Malware Analysis Report

2025-04-13 10:35

Sample ID 240326-mgvwsagb23
Target def068a1136728af31342c71582b1a85
SHA256 bad8cfc47d63460e56554bdffe7e3cd7f8d8f4acd077c1846812ddab9a13b3d6
Tags tofsee evasion persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 bad8cfc47d63460e56554bdffe7e3cd7f8d8f4acd077c1846812ddab9a13b3d6

Threat Level: Known bad

The file def068a1136728af31342c71582b1a85 was found to be: Known bad.

Malicious Activity Summary

tofsee evasion persistence trojan

Windows security bypass

Tofsee

Modifies Windows Firewall

Sets service image path in registry

Creates new service(s)

Checks computer location settings

Executes dropped EXE

Deletes itself

Suspicious use of SetThreadContext

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-03-26 10:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-03-26 10:26

Reported 2024-03-26 10:29

Platform win7-20240215-en

Max time kernel 142s

Max time network 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe"

Signatures

Tofsee

trojan tofsee

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\qfyvcure = "0" C:\Windows\SysWOW64\svchost.exe N/A

Creates new service(s)

persistence

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\qfyvcure\ImagePath = "C:\\Windows\\SysWOW64\\qfyvcure\\xdozrgam.exe" C:\Windows\SysWOW64\svchost.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\qfyvcure\xdozrgam.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1740 set thread context of 2832 N/A C:\Windows\SysWOW64\qfyvcure\xdozrgam.exe C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2868 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\sc.exe
PID 2868 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\sc.exe
PID 2868 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\sc.exe
PID 2868 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\sc.exe
PID 2868 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\sc.exe
PID 2868 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\sc.exe
PID 2868 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\sc.exe
PID 2868 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\sc.exe
PID 2868 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\sc.exe
PID 2868 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\sc.exe
PID 2868 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\sc.exe
PID 2868 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\sc.exe
PID 2868 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\netsh.exe
PID 2868 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\netsh.exe
PID 2868 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\netsh.exe
PID 2868 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\netsh.exe
PID 1740 wrote to memory of 2832 N/A C:\Windows\SysWOW64\qfyvcure\xdozrgam.exe C:\Windows\SysWOW64\svchost.exe
PID 1740 wrote to memory of 2832 N/A C:\Windows\SysWOW64\qfyvcure\xdozrgam.exe C:\Windows\SysWOW64\svchost.exe
PID 1740 wrote to memory of 2832 N/A C:\Windows\SysWOW64\qfyvcure\xdozrgam.exe C:\Windows\SysWOW64\svchost.exe
PID 1740 wrote to memory of 2832 N/A C:\Windows\SysWOW64\qfyvcure\xdozrgam.exe C:\Windows\SysWOW64\svchost.exe
PID 1740 wrote to memory of 2832 N/A C:\Windows\SysWOW64\qfyvcure\xdozrgam.exe C:\Windows\SysWOW64\svchost.exe
PID 1740 wrote to memory of 2832 N/A C:\Windows\SysWOW64\qfyvcure\xdozrgam.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe

"C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qfyvcure\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xdozrgam.exe" C:\Windows\SysWOW64\qfyvcure\

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create qfyvcure binPath= "C:\Windows\SysWOW64\qfyvcure\xdozrgam.exe /d\"C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description qfyvcure "wifi internet conection"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start qfyvcure

C:\Windows\SysWOW64\qfyvcure\xdozrgam.exe

C:\Windows\SysWOW64\qfyvcure\xdozrgam.exe /d"C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 microsoft.com udp
US 20.112.250.133:80 microsoft.com tcp
US 8.8.8.8:53 microsoft.com udp
US 8.8.8.8:53 microsoft-com.mail.protection.outlook.com udp
US 52.101.11.0:25 microsoft-com.mail.protection.outlook.com tcp
HK 43.231.4.6:443 tcp
US 8.8.8.8:53 yahoo.com udp
US 8.8.8.8:53 mta7.am0.yahoodns.net udp
US 98.136.96.91:25 mta7.am0.yahoodns.net tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 smtp.google.com udp
BE 142.251.173.27:25 smtp.google.com tcp
HK 43.231.4.6:443 tcp
US 8.8.8.8:53 mail.ru udp
US 8.8.8.8:53 mxs.mail.ru udp
RU 94.100.180.31:25 mxs.mail.ru tcp
HK 43.231.4.6:443 tcp

Files

memory/2868-1-0x0000000000970000-0x0000000000A70000-memory.dmp

memory/2868-3-0x00000000002B0000-0x00000000002C3000-memory.dmp

memory/2868-4-0x0000000000400000-0x00000000008EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xdozrgam.exe

MD5 7678ea08e076aa08cc6893bc848bc670
SHA1 916332d8ae03a3767e2b747ee3207d74c2bbb3db
SHA256 9a015915f6ba263519015410adc721cce3d9b4ee780b6dca0c620b9b3ce56257
SHA512 64d2584db85797d6fae13b88342e63decbe3fd495ae1e1efd0f05aa2bcb15196783b728273e9c897e1d1b0fff84910354a8fc7737e636751f036d9e05c3a75df

C:\Windows\SysWOW64\qfyvcure\xdozrgam.exe

MD5 aac1a881e3a112a21807c59a24e82df1
SHA1 105a213f66b798345023f8b6ac2fab186c9146f9
SHA256 5de551a5fcab5287e8cc0aa024c4491ba994bd71eb26661ca834ba533d8f6274
SHA512 eb4b6daba94a61fce19d0706febc15092e706dc6ad98338e58970d072673aa6e3879331bb8da5ea1025e31b3f6afbce0cfe2390e7c53d0f485962a6e9e160c2c

memory/2868-7-0x0000000000400000-0x00000000008EA000-memory.dmp

memory/2868-8-0x0000000000970000-0x0000000000A70000-memory.dmp

memory/1740-11-0x0000000000400000-0x00000000008EA000-memory.dmp

memory/2832-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2832-12-0x0000000000080000-0x0000000000095000-memory.dmp

memory/1740-17-0x0000000000400000-0x00000000008EA000-memory.dmp

memory/2832-15-0x0000000000080000-0x0000000000095000-memory.dmp

memory/1740-10-0x00000000009D0000-0x0000000000AD0000-memory.dmp

memory/2832-19-0x0000000000080000-0x0000000000095000-memory.dmp

memory/2832-20-0x0000000000080000-0x0000000000095000-memory.dmp

memory/2832-21-0x0000000000080000-0x0000000000095000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-03-26 10:26

Reported 2024-03-26 10:29

Platform win10v2004-20240226-en

Max time kernel 150s

Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe"

Signatures

Tofsee

trojan tofsee

Creates new service(s)

persistence

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\xhvkyoyr\ImagePath = "C:\\Windows\\SysWOW64\\xhvkyoyr\\xyabvytl.exe" C:\Windows\SysWOW64\svchost.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\xhvkyoyr\xyabvytl.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1764 set thread context of 2368 N/A C:\Windows\SysWOW64\xhvkyoyr\xyabvytl.exe C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5004 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\cmd.exe
PID 5004 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\cmd.exe
PID 5004 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\cmd.exe
PID 5004 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\cmd.exe
PID 5004 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\cmd.exe
PID 5004 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\cmd.exe
PID 5004 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\sc.exe
PID 5004 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\sc.exe
PID 5004 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\sc.exe
PID 5004 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\sc.exe
PID 5004 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\sc.exe
PID 5004 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\sc.exe
PID 5004 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\sc.exe
PID 5004 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\sc.exe
PID 5004 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\sc.exe
PID 5004 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\netsh.exe
PID 5004 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\netsh.exe
PID 5004 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe C:\Windows\SysWOW64\netsh.exe
PID 1764 wrote to memory of 2368 N/A C:\Windows\SysWOW64\xhvkyoyr\xyabvytl.exe C:\Windows\SysWOW64\svchost.exe
PID 1764 wrote to memory of 2368 N/A C:\Windows\SysWOW64\xhvkyoyr\xyabvytl.exe C:\Windows\SysWOW64\svchost.exe
PID 1764 wrote to memory of 2368 N/A C:\Windows\SysWOW64\xhvkyoyr\xyabvytl.exe C:\Windows\SysWOW64\svchost.exe
PID 1764 wrote to memory of 2368 N/A C:\Windows\SysWOW64\xhvkyoyr\xyabvytl.exe C:\Windows\SysWOW64\svchost.exe
PID 1764 wrote to memory of 2368 N/A C:\Windows\SysWOW64\xhvkyoyr\xyabvytl.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe

"C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xhvkyoyr\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xyabvytl.exe" C:\Windows\SysWOW64\xhvkyoyr\

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create xhvkyoyr binPath= "C:\Windows\SysWOW64\xhvkyoyr\xyabvytl.exe /d\"C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description xhvkyoyr "wifi internet conection"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start xhvkyoyr

C:\Windows\SysWOW64\xhvkyoyr\xyabvytl.exe

C:\Windows\SysWOW64\xhvkyoyr\xyabvytl.exe /d"C:\Users\Admin\AppData\Local\Temp\def068a1136728af31342c71582b1a85.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5004 -ip 5004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1188

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1764 -ip 1764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 512

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 microsoft.com udp
US 20.112.250.133:80 microsoft.com tcp
US 8.8.8.8:53 microsoft.com udp
US 8.8.8.8:53 microsoft-com.mail.protection.outlook.com udp
US 52.101.42.0:25 microsoft-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 133.250.112.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
HK 43.231.4.6:443 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 yahoo.com udp
US 8.8.8.8:53 mta5.am0.yahoodns.net udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 98.136.96.76:25 mta5.am0.yahoodns.net tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 smtp.google.com udp
BE 142.251.173.26:25 smtp.google.com tcp
HK 43.231.4.6:443 tcp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 mail.ru udp
US 8.8.8.8:53 mxs.mail.ru udp
RU 217.69.139.150:25 mxs.mail.ru tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
HK 43.231.4.6:443 tcp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 24.134.221.88.in-addr.arpa udp

Files

memory/5004-1-0x0000000000C00000-0x0000000000D00000-memory.dmp

memory/5004-2-0x0000000000A70000-0x0000000000A83000-memory.dmp

memory/5004-4-0x0000000000400000-0x00000000008EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xyabvytl.exe

MD5 f6f2749669158d6ca19aa22300d46873
SHA1 c8ef3ac0d626bf9d988de296f078448a1431dce8
SHA256 d79dbb8ef74abf3246b4e8375426fc9f447a7ab9b4b5f143c5c2d23f93ba436c
SHA512 afd2cca27900863223cbd1de655f1860d223f5b4040888497bd1daae7c18976cba1d04bd9b0ea7a420409739d956c1cceb4851f8da5e370708c6db1c6352e824

memory/5004-8-0x0000000000A70000-0x0000000000A83000-memory.dmp

memory/5004-7-0x0000000000400000-0x00000000008EA000-memory.dmp

memory/1764-10-0x0000000000A20000-0x0000000000B20000-memory.dmp

memory/1764-11-0x0000000000400000-0x00000000008EA000-memory.dmp

memory/2368-12-0x00000000009A0000-0x00000000009B5000-memory.dmp

memory/2368-16-0x00000000009A0000-0x00000000009B5000-memory.dmp

memory/2368-18-0x00000000009A0000-0x00000000009B5000-memory.dmp

memory/1764-17-0x0000000000400000-0x00000000008EA000-memory.dmp

memory/2368-19-0x00000000009A0000-0x00000000009B5000-memory.dmp