Malware Analysis Report

2025-04-13 10:35

Sample ID: 240326-nb5dpsgh25
Target: df071cea2b017b1429caef1d49d93dfd
SHA256: 9567c4b9f9804cac7979f1be0a96f746cf1c80d69b04542e1c05bf6be20b6736
Tags: tofsee evasion persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 9567c4b9f9804cac7979f1be0a96f746cf1c80d69b04542e1c05bf6be20b6736

Threat Level: Known bad

The file df071cea2b017b1429caef1d49d93dfd was found to be: Known bad.

Malicious Activity Summary

tofsee evasion persistence trojan

Windows security bypass

Tofsee

Sets service image path in registry

Modifies Windows Firewall

Creates new service(s)

Checks computer location settings

Executes dropped EXE

Deletes itself

Suspicious use of SetThreadContext

Launches sc.exe

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-26 11:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-26 11:14
Reported: 2024-03-26 11:16
Platform: win7-20240220-en
Max time kernel: 149s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe"

Signatures

Tofsee

trojan tofsee

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\iuqgfemf = "0" C:\Windows\SysWOW64\svchost.exe N/A

Creates new service(s)

persistence

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\iuqgfemf\ImagePath = "C:\\Windows\\SysWOW64\\iuqgfemf\\vuemuahi.exe" C:\Windows\SysWOW64\svchost.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\iuqgfemf\vuemuahi.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2428 set thread context of 2924 N/A C:\Windows\SysWOW64\iuqgfemf\vuemuahi.exe C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2792 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\sc.exe
PID 2792 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\sc.exe
PID 2792 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\sc.exe
PID 2792 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\sc.exe
PID 2792 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\sc.exe
PID 2792 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\sc.exe
PID 2792 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\sc.exe
PID 2792 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\sc.exe
PID 2792 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\sc.exe
PID 2792 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\sc.exe
PID 2792 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\sc.exe
PID 2792 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\sc.exe
PID 2792 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\netsh.exe
PID 2792 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\netsh.exe
PID 2792 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\netsh.exe
PID 2792 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\netsh.exe
PID 2428 wrote to memory of 2924 N/A C:\Windows\SysWOW64\iuqgfemf\vuemuahi.exe C:\Windows\SysWOW64\svchost.exe
PID 2428 wrote to memory of 2924 N/A C:\Windows\SysWOW64\iuqgfemf\vuemuahi.exe C:\Windows\SysWOW64\svchost.exe
PID 2428 wrote to memory of 2924 N/A C:\Windows\SysWOW64\iuqgfemf\vuemuahi.exe C:\Windows\SysWOW64\svchost.exe
PID 2428 wrote to memory of 2924 N/A C:\Windows\SysWOW64\iuqgfemf\vuemuahi.exe C:\Windows\SysWOW64\svchost.exe
PID 2428 wrote to memory of 2924 N/A C:\Windows\SysWOW64\iuqgfemf\vuemuahi.exe C:\Windows\SysWOW64\svchost.exe
PID 2428 wrote to memory of 2924 N/A C:\Windows\SysWOW64\iuqgfemf\vuemuahi.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe

"C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\iuqgfemf\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vuemuahi.exe" C:\Windows\SysWOW64\iuqgfemf\

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create iuqgfemf binPath= "C:\Windows\SysWOW64\iuqgfemf\vuemuahi.exe /d\"C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description iuqgfemf "wifi internet conection"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start iuqgfemf

C:\Windows\SysWOW64\iuqgfemf\vuemuahi.exe

C:\Windows\SysWOW64\iuqgfemf\vuemuahi.exe /d"C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 microsoft.com udp
US 20.112.250.133:80 microsoft.com tcp
US 8.8.8.8:53 microsoft.com udp
US 8.8.8.8:53 microsoft-com.mail.protection.outlook.com udp
US 104.47.53.36:25 microsoft-com.mail.protection.outlook.com tcp
RU 176.111.174.19:443 tcp
US 8.8.8.8:53 yahoo.com udp
US 8.8.8.8:53 mta6.am0.yahoodns.net udp
US 67.195.204.74:25 mta6.am0.yahoodns.net tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 smtp.google.com udp
BE 66.102.1.26:25 smtp.google.com tcp
RU 176.111.174.19:443 tcp
US 8.8.8.8:53 mail.ru udp
US 8.8.8.8:53 mxs.mail.ru udp
RU 94.100.180.31:25 mxs.mail.ru tcp
RU 176.111.174.19:443 tcp

Files

memory/2792-1-0x0000000000520000-0x0000000000620000-memory.dmp

memory/2792-2-0x0000000000220000-0x0000000000233000-memory.dmp

memory/2792-3-0x0000000000400000-0x000000000045D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vuemuahi.exe

MD5 79cf8baf8d3873dd87d7681dbc15a4dc
SHA1 7947e89cfc29c25b4433f74d840d6a711bc9cff5
SHA256 23a396de79aaae96182a4d95cd3d00df4d39642a6ff8f062e35d306fed060116
SHA512 9584d4ffbdac9027d04f372399d035282699946bbd2df6fcbf7287d33ad0b9392c3162cfd48f4ff845df56b11de62f959f8f6bce71847fcd10d40aac7c3159a7

C:\Windows\SysWOW64\iuqgfemf\vuemuahi.exe

MD5 4cff44cce4ee7ef3ba7cbb120b6418e1
SHA1 b78c21d61c6b64ac3bcf1ad77cac4ce1dd564182
SHA256 833efd62a13991b680f8fd0258864cb093f1d08dc9712ceaea861d3d805c59b9
SHA512 280db0b6c3679305c642b9918ec1996f47a670c1e1d8f14824c7dde21e2a9b8ab1f12e9c3c87a3330093bfd9821b3c104ff3669d074e26a32b13f1f0b2a412b6

memory/2792-7-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2792-8-0x0000000000220000-0x0000000000233000-memory.dmp

memory/2428-10-0x00000000005E0000-0x00000000006E0000-memory.dmp

memory/2428-11-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2428-17-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2924-15-0x0000000000080000-0x0000000000095000-memory.dmp

memory/2924-19-0x0000000000080000-0x0000000000095000-memory.dmp

memory/2924-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2924-12-0x0000000000080000-0x0000000000095000-memory.dmp

memory/2924-20-0x0000000000080000-0x0000000000095000-memory.dmp

memory/2924-21-0x0000000000080000-0x0000000000095000-memory.dmp

memory/2924-22-0x0000000000080000-0x0000000000095000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-26 11:14
Reported: 2024-03-26 11:17
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe"

Signatures

Tofsee

trojan tofsee

Creates new service(s)

persistence

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ccuxfuvz\ImagePath = "C:\\Windows\\SysWOW64\\ccuxfuvz\\qdoxyjul.exe" C:\Windows\SysWOW64\svchost.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ccuxfuvz\qdoxyjul.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2444 set thread context of 2704 N/A C:\Windows\SysWOW64\ccuxfuvz\qdoxyjul.exe C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 116 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\sc.exe
PID 116 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\sc.exe
PID 116 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\sc.exe
PID 116 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\sc.exe
PID 116 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\sc.exe
PID 116 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\sc.exe
PID 116 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\sc.exe
PID 116 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\sc.exe
PID 116 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\sc.exe
PID 116 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\netsh.exe
PID 116 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\netsh.exe
PID 116 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe C:\Windows\SysWOW64\netsh.exe
PID 2444 wrote to memory of 2704 N/A C:\Windows\SysWOW64\ccuxfuvz\qdoxyjul.exe C:\Windows\SysWOW64\svchost.exe
PID 2444 wrote to memory of 2704 N/A C:\Windows\SysWOW64\ccuxfuvz\qdoxyjul.exe C:\Windows\SysWOW64\svchost.exe
PID 2444 wrote to memory of 2704 N/A C:\Windows\SysWOW64\ccuxfuvz\qdoxyjul.exe C:\Windows\SysWOW64\svchost.exe
PID 2444 wrote to memory of 2704 N/A C:\Windows\SysWOW64\ccuxfuvz\qdoxyjul.exe C:\Windows\SysWOW64\svchost.exe
PID 2444 wrote to memory of 2704 N/A C:\Windows\SysWOW64\ccuxfuvz\qdoxyjul.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe

"C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ccuxfuvz\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\qdoxyjul.exe" C:\Windows\SysWOW64\ccuxfuvz\

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create ccuxfuvz binPath= "C:\Windows\SysWOW64\ccuxfuvz\qdoxyjul.exe /d\"C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description ccuxfuvz "wifi internet conection"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start ccuxfuvz

C:\Windows\SysWOW64\ccuxfuvz\qdoxyjul.exe

C:\Windows\SysWOW64\ccuxfuvz\qdoxyjul.exe /d"C:\Users\Admin\AppData\Local\Temp\df071cea2b017b1429caef1d49d93dfd.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 116 -ip 116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 1044

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2444 -ip 2444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 microsoft.com udp
US 20.112.250.133:80 microsoft.com tcp
US 8.8.8.8:53 microsoft.com udp
US 8.8.8.8:53 microsoft-com.mail.protection.outlook.com udp
US 52.101.40.26:25 microsoft-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 133.250.112.20.in-addr.arpa udp
RU 176.111.174.19:443 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
GB 142.250.187.202:443 tcp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 yahoo.com udp
US 8.8.8.8:53 mta7.am0.yahoodns.net udp
US 98.136.96.75:25 mta7.am0.yahoodns.net tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 smtp.google.com udp
BE 66.102.1.26:25 smtp.google.com tcp
US 8.8.8.8:53 152.78.101.95.in-addr.arpa udp
US 8.8.8.8:53 66.134.221.88.in-addr.arpa udp
RU 176.111.174.19:443 tcp
US 8.8.8.8:53 mail.ru udp
US 8.8.8.8:53 mxs.mail.ru udp
RU 94.100.180.31:25 mxs.mail.ru tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
RU 176.111.174.19:443 tcp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp

Files

memory/116-1-0x0000000000670000-0x0000000000770000-memory.dmp

memory/116-2-0x0000000002080000-0x0000000002093000-memory.dmp

memory/116-3-0x0000000000400000-0x000000000045D000-memory.dmp

memory/116-5-0x0000000000400000-0x000000000045D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qdoxyjul.exe

MD5 b7a9cf09e97cab214eccdae52c5882b3
SHA1 4a3f27b370de1a19093f37e74545938fffa509ec
SHA256 82d708ed4afce49096220a30594cba6cb85d76171967e0b81702c14c41ea6f21
SHA512 c398421f3710d6cb2ee77e1ce7208109cc7a321ca4e71b57559400c9901ac4b55673235e0820ef9cff93dfdbfddd6f918ec5202e35883cfb465c7768e0d2197d

C:\Windows\SysWOW64\ccuxfuvz\qdoxyjul.exe

MD5 3e136af1e4f6624defcef84c96314ac3
SHA1 77ea27389ff1dc5dbfb702220f4c6d100186d01a
SHA256 1a4ffe3f7e54c7fd80a412ba5ff288f3f6e6869c0b78d89a8e6827125838eb9f
SHA512 635cdcd63353c4c3eab7171c51a693a53929783ea5f32dc1ed99c329faa7020f5edb4dc30d5904f084df006e5e6f8a42ee560899111a4a4de438bc755a4b2743

memory/116-8-0x0000000000400000-0x000000000045D000-memory.dmp

memory/116-9-0x0000000002080000-0x0000000002093000-memory.dmp

memory/2444-11-0x00000000006C0000-0x00000000007C0000-memory.dmp

memory/2444-12-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2704-13-0x0000000000530000-0x0000000000545000-memory.dmp

memory/2704-16-0x0000000000530000-0x0000000000545000-memory.dmp

memory/2704-17-0x0000000000530000-0x0000000000545000-memory.dmp

memory/2444-18-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2704-19-0x0000000000530000-0x0000000000545000-memory.dmp

memory/2704-20-0x0000000000530000-0x0000000000545000-memory.dmp