Reported: 2024-03-26 08:42
Platform: win7-20240221-en
Max time kernel: 150s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\debe4a88a9ba02f69a42ff9d1d3db1aa.exe"

Signatures

Tofsee (trojan, tofsee)

Windows security bypass (evasion, trojan)

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\sbtotvfm = "0" | C:\Windows\SysWOW64\svchost.exe | N/A

Windows Defender stores each path exclusion as a value named after the excluded path (data 0) under Exclusions\Paths, so this single write excludes the service's install folder from scanning. The sandbox attributes the write to svchost.exe, i.e. to the process the service binary injected into, not to the dropper.

Creates new service(s) (persistence): no indicator row recorded; the service is created by the sc.exe command lines listed under Processes.

Modifies Windows Firewall (evasion)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Sets service image path in registry (persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\sbtotvfm\ImagePath = "C:\\Windows\\SysWOW64\\sbtotvfm\\dekteaow.exe" | C:\Windows\SysWOW64\svchost.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sbtotvfm\dekteaow.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1480 set thread context of 2472 | N/A | C:\Windows\SysWOW64\sbtotvfm\dekteaow.exe | C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Three launches of C:\Windows\SysWOW64\sc.exe (create, description and start of the service; see Processes); no description, indicator or target recorded for any of them.

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

The sandbox logs one row per WriteProcessMemory call and records no indicator for any of them; identical rows are collapsed here with a count.

Description | Count | Process | Target
PID 1196 wrote to memory of 1512 | 4 | C:\Users\Admin\AppData\Local\Temp\debe4a88a9ba02f69a42ff9d1d3db1aa.exe | C:\Windows\SysWOW64\cmd.exe
PID 1196 wrote to memory of 2944 | 4 | C:\Users\Admin\AppData\Local\Temp\debe4a88a9ba02f69a42ff9d1d3db1aa.exe | C:\Windows\SysWOW64\cmd.exe
PID 1196 wrote to memory of 2992 | 4 | C:\Users\Admin\AppData\Local\Temp\debe4a88a9ba02f69a42ff9d1d3db1aa.exe | C:\Windows\SysWOW64\sc.exe
PID 1196 wrote to memory of 2636 | 4 | C:\Users\Admin\AppData\Local\Temp\debe4a88a9ba02f69a42ff9d1d3db1aa.exe | C:\Windows\SysWOW64\sc.exe
PID 1196 wrote to memory of 2624 | 4 | C:\Users\Admin\AppData\Local\Temp\debe4a88a9ba02f69a42ff9d1d3db1aa.exe | C:\Windows\SysWOW64\sc.exe
PID 1196 wrote to memory of 3016 | 4 | C:\Users\Admin\AppData\Local\Temp\debe4a88a9ba02f69a42ff9d1d3db1aa.exe | C:\Windows\SysWOW64\netsh.exe
PID 1480 wrote to memory of 2472 | 6 | C:\Windows\SysWOW64\sbtotvfm\dekteaow.exe | C:\Windows\SysWOW64\svchost.exe

The four writes per child from PID 1196 are consistent with the process-parameter writes CreateProcess itself performs when starting a child; those children are ordinary cmd.exe, sc.exe and netsh.exe invocations. The six writes from PID 1480 into 2472, followed by the SetThreadContext call above, are the pattern of a hollowing-style injection into a freshly created svchost.exe, and the network activity and the Defender exclusion above are attributed to that svchost.exe.
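The two registry indicators in this section, the Windows Defender path exclusion and the service ImagePath (the latter recurs with the folder fssxqypz in behavioral2), are the kind of writes worth pulling out of a host or sandbox registry log automatically rather than by eye. The following Python is an added example written for this page, not sandbox output and not the sample's code: it parses lines in the "Set value" format used above, reports every Defender path exclusion, flags any service ImagePath that points into a subfolder of System32 or SysWOW64, and correlates the two so that a service whose install folder was also excluded from scanning surfaces as one finding. The input lines are constructed (three copied from this report, two benign ones invented as controls), and the allowlist of legitimate System32 subfolders is an assumption that a real deployment would extend.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input in the sandbox report's "Set value" line format. The first
# three lines reproduce the registry indicators from this report; the last two
# are benign writes added so the rules have something to ignore.
SAMPLE_LINES = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\sbtotvfm = "0"',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\sbtotvfm\ImagePath = "C:\\Windows\\SysWOW64\\sbtotvfm\\dekteaow.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fssxqypz\ImagePath = "C:\\Windows\\SysWOW64\\fssxqypz\\yqynvtxv.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\ImagePath = "C:\\Windows\\system32\\svchost.exe -k NetworkService"',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Start = "2"',
]

SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (.+) = "(.*)"$')
# Defender keeps one value per excluded path under this key: the value *name*
# is the excluded path and the data is DWORD 0.
EXCLUSION_PREFIX = '\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\'
IMAGEPATH_RE = re.compile(r'^\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\d+\\Services\\([^\\]+)\\ImagePath$', re.I)
SYSDIR_RE = re.compile(r'^[A-Za-z]:\\Windows\\(?:System32|SysWOW64)\\(.+)$', re.I)
# Folders that legitimately hold service binaries below System32/SysWOW64.
# Heuristic allowlist and an assumption of this example; extend as needed.
KNOWN_SYSDIR_FOLDERS = {'drivers', 'wbem', 'spool'}


@dataclass
class RegWrite:
    vtype: str
    key: str    # key path plus value name, exactly as the report prints it
    data: str


@dataclass
class Finding:
    rule: str
    subject: str
    detail: str


def parse_registry_line(line: str) -> Optional[RegWrite]:
    m = SET_VALUE_RE.match(line.strip())
    if not m:
        return None
    vtype, key, data = m.groups()
    # The report escapes backslashes inside string data ("C:\\Windows\\...").
    return RegWrite(vtype, key, data.replace('\\\\', '\\'))


def defender_exclusion_path(w: RegWrite) -> Optional[str]:
    if w.key.lower().startswith(EXCLUSION_PREFIX.lower()):
        return w.key[len(EXCLUSION_PREFIX):]
    return None


def service_image(w: RegWrite):
    m = IMAGEPATH_RE.match(w.key)
    return (m.group(1), w.data) if m else None


def sysdir_subfolder(path: str, is_dir: bool = False) -> Optional[str]:
    """Name of the first folder below System32/SysWOW64, or None.

    For an ImagePath the final component is the executable (plus any
    arguments), so a bare "System32\\svchost.exe -k X" is not in a subfolder.
    """
    m = SYSDIR_RE.match(path)
    if not m:
        return None
    parts = m.group(1).rstrip('\\').split('\\')
    if not is_dir and len(parts) < 2:
        return None
    return parts[0]


def find_indicators(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    excluded_folders = {}   # folder name (lower) -> excluded path
    services = {}           # service name -> image path
    for w in filter(None, map(parse_registry_line, lines)):
        path = defender_exclusion_path(w)
        if path is not None:
            findings.append(Finding('defender_exclusion', path, w.key))
            folder = sysdir_subfolder(path, is_dir=True)
            if folder:
                excluded_folders[folder.lower()] = path
        svc = service_image(w)
        if svc:
            name, image = svc
            services[name] = image
            folder = sysdir_subfolder(image)
            if folder and folder.lower() not in KNOWN_SYSDIR_FOLDERS:
                findings.append(Finding('service_in_sysdir_subfolder', name, image))
    # Correlation: a service whose install folder was also excluded from
    # Defender scanning, the combination seen in behavioral1 on this page.
    for name, image in services.items():
        folder = sysdir_subfolder(image)
        if folder and folder.lower() in excluded_folders:
            findings.append(Finding('service_folder_excluded', name, excluded_folders[folder.lower()]))
    return findings


if __name__ == '__main__':
    for f in find_indicators(SAMPLE_LINES):
        print(f'{f.rule:28} {f.subject:45} {f.detail}')
```

Run stand-alone it prints four findings: the exclusion, the two services installed below SysWOW64, and the correlated sbtotvfm service whose folder was excluded. Feeding it a registry event stream from a real host (Sysmon event 13 rendered in the same "Set value" shape, for instance) is a matter of replacing SAMPLE_LINES.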

Processes

Process tree (parent/child relationships from the WriteProcessMemory rows above; the PIDs of the cmd.exe and sc.exe children are matched to their command lines in listing order):

C:\Users\Admin\AppData\Local\Temp\debe4a88a9ba02f69a42ff9d1d3db1aa.exe (PID 1196)
    "C:\Users\Admin\AppData\Local\Temp\debe4a88a9ba02f69a42ff9d1d3db1aa.exe"

  C:\Windows\SysWOW64\cmd.exe (PID 1512)
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\sbtotvfm\

  C:\Windows\SysWOW64\cmd.exe (PID 2944)
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\dekteaow.exe" C:\Windows\SysWOW64\sbtotvfm\

  C:\Windows\SysWOW64\sc.exe (PID 2992)
    "C:\Windows\System32\sc.exe" create sbtotvfm binPath= "C:\Windows\SysWOW64\sbtotvfm\dekteaow.exe /d\"C:\Users\Admin\AppData\Local\Temp\debe4a88a9ba02f69a42ff9d1d3db1aa.exe\"" type= own start= auto DisplayName= "wifi support"

  C:\Windows\SysWOW64\sc.exe (PID 2636)
    "C:\Windows\System32\sc.exe" description sbtotvfm "wifi internet conection"

  C:\Windows\SysWOW64\sc.exe (PID 2624)
    "C:\Windows\System32\sc.exe" start sbtotvfm

  C:\Windows\SysWOW64\netsh.exe (PID 3016)
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\sbtotvfm\dekteaow.exe (PID 1480, started by the Service Control Manager as service sbtotvfm)
    C:\Windows\SysWOW64\sbtotvfm\dekteaow.exe /d"C:\Users\Admin\AppData\Local\Temp\debe4a88a9ba02f69a42ff9d1d3db1aa.exe"

  C:\Windows\SysWOW64\svchost.exe (PID 2472, created and written into by PID 1480; see SetThreadContext above)
    svchost.exe

Notes on the chain: the command lines name C:\Windows\System32\ but the processes run from C:\Windows\SysWOW64\, because the dropper is a 32-bit binary and WOW64 file-system redirection maps System32 to SysWOW64 for it. The service is registered with start= auto, so it survives reboot. The /d"<path>" argument embedded in binPath hands the dropper's own location to the service binary; "Deletes itself" in the signatures is attributed to svchost.exe, so the original file is removed from the injected process rather than by the dropper. The netsh command line ends in a literal ">nul": the dropper launches netsh.exe directly instead of through cmd.exe, so the intended output redirection is passed to netsh as just another argument. The misspelling "conection" in the service description is part of the sample's own strings and is a usable indicator.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | microsoft.com | udp
US | 20.112.250.133:80 | microsoft.com | tcp
US | 8.8.8.8:53 | microsoft.com | udp
US | 8.8.8.8:53 | microsoft-com.mail.protection.outlook.com | udp
US | 52.101.42.0:25 | microsoft-com.mail.protection.outlook.com | tcp
HK | 43.231.4.6:443 | (no DNS name) | tcp
US | 8.8.8.8:53 | yahoo.com | udp
US | 8.8.8.8:53 | mta6.am0.yahoodns.net | udp
US | 67.195.228.110:25 | mta6.am0.yahoodns.net | tcp
US | 8.8.8.8:53 | google.com | udp
US | 8.8.8.8:53 | smtp.google.com | udp
BE | 108.177.15.27:25 | smtp.google.com | tcp
HK | 43.231.4.6:443 | (no DNS name) | tcp
US | 8.8.8.8:53 | mail.ru | udp
US | 8.8.8.8:53 | mxs.mail.ru | udp
RU | 94.100.180.31:25 | mxs.mail.ru | tcp
HK | 43.231.4.6:443 | (no DNS name) | tcp

Reading the table: for each of four mail providers the guest first resolves the provider's MX host (microsoft-com.mail.protection.outlook.com, mta6.am0.yahoodns.net, smtp.google.com, mxs.mail.ru) and then opens a TCP connection to port 25 of it. Direct connections to several providers' mail exchangers, rather than to a single submission server on 587 or 465, are the footprint of a spam engine probing or using outbound SMTP, consistent with the Tofsee classification. The three connections to 43.231.4.6:443 have no DNS lookup recorded, so the address is carried in the sample itself; it is the only endpoint contacted that is neither a mail exchanger nor microsoft.com and is the strongest network indicator in this run.

Files

Entries are listed in the order the sandbox captured them; memory dump names are PID-index-start-end.

memory/1196-2-0x0000000000220000-0x0000000000233000-memory.dmp
memory/1196-1-0x0000000000DE0000-0x0000000000EE0000-memory.dmp
memory/1196-4-0x0000000000400000-0x0000000000C14000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dekteaow.exe
MD5 b1fdb2dd9ef09a20b0f695504a168893
SHA1 78dea53fd84327923d0fb4d57aa89d42638a84b9
SHA256 d0f96b662dced1470433e433bcbb63b9313017831314cb670a8533c32546d1e1
SHA512 8fb8fa16d6038e80d9e58c45512e48d9a43762540f7d32fdb63af4cd54409e531f2717f1c6fe46c2c4efe53840efe1785ad14d04badb4412e8a8049d7e3640dc

C:\Windows\SysWOW64\sbtotvfm\dekteaow.exe
MD5 58e0db332061fdb9495aa0babd36077b
SHA1 752f6b164166c11cefdd152f26d8dd4e6af6c9c8
SHA256 0a50742a3c4300fbfa6f40db69fac17ee3be33886cef21344ae85a34e164d65d
SHA512 25908eddf3ff650a679088ec79e2b89ccc2b81f79a4c35d99a7bd8098701bf7d3511fb1f490178167929c036148f7fcd2fb273b5eee36e497007eea5a35ec766

memory/1196-7-0x0000000000400000-0x0000000000C14000-memory.dmp
memory/1480-9-0x0000000000DC0000-0x0000000000EC0000-memory.dmp
memory/1480-11-0x0000000000400000-0x0000000000C14000-memory.dmp
memory/2472-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2472-10-0x0000000000080000-0x0000000000095000-memory.dmp
memory/2472-14-0x0000000000080000-0x0000000000095000-memory.dmp
memory/2472-17-0x0000000000080000-0x0000000000095000-memory.dmp
memory/2472-18-0x0000000000080000-0x0000000000095000-memory.dmp
memory/1480-19-0x0000000000400000-0x0000000000C14000-memory.dmp
memory/2472-20-0x0000000000080000-0x0000000000095000-memory.dmp
memory/2472-21-0x0000000000080000-0x0000000000095000-memory.dmp

Notes on the artefacts: the two copies of dekteaow.exe carry different hashes even though the file was relocated with "move /Y", so its contents changed between the two captures, either because the service binary is rewritten after the move or because the Temp copy was hashed while still being written. Neither hash should be treated as a stable indicator for this family without establishing which of the two applies. The range 0x00400000-0x00C14000 is the mapped image of both the dropper (PID 1196) and the service binary (PID 1480), i.e. both are images of the same size. PID 2472 is the svchost.exe that 1480 wrote into and whose thread context it set, so the region 0x00080000-0x00095000 dumped repeatedly from it (0x15000 bytes) is the injected payload rather than any part of svchost.exe's own image; the single page at 0x7EFDE000 is where the 32-bit PEB of a WOW64 process sits on Windows 7, consistent with the injector touching the PEB of its target.

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-26 08:39
Reported: 2024-03-26 08:42
Platform: win10v2004-20240226-en
Max time kernel: 150s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\debe4a88a9ba02f69a42ff9d1d3db1aa.exe"

Signatures

Tofsee (trojan, tofsee)

Creates new service(s) (persistence): no indicator row recorded; the service is created by the sc.exe command lines listed under Processes.

Modifies Windows Firewall (evasion)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Sets service image path in registry (persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fssxqypz\ImagePath = "C:\\Windows\\SysWOW64\\fssxqypz\\yqynvtxv.exe" | C:\Windows\SysWOW64\svchost.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\debe4a88a9ba02f69a42ff9d1d3db1aa.exe | N/A

The dropper reads the user's configured country code (Geo\Nation); the value it read and whether it changed behaviour as a result are not recorded. The Windows Defender exclusion reported for the Windows 7 run is not reported for this run.

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\fssxqypz\yqynvtxv.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1164 set thread context of 4560 | N/A | C:\Windows\SysWOW64\fssxqypz\yqynvtxv.exe | C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Three launches of C:\Windows\SysWOW64\sc.exe (create, description and start of the service; see Processes); no description, indicator or target recorded for any of them.

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

One row per WriteProcessMemory call, no indicator recorded; identical rows are collapsed here with a count.

Description | Count | Process | Target
PID 776 wrote to memory of 1464 | 3 | C:\Users\Admin\AppData\Local\Temp\debe4a88a9ba02f69a42ff9d1d3db1aa.exe | C:\Windows\SysWOW64\cmd.exe
PID 776 wrote to memory of 4804 | 3 | C:\Users\Admin\AppData\Local\Temp\debe4a88a9ba02f69a42ff9d1d3db1aa.exe | C:\Windows\SysWOW64\cmd.exe
PID 776 wrote to memory of 1780 | 3 | C:\Users\Admin\AppData\Local\Temp\debe4a88a9ba02f69a42ff9d1d3db1aa.exe | C:\Windows\SysWOW64\sc.exe
PID 776 wrote to memory of 920 | 3 | C:\Users\Admin\AppData\Local\Temp\debe4a88a9ba02f69a42ff9d1d3db1aa.exe | C:\Windows\SysWOW64\sc.exe
PID 776 wrote to memory of 3968 | 3 | C:\Users\Admin\AppData\Local\Temp\debe4a88a9ba02f69a42ff9d1d3db1aa.exe | C:\Windows\SysWOW64\sc.exe
PID 776 wrote to memory of 4788 | 3 | C:\Users\Admin\AppData\Local\Temp\debe4a88a9ba02f69a42ff9d1d3db1aa.exe | C:\Windows\SysWOW64\netsh.exe
PID 1164 wrote to memory of 4560 | 5 | C:\Windows\SysWOW64\fssxqypz\yqynvtxv.exe | C:\Windows\SysWOW64\svchost.exe

As on Windows 7, the writes from the dropper into its cmd.exe, sc.exe and netsh.exe children are the footprint of ordinary process creation, while the five writes from the service binary (PID 1164) into svchost.exe (PID 4560) followed by SetThreadContext are the injection.

Processes

Process tree (parent/child relationships from the WriteProcessMemory rows above; the PIDs of the cmd.exe and sc.exe children are matched to their command lines in listing order):

C:\Users\Admin\AppData\Local\Temp\debe4a88a9ba02f69a42ff9d1d3db1aa.exe (PID 776)
    "C:\Users\Admin\AppData\Local\Temp\debe4a88a9ba02f69a42ff9d1d3db1aa.exe"

  C:\Windows\SysWOW64\cmd.exe (PID 1464)
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\fssxqypz\

  C:\Windows\SysWOW64\cmd.exe (PID 4804)
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\yqynvtxv.exe" C:\Windows\SysWOW64\fssxqypz\

  C:\Windows\SysWOW64\sc.exe (PID 1780)
    "C:\Windows\System32\sc.exe" create fssxqypz binPath= "C:\Windows\SysWOW64\fssxqypz\yqynvtxv.exe /d\"C:\Users\Admin\AppData\Local\Temp\debe4a88a9ba02f69a42ff9d1d3db1aa.exe\"" type= own start= auto DisplayName= "wifi support"

  C:\Windows\SysWOW64\sc.exe (PID 920)
    "C:\Windows\System32\sc.exe" description fssxqypz "wifi internet conection"

  C:\Windows\SysWOW64\sc.exe (PID 3968)
    "C:\Windows\System32\sc.exe" start fssxqypz

  C:\Windows\SysWOW64\netsh.exe (PID 4788)
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 776 -ip 776

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 1224

C:\Windows\SysWOW64\fssxqypz\yqynvtxv.exe (PID 1164, started by the Service Control Manager as service fssxqypz)
    C:\Windows\SysWOW64\fssxqypz\yqynvtxv.exe /d"C:\Users\Admin\AppData\Local\Temp\debe4a88a9ba02f69a42ff9d1d3db1aa.exe"

  C:\Windows\SysWOW64\svchost.exe (PID 4560, created and written into by PID 1164; see SetThreadContext above)
    svchost.exe

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1164 -ip 1164

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 512

Notes: the install chain is identical to the Windows 7 run apart from the generated folder, file and service name (fssxqypz\yqynvtxv.exe) and the PIDs; see the notes under behavioral1 for the WOW64 redirection, the /d"<path>" argument and the literal ">nul". New in this run is Windows Error Reporting: WerFault.exe is invoked for PID 776 (the dropper) and again for PID 1164 (the service binary), which is the "Program crash" entry in the summary. In listing order each crash comes after the process had finished its part of the chain (the dropper after launching netsh.exe, the service binary after creating svchost.exe), so the crashes did not prevent persistence, the injection or the network activity that follows.
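The install chain under Processes is the same in both detonations apart from the generated names and the PIDs: a cmd.exe mkdir, a cmd.exe move of the dropped file into C:\Windows\SysWOW64\<random>\, three sc.exe calls (create with start= auto, description, start), a netsh.exe inbound allow rule for SysWOW64\svchost.exe, and then the service binary creating and writing into an svchost.exe. The following Python is an added example for this page, not part of the sandbox report and not the sample's code, that applies that logic to constructed process-creation events built from the behavioral2 command lines above; the explorer.exe and services.exe parent processes, their PIDs, and the benign svchost.exe control row are assumed. It extracts the service name, image, start type, display name and the dropper path passed through /d"..." from the sc create line, pulls the rule options out of the netsh line, flags svchost.exe instances whose parent is not services.exe, and reports any single parent that drove all three install stages.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation events mirroring the behavioral2 tree on this
# page (images, command lines and child PIDs from the report; the explorer.exe
# and services.exe parents, their PIDs, and the last, benign svchost.exe row
# are assumed).
DROPPER = r'C:\Users\Admin\AppData\Local\Temp\debe4a88a9ba02f69a42ff9d1d3db1aa.exe'
EVENTS = [
    ProcEvent(3400, 600, r'C:\Windows\explorer.exe', 'explorer.exe'),
    ProcEvent(672, 548, r'C:\Windows\System32\services.exe', 'services.exe'),
    ProcEvent(776, 3400, DROPPER, f'"{DROPPER}"'),
    ProcEvent(1464, 776, r'C:\Windows\SysWOW64\cmd.exe',
              r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\fssxqypz' + '\\'),
    ProcEvent(4804, 776, r'C:\Windows\SysWOW64\cmd.exe',
              r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\yqynvtxv.exe" C:\Windows\SysWOW64\fssxqypz' + '\\'),
    ProcEvent(1780, 776, r'C:\Windows\SysWOW64\sc.exe',
              r'"C:\Windows\System32\sc.exe" create fssxqypz binPath= "C:\Windows\SysWOW64\fssxqypz\yqynvtxv.exe /d\"'
              + DROPPER + r'\"" type= own start= auto DisplayName= "wifi support"'),
    ProcEvent(920, 776, r'C:\Windows\SysWOW64\sc.exe',
              r'"C:\Windows\System32\sc.exe" description fssxqypz "wifi internet conection"'),
    ProcEvent(3968, 776, r'C:\Windows\SysWOW64\sc.exe', r'"C:\Windows\System32\sc.exe" start fssxqypz'),
    ProcEvent(4788, 776, r'C:\Windows\SysWOW64\netsh.exe',
              r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'),
    ProcEvent(1164, 672, r'C:\Windows\SysWOW64\fssxqypz\yqynvtxv.exe',
              r'C:\Windows\SysWOW64\fssxqypz\yqynvtxv.exe /d"' + DROPPER + '"'),
    ProcEvent(4560, 1164, r'C:\Windows\SysWOW64\svchost.exe', 'svchost.exe'),
    ProcEvent(1012, 672, r'C:\Windows\System32\svchost.exe', r'C:\Windows\system32\svchost.exe -k netsvcs'),
]

SC_CREATE_RE = re.compile(r'\bcreate\s+(\S+)\s.*?\bbinPath=\s*"((?:[^"\\]|\\.)*)"', re.I)
FW_ADD_RE = re.compile(r'\badvfirewall\s+firewall\s+add\s+rule\b', re.I)


def parse_sc_create(cmdline: str) -> Optional[Dict[str, Optional[str]]]:
    """Service name, image, start type, display name and the dropper path
    passed via /d"..." from an `sc create` command line."""
    m = SC_CREATE_RE.search(cmdline)
    if not m:
        return None
    name, raw = m.group(1), m.group(2)
    binpath = re.sub(r'\\(["\\])', r'\1', raw)   # undo the \" and \\ escapes
    head = re.match(r'\s*(?:"([^"]+)"|(\S+))', binpath)
    if not head:
        return None
    dropper = re.search(r'/d"([^"]+)"', binpath[head.end():])
    start = re.search(r'\bstart=\s*(\w+)', cmdline, re.I)
    display = re.search(r'\bDisplayName=\s*"([^"]*)"', cmdline, re.I)
    return {'name': name, 'image': head.group(1) or head.group(2),
            'dropper': dropper.group(1) if dropper else None,
            'start': start.group(1).lower() if start else None,
            'display': display.group(1) if display else None}


def parse_netsh_rule(cmdline: str) -> Optional[Dict[str, Optional[str]]]:
    """Options of a `netsh advfirewall firewall add rule ...` command line."""
    if not FW_ADD_RE.search(cmdline):
        return None

    def opt(key: str) -> Optional[str]:
        m = re.search(r'\b' + key + r'=(?:"([^"]*)"|(\S+))', cmdline, re.I)
        return (m.group(1) if m.group(1) is not None else m.group(2)) if m else None

    return {k: opt(k) for k in ('name', 'dir', 'action', 'program')}


def svchost_with_unexpected_parent(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """svchost.exe is normally started by services.exe; anything else creating
    one is how the service binary on this page stages its injection target."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image.lower().endswith('\\svchost.exe'):
            parent = by_pid.get(e.ppid)
            if parent is None or not parent.image.lower().endswith('\\services.exe'):
                hits.append((e.pid, e.ppid))
    return hits


def analyze(events: List[ProcEvent]) -> Dict[str, list]:
    report = {'services': [], 'firewall_rules': [],
              'hollowing': svchost_with_unexpected_parent(events), 'chains': []}
    stages: Dict[int, set] = {}   # parent PID -> install stages it drove
    for e in events:
        svc = parse_sc_create(e.cmdline)
        if svc:
            report['services'].append(dict(svc, pid=e.pid))
            stages.setdefault(e.ppid, set()).add('service')
        fw = parse_netsh_rule(e.cmdline)
        if fw and (fw['dir'] or '').lower() == 'in' and (fw['action'] or '').lower() == 'allow' \
                and (fw['program'] or '').lower().startswith('c:\\windows\\'):
            # Inbound allow for an OS-owned binary: legitimate software opens
            # ports for its own executable, not for svchost.exe.
            report['firewall_rules'].append(dict(fw, pid=e.pid))
            stages.setdefault(e.ppid, set()).add('firewall')
        if re.search(r'\b(mkdir|move)\b', e.cmdline, re.I) and '\\windows\\' in e.cmdline.lower():
            stages.setdefault(e.ppid, set()).add('stage')
    # One parent that stages a file under \Windows, registers a service and
    # opens the firewall is the whole install chain seen on this page.
    report['chains'] = sorted(p for p, s in stages.items() if s >= {'stage', 'service', 'firewall'})
    return report


if __name__ == '__main__':
    import json
    print(json.dumps(analyze(EVENTS), indent=2))
```

On the constructed events the result names service fssxqypz with its image, the dropper path carried in /d"...", the inbound allow rule for SysWOW64\svchost.exe, the svchost.exe (4560) spawned by the service binary (1164) rather than by services.exe, and PID 776 as the parent that drove the whole chain. The same functions apply unchanged to Sysmon event 1 or EDR process-creation telemetry once it is mapped onto ProcEvent.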

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | microsoft.com | udp
US | 20.112.250.133:80 | microsoft.com | tcp
US | 8.8.8.8:53 | microsoft.com | udp
US | 8.8.8.8:53 | microsoft-com.mail.protection.outlook.com | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.250.112.20.in-addr.arpa | udp
US | 52.101.42.0:25 | microsoft-com.mail.protection.outlook.com | tcp
HK | 43.231.4.6:443 | (no DNS name) | tcp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | yahoo.com | udp
US | 8.8.8.8:53 | mta6.am0.yahoodns.net | udp
US | 67.195.228.110:25 | mta6.am0.yahoodns.net | tcp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 211.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | google.com | udp
US | 8.8.8.8:53 | smtp.google.com | udp
BE | 108.177.15.26:25 | smtp.google.com | tcp
US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp
HK | 43.231.4.6:443 | (no DNS name) | tcp
US | 8.8.8.8:53 | 203.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.230.140.95.in-addr.arpa | udp
US | 8.8.8.8:53 | mail.ru | udp
US | 8.8.8.8:53 | mxs.mail.ru | udp
RU | 217.69.139.150:25 | mxs.mail.ru | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
HK | 43.231.4.6:443 | (no DNS name) | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp (5 connections)
GB | 96.17.178.176:80 | (no DNS name) | tcp

Reading the table: the sample-specific traffic is the same as on Windows 7, i.e. MX lookups for microsoft.com, yahoo.com, google.com and mail.ru followed by TCP/25 connections to the resolved mail exchangers, and three connections to 43.231.4.6:443 with no DNS name. The remaining rows are Windows 10 background noise: g.bing.com and tse1.mm.bing.net are contacted by the OS itself, and the in-addr.arpa rows are reverse lookups of assorted public addresses that the report does not attribute to any process, so they should not be taken as sample indicators without that attribution. The MX addresses differ between the two runs (108.177.15.26 here against 108.177.15.27, and 217.69.139.150 against 94.100.180.31 for mail.ru), as expected for load-balanced mail exchangers; pivot on the MX hostnames and on 43.231.4.6:443 rather than on the provider addresses. The connection to 96.17.178.176:80 has no DNS name and no process attribution either.
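Both Network tables (behavioral1 above and this one) show the same two things a practitioner would pivot on: SMTP fan-out across distinct providers' MX hosts, and TCP endpoints contacted without any preceding name resolution. The following Python is an added example for this page, not sandbox code, that parses rows in the report's "Country Destination Domain Proto" layout (the rows are constructed from the two tables, behavioral1 in full plus a few Windows 10 rows) and derives both indicators, listing repeated hard-coded endpoints separately as the candidates for command-and-control; the threshold of three providers for calling it fan-out is an assumption of the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Rows constructed from this report's Network tables (behavioral1 in full
# plus a few behavioral2 rows); three-column rows are connections for which
# the sandbox recorded no DNS name.
ROWS = """
US 8.8.8.8:53 microsoft.com udp
US 20.112.250.133:80 microsoft.com tcp
US 8.8.8.8:53 microsoft-com.mail.protection.outlook.com udp
US 52.101.42.0:25 microsoft-com.mail.protection.outlook.com tcp
HK 43.231.4.6:443 tcp
US 8.8.8.8:53 yahoo.com udp
US 8.8.8.8:53 mta6.am0.yahoodns.net udp
US 67.195.228.110:25 mta6.am0.yahoodns.net tcp
US 8.8.8.8:53 smtp.google.com udp
BE 108.177.15.27:25 smtp.google.com tcp
HK 43.231.4.6:443 tcp
US 8.8.8.8:53 mxs.mail.ru udp
RU 94.100.180.31:25 mxs.mail.ru tcp
HK 43.231.4.6:443 tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
GB 96.17.178.176:80 tcp
"""

# The domain column is optional, which is what makes the three-column rows
# (connections without a DNS name) parse at all.
ROW_RE = re.compile(r'^([A-Z]{2})\s+(\S+):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$')


@dataclass
class Flow:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_rows(text: str) -> List[Flow]:
    flows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            cc, ip, port, domain, proto = m.groups()
            flows.append(Flow(cc, ip, int(port), domain, proto))
    return flows


def summarize(flows: List[Flow]) -> Dict[str, object]:
    # Direct connections to port 25 of several providers' MX hosts are the
    # footprint of a spam engine, not of a mail client (a client talks to one
    # submission server, normally on 587 or 465).
    smtp = [f for f in flows if f.proto == 'tcp' and f.port == 25]
    mx_hosts = sorted({f.domain for f in smtp if f.domain})
    # TCP connections with no DNS name: the address came from the sample
    # itself, so repeated ones are the candidate command-and-control endpoints.
    hardcoded = Counter((f.ip, f.port) for f in flows if f.proto == 'tcp' and f.domain is None)
    ptr = sum(1 for f in flows if f.port == 53 and f.domain and f.domain.endswith('.in-addr.arpa'))
    return {
        'smtp_connections': len(smtp),
        'mx_hosts': mx_hosts,
        'smtp_fanout': len(mx_hosts) >= 3,   # threshold is an assumption
        'hardcoded_tcp': dict(hardcoded),
        'repeated_hardcoded': sorted(ip for (ip, _port), n in hardcoded.items() if n >= 2),
        'ptr_lookups': ptr,
    }


if __name__ == '__main__':
    for key, value in summarize(parse_rows(ROWS)).items():
        print(f'{key:20} {value}')
```

On the constructed rows this reports four SMTP connections to four distinct MX hosts (fan-out), two hard-coded TCP endpoints of which only 43.231.4.6:443 repeats, and one reverse lookup. Pointing it at a full proxy or NetFlow export would need only the parser swapped, the rules are the same.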

Files

Entries are listed in the order the sandbox captured them; memory dump names are PID-index-start-end.

memory/776-1-0x0000000000CC0000-0x0000000000DC0000-memory.dmp
memory/776-2-0x0000000002830000-0x0000000002843000-memory.dmp
memory/776-4-0x0000000000400000-0x0000000000C14000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yqynvtxv.exe
MD5 46efa9361858c0f5ef41eda6261ad609
SHA1 06ab4c49bfec0d575bc8cc8e9266c42f9bd284ab
SHA256 3646dd39f0674b14b8666dff0755fd429177f7611316a319152326a981c4a014
SHA512 1afe16a3f78f80022f6247ecf729c384164c0e049b612177ee3b5ca561c1fe915539a87fa0931a36570be2a7736a0a93fbc384d2f3624035c9a4c5a9f38ef361

memory/776-7-0x0000000000400000-0x0000000000C14000-memory.dmp
memory/776-8-0x0000000002830000-0x0000000002843000-memory.dmp
memory/1164-11-0x0000000000400000-0x0000000000C14000-memory.dmp
memory/1164-10-0x0000000000E40000-0x0000000000F40000-memory.dmp
memory/4560-12-0x0000000000490000-0x00000000004A5000-memory.dmp
memory/4560-15-0x0000000000490000-0x00000000004A5000-memory.dmp
memory/4560-16-0x0000000000490000-0x00000000004A5000-memory.dmp
memory/1164-17-0x0000000000400000-0x0000000000C14000-memory.dmp
memory/4560-18-0x0000000000490000-0x00000000004A5000-memory.dmp
memory/4560-19-0x0000000000490000-0x00000000004A5000-memory.dmp

Notes on the artefacts: only the Temp copy of the dropped file was hashed in this run; unlike behavioral1, the copy moved to C:\Windows\SysWOW64\fssxqypz\ was not captured. The dropped file's hashes differ from the Windows 7 drop (dekteaow.exe), so the second-stage file is generated or re-encoded per run and its hashes are not reusable indicators. As on Windows 7, 0x00400000-0x00C14000 is the mapped image of both the dropper (PID 776) and the service binary (PID 1164), and the region dumped repeatedly from PID 4560, the svchost.exe that 1164 wrote into and whose thread context it set, is again 0x15000 bytes long (0x00490000-0x004A5000), at a different base than in the Windows 7 run: the injected payload, not part of svchost.exe's own image.