Malware Analysis Report

2025-04-13 10:35

Sample ID: 240326-mxy85sgd79
Target: defc1cba4b8990663ca51d25a32af585
SHA256: 5ab3671466c3136f8b9cd603f45ce7a038c9b8ed2ea58a713c5fff6a0928f729
Tags: tofsee evasion persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
    MITRE ATT&CK
        Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 5ab3671466c3136f8b9cd603f45ce7a038c9b8ed2ea58a713c5fff6a0928f729

Threat Level: Known bad

The file defc1cba4b8990663ca51d25a32af585 was found to be: Known bad.

Malicious Activity Summary

tofsee evasion persistence trojan

Tofsee

Windows security bypass

Modifies Windows Firewall

Sets service image path in registry

Creates new service(s)

Deletes itself

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-26 10:51

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-26 10:51

Reported: 2024-03-26 10:54

Platform: win7-20240221-en

Max time kernel: 164s

Max time network: 171s

Command Line

"C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe"

Signatures

Tofsee

trojan tofsee

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\gbcvsuxt = "0" | C:\Windows\SysWOW64\svchost.exe | N/A

Creates new service(s)

persistence

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\gbcvsuxt\ImagePath = "C:\\Windows\\SysWOW64\\gbcvsuxt\\foesthwc.exe" | C:\Windows\SysWOW64\svchost.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\gbcvsuxt\foesthwc.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2416 set thread context of 2384 | N/A | C:\Windows\SysWOW64\gbcvsuxt\foesthwc.exe | C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1748 wrote to memory of 1872 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 1872 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 1872 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 1872 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 1504 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 1504 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 1504 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 1504 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\sc.exe
PID 1748 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\sc.exe
PID 1748 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\sc.exe
PID 1748 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\sc.exe
PID 1748 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\sc.exe
PID 1748 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\sc.exe
PID 1748 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\sc.exe
PID 1748 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\sc.exe
PID 1748 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\sc.exe
PID 1748 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\sc.exe
PID 1748 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\sc.exe
PID 1748 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\sc.exe
PID 1748 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\netsh.exe
PID 1748 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\netsh.exe
PID 1748 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\netsh.exe
PID 1748 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\netsh.exe
PID 2416 wrote to memory of 2384 | N/A | C:\Windows\SysWOW64\gbcvsuxt\foesthwc.exe | C:\Windows\SysWOW64\svchost.exe
PID 2416 wrote to memory of 2384 | N/A | C:\Windows\SysWOW64\gbcvsuxt\foesthwc.exe | C:\Windows\SysWOW64\svchost.exe
PID 2416 wrote to memory of 2384 | N/A | C:\Windows\SysWOW64\gbcvsuxt\foesthwc.exe | C:\Windows\SysWOW64\svchost.exe
PID 2416 wrote to memory of 2384 | N/A | C:\Windows\SysWOW64\gbcvsuxt\foesthwc.exe | C:\Windows\SysWOW64\svchost.exe
PID 2416 wrote to memory of 2384 | N/A | C:\Windows\SysWOW64\gbcvsuxt\foesthwc.exe | C:\Windows\SysWOW64\svchost.exe
PID 2416 wrote to memory of 2384 | N/A | C:\Windows\SysWOW64\gbcvsuxt\foesthwc.exe | C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe

"C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gbcvsuxt\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\foesthwc.exe" C:\Windows\SysWOW64\gbcvsuxt\

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create gbcvsuxt binPath= "C:\Windows\SysWOW64\gbcvsuxt\foesthwc.exe /d\"C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description gbcvsuxt "wifi internet conection"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start gbcvsuxt

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\gbcvsuxt\foesthwc.exe

C:\Windows\SysWOW64\gbcvsuxt\foesthwc.exe /d"C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | microsoft.com | udp
US | 20.112.250.133:80 | microsoft.com | tcp
US | 8.8.8.8:53 | microsoft.com | udp
US | 8.8.8.8:53 | microsoft-com.mail.protection.outlook.com | udp
US | 104.47.53.36:25 | microsoft-com.mail.protection.outlook.com | tcp
US | 8.8.8.8:53 | defeatwax.ru | udp
US | 8.8.8.8:53 | yahoo.com | udp
US | 8.8.8.8:53 | mta6.am0.yahoodns.net | udp
US | 67.195.204.79:25 | mta6.am0.yahoodns.net | tcp
US | 8.8.8.8:53 | google.com | udp
US | 8.8.8.8:53 | smtp.google.com | udp
BE | 142.251.173.26:25 | smtp.google.com | tcp
US | 8.8.8.8:53 | mail.ru | udp
US | 8.8.8.8:53 | mxs.mail.ru | udp
RU | 217.69.139.150:25 | mxs.mail.ru | tcp
US | 8.8.8.8:53 | refabyd.info | udp

Files

memory/1748-1-0x00000000005D0000-0x00000000006D0000-memory.dmp

memory/1748-2-0x0000000000220000-0x0000000000233000-memory.dmp

memory/1748-3-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\foesthwc.exe

MD5 3516364e331c80b4d17a6bf8247077e9
SHA1 0f6e417d2629c168a3d54f23f2f757ee294da5e7
SHA256 223abf8eac1b1bd1db3bdee22635ad841df31d1dd405744dcc54ee906c9c8e32
SHA512 7232cfb3c05f7ed3314e8f6e32ecf97cf03ab8a5521cd54f9249fe7018fddeb88803477662c24adc4f0c162272c336ec76c219eeb16a53e213c48227948f8cfb

memory/1748-6-0x0000000000400000-0x000000000046D000-memory.dmp

memory/1748-7-0x0000000000220000-0x0000000000233000-memory.dmp

memory/2416-10-0x0000000000640000-0x0000000000740000-memory.dmp

memory/2416-11-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2384-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2384-12-0x0000000000080000-0x0000000000095000-memory.dmp

memory/2416-16-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2384-15-0x0000000000080000-0x0000000000095000-memory.dmp

memory/2384-20-0x0000000000080000-0x0000000000095000-memory.dmp

memory/2384-21-0x0000000000080000-0x0000000000095000-memory.dmp

memory/2384-22-0x0000000000080000-0x0000000000095000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-26 10:51

Reported: 2024-03-26 10:54

Platform: win10v2004-20240226-en

Max time kernel: 146s

Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe"

Signatures

Tofsee

trojan tofsee

Creates new service(s)

persistence

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tfmoiayo\ImagePath = "C:\\Windows\\SysWOW64\\tfmoiayo\\pkzjotlj.exe" | C:\Windows\SysWOW64\svchost.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tfmoiayo\pkzjotlj.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2356 set thread context of 4064 | N/A | C:\Windows\SysWOW64\tfmoiayo\pkzjotlj.exe | C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2972 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 4036 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 4036 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 4036 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\sc.exe
PID 2972 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\sc.exe
PID 2972 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\sc.exe
PID 2972 wrote to memory of 640 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\sc.exe
PID 2972 wrote to memory of 640 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\sc.exe
PID 2972 wrote to memory of 640 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\sc.exe
PID 2972 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\sc.exe
PID 2972 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\sc.exe
PID 2972 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\sc.exe
PID 2972 wrote to memory of 4420 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\netsh.exe
PID 2972 wrote to memory of 4420 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\netsh.exe
PID 2972 wrote to memory of 4420 | N/A | C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe | C:\Windows\SysWOW64\netsh.exe
PID 2356 wrote to memory of 4064 | N/A | C:\Windows\SysWOW64\tfmoiayo\pkzjotlj.exe | C:\Windows\SysWOW64\svchost.exe
PID 2356 wrote to memory of 4064 | N/A | C:\Windows\SysWOW64\tfmoiayo\pkzjotlj.exe | C:\Windows\SysWOW64\svchost.exe
PID 2356 wrote to memory of 4064 | N/A | C:\Windows\SysWOW64\tfmoiayo\pkzjotlj.exe | C:\Windows\SysWOW64\svchost.exe
PID 2356 wrote to memory of 4064 | N/A | C:\Windows\SysWOW64\tfmoiayo\pkzjotlj.exe | C:\Windows\SysWOW64\svchost.exe
PID 2356 wrote to memory of 4064 | N/A | C:\Windows\SysWOW64\tfmoiayo\pkzjotlj.exe | C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe

"C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\tfmoiayo\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\pkzjotlj.exe" C:\Windows\SysWOW64\tfmoiayo\

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create tfmoiayo binPath= "C:\Windows\SysWOW64\tfmoiayo\pkzjotlj.exe /d\"C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description tfmoiayo "wifi internet conection"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start tfmoiayo

C:\Windows\SysWOW64\tfmoiayo\pkzjotlj.exe

C:\Windows\SysWOW64\tfmoiayo\pkzjotlj.exe /d"C:\Users\Admin\AppData\Local\Temp\defc1cba4b8990663ca51d25a32af585.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 20.231.121.79:80 | | tcp
US | 8.8.8.8:53 | microsoft.com | udp
US | 20.112.250.133:80 | microsoft.com | tcp
US | 8.8.8.8:53 | microsoft.com | udp
US | 8.8.8.8:53 | microsoft-com.mail.protection.outlook.com | udp
US | 52.101.40.26:25 | microsoft-com.mail.protection.outlook.com | tcp
US | 8.8.8.8:53 | 133.250.112.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 13.107.246.64:443 | | tcp
US | 8.8.8.8:53 | defeatwax.ru | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | defeatwax.ru | udp
US | 8.8.8.8:53 | yahoo.com | udp
US | 8.8.8.8:53 | mta7.am0.yahoodns.net | udp
US | 98.136.96.76:25 | mta7.am0.yahoodns.net | tcp
US | 8.8.8.8:53 | defeatwax.ru | udp
US | 8.8.8.8:53 | defeatwax.ru | udp
US | 8.8.8.8:53 | google.com | udp
US | 8.8.8.8:53 | smtp.google.com | udp
BE | 142.251.173.26:25 | smtp.google.com | tcp
US | 8.8.8.8:53 | defeatwax.ru | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | refabyd.info | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | mail.ru | udp
US | 8.8.8.8:53 | mxs.mail.ru | udp
RU | 217.69.139.150:25 | mxs.mail.ru | tcp
US | 8.8.8.8:53 | refabyd.info | udp
US | 8.8.8.8:53 | refabyd.info | udp
US | 8.8.8.8:53 | refabyd.info | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | refabyd.info | udp
US | 8.8.8.8:53 | defeatwax.ru | udp
US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp
US | 8.8.8.8:53 | defeatwax.ru | udp

Files

memory/2972-1-0x00000000006B0000-0x00000000007B0000-memory.dmp

memory/2972-2-0x00000000021B0000-0x00000000021C3000-memory.dmp

memory/2972-3-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2972-5-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pkzjotlj.exe

MD5 7a7d8e685d73e16fba5f07545e2e30e1
SHA1 d51b90b4b0dca940bd5bff0b47a271886077089c
SHA256 1cd00f194ea2de04b6b0d172b0d4bb9902a48158f2e7a8abcc7b912afe478825
SHA512 f6b2424fa359f5de1aadf596677d121f8c496f68defb8907ceb8d6ea3b8e2478e7aff7349b25a841ea2cacdd3f3229f409eab8d4b32cd635ac8b8c7923ab31f5

C:\Windows\SysWOW64\tfmoiayo\pkzjotlj.exe

MD5 915b763ff0061e425de41661a17a1145
SHA1 f997ee91041812e0cbe3495d5aa2024163207b5a
SHA256 3049561f36725332e61295b59f0773d98e02a8680b1369de359e7b4cf72cfd4d
SHA512 5356720202dd835d820be1d7cd1c7e82c365cb5ee6c88cc605495346e5686eeb40268257584c455a3fea6c46896177b468ace484e24c478151bd3f14ed2f2ee2

memory/2356-9-0x0000000000660000-0x0000000000760000-memory.dmp

memory/2356-10-0x0000000000400000-0x000000000046D000-memory.dmp

memory/4064-11-0x0000000000850000-0x0000000000865000-memory.dmp

memory/2972-14-0x00000000006B0000-0x00000000007B0000-memory.dmp

memory/4064-15-0x0000000000850000-0x0000000000865000-memory.dmp

memory/2972-16-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2356-17-0x0000000000400000-0x000000000046D000-memory.dmp

memory/4064-18-0x0000000000850000-0x0000000000865000-memory.dmp

memory/4064-19-0x0000000000850000-0x0000000000865000-memory.dmp

memory/2972-21-0x00000000021B0000-0x00000000021C3000-memory.dmp

memory/4064-27-0x0000000000850000-0x0000000000865000-memory.dmp