Malware Analysis Report

2025-04-13 10:35

Sample ID 240326-krqcyaee75
Target dec340af99d11d4bda18bafe03b2172f
SHA256 7d34075aebc551801edcf950ad816a5f277522f2d6b53679e7bd2921d89e0c4f
Tags tofsee evasion persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

7d34075aebc551801edcf950ad816a5f277522f2d6b53679e7bd2921d89e0c4f

Threat Level: Known bad

The file dec340af99d11d4bda18bafe03b2172f was found to be: Known bad.

Malicious Activity Summary

tofsee evasion persistence trojan

Windows security bypass

Tofsee

Sets service image path in registry

Creates new service(s)

Modifies Windows Firewall

Checks computer location settings

Executes dropped EXE

Deletes itself

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-26 08:50

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-26 08:50

Reported

2024-03-26 08:53

Platform

win7-20240221-en

Max time kernel

149s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe"

Signatures

Tofsee

trojan tofsee

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\swmbeksk = "0" | C:\Windows\SysWOW64\svchost.exe | N/A

Creates new service(s)

persistence

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\swmbeksk\ImagePath = "C:\\Windows\\SysWOW64\\swmbeksk\\xrritctv.exe" | C:\Windows\SysWOW64\svchost.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\swmbeksk\xrritctv.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2576 set thread context of 2432 | N/A | C:\Windows\SysWOW64\swmbeksk\xrritctv.exe | C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2656 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\sc.exe
PID 2656 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\sc.exe
PID 2656 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\sc.exe
PID 2656 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\sc.exe
PID 2656 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\sc.exe
PID 2656 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\sc.exe
PID 2656 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\sc.exe
PID 2656 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\sc.exe
PID 2656 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\sc.exe
PID 2656 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\sc.exe
PID 2656 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\sc.exe
PID 2656 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\sc.exe
PID 2656 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\netsh.exe
PID 2656 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\netsh.exe
PID 2656 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\netsh.exe
PID 2656 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\netsh.exe
PID 2576 wrote to memory of 2432 | N/A | C:\Windows\SysWOW64\swmbeksk\xrritctv.exe | C:\Windows\SysWOW64\svchost.exe
PID 2576 wrote to memory of 2432 | N/A | C:\Windows\SysWOW64\swmbeksk\xrritctv.exe | C:\Windows\SysWOW64\svchost.exe
PID 2576 wrote to memory of 2432 | N/A | C:\Windows\SysWOW64\swmbeksk\xrritctv.exe | C:\Windows\SysWOW64\svchost.exe
PID 2576 wrote to memory of 2432 | N/A | C:\Windows\SysWOW64\swmbeksk\xrritctv.exe | C:\Windows\SysWOW64\svchost.exe
PID 2576 wrote to memory of 2432 | N/A | C:\Windows\SysWOW64\swmbeksk\xrritctv.exe | C:\Windows\SysWOW64\svchost.exe
PID 2576 wrote to memory of 2432 | N/A | C:\Windows\SysWOW64\swmbeksk\xrritctv.exe | C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe

"C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\swmbeksk\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xrritctv.exe" C:\Windows\SysWOW64\swmbeksk\

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create swmbeksk binPath= "C:\Windows\SysWOW64\swmbeksk\xrritctv.exe /d\"C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description swmbeksk "wifi internet conection"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start swmbeksk

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\swmbeksk\xrritctv.exe

C:\Windows\SysWOW64\swmbeksk\xrritctv.exe /d"C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | microsoft.com | udp
US | 20.112.250.133:80 | microsoft.com | tcp
US | 8.8.8.8:53 | microsoft.com | udp
US | 8.8.8.8:53 | microsoft-com.mail.protection.outlook.com | udp
US | 52.101.42.0:25 | microsoft-com.mail.protection.outlook.com | tcp
HK | 43.231.4.7:443 | | tcp
US | 8.8.8.8:53 | yahoo.com | udp
US | 8.8.8.8:53 | mta5.am0.yahoodns.net | udp
US | 67.195.228.110:25 | mta5.am0.yahoodns.net | tcp
US | 8.8.8.8:53 | google.com | udp
US | 8.8.8.8:53 | smtp.google.com | udp
BE | 108.177.15.26:25 | smtp.google.com | tcp
HK | 43.231.4.7:443 | | tcp
US | 8.8.8.8:53 | mail.ru | udp
US | 8.8.8.8:53 | mxs.mail.ru | udp
RU | 217.69.139.150:25 | mxs.mail.ru | tcp
HK | 43.231.4.7:443 | | tcp

Files

memory/2656-1-0x0000000000620000-0x0000000000720000-memory.dmp

memory/2656-2-0x0000000000220000-0x0000000000233000-memory.dmp

memory/2656-3-0x0000000000400000-0x000000000046E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xrritctv.exe

MD5 6f578b58b5a64d772aa55856ef4fbdcf
SHA1 8f2e254596172239f2d806600880a5c6942fea51
SHA256 b9c699a14f19135b75b3075503866d17081365801768bb823e1ffe201c9ba0fb
SHA512 a3150eaff9bfce0ceb308bfc178ee17467c21d02f1db80909d8181381c2aaa1fe1bc5b3843d6dc0901bb6947a0804d1c3d08c288f4edef674dbf80927a7348af

memory/2656-6-0x0000000000400000-0x000000000046E000-memory.dmp

memory/2656-7-0x0000000000220000-0x0000000000233000-memory.dmp

C:\Windows\SysWOW64\swmbeksk\xrritctv.exe

MD5 c4e23be772e5e12730db06e72ba7e9f0
SHA1 40350b79ae346a8367d645ef18227c6495f4d21b
SHA256 76ba89131581366b996fd420062ae86332b554316df38d93229d3dc000df2365
SHA512 69e501bd798adc992f8ba03a7d8e1221bfce343da7c9af242f39dbfe6d00ddd81d308002371be830b312d1d67413372901736c2e1d9fba114fc0bdfdb3221070

memory/2432-11-0x0000000000080000-0x0000000000095000-memory.dmp

memory/2576-10-0x0000000000610000-0x0000000000710000-memory.dmp

memory/2576-13-0x0000000000400000-0x000000000046E000-memory.dmp

memory/2432-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2576-17-0x0000000000400000-0x000000000046E000-memory.dmp

memory/2432-15-0x0000000000080000-0x0000000000095000-memory.dmp

memory/2432-20-0x0000000000080000-0x0000000000095000-memory.dmp

memory/2432-21-0x0000000000080000-0x0000000000095000-memory.dmp

memory/2432-22-0x0000000000080000-0x0000000000095000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-26 08:50

Reported

2024-03-26 08:52

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe"

Signatures

Tofsee

trojan tofsee

Creates new service(s)

persistence

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\sliiqbqf\ImagePath = "C:\\Windows\\SysWOW64\\sliiqbqf\\gidjcpz.exe" | C:\Windows\SysWOW64\svchost.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sliiqbqf\gidjcpz.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\ŒwY | C:\Windows\SysWOW64\sliiqbqf\gidjcpz.exe | N/A
File created | C:\Windows\SysWOW64\´?X | C:\Windows\SysWOW64\sliiqbqf\gidjcpz.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 404 set thread context of 3004 | N/A | C:\Windows\SysWOW64\sliiqbqf\gidjcpz.exe | C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3424 wrote to memory of 1260 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\cmd.exe
PID 3424 wrote to memory of 1260 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\cmd.exe
PID 3424 wrote to memory of 1260 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\cmd.exe
PID 3424 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\cmd.exe
PID 3424 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\cmd.exe
PID 3424 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\cmd.exe
PID 3424 wrote to memory of 4460 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\sc.exe
PID 3424 wrote to memory of 4460 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\sc.exe
PID 3424 wrote to memory of 4460 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\sc.exe
PID 3424 wrote to memory of 1040 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\sc.exe
PID 3424 wrote to memory of 1040 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\sc.exe
PID 3424 wrote to memory of 1040 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\sc.exe
PID 3424 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\sc.exe
PID 3424 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\sc.exe
PID 3424 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\sc.exe
PID 3424 wrote to memory of 3184 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\netsh.exe
PID 3424 wrote to memory of 3184 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\netsh.exe
PID 3424 wrote to memory of 3184 | N/A | C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe | C:\Windows\SysWOW64\netsh.exe
PID 404 wrote to memory of 3004 | N/A | C:\Windows\SysWOW64\sliiqbqf\gidjcpz.exe | C:\Windows\SysWOW64\svchost.exe
PID 404 wrote to memory of 3004 | N/A | C:\Windows\SysWOW64\sliiqbqf\gidjcpz.exe | C:\Windows\SysWOW64\svchost.exe
PID 404 wrote to memory of 3004 | N/A | C:\Windows\SysWOW64\sliiqbqf\gidjcpz.exe | C:\Windows\SysWOW64\svchost.exe
PID 404 wrote to memory of 3004 | N/A | C:\Windows\SysWOW64\sliiqbqf\gidjcpz.exe | C:\Windows\SysWOW64\svchost.exe
PID 404 wrote to memory of 3004 | N/A | C:\Windows\SysWOW64\sliiqbqf\gidjcpz.exe | C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe

"C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\sliiqbqf\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gidjcpz.exe" C:\Windows\SysWOW64\sliiqbqf\

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create sliiqbqf binPath= "C:\Windows\SysWOW64\sliiqbqf\gidjcpz.exe /d\"C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description sliiqbqf "wifi internet conection"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start sliiqbqf

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3424 -ip 3424

C:\Windows\SysWOW64\sliiqbqf\gidjcpz.exe

C:\Windows\SysWOW64\sliiqbqf\gidjcpz.exe /d"C:\Users\Admin\AppData\Local\Temp\dec340af99d11d4bda18bafe03b2172f.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1028

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 404 -ip 404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 548

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | microsoft.com | udp
US | 20.112.250.133:80 | microsoft.com | tcp
US | 8.8.8.8:53 | microsoft.com | udp
US | 8.8.8.8:53 | microsoft-com.mail.protection.outlook.com | udp
US | 104.47.54.36:25 | microsoft-com.mail.protection.outlook.com | tcp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.250.112.20.in-addr.arpa | udp
HK | 43.231.4.7:443 | | tcp
US | 8.8.8.8:53 | yahoo.com | udp
US | 8.8.8.8:53 | mta5.am0.yahoodns.net | udp
US | 98.136.96.76:25 | mta5.am0.yahoodns.net | tcp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | google.com | udp
US | 8.8.8.8:53 | smtp.google.com | udp
BE | 108.177.15.26:25 | smtp.google.com | tcp
HK | 43.231.4.7:443 | | tcp
US | 8.8.8.8:53 | mail.ru | udp
US | 8.8.8.8:53 | mxs.mail.ru | udp
RU | 94.100.180.31:25 | mxs.mail.ru | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
HK | 43.231.4.7:443 | | tcp
US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp

Files

memory/3424-1-0x00000000006B0000-0x00000000007B0000-memory.dmp

memory/3424-2-0x00000000021B0000-0x00000000021C3000-memory.dmp

memory/3424-3-0x0000000000400000-0x000000000046E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gidjcpz.exe

MD5 22f23142479b4e750945ff4abd484247
SHA1 9c68c0d91479c78fb64b76d00f78bea9e7781d24
SHA256 69b75925d4341bdae1482039d30c43a1be1631c207d000e19930b45f4dc83ba7
SHA512 05603cc0cd211c96e2773b93d6a381c33f19eb7ac3adb6b12111a930312875b111f7b5458fcdf64767d3c937f70b376144e3cb1acafbb33e24bf482a8f76d438

C:\Windows\SysWOW64\sliiqbqf\gidjcpz.exe

MD5 7fa11de4bcbc3ed6c566df1725ffa250
SHA1 7714a1781036d7a0d110d81116282b57d2e937cc
SHA256 bcca1faee7403e0934bdb8dde9465755f1324d11fc03316da0a8198ff9174685
SHA512 16052bd3fe3dd83a055d594e2ea6ec6aff059b6197c336a2b6cd8bb0ba2fdcb7aa5d736bcba0c3d5472f1f1d5cc741ba22cdc55c84e70f98cea48b5145861dfa

memory/3424-7-0x0000000000400000-0x000000000046E000-memory.dmp

memory/3424-8-0x00000000021B0000-0x00000000021C3000-memory.dmp

memory/404-10-0x0000000000570000-0x0000000000670000-memory.dmp

memory/404-11-0x0000000000400000-0x000000000046E000-memory.dmp

memory/3004-12-0x00000000010C0000-0x00000000010D5000-memory.dmp

memory/3004-16-0x00000000010C0000-0x00000000010D5000-memory.dmp

memory/3004-18-0x00000000010C0000-0x00000000010D5000-memory.dmp

memory/404-17-0x0000000000400000-0x000000000046E000-memory.dmp

memory/3004-19-0x00000000010C0000-0x00000000010D5000-memory.dmp